Jira Data Center / JRASERVER-29293

User Loses all Local Group Memberships If Any of the LDAP Syncs Is Unable to Find the User, Even If the User Appears After Subsequent Syncs


    Description

      I can't think of a better title, but the steps to reproduce should explain this behavior:

      1. Create a connection to Active Directory via JIRA Administration >> User Directories, using Read Only with Local Groups.
      2. Sync all users from AD, and set Default Group Memberships to jira-users and jira-internal.
      3. Log in as testADuser.
      4. Notice that testADuser is automatically added to the groups jira-users and jira-internal.
      5. Log out and log in again as admin; this time, change the user object filter in the AD directory to this:
        (&(objectCategory=Person)(!(sAMAccountName=testADuser)))
        
      6. Sync the directory. Notice that testADuser is not synchronized.
      7. Change the user object filter back to:
        (&(objectCategory=Person)(sAMAccountName=*))
        
      8. Sync the directory again. Notice that testADuser is synced back, but the user is no longer in jira-users and jira-internal. In this sense, the user indeed loses all group memberships if they are filtered out of an Active Directory sync (which could be due to a failure in any of the Active Directory trees).

      Suggestion

      Instead of using a regular Active Directory connector with Local Groups, consider using an Internal with LDAP Authentication (Delegated) directory.
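      Because every account that a sync skips has its local group memberships wiped, the check to run before saving a new user object filter (steps 5 and 7 above) is "which accounts will this filter drop?". The script below is an added example, not code from this Jira issue, from the reporter, or from Atlassian: it is a small evaluator for the subset of RFC 4515 filter syntax used in the steps (AND, OR, NOT, equality, presence, '*' substrings, \XX hex escapes) that dry-runs a current and a proposed filter against an exported list of accounts and reports the users that would fall out of the next sync. The account list, the attribute names and the treatment of objectCategory as a short class name (AD actually stores a schema DN and resolves the short name itself) are assumptions for the example.

```python
"""Dry-run a Jira/Crowd "User Object Filter" against exported AD accounts.

Added example, not code from the Jira issue or from Atlassian. Assumptions:
entries are plain dicts (e.g. exported with ldapsearch or Get-ADUser),
attribute names and values compare case-insensitively as in AD, and
objectCategory holds the short class name rather than the full schema DN.
"""
import re

# Constructed sample export; the names mirror the reproduction steps.
SAMPLE_USERS = [
    {"objectCategory": "Person", "sAMAccountName": "testADuser"},
    {"objectCategory": "Person", "sAMAccountName": "admin"},
    {"objectCategory": "Person", "sAMAccountName": "jdoe"},
    {"objectCategory": "Computer", "sAMAccountName": "WKS01$"},
]


def parse_filter(text):
    """Parse a filter string into a tuple tree: ('&'|'|', [children]),
    ('!', child) or ('=', attr, value). Raises ValueError on malformed input."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _parse(s, i):
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect(s, i, ")")
    if op == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), _expect(s, i, ")")
    end = s.find(")", i)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed simple filter item at offset %d" % i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def _unescape(piece):
    """Decode RFC 4515 \\XX hex escapes inside one literal (non-wildcard) piece."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])   # (&) is absolute true
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])   # (|) is absolute false
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if actual is None:
        return False                      # attribute absent: nothing can match
    values = actual if isinstance(actual, list) else [actual]
    if value == "*":
        return True                       # presence filter, e.g. (sAMAccountName=*)
    # Split on unescaped '*' first so an escaped '\2a' stays a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)


def dry_run(filter_text, entries, name_attr="sAMAccountName"):
    """Return (kept, dropped) account names for a candidate user object filter."""
    tree = parse_filter(filter_text)
    kept = [e[name_attr] for e in entries if _matches(tree, e)]
    dropped = [e[name_attr] for e in entries if not _matches(tree, e)]
    return kept, dropped


def accounts_lost_by_change(old_filter, new_filter, entries):
    """Accounts matched by the current filter but not by the proposed one: the
    users the next sync would skip, and so the users whose local group
    memberships (jira-users, jira-internal, ...) would be wiped."""
    old_kept, _ = dry_run(old_filter, entries)
    new_kept, _ = dry_run(new_filter, entries)
    return sorted(set(old_kept) - set(new_kept))


if __name__ == "__main__":
    current = "(&(objectCategory=Person)(sAMAccountName=*))"
    proposed = "(&(objectCategory=Person)(!(sAMAccountName=testADuser)))"
    print("kept/dropped by proposed filter:", dry_run(proposed, SAMPLE_USERS))
    print("would drop out of the next sync:",
          accounts_lost_by_change(current, proposed, SAMPLE_USERS))
```

      To use it against a real directory, replace SAMPLE_USERS with the accounts exported from the same base DN the Jira directory is configured with; any name that accounts_lost_by_change prints is a user who, given the behaviour described in step 8, will need its local groups re-added by hand after the next sync. The evaluator does not implement approximate, extensible or >=/<= matching rules, so a filter that uses them must be checked with ldapsearch instead.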

          People

            Assignee: Unassigned
            Reporter: Foo Sim (fsim) (Inactive)
            Votes: 3
            Watchers: 12
