Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-2082

Use tokenGroups attribute for nested group retrievals on AD


    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      It might be possible to improve the performance of nested groups on Active Directory by using the tokenGroups attribute. This is a computed attribute that lists all the nested members of a group by their SID ("objectSid" attribute).

      This was originally suggested in a forum post for Confluence, then developed as a popular custom Atlassian-User implementation by Swisscomm on CONF-17150.


      You can take advantage of how Crowd uses the configuration, and force AD to do this anyway. This will mean your groups are all flattened in Crowd, but you will receive the same performance benefit. To do this, configure the following in the directory in Crowd:

      1. On the "Connector" tab:
        • Uncheck "Use Nested Groups"
        • Uncheck "Use memberOf for group memberships"
        • Check "Use the User Membership Attribute"
      2. On the "Configuration" tab:
        • Change the "User Group Attribute" to "memberOf:1.2.840.113556.1.4.1941:"
      3. Perform a full sync in Crowd
        • If you had the directory configured to perform incremental synchronization, you will need to change it to full synchronization so that Crowd captures changes on nested groups.

            Unassigned Unassigned
            matt@atlassian.com Matt Ryall
            21 Vote for this issue
            28 Start watching this issue