December 28, 2016 | Active Directory, Windows Server 2016

Temporary Membership in Active Directory Groups

The version of Active Directory in Windows Server 2016 brings a number of interesting changes. In this article we look at the ability to give users temporary membership in Active Directory groups. The feature is useful when you need to grant a user specific privileges, based on membership in an AD security group, for a limited period of time and then have those rights removed automatically once the period ends, without any action by an administrator.

Temporary group membership is implemented using a new Windows Server 2016 optional feature called Privileged Access Management Feature (PAM). As with the AD Recycle Bin, you cannot disable PAM after it has been enabled.

You can check whether PAM is enabled in the current forest with the following PowerShell command:

Get-ADOptionalFeature -filter *

Look at the EnabledScopes property. In our example it is empty, which means that the Privileged Access Management Feature is not enabled in this forest.

To enable it, use the Enable-ADOptionalFeature cmdlet and pass your domain name as the target:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target contoso.com

After PAM has been enabled, you can add a user to an AD group with the new MemberTimeToLive parameter of the Add-ADGroupMember cmdlet. First, define the time period (TTL) during which the user will hold the membership with the New-TimeSpan cmdlet. For example, to add the user test1 to the Domain Admins group for 5 minutes:

$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members test1 -MemberTimeToLive $ttl

You can check how much longer a user will remain a group member with the Get-ADGroup cmdlet and its ShowMemberTimeToLive switch:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive

In the output, a temporary member is listed as an entry like <TTL=246.CN=test1,CN=Users,DC=Contoso,DC=com>, meaning that user test1 will remain a member of the Domain Admins group for another 246 seconds. After that, the user is removed from the group automatically. The user's Kerberos ticket expires at the same time: the KDC issues the ticket with a lifetime equal to the smallest remaining TTL among the user's temporary group memberships, so a new ticket obtained after expiry no longer carries the group. Note that, as with any group removal, an access token already built for an existing logon session is not revoked; the change takes effect through ticket expiry and the next logon.
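As an added example (not code from the original post), the following PowerShell function wraps the Get-ADGroup -ShowMemberTimeToLive check described above and turns the raw member list of a privileged group into objects that show which memberships are temporary and how many seconds they have left, which is what a reviewer of Domain Admins membership would actually want to see. It assumes the ActiveDirectory module, an enabled PAM feature, and placeholder group and user names; the regex accepts both a comma and a period between the TTL value and the DN, since the separator shown in the article's output is a period.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module and that the Privileged Access Management Feature is already enabled.
Import-Module ActiveDirectory

function Get-GroupMembershipTtl {
    param(
        [Parameter(Mandatory)][string]$GroupName
    )
    # -ShowMemberTimeToLive lists TTL-linked members as "<TTL=<seconds><sep><DN>>"
    # and permanent members as a plain distinguished name.
    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($entry in $group.member) {
        # Assumption: separator after the TTL value may be "," or "." (see article output).
        if ($entry -match '^<TTL=(\d+)[,.](.+)>$') {
            [pscustomobject]@{
                Group            = $GroupName
                Member           = $Matches[2]
                Temporary        = $true
                SecondsRemaining = [int]$Matches[1]
            }
        } else {
            [pscustomobject]@{
                Group            = $GroupName
                Member           = $entry
                Temporary        = $false
                SecondsRemaining = $null
            }
        }
    }
}

# Placeholder values: grant a 30-minute membership, then review the whole group.
$ttl = New-TimeSpan -Minutes 30
Add-ADGroupMember -Identity 'Domain Admins' -Members 'test1' -MemberTimeToLive $ttl

Get-GroupMembershipTtl -GroupName 'Domain Admins' |
    Sort-Object Temporary, SecondsRemaining |
    Format-Table -AutoSize

# Permanent members of a privileged group are the ones that deserve a regular review.
Get-GroupMembershipTtl -GroupName 'Domain Admins' |
    Where-Object { -not $_.Temporary } |
    Select-Object -ExpandProperty Member
```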

Previously, implementing temporary AD group membership required dynamic objects, custom scripts or fairly complex systems (Microsoft Forefront Identity Manager, etc.). In Windows Server 2016 this convenient feature is available out of the box.
