AD Group Manager Web gives administrators fine-grained control over what data group managers can see and search for. All settings described on this page are configured in the admin panel under Settings.
When a manager adds new members to a group, they search Active Directory by typing a name. By default, the search is permissive — a single character like “a” will return all matching users. You can tighten this with several settings.
Setting: Search query minimum length. Default: 1 character (range: 1–10).
Controls the minimum number of characters a manager must type before the search executes. Setting this to 3 or higher prevents managers from browsing the full directory with short queries like “a” or “ab”.
Setting: Safe search queries (allow only lowercase and uppercase Latin letters, numbers and spaces). Default: Enabled.
When enabled, search queries can only contain Latin letters (a–z, A–Z), numbers (0–9), and spaces. This blocks special characters and LDAP wildcard symbols (like *) that could be used to craft broad queries or exploit LDAP filter injection. It is strongly recommended to keep this enabled.
Setting: Activate Broad Search Matching. Default: Disabled (starts-with matching).
Controls how the search query is matched against AD object names. When disabled, a query only matches names that begin with the typed text; when enabled, matching is broader and returns more results.
Setting: Activate Extended Search. Default: Disabled.
When enabled, the search also checks the description attribute of AD objects, not just the name attribute. This can help managers find users by keywords in their description field, but also exposes more data.
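To show how the four search settings above combine, here is an added Python example (not code from AD Group Manager Web) that applies them to a typed query and produces the name-matching part of an LDAP search filter. The settings dictionary, the function names, the assumption that broad matching means a contains-style match, and the fallback RFC 4515 escaping used when safe search is turned off are all constructed for this illustration.

```python
import re

# Constructed settings model for this example; the keys mirror the admin-panel
# options described above but are not the product's real configuration format.
DEFAULT_SETTINGS = {
    "min_query_length": 1,           # Search query minimum length (1-10)
    "safe_search_queries": True,     # only a-z, A-Z, 0-9 and spaces allowed
    "broad_search_matching": False,  # False = starts-with; True = assumed contains-style match
    "extended_search": False,        # also match the description attribute
}

# Characters permitted when "Safe search queries" is enabled.
SAFE_QUERY_RE = re.compile(r"[A-Za-z0-9 ]+")

# RFC 4515 escaping for LDAP filter values. With safe search enabled none of
# these characters can reach the filter; this is the defence in depth for
# deployments that turn safe search off.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


class QueryRejected(ValueError):
    """Raised when a query violates the configured search restrictions."""


def validate_query(query: str, settings: dict) -> str:
    """Return the trimmed query, or raise QueryRejected."""
    q = query.strip()
    if len(q) < settings["min_query_length"]:
        raise QueryRejected(
            f"query must be at least {settings['min_query_length']} characters")
    if settings["safe_search_queries"] and not SAFE_QUERY_RE.fullmatch(q):
        raise QueryRejected("query may only contain Latin letters, digits and spaces")
    return q


def is_query_allowed(query: str, settings: dict) -> bool:
    """Boolean wrapper around validate_query for callers that do not want exceptions."""
    try:
        validate_query(query, settings)
        return True
    except QueryRejected:
        return False


def escape_ldap_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_name_filter(query: str, settings: dict) -> str:
    """Build the name-matching part of the LDAP search filter."""
    q = escape_ldap_value(validate_query(query, settings))
    # Starts-with puts the wildcard at the end only; broad matching
    # (assumed here to mean "contains") wildcards both ends.
    pattern = f"*{q}*" if settings["broad_search_matching"] else f"{q}*"
    clauses = [f"(name={pattern})"]
    if settings["extended_search"]:
        clauses.append(f"(description={pattern})")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


if __name__ == "__main__":
    hardened = {**DEFAULT_SETTINGS, "min_query_length": 3}
    for q in ["a", "ali", "ali*"]:
        try:
            print(repr(q), "->", build_name_filter(q, hardened))
        except QueryRejected as e:
            print(repr(q), "-> rejected:", e)
```

With the recommended minimum length of 3 and safe search on, "a" is rejected for being too short and "ali*" for containing a wildcard, while "ali" becomes `(name=ali*)`. Escaping is applied regardless, so even with safe search disabled a query such as `a*)` cannot close the filter early.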
These settings control which types of Active Directory objects managers can search for and add as group members.
| Setting | Default | What it controls |
|---|---|---|
| Can add users | Enabled | Allow searching for and adding user accounts |
| Can add computers | Enabled | Allow searching for and adding computer accounts |
| Can add groups | Enabled | Allow searching for and adding groups as members (nested groups) |
| Can add contacts | Enabled | Allow searching for and adding contact objects |
Disabling an object type removes it from the search filter entirely — managers won’t see those objects in search results and can’t add them.
Setting: Exclude these OUs from search results. Default: Empty (no OUs excluded).
Specify one or more Organizational Units whose objects should never appear in the member search results. Separate multiple OUs with semicolons (;).
For example, to hide service accounts and disabled users from search:
```
OU=Service Accounts,DC=example,DC=com;OU=Disabled Users,DC=example,DC=com
```
Objects in these OUs will be completely invisible to managers when searching for new members to add.
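The object-type settings and the excluded-OU list act at different points: the first shapes the LDAP filter, the second decides which returned objects are shown. The following added Python example (not code from AD Group Manager Web) models both; the mapping from each "Can add" setting to an LDAP clause, the setting key names, the DN normalisation and the sample results are constructed for this illustration.

```python
from typing import Optional

# Constructed mapping from the "Can add ..." settings to LDAP clauses. The
# product's actual filter is not documented on this page; these are the usual
# Active Directory clauses for each object type.
OBJECT_TYPE_CLAUSES = {
    "can_add_users": "(&(objectCategory=person)(objectClass=user))",
    "can_add_computers": "(objectClass=computer)",
    "can_add_groups": "(objectClass=group)",
    "can_add_contacts": "(objectClass=contact)",
}


def build_object_type_filter(settings: dict) -> Optional[str]:
    """OR together the enabled object types; None means nothing is searchable."""
    clauses = [clause for key, clause in OBJECT_TYPE_CLAUSES.items()
               if settings.get(key, True)]
    if not clauses:
        return None
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def _norm_dn(dn: str) -> str:
    # DNs are case-insensitive and may carry spaces after commas; normalise
    # both so "ou=staff, dc=example, dc=com" compares equal to the setting.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_excluded_ous(value: str) -> list:
    """Split the semicolon-separated setting into normalised OU DNs."""
    return [_norm_dn(part) for part in value.split(";") if part.strip()]


def in_excluded_ou(distinguished_name: str, excluded: list) -> bool:
    """True if the object sits in (or, by assumption, beneath) an excluded OU."""
    dn = _norm_dn(distinguished_name)
    return any(dn.endswith("," + ou) for ou in excluded)


def filter_results(results: list, excluded: list) -> list:
    """Drop search hits located in an excluded OU before showing them."""
    return [r for r in results
            if not in_excluded_ou(r["distinguishedName"], excluded)]


# Constructed sample search results standing in for what AD would return.
SAMPLE_RESULTS = [
    {"name": "alice", "distinguishedName": "CN=alice,OU=Staff,DC=example,DC=com"},
    {"name": "svc-backup", "distinguishedName": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com"},
    {"name": "bob-old", "distinguishedName": "CN=bob-old,OU=Disabled Users,DC=example,DC=com"},
    {"name": "svc-nested", "distinguishedName": "CN=svc-nested,OU=Tier0,OU=Service Accounts,DC=example,DC=com"},
]

if __name__ == "__main__":
    print(build_object_type_filter({"can_add_computers": False, "can_add_contacts": False}))
    excluded = parse_excluded_ous(
        "OU=Service Accounts,DC=example,DC=com;OU=Disabled Users,DC=example,DC=com")
    print([r["name"] for r in filter_results(SAMPLE_RESULTS, excluded)])
```

The suffix comparison treats child OUs of an excluded OU as excluded as well, which is an assumption of this example; the naive comma split also does not handle RDNs containing escaped commas, so a production implementation should use a proper DN parser.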
These settings control which types of groups managers can see on the All Groups page.
| Setting | Default | What it controls |
|---|---|---|
| Show Security Groups | Enabled | Display security groups in the manager’s group list |
| Show Distribution Groups | Enabled | Display distribution groups (mail-enabled groups) in the manager’s group list |
If you disable one type, groups of that type won’t appear on the All Groups page even if the manager has managedBy rights on them.
Setting: Enforce User Permission Checks. Default: Disabled.
When enabled, the application checks whether the current user actually has the AD-level Write Members permission on the group before allowing them to add or remove members. This is an additional security layer on top of the managedBy-based visibility.
When disabled (default), any manager who can see a group via managedBy can add and remove members. The AD-level permission check is skipped — the application performs the operation using whatever credentials are available (the manager’s own in Basic auth, or the service account in Windows auth).
Enable this setting if you want to enforce that managers must have both managedBy visibility AND explicit AD permissions.
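The two layers described above (managedBy visibility, then the optional AD-level Write Members check) are easy to confuse, so here is an added Python example (not code from AD Group Manager Web) that models the decision in both modes. The `Group` dataclass, its `write_members` field standing in for the group's security descriptor, and the DN values are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the two authorisation layers. In the real application
# the first layer comes from the group's managedBy attribute and the second
# from the Write Members permission on the group; here both are plain fields.
@dataclass
class Group:
    name: str
    managed_by: str                                   # DN held in managedBy
    write_members: set = field(default_factory=set)   # DNs granted Write Members


def _same_dn(a: str, b: str) -> bool:
    return a.strip().lower() == b.strip().lower()


def can_see_group(user_dn: str, group: Group) -> bool:
    """Layer 1: the group is listed for the user only if they are its managedBy."""
    return _same_dn(user_dn, group.managed_by)


def can_change_members(user_dn: str, group: Group, enforce_permission_checks: bool) -> bool:
    """Layer 2: membership changes, with or without the AD permission check."""
    if not can_see_group(user_dn, group):
        return False            # a group the user cannot see is never modifiable
    if not enforce_permission_checks:
        return True             # default: managedBy visibility alone is sufficient
    return any(_same_dn(user_dn, trustee) for trustee in group.write_members)


def decision_reason(user_dn: str, group: Group, enforce_permission_checks: bool) -> str:
    """Human-readable reason suitable for an audit log entry."""
    if not can_see_group(user_dn, group):
        return "denied: not managedBy"
    if not enforce_permission_checks:
        return "allowed: managedBy only (permission checks disabled)"
    if can_change_members(user_dn, group, True):
        return "allowed: managedBy and Write Members"
    return "denied: managedBy but no Write Members permission"


if __name__ == "__main__":
    finance = Group("Finance-Admins",
                    managed_by="CN=alice,OU=Staff,DC=example,DC=com",
                    write_members={"CN=bob,OU=Staff,DC=example,DC=com"})
    alice = "CN=alice,OU=Staff,DC=example,DC=com"
    for enforce in (False, True):
        print(f"enforce={enforce}:", decision_reason(alice, finance, enforce))
```

In the default mode alice can change membership purely because she is the group's managedBy, even though only bob holds Write Members; with enforcement on, the same request is denied. Logging the reason string makes it visible in audit trails which layer allowed a change.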
These settings control whether managers can modify properties of groups and members (beyond just adding/removing members).
| Setting | Default | What it controls |
|---|---|---|
| Allow editing group data | Enabled | Managers can edit group properties (name, description, email, info/notes) for editable fields |
| Allow editing member data | Enabled | Managers can edit member properties (first name, last name, account status, etc.) for editable fields |
Even when editing is enabled, managers can only edit fields that the administrator has marked as editable in the admin panel Fields section. Disabling these settings turns off editing entirely, regardless of field configuration.
| Setting | Default | What it controls |
|---|---|---|
| Allow export to Excel (XLSX) | Enabled | Managers can export group/member data to Excel |
| Allow export to PDF | Enabled | Managers can export group/member data to PDF |
Disable these if you don’t want managers to be able to download AD data as files.
In addition to the settings on this page, you can control exactly which Active Directory attributes are displayed to managers using the Fields section in the admin panel. Each field (for both groups and members) can be set to visible or hidden, and editable or read-only.
This gives you granular control — for example, you can show a manager the member’s department and job title but hide their phone number and email.
For most organizations, a good starting point is:
| Setting | Recommended value | Why |
|---|---|---|
| Minimum search query length | 3 | Prevents single-character directory browsing |
| Safe search queries | Enabled | Blocks wildcard and special character abuse |
| Broad search matching | Disabled | Starts-with is sufficient and returns fewer results |
| Extended search (description) | Disabled | Only enable if managers need to search by description |
| Excluded OUs | Set to service account and disabled user OUs | Hide irrelevant objects from search |
| Object type filters | Disable computers and contacts if not needed | Reduces search noise |
Then fine-tune field visibility to show only the attributes managers need for their job.