Self Service for AD Connect Synchronized Distribution Groups

There's not really any magic here - as long as the DLs are in the scope of AADC, you can manage them through the Web UI like you would any other group.  AADC will propagate the locally made changes to your tenant.

I assume you currently have ActiveRoles managing your current on-prem Exchange org - if this is the design you are going to continue with (i.e. Msft Hybrid mode), then really there's nothing you need to do from the DL side of things.

I'm just trying to understand 'what' I need to do to accomplish the goal here.  Getting users to admin their groups.  I know we have templates and all that but I don't see anything that helps me.  At least.  I'm not sure.

So starting with the which interface to use.  There are three and from the descriptions I'm figuring I need users to use either ARWebHelpDesk or ARWebSelfService.  ARWebSelfService seems geared toward modifying the personal account information.  If users are to admin groups would they use ARWebHelpDesk?

As far as managing groups I'm not sure which templates to use.  There are a few under User Self Management.  I'm thinking Self - Group Management is the right template.  Other than that are there any I need?

Maybe some tips on anything else I might need to think about in this scenario. 

Your question is a more fundamental one.

WI to use:  ARWebAdmin

Access Templates (ATs):

(depends on how many privileges you want to delegate)

 Configuration | Access Templates | Active Directory | Groups - Modify All Properties

OR

Configuration | Access Templates | Active Directory | Advanced | Groups -  Read/Write Group Members

AND

...you could also selectively allow

Configuration | Access Templates | Active Directory | Advanced | Groups - Create

AND/OR

Configuration | Access Templates | Active Directory | Advanced | Groups - Delete

Create some corresponding native AD security groups to use as Trustees for your delegation - example:

ARS - Groups Modify 

ARS - Groups Manage Members

ARS - Groups Create

ARS - Groups Delete

...and then link the these in combination with the ATs I mentioned to whatever OU(s) hold your groups

That's how you do delegation.

Hope that helps.

Yes I know this.  That is why I mentioned the templates and which templates and so on.  I'm trying to ensure I have the right recipe in mind as I work this out.

To test things out I made a test account and assigned it the "Self - Group Management" template.  I have a group in the OU I delegated the permissions to.  The group shows now in the Helpdesk interface.  I'll have to experiment more.

I'm wondering if this support applies to something you may be trying to accomplish? Add someone to ManagedBy or Secondary Owners and then they can manage those groups.

support.oneidentity.com/.../how-to-add-my-managed-resources-to-self-administration-web-interface

Let me give that a try.  It sure appears to be what I was looking for.  It at least points me to what I 'wanted' to do.  I thought having users go to the Helpdesk interface was too much.

The instructions are awful and don't seem to mesh with what I'm seeing.  I can't find what they're talking about.  Screenshots would be helpful.  Ugh.

Hi David,

Could I get some more details to where you're having trouble with the steps provided in the article?

Interface between the screen and the my brain. 

I got it working.  I'm new to where the links are and how things work.  At first I was trying to verify the query ahead of time but I don't know the query URL's well yet.  So my fault.

heh Understood. Though you're not wrong that screen shots would be helpful. I'll see about throwing some on there.

One thing to note about the managed resources is when you're viewing the list, there's a checkbox at the bottom to include secondary ownership (or something along those lines). It's been asked many times about having that checked off by default but that hasn't come to fruition yet so you'll want to instruct your users/admins that it exists and they'll need to check it off manually when viewing that list.

heh Understood. Though you're not wrong that screen shots would be helpful. I'll see about throwing some on there.

One thing to note about the managed resources is when you're viewing the list, there's a checkbox at the bottom to include secondary ownership (or something along those lines). It's been asked many times about having that checked off by default but that hasn't come to fruition yet so you'll want to instruct your users/admins that it exists and they'll need to check it off manually when viewing that list.