
Active Directory Temporary Group Membership on Windows Server 2016


Some access rights in Active Directory often need to be granted only temporarily, for a set period of time. To avoid having to track such grants and revoke them by hand, they can be created as temporary from the start.

Active Directory has dedicated mechanisms for this, Temporary Group Membership and, on older forests, dynamic objects, which are discussed in this post.

Active Directory Temporary Group Membership

Temporary Group Membership is a feature introduced in Windows Server 2016 as part of the Privileged Access Management (PAM) optional feature.

By default the PAM optional feature is not enabled, so the first step is to turn it on with the Enable-ADOptionalFeature PowerShell cmdlet. For example, to enable PAM in the forest whose root domain is contoso.com, run the following command as a member of Enterprise Admins (enabling a forest-scoped optional feature requires forest-level rights, not just Domain Admins):

Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "contoso.com"

Note that enabling PAM is irreversible: there is no way to disable the feature once the command has run. You can check the result with the command:

Get-ADOptionalFeature -Filter {Name -like "Privileged*"}

Check that the EnabledScopes property is no longer empty and contains the distinguished name of your forest. This confirms that Privileged Access Management is enabled for the forest.
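The steps above as one script: a pre-flight check of the forest functional level, enabling the feature only if it is not already on, and verifying the result. This is an added example, not code from the original post; the forest root name contoso.com is assumed, and the script is meant to be run in an elevated session as an Enterprise Admin.

```powershell
# Added example (not from the original post): check, enable and verify the PAM optional feature.
# Assumption: the forest root domain is contoso.com; run as a member of Enterprise Admins.
Import-Module ActiveDirectory

$ForestName = 'contoso.com'   # assumed forest root domain name

function Test-PamEnabled {
    # Forest-scoped optional features list the forest's Partitions container in EnabledScopes.
    $feature = Get-ADOptionalFeature -Filter { Name -like 'Privileged*' }
    return [bool]($feature.EnabledScopes | Where-Object { $_ -like 'CN=Partitions,*' })
}

$forest = Get-ADForest -Identity $ForestName
# PAM requires the Windows Server 2016 forest functional level; Enable-ADOptionalFeature fails below that.
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "Forest functional level is $($forest.ForestMode); Windows2016Forest or higher is required."
}

if (Test-PamEnabled) {
    Write-Host 'Privileged Access Management Feature is already enabled; nothing to do (it cannot be disabled).'
} else {
    # Deliberately left interactive: the cmdlet asks for confirmation because the change is irreversible.
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestName
}

# Verify: EnabledScopes should now contain CN=Partitions,CN=Configuration,DC=contoso,DC=com
Get-ADOptionalFeature -Filter { Name -like 'Privileged*' } | Select-Object Name, EnabledScopes
```

The functional-level check is done first on purpose: the enable call is the irreversible step, and failing early on an unsupported forest avoids a confusing error from it.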

Temporary Group Membership

After PAM is enabled, the Add-ADGroupMember cmdlet gains the MemberTimeToLive parameter, which sets how long the membership lasts. For example, to add the user JSilver to the Domain Admins group for 5 minutes:

$TTL = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity "Domain Admins" -Members JSilver -MemberTimeToLive $TTL

Then you can check the group membership with the command:

Get-ADGroup -Identity "Domain Admins" -Properties Member -ShowMemberTimeToLive

In the output, JSilver is listed as a member of Domain Admins with a TTL of 278 seconds: the remaining lifetime is shown as a <TTL=278> prefix on the member's distinguished name, while permanent members appear as a bare DN. Once the TTL has run out, run the command again and confirm that the user has been removed from the group automatically.
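To make the remaining lifetime usable in scripts rather than reading it off the console, the following added example (not code from the original post) wraps the grant and parses the <TTL=seconds> prefix that -ShowMemberTimeToLive puts in front of time-boxed members. It assumes the ActiveDirectory module, a forest with PAM enabled, and the user and group names used in the post.

```powershell
# Added example (not from the original post): grant time-boxed membership and read back the remaining TTL.
# Assumptions: PAM enabled on a 2016-level forest; user JSilver and group "Domain Admins" exist.
Import-Module ActiveDirectory

function Add-TemporaryGroupMember {
    param(
        [Parameter(Mandatory)] [string]$Group,
        [Parameter(Mandatory)] [string]$Member,
        [Parameter(Mandatory)] [timespan]$TimeToLive
    )
    # The DC removes the member itself when the TTL reaches zero; nothing has to be scheduled.
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $TimeToLive
}

function Get-TemporaryGroupMembership {
    param([Parameter(Mandatory)] [string]$Group)
    # With -ShowMemberTimeToLive, time-boxed entries come back as "<TTL=seconds>CN=...";
    # permanent members come back as a plain distinguished name.
    $g = Get-ADGroup -Identity $Group -Properties Member -ShowMemberTimeToLive
    foreach ($entry in $g.Member) {
        if ($entry -match '^<TTL=(\d+)>(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; RemainingSeconds = [int]$Matches[1]; Temporary = $true }
        } else {
            [pscustomobject]@{ Member = $entry; RemainingSeconds = $null; Temporary = $false }
        }
    }
}

Add-TemporaryGroupMember -Group 'Domain Admins' -Member 'JSilver' -TimeToLive (New-TimeSpan -Minutes 5)

# List only the time-boxed members with their countdown (seconds remaining at query time).
Get-TemporaryGroupMembership -Group 'Domain Admins' | Where-Object Temporary | Format-Table -AutoSize
```

Get-ADGroupMember does not expose the TTL at all, which is why the example reads the Member attribute through Get-ADGroup; the number it reports is the remaining lifetime at the moment of the query, so it will be lower than the value originally granted.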



Note. The user's Kerberos tickets are tied to the TTL as well: for a user with temporary group memberships the KDC issues tickets whose lifetime is the lower of the normal ticket lifetime and the shortest remaining membership TTL. The elevated rights therefore expire from the ticket at the same moment they expire from the group, instead of lingering in a ticket that was issued before the removal.

Temporary Group Membership requires Windows Server 2016 domain controllers and a forest functional level of at least Windows Server 2016. You can check the forest and domain functional levels with the following commands:

(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode


On older versions of Windows Server, temporary group membership can be emulated with the less convenient dynamic objects mechanism (available since Windows Server 2003; it requires a forest functional level of at least Windows Server 2003).

You can create a dynamic object with PowerShell through ADSI. For example, to create a temporary AD group TempGroup with a TTL of 600 seconds:

$OU = [adsi]"LDAP://CN=Users,DC=contoso,DC=com"             # container the group is created in
$Grp = $OU.Create("group", "CN=TempGroup")
$Grp.PutEx(2, "objectClass", @("dynamicObject", "group"))    # 2 = ADS_PROPERTY_UPDATE: add the dynamicObject auxiliary class
$Grp.Put("sAMAccountName", "TempGroup")                      # otherwise AD assigns a generated pre-2000 name
$Grp.Put("entryTTL", 600)                                    # lifetime in seconds
$Grp.SetInfo()

As a result, the group TempGroup is created in the Users container with a lifetime of 10 minutes (600 seconds). The lifetime is stored in the entryTTL attribute, which counts down and can be rewritten at any time to extend or shorten it. Note that the forest-wide DynamicObjectMinTTL setting (900 seconds by default) is a floor: an entryTTL below it is raised to the minimum, so with default settings the group above actually lives for 15 minutes. The dynamicObject class must be set when the object is created; an existing static object cannot be made dynamic later. When the TTL reaches zero the group is deleted automatically.
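The following added example (not code from the original post) builds on the snippet above: it reads the forest-wide minimum TTL, creates the dynamic group, reads the countdown back, extends it, and shows how to revoke early. It assumes the forest root contoso.com and the group name TempGroup from the post; the location of the DynamicObjectMinTTL value is stated in the code as the place it is normally stored.

```powershell
# Added example (not from the original post): create a dynamic group, read its countdown, extend it, revoke it.
# Assumption: the forest root domain is contoso.com; forest functional level is at least Windows Server 2003.
$ContainerPath = 'LDAP://CN=Users,DC=contoso,DC=com'

function Get-DynamicObjectMinTtl {
    # The forest-wide floor is kept in msDS-Other-Settings on the Directory Service object as
    # "DynamicObjectMinTTL=<seconds>" (900 by default); smaller entryTTL values are raised to it.
    $rootDse  = [adsi]'LDAP://RootDSE'
    $settings = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $entry = @($settings.Properties['msDS-Other-Settings']) | Where-Object { $_ -like 'DynamicObjectMinTTL=*' }
    if ($entry) { return [int]($entry -replace '^.*=', '') }
    return 900   # documented default when the value is not present
}

function New-DynamicGroup {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$TtlSeconds)
    $container = [adsi]$ContainerPath
    $grp = $container.Create('group', "CN=$Name")
    # ADS_PROPERTY_UPDATE (2): objectClass = structural class plus the dynamicObject auxiliary class.
    # This has to be set at creation time; a static object cannot be turned dynamic afterwards.
    $grp.PutEx(2, 'objectClass', @('dynamicObject', 'group'))
    $grp.Put('sAMAccountName', $Name)
    $grp.Put('entryTTL', $TtlSeconds)
    $grp.SetInfo()
    return $grp
}

function Get-RemainingTtl {
    param([Parameter(Mandatory)]$Entry)
    # entryTTL is an operational attribute: the DC only returns it when asked for explicitly.
    $Entry.RefreshCache(@('entryTTL'))
    return [int]$Entry.Properties['entryTTL'].Value
}

function Set-RemainingTtl {
    param([Parameter(Mandatory)]$Entry, [Parameter(Mandatory)][int]$TtlSeconds)
    # Rewriting entryTTL restarts the countdown from the new value (still subject to the forest minimum).
    $Entry.Put('entryTTL', $TtlSeconds)
    $Entry.SetInfo()
}

$minTtl = Get-DynamicObjectMinTtl
Write-Host "Forest minimum entryTTL: $minTtl s (a request of 600 s is raised to this if it is smaller)"

$grp = New-DynamicGroup -Name 'TempGroup' -TtlSeconds 600
Write-Host "Created $($grp.distinguishedName); remaining TTL: $(Get-RemainingTtl $grp) s"

# Extend the lifetime to one hour, then read the new countdown.
Set-RemainingTtl -Entry $grp -TtlSeconds 3600
Write-Host "After extension: $(Get-RemainingTtl $grp) s"

# To revoke before expiry, delete the object as usual instead of waiting for the TTL to run out:
# ([adsi]$ContainerPath).Delete('group', 'CN=TempGroup')
```

Reading entryTTL through RefreshCache is the detail most people miss: the attribute is not in the default attribute set, so a plain property read after SetInfo returns nothing even though the countdown is running on the DC.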


