When you grant permissions to owners of the groups, you grant the permissions for the group object itself. That is, you can grant the right to read or write the properties of the group, etc. To be able to view group members, you need to grant the permissions to read the objects that represent the group members in AD. For example, if you want to grant permissions to view users that are members of the groups, you need to grant permissions to view user accounts.
By default, the permission to view all objects is granted by the Security Role called Domain User. It is assigned to Authenticated Users over All Objects, which means that everyone can view everything. If you don't want to grant everyone the permission to view everything, you can grant each group owner the permissions to view only the objects that are members of the group they own. To do this, you need to modify the assignments of the Domain User Role:
1. Launch Adaxes Administration Console.
2. Expand the service node that represents your service.
3. Navigate to and select the Domain User Security Role.
4. Right-click the default assignment of the Role and click Delete.
5. Right-click in the Assignments list and click Add Assignment.
6. Double-click a user or group that is the owner of another group.
7. Double-click a group that the user or group owns.
8. In the Assignment Options dialog, select Members of this group.
9. Click OK two times.
10. Repeat steps 5-9 for as many group owners as you need and save the Security Role.