Active Directory Temporary Group Membership on Windows Server 2016

Access rights in Active Directory often have to be granted temporarily, for a fixed period of time. Rather than granting them permanently and then remembering to revoke them (and risking that nobody does), you can make the grant itself time-limited so that it expires on its own.

Active Directory has a dedicated mechanism for this, Temporary Group Membership, which is discussed in this post, together with the older dynamic-object approach for forests that cannot use it yet.

Active Directory Temporary Group Membership

Temporary Group Membership is a feature introduced in Windows Server 2016 and is part of the Privileged Access Management (PAM) optional feature of Active Directory.

PAM is not active by default, so the first thing to do is to turn it on. This is done with the PowerShell cmdlet Enable-ADOptionalFeature. The feature is forest-wide, and the target is the forest root domain name (contoso.com in the examples on this page). Run the following command with Enterprise Admins privileges:

Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "contoso.com"

Note that activating PAM is an irreversible operation: the feature cannot be disabled once the previous command has run. You can check the result with the command:

Get-ADOptionalFeature -Filter {Name -like "Privileged*"}

Check that the distinguished name of your forest's partitions container (CN=Partitions,CN=Configuration,DC=…) appears in the EnabledScopes property. This confirms that Privileged Access Management is enabled for the forest.

Temporary Group Membership

Once PAM is enabled, the Add-ADGroupMember cmdlet (Windows Server 2016 RSAT) accepts the MemberTimeToLive parameter, which sets how long the membership lasts. For example, to add the user JSilver to the Domain Admins group for 5 minutes:

$TTL = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members JSilver -MemberTimeToLive $TTL

You can then check the group membership, asking for the remaining TTL of each member, with the command:

Get-ADGroup -Identity "Domain Admins" -Properties Member -ShowMemberTimeToLive

Temporary members are shown in the form <TTL=seconds,DN>; permanent members are shown as plain distinguished names. In the output, JSilver is a member of the Domain Admins group with a TTL of 278 seconds. Once this time has elapsed, check the membership again and you will see that the account has been removed from the group automatically.

Note. The expiry of the TTL is also enforced at the Kerberos level: for a user with temporary group memberships, the KDC issues a ticket-granting ticket whose lifetime is the lowest remaining TTL among those memberships (and never longer than the normal maximum ticket lifetime), so the user cannot keep presenting a ticket that still carries the group SID after the membership has expired. Bear in mind that an access token of a session that is already logged on is built at logon time and keeps the group SID until the user logs off, so the expiry stops new authentications with the privilege rather than tearing down existing sessions.
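The following is an added example, not code from the original post, that wraps the procedure above into two functions: one grants a membership with a TTL and reads it straight back, the other audits every group in the domain for members that carry a TTL, which is the check you want when reviewing who currently holds temporary privileged access. It assumes the Windows Server 2016 RSAT ActiveDirectory module, a reachable DC in a forest where PAM is enabled, and the group and user from the page (Domain Admins, JSilver); the function names are my own.

```powershell
# Added example (not from the original post). Assumes the RSAT AD module,
# a Windows Server 2016 forest with PAM enabled, and the group/user used on the page.
Import-Module ActiveDirectory

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $Member,
        [Parameter(Mandatory)] [timespan] $Ttl
    )
    # A zero or negative span would not be a temporary grant; refuse it rather
    # than letting a typo produce something unexpected.
    if ($Ttl -le [timespan]::Zero) { throw "TTL must be a positive time span" }

    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $Ttl

    # Read the membership back with its remaining TTL. Temporary members come
    # back as "<TTL=seconds,DN>", permanent ones as a bare DN.
    $grp = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $grp.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$' -and $Matches[2] -like "CN=$Member,*") {
            [pscustomobject]@{ Group = $Group; Member = $Matches[2]; TtlSeconds = [int]$Matches[1] }
        }
    }
}

function Get-TemporaryGroupMembership {
    # Audit: list every TTL-bearing membership in the domain, with the wall-clock
    # time at which it lapses (computed locally, so it is approximate).
    Get-ADGroup -Filter * -Properties member -ShowMemberTimeToLive | ForEach-Object {
        $grp = $_
        foreach ($m in $grp.member) {
            if ($m -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    Group      = $grp.Name
                    Member     = $Matches[2]
                    TtlSeconds = [int]$Matches[1]
                    ExpiresAt  = (Get-Date).AddSeconds([int]$Matches[1])
                }
            }
        }
    }
}

# Grant 5 minutes of Domain Admins to JSilver and show the TTL that was recorded.
Grant-TemporaryGroupMembership -Group "Domain Admins" -Member JSilver -Ttl (New-TimeSpan -Minutes 5)

# Who holds temporary membership in the most sensitive groups right now?
Get-TemporaryGroupMembership |
    Where-Object { $_.Group -in "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators" } |
    Sort-Object TtlSeconds
```

The audit function is worth scheduling: a TTL membership in a privileged group that was granted outside your change process is exactly the kind of short-lived, self-erasing change that never shows up in a periodic group review.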

Temporary Group Membership requires at least one Windows Server 2016 domain controller and a forest functional level of at least Windows Server 2016 (the PAM optional feature cannot be enabled below that level). You can read the forest and domain functional levels with Get-ADForest (ForestMode property) and Get-ADDomain (DomainMode property).
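The following is an added example, not code from the original post, that puts the prerequisite check and the irreversible PAM switch from the sections above into one script: it reads the forest and domain functional levels, verifies that a Windows Server 2016 domain controller exists, reports whether PAM is already enabled (via EnabledScopes), and only then enables the feature with a confirmation prompt. It assumes the ActiveDirectory module and the ADForestMode enumeration it ships; the function names are my own.

```powershell
# Added example (not from the original post). Assumes the RSAT AD module and
# rights to enable forest-wide optional features (Enterprise Admins).
Import-Module ActiveDirectory

function Test-PamPrerequisites {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # The PAM optional feature needs Windows2016Forest or higher; the enum
    # compares in release order, so -ge works.
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
    # Assumption: a 2016-or-newer DC reports an OperatingSystem string containing
    # "2016", "2019" or "2022".
    $dcs2016 = Get-ADDomainController -Filter { OperatingSystem -like "*2016*" -or
                                               OperatingSystem -like "*2019*" -or
                                               OperatingSystem -like "*2022*" }
    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        DomainMode    = $domain.DomainMode
        ForestModeOk  = $forest.ForestMode -ge $minMode
        Dc2016Present = ($dcs2016 | Measure-Object).Count -gt 0
    }
}

function Enable-PamFeature {
    $feature = Get-ADOptionalFeature -Filter { Name -like "Privileged*" }
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "PAM is already enabled in: $($feature.EnabledScopes -join '; ')"
        return $feature
    }
    $pre = Test-PamPrerequisites
    if (-not $pre.ForestModeOk) {
        throw "Forest functional level $($pre.ForestMode) is below Windows2016Forest; raise it first"
    }
    if (-not $pre.Dc2016Present) {
        throw "No Windows Server 2016 (or newer) domain controller found"
    }
    # This cannot be undone, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $pre.Forest -Confirm
    Get-ADOptionalFeature -Filter { Name -like "Privileged*" } | Select-Object Name, EnabledScopes
}

Test-PamPrerequisites
Enable-PamFeature
```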

In forests that are not yet at the Windows Server 2016 level, temporary group membership can be approximated with the less convenient dynamic objects (RFC 2589), which have been supported since the Windows Server 2003 forest functional level. Instead of the membership, the whole group object is given a lifetime.

You can create a dynamic object with PowerShell via ADSI. The object must be created with the auxiliary class dynamicObject from the start; an existing static object cannot be converted later. For example, to create a temporary AD group TempGroup with a TTL of 600 seconds:

$Grp = ([adsi]"LDAP://CN=Users,DC=contoso,DC=com").Create("group","CN=TempGroup")
$Grp.PutEx(2, "objectClass", @("dynamicObject","group"))   # 2 = ADS_PROPERTY_UPDATE
$Grp.Put("entryTTL", 600)
$Grp.SetInfo()

As a result, the group TempGroup is created in the Users container with a lifetime of 10 minutes (600 seconds). The remaining lifetime is exposed through the constructed attribute entryTTL (the absolute expiry time is stored in msDS-Entry-Time-To-Die); writing entryTTL again resets the countdown, so the lifetime can be extended or shortened as needed. When the time runs out, the group and all of its memberships disappear automatically. Note that the forest-wide minimum and default TTLs (DynamicObjectMinTTL, 900 seconds by default, and DynamicObjectDefaultTTL, 86400 seconds by default) are stored in the msDS-Other-Settings attribute of the Directory Service configuration object; a requested TTL below the minimum is not honored as written, so read entryTTL back after creating the object.
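The following is an added example, not code from the original post, that turns the dynamic-object approach into reusable functions: it creates a dynamic group with a given TTL and members, reads entryTTL and msDS-Entry-Time-To-Die back so you can see what the DC actually applied, refreshes the TTL, and shows the forest-wide TTL limits. It assumes the ActiveDirectory module, the contoso.com domain from the page, and a forest at Windows Server 2003 functional level or higher; the function names are my own.

```powershell
# Added example (not from the original post). Assumes the RSAT AD module and a
# forest at Windows Server 2003 functional level or higher. Domain is contoso.com
# as on the page.
Import-Module ActiveDirectory

function Get-DynamicObjectTtlSettings {
    # DynamicObjectMinTTL / DynamicObjectDefaultTTL live in msDS-Other-Settings
    # on the Directory Service object of the configuration partition.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties msDS-Other-Settings
    $ds."msDS-Other-Settings" | Where-Object { $_ -like "DynamicObject*" }
}

function New-DynamicADGroup {
    param(
        [Parameter(Mandatory)] [string]   $ContainerDN,   # e.g. CN=Users,DC=contoso,DC=com
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $TtlSeconds,
        [string[]] $Members = @()
    )
    $container = [adsi]"LDAP://$ContainerDN"
    $grp = $container.Create("group", "CN=$Name")
    # dynamicObject must be in objectClass at creation; 2 = ADS_PROPERTY_UPDATE.
    $grp.PutEx(2, "objectClass", @("dynamicObject", "group"))
    $grp.Put("sAMAccountName", $Name)      # so Add-ADGroupMember can find it by name
    $grp.Put("entryTTL", $TtlSeconds)
    $grp.SetInfo()

    foreach ($m in $Members) { Add-ADGroupMember -Identity $Name -Members $m }

    # Read back what the DC applied: a TTL below DynamicObjectMinTTL is not kept as requested.
    Get-ADObject -Identity $grp.distinguishedName.Value -Properties objectClass, entryTTL, "msDS-Entry-Time-To-Die"
}

function Update-DynamicADObjectTtl {
    param(
        [Parameter(Mandatory)] [string] $DN,
        [Parameter(Mandatory)] [int]    $TtlSeconds
    )
    # Writing entryTTL again resets the countdown (the RFC 2589 refresh).
    $obj = [adsi]"LDAP://$DN"
    $obj.Put("entryTTL", $TtlSeconds)
    $obj.SetInfo()
    Get-ADObject -Identity $DN -Properties entryTTL, "msDS-Entry-Time-To-Die"
}

Get-DynamicObjectTtlSettings

# Create a 10-minute group containing JSilver; if the forest minimum is 900 s,
# the entryTTL printed here will be 900 rather than 600.
$g = New-DynamicADGroup -ContainerDN "CN=Users,DC=contoso,DC=com" -Name "TempGroup" -TtlSeconds 600 -Members JSilver
$g | Format-List Name, objectClass, entryTTL, "msDS-Entry-Time-To-Die"

# Extend the group's life to one hour.
Update-DynamicADObjectTtl -DN $g.DistinguishedName -TtlSeconds 3600
```

Because the whole group object expires, any ACEs that reference the group's SID remain in place but point at a deleted object; if you grant rights by placing a dynamic group into a permanent group, the expiry of the dynamic group removes the members from the permanent group's effective membership, which is usually the behaviour you want.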

Cyril Kardashevsky
