These examples show how different Active Directory configurations translate into what each manager sees in AD Group Manager Web. For instructions on how to set these up, see How to set up a manager.
Example 1: Direct and group-based delegation
Active Directory structure
Object type
Name
managedBy
memberOf
Group
Group 1
Manager A
—
Group
Group 2
Manager A
—
Group
Group 3
(not set)
—
Group
Group 4
Manager B
—
Group
Subgroup 1
Group 3
—
Group
Subgroup 2
Group 3
—
User
Manager A
—
Group 3
User
Manager B
—
Group 3
User
Manager C
—
—
What each user sees in AD Group Manager Web
Manager
Managed groups
Why
Manager A
Group 1, Group 2, Subgroup 1, Subgroup 2
Group 1 and Group 2: direct managedBy. Subgroup 1 and Subgroup 2: managed by Group 3, and Manager A is a member of Group 3.
Manager B
Group 4, Subgroup 1, Subgroup 2
Group 4: direct managedBy. Subgroup 1 and Subgroup 2: managed by Group 3, and Manager B is a member of Group 3.
Manager C
(none)
Manager C is not set as a managedBy on any group, and is not a member of any manager group.
Key takeaways from this example:
Manager A sees 4 groups even though they are only directly assigned to 2 — the other 2 come from their membership in Group 3 (which is the manager of Subgroup 1 and Subgroup 2).
Manager B also sees Subgroup 1 and Subgroup 2 through Group 3 membership, in addition to their directly managed Group 4.
Group 3 itself has no manager, so it does not appear in anyone’s list (unless someone is set as its managedBy).
Manager C has no management rights because they are not referenced by any group’s managedBy attribute (directly or through group membership).
Example 2: Single user, multiple groups
Active Directory structure
Object type
Name
managedBy
Group
Sales Team
Alice
Group
Sales Distribution
Alice
Group
Sales Resources
Alice
User
Alice
—
Result
Manager
Managed groups
Alice
Sales Team, Sales Distribution, Sales Resources
Alice is set as the direct managedBy on all three groups, so she sees all three when she logs in. This is the simplest delegation pattern.
Example 3: Team-based delegation with a manager group
Active Directory structure
Object type
Name
managedBy
memberOf
Group
Engineering Access
Eng Leads
—
Group
Engineering DL
Eng Leads
—
Group
Eng Leads
(not set)
—
User
Tom
—
Eng Leads
User
Sarah
—
Eng Leads
Result
Manager
Managed groups
Why
Tom
Engineering Access, Engineering DL
Member of Eng Leads, which is the managedBy on both groups.
Sarah
Engineering Access, Engineering DL
Same reason — member of the same manager group.
When a new engineering lead joins, you add them to the “Eng Leads” group — no need to update managedBy on individual groups.
Example 4: Using msExchCoManagedByLink for co-managers
Active Directory structure
Object type
Name
managedBy
msExchCoManagedByLink
Group
Finance Team
David
Lisa
User
David
—
—
User
Lisa
—
—
Result
Manager
Managed groups
Why
David
Finance Team
Direct managedBy.
Lisa
Finance Team
Listed in msExchCoManagedByLink.
Both David and Lisa can manage the Finance Team. This is useful when a single group needs multiple individual managers without creating a separate manager group.
Example 5: Nested group inheritance
Active Directory structure
Object type
Name
managedBy
memberOf
Group
Shared Resources
Regional Managers
—
Group
Regional Managers
(not set)
—
Group
EMEA Team
(not set)
Regional Managers
User
Hans
—
EMEA Team
Result
Manager
Managed groups
Why
Hans
Shared Resources
Hans → member of EMEA Team → member of Regional Managers → managedBy on Shared Resources. Two levels of nesting.
AD Group Manager Web follows the chain of group memberships to find all groups a user can manage, regardless of nesting depth.
Troubleshooting: group doesn’t appear
If a manager doesn’t see an expected group, check these common causes:
The managedBy attribute is not set on the group, or is set to a different user/group.
The manager is not a member of the manager group (check membership, including nested groups).
The group is in an excluded OU configured in the admin Settings.