Catch up on the latest product updates, best practices, and expert insights from the Checkmk Conference #12 – Watch the livestream recordings now

Werk #19930: Quarantine vanished LDAP users instead of deleting them immediately

Component Setup
Title Quarantine vanished LDAP users instead of deleting them immediately
Date Jul 1, 2026
Level Prominent Change
Class New Feature
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
3.0.0b1
Not yet released
Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

When a user synchronized from an LDAP connection can no longer be found during synchronization, Checkmk used to delete the account immediately. From now on, such a user is instead quarantined: the account is locked for a configurable retention period but stays in place, visible to administrators. If the user reappears before the period elapses, the account is automatically unlocked and reactivated; otherwise it is deleted once the period has passed.

This matters because a synchronized account holds per-user configuration that does not come from LDAP and cannot be reconstructed from it, such as notification rules and options, contact group memberships, and personal GUI configuration (views, dashboards, favorites, preferences). If a user vanishes only temporarily - a directory outage, a migration, an overly narrow search filter, or a faulty sync - immediate deletion throws all of this away. Quarantine keeps it, so a reappearing user gets everything back automatically.

The retention period is controlled by a new global setting Quarantine LDAP users before deletion under Setup > General > Global settings > User management, defaulting to 30 days. This changes the default behavior: vanished LDAP users are now kept for 30 days rather than removed on the next sync. Disable the option to restore immediate deletion. Quarantine and reactivation events are recorded in the security audit log.

To the list of all Werks