How to Exclude Active Directory Default Domain Groups from Confluence
When using Microsoft Active Directory, you may wish to filter out the default groups - such as Domain Admins, and Cert Publishers. These are default groups in Active Directory, and depending on your requirements, it may difficult or impossible to write a filter that excludes them all. Instead, you can filter objects by ignoring any that have the
isCriticalSystemObject property set on them.
This also applies to any product where you can specify an LDAP filter - in this particular example, we're using Confluence.
You should perform these tests in a test environment first - that way, you don't accidentally lock your users out of Confluence
- Log into Confluence as an Administrator from the local directory (this is so you can make changes to the Active Directory
In Confluence Administration, click "User Directories"
Next to your Active Directory, click "Edit"
Click "Group Schema Settings" to expand those settings
The default Group Filter is:
Change it to the following:
You may need to adjust this filter further, depending on your particular configuration and goals.
- This will match any object that is a group, and does not have the
isCriticalSystemObjectproperty set to true.
- Save the changes, and perform a sync - the groups should no longer be present in the Groups screen of Confluence