You need department managers to handle their own AD group memberships. You search for "self-service AD group management" and every result pushes you toward Microsoft Entra ID or an enterprise identity governance platform that costs more than your entire IT tooling budget. But your organization runs on-premises Active Directory. Maybe you can't move to the cloud. Maybe you don't want to. Maybe compliance says your data stays on your servers. Whatever the reason, you need a solution that works with on-prem AD—and you need it without deploying a 50-component identity platform.
This guide compares the realistic options for self-service group management when your Active Directory is on-premises and staying that way.
Microsoft's own documentation states it clearly: "Groups synced from on-premises Active Directory can only be managed on-premises." If your security groups control access to on-prem file shares, network printers, line-of-business applications, or VPN access, Entra ID's self-service group features don't apply to them.
This creates a gap. Microsoft invests heavily in cloud-based identity management through Entra ID, but millions of organizations still rely on on-premises Active Directory as their primary identity store. Some are in regulated industries where data must stay within their infrastructure. Others have air-gapped networks. Many simply don't need or want to add Azure licensing and hybrid sync complexity for what should be a straightforward operational improvement.
The result: IT continues processing group membership tickets manually, and managers continue waiting hours or days for access changes that should take seconds.
Before comparing solutions, it's important to understand the mechanism that makes self-service group management possible in on-premises AD. Every AD group object has a managedBy attribute that can point to any user or group in the directory. The attribute by itself is only a pointer and grants no rights. When you open a group's properties in Active Directory Users and Computers, navigate to the Managed By tab, and check "Manager can update membership list," ADUC writes an access control entry that grants that user Write Members permission (WriteProperty on the group's member attribute) through the standard AD security model.
Organizations using Exchange also have msExchCoManagedByLink, a multi-valued attribute that allows multiple co-managers for a single group—useful when a group is shared across teams or when backup managers are needed.
Here's how to set this up via PowerShell (requires the ActiveDirectory RSAT module):

```powershell
Import-Module ActiveDirectory

# Designate a manager for a group (managedBy is only a pointer; it grants no rights by itself)
Set-ADGroup "Marketing-Team" -ManagedBy "jsmith"

# Verify the assignment
Get-ADGroup "Marketing-Team" -Properties ManagedBy |
    Select-Object Name, ManagedBy

# Grant "Manager can update membership list": an Allow ACE for WriteProperty
# on the group's member attribute, which is what the ADUC checkbox writes
$group   = Get-ADGroup "Marketing-Team"
$manager = Get-ADUser "jsmith"
$acl = Get-Acl "AD:\$($group.DistinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [GUID]"bf9679c0-0de6-11d0-a285-00aa003049e2" # schemaIDGUID of the member attribute
)
$acl.AddAccessRule($ace)
Set-Acl "AD:\$($group.DistinguishedName)" $acl
```
This is the foundation. The challenge is what comes next: the manager now has permission to modify the group, but they need a practical tool to do it. ADUC requires RSAT installation and is far too complex for non-technical users. That's where the options diverge.
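Because managedBy and the ACE are stored independently, they drift: a manager gets changed without the old ACE being removed, or managedBy is set but the checkbox is never ticked. The following script is an added example (not part of the original article and not the product's code) that reports both conditions for every group under an OU. It assumes the ActiveDirectory RSAT module, an account that can read group ACLs, and a search base you substitute for the placeholder OU; it only counts explicit ACEs on the member attribute, so broad GenericAll grants held by administrators are deliberately not reported.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute (the same GUID the setup code above uses)
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function ConvertTo-SidString {
    # Normalise an ACE identity (DOMAIN\name or raw SID) to a SID string for comparison
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity)
    try   { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }   # unresolvable identity (orphaned SID): keep the raw value
}

function Get-MemberWriteGrantees {
    # SIDs holding an explicit Allow WriteProperty ACE on the member attribute,
    # which is exactly what the ADUC "Manager can update membership list" box writes.
    # Broad grants (GenericAll held by Domain Admins etc.) are deliberately ignored.
    param([Parameter(Mandatory)][string]$GroupDN)
    (Get-Acl -Path "AD:\$GroupDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $MemberGuid -and
            $_.ActiveDirectoryRights.HasFlag($WriteProp)
        } |
        ForEach-Object { ConvertTo-SidString $_.IdentityReference } |
        Sort-Object -Unique
}

function Test-GroupDelegation {
    # Compare designated managers with actual member-write grants for every group under $SearchBase
    param([Parameter(Mandatory)][string]$SearchBase)

    # Ask for msExchCoManagedByLink only if the Exchange schema defines it;
    # requesting an attribute that is not in the schema makes Get-ADGroup throw
    $props  = @('managedBy')
    $schema = (Get-ADRootDSE).schemaNamingContext
    if (Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=msExchCoManagedByLink)') {
        $props += 'msExchCoManagedByLink'
    }

    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties $props) {
        $designeeDns  = @($group.managedBy) + @($group.msExchCoManagedByLink) | Where-Object { $_ }
        $designeeSids = @(foreach ($dn in $designeeDns) {
            (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
        } | Where-Object { $_ })   # drop designees without a SID (e.g. contacts)
        $grantees = @(Get-MemberWriteGrantees -GroupDN $group.DistinguishedName)

        [PSCustomObject]@{
            Group             = $group.Name
            # designated manager who cannot actually edit members: checkbox never ticked
            ManagerWithoutAce = @($designeeSids | Where-Object { $_ -notin $grantees })
            # member-write ACE held by a non-designee: stale grant from a previous manager
            ExtraGrantees     = @($grantees     | Where-Object { $_ -notin $designeeSids })
        }
    }
}

# Usage (OU path is an assumption; adjust for your domain):
Test-GroupDelegation -SearchBase 'OU=Groups,DC=example,DC=com' |
    Where-Object { $_.ManagerWithoutAce -or $_.ExtraGrantees } |
    Format-List
```

Run it after the initial delegation and again whenever managers change; an entry in ExtraGrantees is a standing write permission that no current manager is accountable for, and an entry in ManagerWithoutAce is a manager whose self-service changes will fail in any tool that relies on the AD ACL.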
The first instinct for many sysadmins is to script a solution. A PowerShell-based web form using something like Pode, Universal Dashboard, or a simple ASP.NET page can query managedBy, display the manager's groups, and provide add/remove functionality.
The appeal is a custom solution tailored exactly to your environment, at no licensing cost. You control every aspect of the interface, the logic, and the deployment.
The real cost of a DIY approach isn't building it—it's maintaining it. Custom scripts need audit logging (and you need to build the log viewer), email notifications (and the template system), error handling for edge cases like nested groups or cross-domain members, security hardening and code review, and ongoing maintenance when AD schema changes or PowerShell versions update. Every hour spent maintaining a custom tool is an hour not spent on other projects. If the person who wrote the script leaves, someone else inherits undocumented code.
If you have fewer than five groups to delegate, a single reliable admin to maintain the scripts, and no compliance requirements for audit trails, a PowerShell approach can work. For anything beyond that, the maintenance burden typically exceeds the cost of a dedicated tool within the first year.
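To make the maintenance trade-off concrete, here is an added example (not from the original article) of the server-side core a DIY portal would call: it resolves which groups the caller is designated to manage via managedBy or msExchCoManagedByLink, re-checks that on every change, and writes an audit line for every attempt, denials included. It assumes the ActiveDirectory module, a web tier (Pode, ASP.NET or similar) that authenticates the user and passes the SAM account name in, and a log path that is a placeholder. Note the security consequence of the DIY design: if the application pool runs as a service account that holds write-members on the delegated groups, this function, not the AD ACL, is the authorisation boundary, so the check and the log are not optional extras.

```powershell
Import-Module ActiveDirectory

$AuditLog = 'C:\Logs\GroupSelfService.log'   # assumed location for the audit trail

function Get-ManagedGroups {
    # Groups whose managedBy or msExchCoManagedByLink points at the caller.
    # The DN is escaped per RFC 4515 before being placed in the LDAP filter;
    # a clause on an attribute absent from the schema simply matches nothing.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $escaped = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADGroup -LDAPFilter "(|(managedBy=$escaped)(msExchCoManagedByLink=$escaped))"
}

function Write-AuditLine {
    # One tab-separated line per attempted change, denials included
    param([string]$Actor, [string]$Action, [string]$Group, [string]$Target, [string]$Result)
    $line = ((Get-Date).ToString('o'), $Actor, $Action, $Group, $Target, $Result) -join "`t"
    Add-Content -Path $AuditLog -Value $line
}

function Set-ManagedGroupMember {
    param(
        [Parameter(Mandatory)][string]$CallerSam,   # authenticated identity supplied by the web tier
        [Parameter(Mandatory)][string]$GroupSam,    # group's sAMAccountName from the form
        [Parameter(Mandatory)][string]$MemberSam,   # user to add or remove
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action
    )
    # Authorise against the directory on every call; never trust a group list the browser sent back
    $group = Get-ManagedGroups -SamAccountName $CallerSam | Where-Object { $_.SamAccountName -eq $GroupSam }
    if (-not $group) {
        Write-AuditLine $CallerSam $Action $GroupSam $MemberSam 'DENIED'
        throw "$CallerSam is not a designated manager of $GroupSam"
    }
    # Accept user objects only, so a manager cannot nest another group into theirs
    $member = Get-ADUser -Identity $MemberSam
    try {
        if ($Action -eq 'Add') { Add-ADGroupMember -Identity $group -Members $member }
        else { Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false }
        Write-AuditLine $CallerSam $Action $GroupSam $MemberSam 'OK'
    }
    catch {
        Write-AuditLine $CallerSam $Action $GroupSam $MemberSam "FAILED: $($_.Exception.Message)"
        throw
    }
}

# Usage from a web handler (values are placeholders):
# Set-ManagedGroupMember -CallerSam 'jsmith' -GroupSam 'Marketing-Team' -MemberSam 'adoe' -Action Add
```

Everything the article lists as DIY cost is visible here: the log has no viewer, there are no notifications, cross-domain members and contacts are not handled, and the escaping and authorisation logic has to be reviewed by whoever inherits the script.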
Microsoft's built-in answer to self-service group management lives in Entra ID (formerly Azure AD). It allows users to request group membership and group owners to approve requests through the My Groups portal.
Entra ID self-service groups require Azure AD Premium P1 licenses (approximately $6 per user per month), Azure AD Connect or Cloud Sync configured for hybrid identity, and groups that are either cloud-native or synced to Entra ID.
This is the critical point: Entra ID self-service only manages group membership in the cloud directory. Groups synced from on-premises AD are read-only in Entra—membership changes must be made on-premises. If your groups control access to on-prem resources (file shares, printers, applications, VPN), Entra self-service cannot modify them.
Microsoft does offer group writeback (writing cloud group changes back to on-prem AD), but this requires additional configuration, introduces sync delays, and adds complexity that defeats the purpose of a simple self-service solution.
If your organization is already fully invested in Azure AD Premium, your groups primarily control access to cloud resources (Microsoft 365, SaaS apps, Azure resources), and you've migrated or are migrating away from on-prem resource access, Entra self-service is a natural fit. For organizations with significant on-prem infrastructure and no current Azure AD Premium licensing, it's not the right tool for this problem.
Several enterprise vendors offer comprehensive identity governance solutions that include self-service group management as one component of a larger platform.
Cayosoft Administrator provides dynamic group management, self-service enrollment, group certification, and access attestation. It supports both on-prem and hybrid environments with features like automatic membership rules based on user attributes.
Netwrix GroupID (formerly Imanami) focuses on group lifecycle management including automated provisioning, expiration policies, and self-service portals. It supports Active Directory, Entra ID, and Exchange environments.
ManageEngine ADManager Plus is a broad AD management suite covering user provisioning, group management, reporting, and automation. Self-service group management is one feature among dozens.
These platforms excel when you need dynamic group membership based on user attributes, group lifecycle management with expiration and certification, access attestation for regulatory compliance, and integration across on-prem AD, Entra ID, Exchange, and Microsoft 365. They are comprehensive solutions designed for organizations with dedicated identity management teams and complex requirements.
The trade-off is complexity and cost. Enterprise platforms typically involve multi-component server deployments, significant configuration effort, and pricing that starts at several thousand dollars annually and scales with user count. Implementation timelines are measured in weeks or months, not hours. For an organization that simply needs managers to add and remove members from their groups, this level of tooling can be more than what's needed.
If you have 5,000+ users, a dedicated identity or IAM team, regulatory requirements for access certification and attestation, or complex hybrid environments spanning multiple identity stores, enterprise platforms provide capabilities that simpler tools cannot match.
Between DIY scripts and enterprise platforms, there's a category of purpose-built tools designed specifically for self-service group management on on-premises Active Directory.
AD Group Manager Web is one such tool. It's a web application that runs on your IIS server, reads the native managedBy and msExchCoManagedByLink attributes from AD, and provides managers with a browser-based interface to manage their groups. No schema extensions, no cloud dependency, no external database—just a single IIS site pointed at your domain.
IT installs the application on an IIS server (a 15-minute process). Managers open a browser, authenticate via Windows Authentication (Kerberos)—no separate credentials—and see only the groups they're designated to manage. They can search the directory to add members, remove existing members, view member details, and export membership lists. Every action is logged in a complete audit trail with timestamps, and email notifications can be sent to IT, security, or other stakeholders on every change.
Beyond membership changes, it also provides audit logging with filtering and export to PDF and Excel; scheduled activity reports delivered via email on a daily, weekly, or monthly basis; an access request workflow where users can discover groups and request membership with manager approval; time-limited (TTL) memberships that automatically expire; configurable search restrictions and field visibility; and complete UI customization including logos, branding, and multi-language support.
It doesn't manage user provisioning, password resets, or computer objects. It doesn't provide dynamic group rules based on user attributes. It doesn't manage Entra ID or Microsoft 365 groups. It's a focused tool for one specific job: letting managers handle group memberships while IT maintains control. If you need those broader capabilities, an enterprise platform is the right choice.
Try the live demo or start a free 30-day trial with your own AD environment.
Here's how the four approaches compare across the dimensions that matter most for on-premises environments.
| Criteria | PowerShell Scripts | Entra ID Self-Service | Enterprise Platforms | AD Group Manager Web |
|---|---|---|---|---|
| Works with on-prem AD groups | Yes | Read-only (cloud side only) | Yes | Yes |
| Cloud dependency | None | Requires Azure | None (most offer hybrid) | None |
| Self-service web portal | Must build it | My Groups portal | Yes | Yes |
| Audit trail | Must build it | Azure AD logs | Comprehensive | Comprehensive |
| Email notifications | Must build it | Limited | Yes | Yes |
| Approval workflows | Must build it | Yes | Yes | Yes |
| Dynamic group rules | Possible with effort | Yes (cloud groups) | Yes | No |
| Group lifecycle management | No | Expiration policies | Yes | TTL memberships |
| Setup time | Days to weeks | Hours (if Azure is ready) | Weeks to months | 15 minutes |
| Annual cost | Free (plus your time) | ~$6/user/month (P1 license) | $5,000–$50,000+ | $1,295 flat |
| Best for | < 5 groups, one admin | Cloud-first orgs with P1 | 5,000+ users, IAM team | On-prem orgs, 10–1,000+ groups |
The right solution depends on your environment, budget, and requirements. Here's a straightforward decision framework.
Choose PowerShell scripts if you have fewer than five groups to delegate, a technical admin available to build and maintain scripts, no compliance requirements for formal audit trails, and you want to validate the self-service concept before investing in tooling.
Choose Entra ID self-service if your organization already has Azure AD Premium P1 licensing, your groups primarily control access to cloud resources (Microsoft 365, SaaS apps), and you're migrating away from on-prem resource dependencies. Keep in mind that on-prem AD groups remain read-only in Entra.
Choose an enterprise platform if you have 5,000+ users with a dedicated identity or IAM team, you need dynamic group rules that automatically adjust membership based on user attributes, regulatory requirements mandate access certification and attestation cycles, or you need to manage identities across multiple directories and cloud platforms.
Choose AD Group Manager Web if your Active Directory is on-premises and staying that way, you need self-service with audit trails and notifications but not full identity governance, your budget doesn't accommodate enterprise platform licensing, you want something running in production this week rather than this quarter, or data sovereignty requires that nothing leaves your network.
For organizations in healthcare, government, education, or financial services, where data is stored and processed matters. Cloud-based solutions inherently involve data processing outside your infrastructure. Even if Microsoft's compliance certifications cover your regulatory requirements, the operational reality of sending directory queries through Azure introduces a dependency and a data flow that some organizations cannot accept.
A fully on-premises solution means your directory data never leaves your network. Authentication happens against your domain controllers. Audit logs are stored on your server. There are no external API calls, no telemetry, and no third-party sub-processors to evaluate in your security questionnaires. For compliance-heavy environments, this simplifies vendor assessment significantly—most security questionnaire items become "not applicable" when the tool runs entirely within your infrastructure.
Regardless of which approach you choose, the foundation is the same: identify the groups that should be delegated, designate appropriate managers using the managedBy attribute, and start with a small pilot before expanding. For a detailed walkthrough of the delegation process, see our guide on delegating AD group management to department managers.
If you're evaluating a web-based approach for your on-premises environment, AD Group Manager Web offers a free 30-day trial with full functionality. Install it on an IIS server, point it at your domain, and have managers testing self-service within the hour. You can also explore the live demo to see the interface before downloading.