"net rpc group addmem/delmem" ignores the "managedBy" group attribute. Typically, the AD ACL group has the following attributes: cn description distinguishedName dSCorePropagationData gidNumber groupType info instanceType managedBy member name objectCategory objectClass objectGUID objectSid sAMAccountName sAMAccountType uSNChanged uSNCreated whenChanged whenCreated The “managedBy“ attribute refers to another ACL group that can manage this group (i.e. add/remove users). It looks like "net rpc group addmem/delmem" only makes an LDAP modify request to the AD, so unless you have LDAP write access (e.g. Domain Admin) you won’t be able to modify the group. In other words, it ignores the special “managedBy” attribute. Thanks, -- Abraham