AD Group Manager Web determines who can manage which groups by reading two standard Active Directory attributes: managedBy and msExchCoManagedByLink. This page explains how to configure these attributes and how the application resolves management rights.
This is the most common method. Open Active Directory Administrative Center (ADAC), find the group you want to delegate, and open its properties.
In the Managed By field, select the user or group who should manage this group.
If you want the manager to be able to add and remove members, also check Manager can update membership list in ADUC (this grants the Write Members permission on the group object). In ADAC, this option is under the Extensions → Security tab.
You can also use ADUC (Active Directory Users and Computers):
For bulk operations or scripting, use PowerShell:
# Set a single user as manager
Set-ADGroup "GroupName" -ManagedBy "CN=John Doe,OU=Users,DC=example,DC=com"
# Set a group as manager (enables team-based delegation)
Set-ADGroup "ProjectAccess" -ManagedBy "CN=ProjectLeads,OU=Groups,DC=example,DC=com"
To also grant the Write Members permission:
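# The AD: drive used by Get-Acl/Set-Acl is provided by the ActiveDirectory module
Import-Module ActiveDirectory
$group = Get-ADGroup "GroupName"
$manager = Get-ADUser "johndoe"
# Read the current ACL of the group object
$acl = Get-Acl "AD:\$($group.DistinguishedName)"
$identity = [System.Security.Principal.SecurityIdentifier]$manager.SID
# Allow the manager to write only the member attribute
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, "WriteProperty", "Allow",
    [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2" # member attribute GUID
)
$acl.AddAccessRule($rule)
# Write the updated ACL back to the group object
Set-Acl "AD:\$($group.DistinguishedName)" $acl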
The managedBy attribute only holds a single value. If you need multiple managers for the same group, use the msExchCoManagedByLink attribute. This is a multi-valued attribute originally from Exchange that AD Group Manager Web also reads.
# Add a co-manager
Set-ADGroup "GroupName" -Add @{msExchCoManagedByLink="CN=Jane Smith,OU=Users,DC=example,DC=com"}
# Add multiple co-managers
Set-ADGroup "GroupName" -Add @{msExchCoManagedByLink=@(
    "CN=Jane Smith,OU=Users,DC=example,DC=com",
    "CN=Bob Wilson,OU=Users,DC=example,DC=com"
)}
Note: the msExchCoManagedByLink attribute is available in AD environments that have had the Exchange schema extension applied. If your environment has never had Exchange, this attribute may not exist in your schema. In that case, use the group-as-manager method described below instead.
AD Group Manager Web finds managed groups using three methods. All three work with both managedBy and msExchCoManagedByLink.
UserA is set directly as the managedBy (or msExchCoManagedByLink) value on GroupA. When UserA logs in, they see GroupA.
UserA is a member of GroupB. GroupB is set as the managedBy value on GroupA. When UserA logs in, they see GroupA — because they are a member of the manager group.
This is the recommended approach for team-based delegation: create a “managers” security group, add all team leads to it, and set that group as the managedBy on the target groups.
UserA is a member of GroupC. GroupC is a member of GroupB. GroupB is set as the managedBy value on GroupA. UserA inherits management rights through the chain of nested group memberships.
The managedBy and msExchCoManagedByLink values can reference:
This gives you flexible delegation options: assign individual managers, delegate to a whole team via a group, or build hierarchical management structures through nesting.
Single manager per group — set the department head as the managedBy on each of their groups. Simple and easy to understand.
Team-based delegation — create a security group (for example, HR_GroupManagers) and add all HR managers to it. Set this group as the managedBy on all HR-related groups. When a new HR manager joins, just add them to HR_GroupManagers.
Hierarchical delegation — nest manager groups. For example, Regional_Managers is a member of All_Managers. Groups managed by All_Managers are accessible to both regional and central managers.
Co-manager setup — set the primary manager via managedBy and add additional managers via msExchCoManagedByLink. Or set a group as the manager and add all co-managers to that group.
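To review who ends up with management rights once group and nested-group resolution is taken into account, the following added example (not code from AD Group Manager Web) lists the effective managers of a group. The function name Get-EffectiveGroupManager and the output columns are assumptions; it reports attribute-based resolution only and does not inspect the Write Members ACL.

```powershell
Import-Module ActiveDirectory

function Get-EffectiveGroupManager {   # hypothetical helper, not part of the product
    param([Parameter(Mandatory)][string]$GroupName)

    # Read msExchCoManagedByLink only if the Exchange schema extension defines it.
    $attrs  = @('managedBy')
    $schema = (Get-ADRootDSE).schemaNamingContext
    if (Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=msExchCoManagedByLink)') {
        $attrs += 'msExchCoManagedByLink'
    }

    $group = Get-ADGroup -Identity $GroupName -Properties $attrs
    foreach ($attr in $attrs) {
        foreach ($dn in @($group.$attr)) {
            if (-not $dn) { continue }                      # attribute not set
            $principal = Get-ADObject -Identity $dn         # returns ObjectClass by default
            if ($principal.ObjectClass -eq 'group') {
                # Manager is a group: -Recursive expands direct and nested members.
                Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                    [pscustomobject]@{
                        Group     = $group.Name
                        Attribute = $attr
                        Manager   = $_.SamAccountName
                        Via       = $principal.Name
                    }
                }
            }
            else {
                [pscustomobject]@{
                    Group     = $group.Name
                    Attribute = $attr
                    Manager   = $principal.Name
                    Via       = '(direct)'
                }
            }
        }
    }
}

# Report every group that has managedBy set and who ends up managing it.
Get-ADGroup -LDAPFilter '(managedBy=*)' |
    ForEach-Object { Get-EffectiveGroupManager -GroupName $_.SamAccountName } |
    Sort-Object Group, Manager | Format-Table -AutoSize
```

Rows whose Via column names a group show rights that change whenever that group's membership, or the membership of any group nested in it, changes.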
After configuring managedBy, log in to AD Group Manager Web as the manager and verify that the expected groups appear on the All Groups page.
If a group does not appear, check:
managedBy or msExchCoManagedByLink attribute is correctly set on the group.
For more examples showing AD structures and expected results, see Setup Examples.