Issue
Jenkins is able to resolve individual users from AD and can see external groups, but cannot resolve external group membership. For example, user1 is part of the Developer group. User1 can be added individually, and the Developer group appears to be resolved (it shows the external group icon in RBAC, for example). When assigning permissions to the Developer group, they are not reflected for its members, such as user1.
Resolution
Navigate to the AD plugin configuration under Manage Jenkins -> Configure Global Security. The option "Remove irrelevant groups" needs to be unchecked. This feature was added in Active Directory plugin version 1.39. It is incompatible with RBAC, as RBAC needs to see every group a user is a member of.
This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.