If you run into problems, this page covers the most common issues and their solutions. If your issue isn’t listed here, contact support and include a log file to help us resolve the problem quickly.
Enabling debug logging
Debug logs are the most useful tool for diagnosing problems. To enable them:
Open appsettings.json in the application root folder.
Set DebugMode to "True" and optionally change the DebugPath:
{"DebugMode":"True","DebugPath":"logs"}
Restart IIS (iisreset) or recycle the application pool.
Reproduce the issue.
Check the log folder for two files per day:
nlog-all-YYYY-MM-DD.log — all messages including framework logs.
nlog-own-YYYY-MM-DD.log — application-specific messages with request URLs and actions.
The DebugPath can be relative (for example, "logs" creates a folder in the application root) or absolute (for example, "C:\\ADGMWeb\\logs"). Make sure the application pool identity has write permission to this folder.
Remember to set DebugMode back to "False" after troubleshooting to avoid filling up disk space with verbose logs.
Installation issues
HTTP 500.19 error (error code 0x8000000d)
Cause: The ASP.NET Core Hosting Bundle is not installed or not the correct version.
Solution: Download and install the ASP.NET Core 10 Hosting Bundle from Microsoft. After installation, restart IIS by running iisreset from an elevated command prompt, or restart the server.
Application won’t start or shows a blank page
Check the .NET version: AD Group Manager Web version 26.x requires .NET 10. Verify your installed version by opening an elevated command prompt and running:
Ensure the Application Pool is configured correctly:
Open IIS Manager and click Application Pools.
Find the pool used by AD Group Manager Web and open Advanced Settings.
Verify:
.NET CLR Version — set to No Managed Code (ASP.NET Core runs out-of-process).
Enable 32-bit applications — set to False.
Identity — set to an account with appropriate AD and file system permissions.
Permission issues
The application pool identity needs:
Read/write access to the application directory (for the SQLite database adgm.db and log files).
Read access to Active Directory user, group, computer, and contact objects.
Write Members permission on AD groups (for adding/removing members — required for Windows Authentication; for Basic auth, the logged-in user’s own permissions are used).
web.config issues
If you see HTTP 500 errors or modules not loading, verify that web.config contains the ASP.NET Core module handler. The Hosting Bundle installer normally creates this automatically. If it’s missing or corrupt, reinstalling the Hosting Bundle and restarting IIS usually fixes it.
Authentication issues
Basic authentication: “Invalid credentials” or “Access denied”
Verify the username is in sAMAccountName format (for example, jsmith), not UPN format (jsmith@domain.com).
Verify the domain name on the login form is correct. Check the default domain in the admin panel Settings.
If AllowedOUs is configured in appsettings.json, verify the user’s AD account is in one of the allowed OUs.
Enable debug logging and check for specific LDAP error messages.
Windows Authentication: 401 Unauthorized
Verify in IIS Manager that Anonymous Authentication is Disabled and Windows Authentication is Enabled for the site.
Check that Kernel-mode authentication is enabled in IIS (Windows Authentication → Advanced Settings).
Verify the SPN is registered correctly: run setspn -L domain\serviceaccount and check the output includes HTTP/your-server-hostname.
Verify the Application Pool identity is set to the service account (not the default ApplicationPoolIdentity).
Run iisreset after making any IIS authentication changes.
Windows Authentication: browser prompts for credentials
If the browser shows a login dialog instead of signing in automatically:
The site URL may not be in the browser’s Local intranet zone. In Internet Explorer/Edge settings, add the site URL to the Local intranet zone.
The SPN may be missing or incorrect — verify with setspn -L.
If accessing by IP address instead of hostname, Kerberos will not work. Use the hostname (FQDN) that matches the SPN.
Group visibility issues
Manager doesn’t see any groups
Verify the managedBy attribute is set on at least one group, pointing to the user or a group the user belongs to. See How to set up a manager.
Check if the groups are in an excluded OU (admin panel Settings → “Exclude these OUs from search results”).
Check if the group type is hidden — if Show Security Groups or Show Distribution Groups is disabled in Settings, those groups won’t appear.
If using group-based delegation (a group is the managedBy value), verify the user is actually a member of that manager group.
Enable debug logging and look for the LDAP query filter — it shows exactly which groups the application is searching for.
Groups appear for the wrong manager
Check the managedBy and msExchCoManagedByLink attributes on the group. These determine who can see and manage it.
Remember that group membership is inherited through nesting. If a user is a member of Group A, and Group A is a member of Group B, and Group B is the managedBy on Group C, the user will see Group C.
Member search issues
“Nothing was found” when searching for members
The minimum search query length may require more characters than you typed (check Settings).
If Safe Search is enabled, only Latin letters, numbers, and spaces are allowed — special characters will be rejected.
The member may be in an excluded OU (Settings → “Exclude these OUs from search results”).
The object type may be disabled — for example, if Can add computers is off, computer objects won’t appear in results.
If using starts-with matching (default), the query must match the beginning of the name. Try enabling Broad Search Matching if you need contains-matching.
“Illegal symbols are used” error
Safe Search is enabled and the search query contains characters other than Latin letters, numbers, and spaces. This blocks wildcard symbols and special characters by design.
Member operation issues
“Failed to add members” or “Access denied”
If Enforce User Permission Checks is enabled in Settings, the user needs explicit AD-level Write Members permission on the group. This is separate from managedBy visibility.
For Windows Authentication: verify the service account has Write Members permission on the target group or its OU.
For Basic Authentication: the logged-in user’s own AD permissions are used — verify they have sufficient rights.
“Time-limited membership feature is not enabled”
Enable Time-Limited Group Membership in the admin panel Settings. This feature also requires Windows Server 2016 or later with a domain functional level of 2016 or higher.
Members reappear after removal
The member may be a member of a nested group that is also in the target group. Direct removal only removes the member’s direct membership — nested group membership is unaffected.
Notification issues
Email notifications are not being sent
Verify SMTP settings in the admin panel Notifications page: server address, port, SSL, authentication credentials.
Check that Instant Notifications are enabled and at least one notification type is checked.
Verify that recipient email addresses are configured (To and/or CC).
Check debug logs for email-related error messages.
Test SMTP connectivity from the server by sending a test email using PowerShell or telnet.
Scheduled reports are not being sent
Verify scheduled reports are enabled in the Notifications page.
Check the “Last Execution Time” and “Next Execution Time” fields to see if the scheduler is running.
Click Run Task Now to test immediately.
Check debug logs for scheduler-related errors.
Performance issues
Slow loading with large directories
Increase the minimum search query length to 3 or more to prevent broad queries.
Exclude large OUs that are not relevant (for example, OUs with thousands of service accounts or disabled users).
For Group Discovery, set a maximum results limit and enable require search terms.
Special characters in names
AD Group Manager Web handles special characters (commas, slashes, quotes, etc.) in group and member distinguished names. If you encounter errors with groups or members whose names contain special characters:
Verify you are running the latest version (special character handling has been improved in several releases).
Enable debug logging and check for LDAP query errors — the log shows the exact DN and any escaping issues.
IIS reverse proxy
If running AD Group Manager Web behind a reverse proxy (for example, IIS ARR, nginx, or a load balancer):
Ensure the proxy forwards the correct Host header to the backend.
For Windows Authentication behind a proxy, Kerberos delegation must be configured (constrained delegation on the service account).
If member operations fail with “Cannot find group” errors, check that the proxy correctly passes URL-encoded characters without double-encoding.
Database issues
The application uses a local SQLite database (adgm.db) in the application root folder. If the database becomes corrupt or inaccessible:
Verify the application pool identity has read/write permissions on the file.
If the file is locked, recycle the application pool or restart IIS.
Restore from a backup if the file is corrupt (the Upgrade Guide recommends backing up adgm.db before upgrades).