Windows OS Hub
May 20, 2021 | Active Directory, PowerShell, Windows Server 2016, Windows Server 2019

Time-Based (Temporary) Group Membership in Active Directory

The version of Active Directory in Windows Server 2016 introduced a feature that allows you to add a user to an AD security group for a limited time. It is called Temporary Group Membership (Time-Based Group Membership). Use it when you need to grant a user permissions that are tied to membership in an AD security group for a fixed period: once the specified time has elapsed, the user is removed from the group automatically, with no administrator intervention.

To use Temporary Group Membership, you must enable the Privileged Access Management Feature in your Active Directory forest. As with the AD Recycle Bin (which lets you recover deleted objects), this is a one-way change: the feature cannot be disabled once it has been enabled.

Make sure your AD forest is running at the Windows Server 2016 forest functional level (or higher):

(Get-ADForest).ForestMode

Check if Privileged Access Management feature is enabled in the current forest using the command from the AD PowerShell module:

Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"


We are interested in the EnabledScopes property. It is empty in our example, which means the Privileged Access Management Feature is not enabled in this forest.

To activate it, use Enable-ADOptionalFeature command, and specify your forest name as one of the arguments:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target contoso.com


If the command fails with “Enable-ADOptionalFeature: The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner”, check the state of your domain controllers, AD replication health, and the availability of the FSMO role owners (forest-wide optional features are committed through the Domain Naming Master), then force replication manually with repadmin and retry.

Run the command Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'" | select EnabledScopes again and check that the EnabledScopes field is no longer empty.
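The checks above, folded into one script that refuses to proceed on an old forest functional level, skips the irreversible step if the feature is already on, and verifies the result on the Domain Naming Master. This is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and an Enterprise Admins session.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module (RSAT) and a session that is a member of Enterprise Admins.
Import-Module ActiveDirectory

$featureName = 'Privileged Access Management Feature'
$forest      = Get-ADForest

# 1. Forest functional level: anything below Windows2016Forest cannot host the feature.
$tooOld = 'Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest',
          'Windows2008Forest', 'Windows2008R2Forest', 'Windows2012Forest', 'Windows2012R2Forest'
if ("$($forest.ForestMode)" -in $tooOld) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2016Forest first."
}

# 2. Do nothing if the feature is already enabled (EnabledScopes is non-empty).
$feature = Get-ADOptionalFeature -Filter "Name -eq '$featureName'"
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "PAM feature already enabled in: $($feature.EnabledScopes -join '; ')"
    return
}

# 3. Enabling is irreversible, so keep the confirmation prompt. Forest-scoped
#    optional features are committed on the Domain Naming Master, so target and
#    verify there to avoid reading a stale replica.
Enable-ADOptionalFeature -Identity $featureName -Scope ForestOrConfigurationSet `
    -Target $forest.Name -Server $forest.DomainNamingMaster -Confirm

$feature = Get-ADOptionalFeature -Filter "Name -eq '$featureName'" -Server $forest.DomainNamingMaster
if ($feature.EnabledScopes.Count -eq 0) {
    throw 'EnabledScopes is still empty; check replication (repadmin /replsummary) and FSMO availability.'
}
"Enabled scopes: $($feature.EnabledScopes -join '; ')"
```

Other domain controllers will report the feature as enabled only after the configuration partition has replicated to them, so a check against a random DC immediately after enabling can still show an empty EnabledScopes.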

To add a user to an AD group temporarily, you have to use PowerShell cmdlets. Adding a time-limited member from the ADUC graphical snap-in (dsa.msc) is not supported.

After PAM has been enabled, you can add a user to an AD group with the MemberTimeToLive parameter of the Add-ADGroupMember cmdlet (the parameter exists in the AD PowerShell module from Windows Server 2016 / Windows 10 RSAT onward). It is convenient to build the time interval (TTL) with the New-TimeSpan cmdlet. For example, to add the user test1 to the Domain Admins group for 5 minutes:

# TTL applies to this membership only; the group itself and its other members are unaffected
$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members test1 -MemberTimeToLive $ttl

It is not recommended to use temporary group membership as the way to grant access to highly privileged domain groups (Enterprise Admins, Domain Admins, etc.). Temporary Group Membership is typically used to grant access to resource groups. For administrative tasks, use Active Directory delegation or PowerShell Just Enough Administration (JEA), which limit what the user can do instead of making them a full administrator for a while.

You can check how much longer a user will remain a group member using the Get-ADGroup cmdlet with the -ShowMemberTimeToLive switch:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive


In the output, the member attribute contains entries like <TTL=187,CN=test1,CN=Users,DC=woshub,DC=loc>. The TTL value is in seconds: this user has been added to Domain Admins temporarily and will be removed from the group automatically after 187 seconds. Permanent members are listed as plain distinguished names without the TTL prefix.
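The grant-and-verify steps above, plus the audit a security engineer wants next: a domain-wide listing of every TTL-bound membership, flagging those in AdminSDHolder-protected (adminCount=1) groups. This is an added example, not code from the original article; it assumes the ActiveDirectory module, the PAM feature already enabled, and that the group FS01_Public_RW and user test1 in the usage lines exist (both are illustrative names).

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module, the PAM feature enabled, and that the group/user in the usage section
# exist (illustrative names).
Import-Module ActiveDirectory

function Get-TimeBasedGroupMembers {
    # With -ShowMemberTimeToLive, temporary entries in 'member' come back as
    # "<TTL=<seconds>,<DN>>"; permanent members are plain DNs and are skipped.
    param(
        [string]$GroupName,                                     # one group, or
        [string]$SearchBase = (Get-ADDomain).DistinguishedName  # every group under this DN
    )
    $groups = if ($GroupName) {
        Get-ADGroup -Identity $GroupName -Properties member, adminCount -ShowMemberTimeToLive
    } else {
        Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member, adminCount -ShowMemberTimeToLive
    }
    foreach ($g in $groups) {
        foreach ($entry in $g.member) {
            if ($entry -match '^<TTL=(\d+),(.+)>$') {
                $seconds = [int]$Matches[1]
                [pscustomobject]@{
                    Group      = $g.Name
                    Privileged = ($g.adminCount -eq 1)   # AdminSDHolder-protected group
                    MemberDN   = $Matches[2]
                    TtlSeconds = $seconds
                    ExpiresAt  = (Get-Date).AddSeconds($seconds)
                }
            }
        }
    }
}

function Add-TemporaryGroupMember {
    # Wraps Add-ADGroupMember -MemberTimeToLive and returns the TTL as the DC reports it
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [Parameter(Mandatory)][timespan]$Ttl
    )
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $Ttl
    Get-TimeBasedGroupMembers -GroupName $Group
}

# Usage: a 30-minute membership in a resource group, then a domain-wide audit that
# surfaces any TTL-bound member of a protected group.
Add-TemporaryGroupMember -Group 'FS01_Public_RW' -Member 'test1' -Ttl (New-TimeSpan -Minutes 30)
Get-TimeBasedGroupMembers | Sort-Object TtlSeconds |
    Format-Table Group, Privileged, MemberDN, TtlSeconds, ExpiresAt -AutoSize
```

Run the audit on a schedule or feed it to your SIEM: a TTL entry in a group with Privileged = True is exactly the case the article advises against and is worth an alert.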

The user’s Kerberos ticket is bound to the same limit: when a user has time-based memberships, the KDC issues a TGT whose lifetime is the smallest remaining TTL among those memberships (if that is shorter than the configured maximum ticket lifetime), so the group SID cannot be carried in a ticket beyond the membership’s expiry. Note that this only constrains new Kerberos tickets: an access token that was already built on a machine (an interactive logon, an open SMB session, an NTLM-authenticated connection) keeps the group SID until that session ends, so access that was established before the TTL ran out is not revoked mid-session.

You can check the lifetime of your current TGT with the command:

klist

The ticket expiry is shown in the End Time field, and the latest time to which it can be renewed in Renew Time; for a user with a time-based membership, the End Time is bounded by the remaining TTL.

Earlier, we showed how to use klist to refresh AD group membership without logging off.


Be careful in hybrid scenarios where groups are synchronized from on-premises Active Directory to Azure AD via Azure AD Connect. The cloud only sees the membership as of the last sync cycle (30 minutes by default): a membership shorter than the sync interval may never reach Azure AD at all, and one that did reach it is removed there only on the next cycle after the TTL expires, not at the moment the on-premises membership ends.

Also, in AD forests at the Windows2003Forest functional level or newer, you can create temporary AD groups themselves. Such groups carry the auxiliary dynamicObject class, and their automatic deletion is performed by the Active Directory garbage collection process once the lifetime expires.

For example, to create a temporary group that will be deleted automatically after a month (2678400 = 31 * 24 * 60 * 60 seconds), use the following PowerShell script:

$OU = [adsi]"LDAP://OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=loc"
$Group = $OU.Create("group","cn=MUN-FS01_Public_tmp")
# dynamicObject is an auxiliary class and must be set at creation time; 2 = ADS_PROPERTY_UPDATE
$Group.PutEx(2,"objectClass",@("dynamicObject","group"))
$Group.Put("sAMAccountName","MUN-FS01_Public_tmp")
# lifetime in seconds; must not be below DynamicObjectMinTTL (900 by default)
$Group.Put("entryTTL","2678400")
$Group.SetInfo()

Open the group properties in the ADUC console (Attribute Editor tab) and look at the entryTTL attribute. It shows in how many seconds this AD group will be removed.
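The dynamic-group procedure above, generalized: the TTL is validated against the forest’s DynamicObjectMinTTL before the object is created, all dynamic objects are listed with their remaining lifetime and scheduled deletion time, and the lifetime is extended by rewriting entryTTL. This is an added example, not code from the original article; it assumes the ActiveDirectory module, write access to the target OU, and that the group name and OU path (taken from the article) are illustrative.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and write access to the target OU; group name and OU path are illustrative.
Import-Module ActiveDirectory

function Get-DynamicObjectTtlSettings {
    # Forest-wide limits live in msDS-Other-Settings on the Directory Service
    # object; the values below are the built-in defaults used when a key is absent.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                       -Properties 'msDS-Other-Settings'
    $settings = @{ DynamicObjectMinTTL = 900; DynamicObjectDefaultTTL = 86400 }
    foreach ($kv in $ds.'msDS-Other-Settings') {
        $key, $value = $kv -split '=', 2
        if ($settings.ContainsKey($key)) { $settings[$key] = [int]$value }
    }
    $settings
}

function New-DynamicADGroup {
    # dynamicObject is an auxiliary class that can only be attached when the object
    # is created, so the group is built through ADSI rather than with New-ADGroup.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,        # DN of the target OU
        [Parameter(Mandatory)][int]$TtlSeconds
    )
    $minTtl = (Get-DynamicObjectTtlSettings).DynamicObjectMinTTL
    if ($TtlSeconds -lt $minTtl) {
        throw "entryTTL $TtlSeconds is below DynamicObjectMinTTL ($minTtl); the DC will not honor a shorter lifetime."
    }
    $ou = [adsi]"LDAP://$Path"
    $group = $ou.Create('group', "CN=$Name")
    $group.PutEx(2, 'objectClass', @('dynamicObject', 'group'))   # 2 = ADS_PROPERTY_UPDATE
    $group.Put('sAMAccountName', $Name)
    $group.Put('entryTTL', $TtlSeconds)
    $group.SetInfo()
    Get-ADObject -Identity "CN=$Name,$Path" -Properties entryTTL, 'msDS-Entry-Time-To-Die'
}

function Get-DynamicADObjects {
    # entryTTL is a constructed attribute and must be requested explicitly;
    # msDS-Entry-Time-To-Die is the absolute deletion time the DC computed from it.
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' `
                 -Properties entryTTL, 'msDS-Entry-Time-To-Die' |
        Select-Object Name, ObjectClass, DistinguishedName, entryTTL, 'msDS-Entry-Time-To-Die'
}

# Usage
$tmp = New-DynamicADGroup -Name 'MUN-FS01_Public_tmp' `
                          -Path 'OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=loc' -TtlSeconds 2678400
Get-DynamicADObjects | Sort-Object entryTTL | Format-Table -AutoSize
# Writing entryTTL again resets the clock; this gives the group one more day from now.
Set-ADObject -Identity $tmp.DistinguishedName -Replace @{ entryTTL = 86400 }
```

Dynamic objects can only be created in a domain naming context (not in the configuration or schema partitions), and a deleted dynamic group is not tombstoned, so it cannot be restored from the Recycle Bin; keep the listing from Get-DynamicADObjects in your change records if you need to account for what existed.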


Earlier, to implement a temporary AD group membership, you had to use dynamic objects, different scripts and scheduled tasks, or quite complex systems (Microsoft Forefront Identity Manager, etc.). Now, in Windows Server 2016/2019, this handy feature is available out-of-the-box.
