Issue Summary

When an AD connector in Confluence incrementally syncs user directories it can remove users from their groups in Confluence. A full sync restores these users. 

Environment

Tested in Confluence 6.x that has embedded Crowd 2.10, but all Confluence versions are affected

Steps to Reproduce

1. Create an AD connector and set it to do incremental syncs with Active Directory
2. During an incremental sync, the embedded Crowd within Confluence will check for all of recently changed groups.

Expected Results

Any user added to a group in AD that is set to sync with Confluence would be added to the corresponding group in Confluence.

Actual Results

Any user in the group that was not modified is removed from Confluence and only the modified users are added. 

The below is an example INFO message of this from the atlassian-confluence.log file:

INFO [Caesium-1-3] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] removeUserMembershipsForGroup removed [ 1462 ] user members from [ GROUPNAME ] in [ 10583ms ]

Notes

During the incremental sync, for changed AD groups it will fetch their memberships. Unfortunately the embedded Crowd within Confluence will only ask for members who also were recently changed and then during the incremental sync, make them the only users existing in the local Confluence group. The embedded Crowd in Confluence will ignore all other users who were not a part in this synchronization as they were not changed, resulting in them being removed during the sync. 

Workaround

Set the AD connector in Confluence to do FULL syncs only by un-checking the "Enable Incremental Synchronization" option in the Advanced section of the AD connector's settings.