Answers to common questions about AD Group Manager Web. Can’t find what you’re looking for? Check the Troubleshooting page or contact support.
AD Group Manager Web runs on Windows Server (2016 or later) with IIS and the ASP.NET Core 10 Hosting Bundle. The application uses an embedded SQLite database — no external database server is required. Clients need only a modern web browser. See System Requirements for full details.
No. AD Group Manager Web uses only standard Active Directory attributes (managedBy, msExchCoManagedByLink, member, and standard user/group properties). No schema extensions, custom attributes, or agents are installed on domain controllers.
No. The application runs entirely on-premises on your own Windows Server. It does not require internet connectivity, cloud services, Azure, or Entra ID. All data stays on your infrastructure.
A typical installation takes about 15 minutes: enable IIS, install the .NET Hosting Bundle, run the installer, and configure a few lines in appsettings.json. See the Quick Start Guide.
AD Group Manager Web version 26.x requires .NET 10. Install the ASP.NET Core 10 Hosting Bundle on your server.
The application reads the managedBy and msExchCoManagedByLink attributes on group objects to determine who can manage each group. It uses standard LDAP queries to read and write group membership (the member attribute) and other user/group properties. See How to set up a manager.
Yes. You have several options: set a security group as the managedBy value and add all managers to that group; use the msExchCoManagedByLink attribute to add co-managers; or use nested groups for hierarchical delegation. See Setup Examples for detailed scenarios.
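To review who can manage each group under the delegation model described above, the following added example (not part of the product or its documentation) lists every group with a manager set and expands group-valued managers to their members. It assumes the RSAT ActiveDirectory module, read access to the directory, and that msExchCoManagedByLink exists in your schema; the recursive expansion of nested groups is an assumption about how delegation is resolved and gives an upper bound.

```powershell
# Added example: report the effective managers of every delegated group.
Import-Module ActiveDirectory

function Resolve-Manager {
    param([string]$Dn, [string]$Source)
    $obj = Get-ADObject -Identity $Dn -Properties sAMAccountName
    if ($obj.ObjectClass -eq 'group') {
        # A group used as manager delegates to its members; -Recursive
        # also returns members of nested groups (assumed delegation path).
        Get-ADGroupMember -Identity $Dn -Recursive | ForEach-Object {
            [pscustomobject]@{ Manager = $_.SamAccountName; Via = "$Source -> $($obj.Name)" }
        }
    } else {
        # Contacts have no sAMAccountName, so fall back to the object name.
        $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
        [pscustomobject]@{ Manager = $name; Via = $Source }
    }
}

# Groups that have a primary manager, co-managers, or both.
$groups = Get-ADGroup -LDAPFilter '(|(managedBy=*)(msExchCoManagedByLink=*))' `
    -Properties managedBy, msExchCoManagedByLink

$report = foreach ($g in $groups) {
    $links = @()
    if ($g.managedBy) { $links += @{ Dn = $g.managedBy; Source = 'managedBy' } }
    foreach ($dn in $g.msExchCoManagedByLink) {
        $links += @{ Dn = $dn; Source = 'msExchCoManagedByLink' }
    }
    foreach ($l in $links) {
        Resolve-Manager -Dn $l.Dn -Source $l.Source | ForEach-Object {
            [pscustomobject]@{
                Group    = $g.SamAccountName
                Category = $g.GroupCategory   # Security or Distribution
                Manager  = $_.Manager
                Via      = $_.Via
            }
        }
    }
}

$report | Sort-Object Group, Manager | Format-Table -AutoSize
```

Rows whose Via column names a group are the ones to watch: anyone who can change that group's membership can indirectly grant management rights over the delegated group.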
Both Security groups and Distribution groups are supported, including all scopes (Global, Universal, Domain Local). Administrators can choose to show or hide each group type in the Settings.
Users, groups (nested membership), computers, and contacts can all be added as group members. Administrators can enable or disable each object type individually in Settings.
By default, a manager searching for members to add can find any AD user. Administrators can restrict this through several search and visibility controls: minimum search query length, safe search (wildcard restriction), excluded OUs, and object type filters.
Time-limited (TTL) membership lets managers add members with an automatic expiration. After the specified duration, Active Directory automatically removes the member from the group — no manual action needed. This requires Windows Server 2016+ with domain functional level 2016 or higher. Enable it in Settings.
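To confirm that an expiring membership was actually recorded in Active Directory, the following added example (not part of the product) reads a group's member links together with their remaining time to live. It assumes the RSAT ActiveDirectory module; the function name and the group name in the last line are placeholders.

```powershell
# Added example: show which members of a group carry a TTL and when they expire.
Import-Module ActiveDirectory

function Get-GroupMemberTtl {
    param([Parameter(Mandatory)][string]$Group)

    # -ShowMemberTimeToLive makes AD return expiring links as "<TTL=seconds>,<DN>".
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive

    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Member    = $Matches[2]
                Permanent = $false
                Remaining = [timespan]::FromSeconds($seconds)
                ExpiresAt = (Get-Date).AddSeconds($seconds)
            }
        } else {
            # No TTL prefix: a permanent membership that will not be removed automatically.
            [pscustomobject]@{
                Member    = $m
                Permanent = $true
                Remaining = $null
                ExpiresAt = $null
            }
        }
    }
}

# 'Example-Project-Group' is a placeholder group name.
Get-GroupMemberTtl -Group 'Example-Project-Group' |
    Sort-Object Permanent, ExpiresAt | Format-Table -AutoSize
```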
When enabled, managers can add or remove multiple members at once by entering semicolon-separated usernames (for example, jsmith;jdoe;mwilson). This is useful when onboarding several users together. Enable it in Settings.
When enabled, managers can select multiple groups from the All Groups page and add the same members to all selected groups in a single operation. Enable it in Settings.
Group Discovery lets users browse and search for groups they don’t currently manage and submit access requests. Managers can approve or deny these requests. Administrators configure which groups are discoverable. See Group Discovery.
Yes. Every text element in the application can be customized through the Interface Customization page. Built-in presets are available for French and German, and you can create custom translations for any language.
Exports include exactly the columns that are currently visible in the grid. The administrator controls which columns are available through Fields Configuration, and can disable exports entirely in Settings.
Yes. AD Group Manager Web supports both Basic authentication (AD username/password form) and Windows Authentication (Kerberos SSO). Windows Authentication requires a service account and SPN registration. See Windows Authentication Setup.
The SQLite database (adgm.db) stores application settings, field configurations, audit logs, UI translations, license data, and group access request history. No Active Directory data is cached or replicated — all AD data is queried live from the domain controller.
Yes (when audit logging is enabled). Every member addition, member removal, group property edit, and member property edit is logged with who made the change, when, and what was changed. See Audit Logging.
Yes. Use the AllowedOUs setting in appsettings.json to restrict access to users in specific Organizational Units. Administrator accounts always bypass OU restrictions. See OU Access Control.
Yes. AD Group Manager Web works behind IIS ARR, nginx, and other reverse proxies. Ensure the proxy forwards the correct Host header and doesn’t double-encode URLs. For Windows Authentication behind a proxy, constrained Kerberos delegation must be configured.
Yes. The application manages both Security and Distribution groups. Distribution lists used by Exchange or Microsoft 365 can be managed through AD Group Manager Web like any other AD group.
AD Group Manager Web is the actively developed product with a full feature set: web-based self-service portal, audit logging, email notifications, access request workflows, bulk operations, time-limited memberships, interface translation, and branding customization. The Desktop version is a standalone Windows application with basic group management features. For new deployments, the Web version is recommended.
AD Group Manager Web is $1295/year. See the pricing page for details.
Yes. You can request a free trial from the trial page. The trial includes full access to all features.
Users are redirected to the license registration page and cannot perform any group management operations. All data (settings, logs, configurations) is preserved. Entering a new license key restores access immediately. See License Management.