ユースケース

When using Microsoft Active Directory, you may wish to filter out the default groups - such as Domain Admins, and Cert Publishers. These are default groups in Active Directory, and depending on your requirements, it may difficult or impossible to write a filter that excludes them all. Instead, you can filter objects by ignoring any that have the isCriticalSystemObject property set on them.

This also applies to any product where you can specify an LDAP filter - in this particular example, we're using Confluence.

ソリューション

• Log into Confluence as an Administrator from the local directory (this is so you can make changes to the Active Directory

• In Confluence Administration, click "User Directories"

• Next to your Active Directory, click "Edit"

• Click "Group Schema Settings" to expand those settings

• The default Group Filter is:

  (objectCategory=Group)

• Change it to the following:

  (&(objectCategory=Group)(!(isCriticalSystemObject=TRUE)))

  You may need to adjust this filter further, depending on your particular configuration and goals.

• This will match any object that is a group, and does not have the isCriticalSystemObject property set to true.
• Save the changes, and perform a sync - the groups should no longer be present in the Groups screen of Confluence