add group member active directory

Active Directory Temporary Group Membership on Windows Server 2016

Often some access rights in Active Directory must be granted temporarily, for a certain period of time. In order to avoid the need to monitor the validity of the issued authorities, they can be created initially temporary.

To create temporary permissions in AD there are special mechanisms  Temporary Group Membership which will be discussed in this post.

Active Directory Temporary Group Membership

Temporary Group Membership is a new feature that appeared in Windows Server 2016 and is a part of the Privileged Access Management (PAM) functionality.

By default, PAM is not active and the first thing you need to do is turn it on. You can do this with the PowerShell cmdlet Enable-ADOptionalFeature. For example, to enable PAM in domain, run the following command with domain administrator privileges:

Enable-ADOptionalFeature -Identity ″Privileged Access Management Feature″ -Scope ForestOrConfigurationSet -Target ″″

Note that activating PAM is irreversible operation, you cannot disable it after the execution of the previous command. You can check the result with the command:

Get-ADOptionalFeature -Filter {Name -like ″Privileged*″}

Check that your domain name listed in the parameter EnabledScope. This confirms that Privileged Access Management is enabled for this domain.

Temporary Group Membership

After PAM is enabled, the MemberTimeToLive parameter appears in the Add-ADGroupMember cmdlet, with which you can set the membership time in the group. For example, add the JSilver user to the Domain Admins group for 5 minutes:

$TTL = New-TimeSpan -Minutes 5
 Add-ADGroupMember -Identity ″Domain Admins″ -Members JSilver -MemberTimeToLive $TTL

Then you can check the group membership with the command:

Get-ADGroup -Identity ″Domain Admins″ -Properties Member -ShowMemberTimeToLive

As you can see, JSilver is a member of the Domain Admins group, and its TTL is 278 seconds. After this time, you can check the group membership again and make sure that it’s been removed from the group.

add group member

Note. At the end of the TTL, the validity period of the user’s Kerberos ticket also expires, because for users with temporary membership in AD groups, a ticket with a lifetime equal to the lower of the remaining TTL values is issued.

Temporary Group Membership requires a Windows Server 2016 domain controller and also requires a forest level of at least Windows Server 2016. You can get Active Directory Forest and Domain functional level using the following commands:



get addomain

To implement temporary membership in the groups in older versions of Windows Server, you can use less convenient functionality of dynamic objects (support for dynamic objects appeared since Windows Server 2003).

You can create of dynamic object using PowerShell. For example, you can create temporary AD group TempGroup with TTL value 600 second this way:

$OU = [adsi]″LDAP://CN=users,DC=contoso,DC=com″
 $Grp = $OU.Create(″group″,″cn=TempGroup″)

As a result, a Group TempGroup will be created in the Groups container with a lifetime of 10 minutes (600 seconds). The lifetime of the group is stored in the attribute entryTTL and, if necessary, it can be changed, for example, increase or decrease. After the set time, the group automatically disappears.

group membership active directory

You may also like:

How to Migrate DHCP to Windows Server 2016 Migrating the DHCP service from the old server to the new Windows Server 2016 with saving of all the settings of the old server is quite easy. If the ...
AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
Store BitLocker Recovery Keys using Active Directo... In a domain network, you can store the BitLocker recovery keys for encrypted drives in the Active Directory Domain Services (AD DS). This is one of th...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...

Add Your Comment