As of Release 2017 R1, membership for all access control groups is managed independently of LDAP EXCEPT for the following special (system defined) groups:

The All Users group is always modified by LDAP.

The Systems Administrators and VPE Administrators groups may or may not be modified by LDAP, depending on how these groups are defined and how the Sync Admin Group Membership options are defined for the LDAP connection.

The special Super User sub-group of the System Administrators group is ALWAYS managed manually.

For more information about Access Control groups, see Groups in the Access Control chapter.