The appsettings.json file is the main configuration file for AD Group Manager Web. It is located in the application’s root folder (the same folder as web.config and adgm.db).
Most day-to-day settings are managed through the admin panel in the browser. The appsettings.json file controls the settings that need to be in place before you can log in — authentication mode, admin users, OU restrictions, and debug logging.
Here is the full default appsettings.json as shipped with AD Group Manager Web:
```json
{
  "ConnectionStrings": {
    "SqliteConnection": "Data Source=adgm.db"
  },
  "AllowedHosts": "*",
  "AppSettings": {
    "InactiveSessionTimeoutInMinutes": "60"
  },
  "Administration": {
    "AdminUsers": [],
    "AdminGroups": [
      "Administrators"
    ]
  },
  "Authentication": "Basic",
  "DebugMode": "False",
  "DebugPath": "logs",
  "AllowedOUs": [],
  "CommonSettings": {
    "ShowAllGroupOwners": true
  }
}
```

| Key | Default | Description |
|---|---|---|
| SqliteConnection | "Data Source=adgm.db" | Path to the SQLite database file. By default, adgm.db is created in the application root folder. You can specify an absolute path if you want to store the database elsewhere, for example "Data Source=D:\\Data\\adgm.db". |

The SQLite database stores application settings, field configurations, audit logs, license data, UI translations, and group access requests. It does not store Active Directory data.
| Key | Default | Description |
|---|---|---|
| Authentication | "Basic" | The authentication mode. Set to "Basic" for AD username/password login (the application shows a login form). Set to "Windows" for Kerberos/Negotiate single sign-on (requires IIS configuration). |

In Basic mode, each user authenticates with their own Active Directory credentials. The application validates these credentials against the configured domain.
In Windows mode, IIS handles authentication transparently — users who are logged into a domain-joined machine are signed in automatically without seeing a login form.
The older value "Anonymous" is automatically normalized to "Basic" on application startup.
| Key | Default | Description |
|---|---|---|
| AdminUsers | [] (empty) | An array of AD sAMAccountName values. Users in this list will have administrator access to the admin panel. Example: ["johndoe", "janesmith"] |
| AdminGroups | ["Administrators"] | An array of AD group names (sAMAccountName). Members of any group in this list will have administrator access. Example: ["IT_Admins", "Helpdesk_Team"] |

You can use AdminUsers, AdminGroups, or both. A user who matches either list gets admin access.
When an admin user logs in, they are redirected to the admin panel (Settings page) instead of the All Groups page. Admin users do not see managed groups — they manage the application configuration only.
| Key | Default | Description |
|---|---|---|
| InactiveSessionTimeoutInMinutes | "60" | How long (in minutes) a user session remains active without activity before the user is automatically logged out. Applies to Basic authentication mode (cookie-based sessions). |

| Key | Default | Description |
|---|---|---|
| AllowedOUs | [] (empty) | An array of OU distinguished names. When populated, only users whose AD accounts are located in one of these OUs can log in. An empty array means no restriction — all domain users can log in. |

Example:
```json
{
  "AllowedOUs": [
    "OU=Office,OU=Users,DC=example,DC=com",
    "OU=IT,OU=Corporate,DC=example,DC=com"
  ]
}
```

Admin users (those in AdminUsers or AdminGroups) bypass OU restrictions and can always log in. OU matching is case-insensitive and checks the user’s full distinguished name.
For more details, see OU Access Control.
| Key | Default | Description |
|---|---|---|
| DebugMode | "False" | Set to "True" to enable detailed debug logging. When enabled, the application writes verbose log files that are useful for troubleshooting. Set back to "False" in production. |
| DebugPath | "logs" | The folder where log files are written. Can be a relative path (relative to the application root) or an absolute path. Example: "C:\\ADGMWeb\\logs" |

When DebugMode is "True", the application writes two log files per day:
- nlog-all-YYYY-MM-DD.log — all log messages including framework logs.
- nlog-own-YYYY-MM-DD.log — application-specific log messages with request URLs and MVC actions.

Make sure the application pool identity has write permission to the log folder. Restart IIS after changing DebugMode.
For more details, see Troubleshooting.
| Key | Default | Description |
|---|---|---|
| ShowAllGroupOwners | true | When true, the group members view displays all group owners (from both managedBy and msExchCoManagedByLink attributes). When false, only the primary managedBy value is shown. |

| Key | Default | Description |
|---|---|---|
| AllowedHosts | "*" | Standard ASP.NET Core host filtering. The default "*" allows requests from any hostname. You can restrict this to specific hostnames if needed (for example, "groups.example.com" to only accept requests for that hostname). |

The following settings are stored in the SQLite database and managed through the admin panel — they are not in appsettings.json:
When you upgrade AD Group Manager Web, the application automatically checks appsettings.json on startup and adds any missing settings with their default values. A backup of the previous file is created before any changes (for example, appsettings.json.backup.20260116120000).
This means you generally don’t need to manually add new settings when upgrading — just keep your existing appsettings.json in place.
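
As an added example (not part of the product or its documentation), the following Python script reviews an appsettings.json against the settings described on this page and lists the ones to look at before go-live. The keys and defaults are the documented ones; the function names, the finding texts, and the rough shape check for OU distinguished names are assumptions made for this example.

```python
import json
import re

# Added example; audit() and looks_like_ou_dn() are illustrative names, not product APIs.
# Defaults as documented on this page; the app adds missing keys with these values.
DEFAULTS = {"Authentication": "Basic", "DebugMode": "False", "DebugPath": "logs",
            "AllowedHosts": "*", "AllowedOUs": [],
            "Administration": {"AdminUsers": [], "AdminGroups": ["Administrators"]}}

def looks_like_ou_dn(dn):
    """Rough shape check (assumption): starts with OU=, ends with DC=, all key=value."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    keys = [p.split("=", 1)[0].upper() if "=" in p else "" for p in parts]
    return bool(keys) and keys[0] == "OU" and keys[-1] == "DC" and all(keys)

def audit(text):
    """Return (key, message) findings for an appsettings.json document."""
    cfg = {**DEFAULTS, **json.loads(text)}
    admin = {**DEFAULTS["Administration"], **cfg["Administration"]}
    findings = []
    auth = cfg["Authentication"]
    if auth == "Anonymous":
        findings.append(("Authentication", 'legacy "Anonymous" is normalized to "Basic" at startup'))
    elif auth not in ("Basic", "Windows"):
        findings.append(("Authentication", f"{auth!r} is not one of the documented values"))
    if str(cfg["DebugMode"]).lower() == "true":
        findings.append(("DebugMode", f"verbose logging is on, writing to {cfg['DebugPath']!r}"))
    if cfg["AllowedHosts"] == "*":
        findings.append(("AllowedHosts", "requests for any hostname are accepted"))
    if not cfg["AllowedOUs"]:
        findings.append(("AllowedOUs", "empty: every domain user can log in"))
    for dn in cfg["AllowedOUs"]:
        if not looks_like_ou_dn(dn):
            findings.append(("AllowedOUs", f"not an OU distinguished name: {dn!r}"))
    if not admin["AdminUsers"] and not admin["AdminGroups"]:
        findings.append(("Administration", "no admin users or groups are listed"))
    return findings

# Constructed sample: debug left on, one OU entry given as a bare name.
SAMPLE = """{
  "Authentication": "Anonymous",
  "DebugMode": "True",
  "AllowedOUs": ["OU=IT,OU=Corporate,DC=example,DC=com", "Office"],
  "Administration": {"AdminUsers": ["johndoe"], "AdminGroups": []}
}"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

Run it again after an upgrade, since the application re-adds missing keys with their default values.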