Posted on December 28, 2016 · Posted in Active Directory, Windows Server 2016

Temporary Membership in Active Directory Groups

The version of Active Directory shipped with Windows Server 2016 brings a number of interesting changes. Today we'll look at the ability to give users temporary membership in Active Directory groups. This feature is useful when you need to grant a user specific privileges, based on membership in an AD security group, for a limited period of time, and have those rights removed automatically (without administrator involvement) once the period expires.

Temporary group membership is implemented using a new Windows Server 2016 optional feature called Privileged Access Management Feature (PAM). As with the AD Recycle Bin, PAM cannot be disabled once it has been activated.

You can check whether PAM is enabled in the current forest using the following PowerShell command:

Get-ADOptionalFeature -filter *

We need the value of the EnabledScopes property. In our example it is empty, which means that Privileged Access Management Feature is not enabled for this forest.

To activate it, use the Enable-ADOptionalFeature cmdlet and specify your domain name as the -Target argument:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target


After PAM has been activated, you can add a user to an AD group using a special argument of the Add-ADGroupMember cmdlet, MemberTimeToLive. First, use the New-TimeSpan cmdlet to define the time period (TTL) during which the user will hold the membership. Say we want to add the user test1 to the Domain Admins group for 5 minutes:

$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members test1 -MemberTimeToLive $ttl

You can check how much longer a user will remain a group member using the Get-ADGroup cmdlet:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive


In the command output you can see an entry like <TTL=246,CN=test1,CN=Users,DC=Contoso,DC=com> among the group members. It means that the user test1 will remain a member of the Domain Admins group for another 246 seconds, after which he will be removed from the group automatically. The user's Kerberos ticket expires at the same time: the KDC issues the ticket with a lifetime equal to the smallest remaining TTL among the user's temporary group memberships, so the elevated group SID is never carried in a ticket beyond the membership period.
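The following script is an added example and is not part of the original post. It wraps the commands above into two helpers: one that refuses to grant a time-limited membership unless PAM is actually enabled, and one that parses the <TTL=seconds,DN> entries returned by Get-ADGroup so an administrator can audit who currently holds temporary membership in a group and when it expires. It assumes the ActiveDirectory PowerShell module is available and that the group and user names (Domain Admins, test1) exist in your forest.

```powershell
# Added example (not from the original post): grant a time-limited membership and
# audit the remaining TTL of every temporary member of a group.
# Assumes the ActiveDirectory module and an existing user 'test1' (placeholder name).
Import-Module ActiveDirectory

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [int]$Minutes = 5
    )
    # Without PAM, -MemberTimeToLive silently results in a permanent membership,
    # so check EnabledScopes on the optional feature before granting anything.
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $pam.EnabledScopes) {
        throw "Privileged Access Management Feature is not enabled in this forest."
    }
    $ttl = New-TimeSpan -Minutes $Minutes
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $ttl
}

function Get-TemporaryGroupMembers {
    param([Parameter(Mandatory)][string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        # Temporary members come back as <TTL=<seconds>,<DN>>; permanent ones as a plain DN.
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Group            = $Group
                MemberDN         = $Matches[2]
                SecondsRemaining = $seconds
                ExpiresAt        = (Get-Date).AddSeconds($seconds)
            }
        }
    }
}

# Usage: grant test1 five minutes in Domain Admins, then list all temporary members.
Grant-TemporaryGroupMembership -Group 'Domain Admins' -Member 'test1' -Minutes 5
Get-TemporaryGroupMembers -Group 'Domain Admins' | Format-Table -AutoSize
```

Running Get-TemporaryGroupMembers on a schedule gives a simple way to review which accounts currently hold time-limited privileged membership and to alert on TTLs longer than your policy allows.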

Previously, to implement temporary AD group membership you had to resort to dynamic objects, custom scripts, or fairly complex products such as Microsoft Forefront Identity Manager. In Windows Server 2016 this convenient feature is available out of the box.
