User Deactivator Documentation Administrator Guide Current: Remove Groups from Users in Read Only, with Local Groups Directories Remove Groups from Users in Read Only, with Local Groups Directories ProblemYou are using an external directory with LDAP Permissions "Read Only, with Local Groups" and can't deactivate users because the directory is Read Only.SolutionInstead of deactivating users, you could remove them from the groups which provide application access.In Jira, these groups are by default called jira-software-users, jira-servicedesk-users or jira-core-users. In Confluence it's the confluence-users and in Bitbucket the stash-users group. If you created these groups directly in your active directory, they are not considered as local groups yet and you need to perform the steps below. Change LDAP permissions settings for the external directoryFor new users, you need to make sure that they are assigned to the groups providing application access, as in the example of Jira and the jira-software-users group in the picture below.Add users to a temporary groupThe safest way to not forget who previously was a member of the groups providing application access is to add the users to a temporary group. This is because you'll need to remove the groups in the Active Directory / LDAP server in the next step, thus loosing the membership information in the Active Directory.Delete Group in Active Directory/ LDAP and adjust directory in Jira, Confluence or BitbucketPlease follow the steps described here: https://confluence.atlassian.com/jirakb/how-to-remove-ldap-groups-from-jira-300811978.htmlInstead of the group name in the example in the above tutorial, please use jira-software-users or another group name, depending on your setup, i.e.: (&(objectCategory=Group)(!(cn:=jira-software-users))) CODE After saving the new directory configuration, perform a full synchronization for that directory:Add users from the temporary group to the group providing application access againOnly after performing the previous step you can add users to the group providing application access from within Jira, Confluence or Bitbucket.Otherwise it just wouldn't work and look like nothing happened. Only in the log files on the server you'd see that you are still trying to add users to a read-only group.So all users from the temporary group should now be added to i.e. jira-software-users, confluence-users or the stash-users group. Reset the default group membership action of LDAP directoriesIf you decide to remove groups provided in the Default Group Memberships section of the LDAP connector, you might want to consider resetting the flag that groups have been added.This is because Atlassian only adds users to these groups on first login. Normally you could only do that with a database update, read here: https://confluence.atlassian.com/confkb/how-to-reset-the-default-group-membership-action-of-ldap-directories-959789273.html.If you check the corresponding box below the group picker:ConclusionWith this setup you have now full control over group memberships for these groups in Jira, Confluence or Bitbucket directly.Please note that you'll need version 4.4.0 or later of the License & User Deactivator app in order to remove users from groups as part of the automatic deactivation. SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products. Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.