
March 15, 2024

Time-Based (Temporary) Group Membership in Active Directory

The version of Active Directory in Windows Server 2016 introduces an interesting feature that allows you to temporarily add a user to an AD security group. This feature is called Temporary Group Membership (Time Based). This feature can be used when you need to temporarily grant a user some authority based on AD security group membership. After the specified time has elapsed, the user will be automatically removed from the security group (without administrator intervention).

To use the Temporary Group Membership, you need to enable the Privileged Access Management Feature in your Active Directory forest. Like with AD Recycle Bin (which allows you to recover deleted objects), you cannot disable PAM after it has been enabled.

Make sure your AD forest is running at Windows Server 2016 forest function level (or higher):

(Get-ADForest).ForestMode

Check if the Privileged Access Management feature is enabled in the current forest using the command from the AD PowerShell module:

Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"


We need the value of the EnabledScopes property. It is empty in our example, which means that the Privileged Access Management Feature is not enabled for this forest.

To activate it, use Enable-ADOptionalFeature command, and specify your forest name as one of the arguments:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target contoso.com


If the error “Enable-ADOptionalFeature: The SMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner” appears when running the command, check the status of the domain controllers and AD replication, and the availability of FSMO role owners. Manually force AD replication.

Run the command Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'" | select EnabledScopes and check that the EnabledScopes field is no longer empty.
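The prerequisite checks and the activation step above, combined into one script. This is an added example, not code from the original post; the forest name contoso.com is a placeholder. Because PAM cannot be disabled once enabled, the script only calls Enable-ADOptionalFeature when EnabledScopes is empty and asks for confirmation first.

```powershell
# Added example: verify forest mode and PAM state, enable PAM only if needed.
$ForestName = 'contoso.com'   # placeholder, replace with your forest

$forest   = Get-ADForest -Identity $ForestName
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); Windows2016Forest or higher is required."
}

$pam = Get-ADOptionalFeature -Filter "name -eq 'privileged access management feature'"
if ($pam.EnabledScopes.Count -gt 0) {
    Write-Host "PAM is already enabled for: $($pam.EnabledScopes -join ', ')"
} else {
    # Enabling PAM is irreversible, so prompt the operator before doing it
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $ForestName -Confirm

    # Re-read the feature and make sure the scope list is now populated
    $pam = Get-ADOptionalFeature -Filter "name -eq 'privileged access management feature'"
    if ($pam.EnabledScopes.Count -eq 0) {
        throw 'PAM was not enabled. Check AD replication and FSMO role owner availability.'
    }
    Write-Host "PAM enabled for: $($pam.EnabledScopes -join ', ')"
}
```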

To temporarily add a user to an AD group, you need to use PowerShell cmdlets. Temporarily adding to a security group from the ADUC graphical snap-in (dsa.msc) is not supported.

After PAM has been enabled, you can add a user to an AD group with the MemberTimeToLive parameter of the Add-ADGroupMember cmdlet. It is convenient to set the time interval (TTL) using the New-TimeSpan cmdlet. Let’s say you want to add the user test1 to the Domain Admins group for 5 minutes:

$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members test1 -MemberTimeToLive $ttl

It is not recommended to use temporary group membership to provide temporary access to privileged domain groups (Enterprise admins, Domain admins, etc.). Typically Temporary Group Membership is used to grant access to resource groups. To grant administrative permissions, you must use Active Directory delegation or PowerShell Just Enough Administration (JEA).

You can check how much time a user will remain a group member using the Get-ADGroup cmdlet:

Get-ADGroup 'Domain Admins' -Properties member -ShowMemberTimeToLive


In the command results, you can see an entry like <TTL=187,CN=test1,CN=Users,DC=woshub,DC=loc> among the group members. The TTL value is displayed in seconds. This means that this user has been added to the Domain Admins group temporarily and will be automatically removed from the group after 187 seconds.
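A small reporting function that parses these <TTL=...,DN> member entries, so you can watch the privileged groups for temporary members and when each membership expires. This is an added example, not code from the original post; the function name Get-TemporaryGroupMember is made up here.

```powershell
# Added example: list members of a group with their remaining TTL, parsed from
# the "<TTL=187,CN=test1,...>" strings that -ShowMemberTimeToLive returns.
function Get-TemporaryGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    $now   = Get-Date

    foreach ($entry in $group.member) {
        # Temporary members look like <TTL=187,CN=test1,CN=Users,DC=woshub,DC=loc>;
        # permanent members are plain distinguished names.
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Group            = $group.Name
                MemberDN         = $Matches[2]
                Temporary        = $true
                SecondsRemaining = $seconds
                ExpiresAt        = $now.AddSeconds($seconds)
            }
        } else {
            [pscustomobject]@{
                Group            = $group.Name
                MemberDN         = $entry
                Temporary        = $false
                SecondsRemaining = $null
                ExpiresAt        = $null
            }
        }
    }
}

# Usage: show only temporary members of the privileged groups the post warns about,
# soonest expiry first.
'Domain Admins', 'Enterprise Admins' |
    ForEach-Object { Get-TemporaryGroupMember -GroupName $_ } |
    Where-Object Temporary |
    Sort-Object ExpiresAt |
    Format-Table Group, MemberDN, SecondsRemaining, ExpiresAt -AutoSize
```

Running this on a schedule and alerting on any member (temporary or not) that is not on an approved list is the monitoring approach the comments below describe.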

The user’s Kerberos ticket also expires along with the membership: the KDC issues the ticket with a lifetime equal to the shortest remaining TTL among the user’s temporary group memberships.

You can check the next Kerberos ticket renewal time with the command:

klist

The time of the next renewal of the TGT ticket is displayed in the Renew Time parameter.

Earlier, we showed how to use klist to refresh AD group membership without logging off.


Be careful in hybrid scenarios where groups are synced from on-premises Active Directory to Azure AD via Azure AD Connect: the cloud sync interval must be taken into account when choosing a TTL.

Also in AD (with the Windows2003Forest forest functional level or newer), you can create temporary AD groups. For such groups, the dynamicObject class is used. Automatic deletion of such groups is performed by the Active Directory Garbage Collection process.

For example, to create a temporary group that will be automatically deleted after a month (2678400 = 31 * 24 * 60 * 60 seconds), use the following PowerShell script:

# Bind to the OU where the temporary group will be created
$OU = [adsi]"LDAP://OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=loc"
$Group = $OU.Create("group","cn=MUN-FS01_Public_tmp")
# Replace objectClass (PutEx control code 2 = ADS_PROPERTY_UPDATE) so the group is also a dynamicObject
$Group.PutEx(2,"objectClass",@("dynamicObject","group"))
# Lifetime in seconds; the object is removed by garbage collection when it reaches zero
$Group.Put("entryTTL","2678400")
$Group.SetInfo()

Open the group attributes in the ADUC console. Pay attention to the entryTTL attribute. It indicates in how many seconds this AD group will be removed.


Earlier, to implement a temporary AD group membership, you had to use dynamic objects, different scripts and scheduled tasks, or quite complex systems (Microsoft Forefront Identity Manager, etc.). Now, in Windows Server 2016/2019, this handy feature is available out of the box.

9 comments

Matthias Berger September 27, 2023 - 8:18 am

Great Article! Thank you very much.

But I have a question. You say: “It is not recommended to use temporary group membership to provide temporary access to privileged domain groups (Enterprise admins, Domain admins, etc.).”

Why?

admin October 19, 2023 - 6:28 am

The user can grant himself permanent privileged permissions in the AD domain during the temporary membership.

Mat October 23, 2023 - 10:07 am

Thank you for the answer! So I understand that the reasoning behind this sentence is purely organizational. There is no technical reason not to do it, it won’t break anything or cause some kind of incompatibility. Correct?

Organizational, it’s in the nature of the matter, I guess. Like if you give the key to your house to a cleaner, he can make a copy of the key. But at some point you’ll have to trust someone with some means of access, otherwise you’ll have to clean yourself. At least in digital systems like AD we have the big advantage that we can address this issue by monitoring the members of security-critical groups and reporting any new ones that should not be there.

admin October 25, 2023 - 6:13 am

You are absolutely right!

Cristian October 31, 2023 - 4:50 pm

Hello… I have the following problem: when I add a user to an AD group with the script for a limited time, as I define it in Active Directory, this is synchronized with Azure AD, but when the user is removed from the AD group, this is only reflected in Active Directory.

What can this be?

Yazoo April 28, 2025 - 6:01 pm

I have the same problem. After TTL expires, user is removed from on prem group, but not from azure group.
Can someone help?

admin May 6, 2025 - 12:38 pm

Azure AD Connect sync does not currently support syncing the TTL-based membership expiration from on-prem AD to the Entra ID group.
So you should use some workaround, such as a custom script that detects TTL expirations on-premises and explicitly removes users from the corresponding EntraID groups.
