Sometimes some access rights in Active Directory must be granted temporarily, for a certain period of time. In order to avoid the need to monitor the validity of the issued authorities, they can be created initially temporary.
Therefore, there is an opportunity to provide users with membership in Active Directory Temporary Group.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows queries.
In this context, we shall look into how to implement Active Directory Temporary Group Membership on Windows Server 2016.
Active Directory Temporary Group Membership on Windows Server 2016
Usually, when we need to give specific privileges based on the membership in AD security group to a user for a certain period of time and upon this period of time to automatically (without administrator) remove these rights.
Generally, A new Windows Server 2016 feature called Privileged Access Management Feature used to implement Temporary Group Membership.
Initially, use the below Powershell command to check status of PAM:
Get-ADOptionalFeature -filter *
EnableScopes parameter must have a value. It is empty in our example. It means that Privileged Access Management Feature is not enabled for this domain.
To activate it, use Enable-ADOptionalFeature command and specify the domain name as one of the arguments:
Enable-ADOptionalFeature -Identity ″Privileged Access Management Feature″ -Scope ForestOrConfigurationSet -Target ″contoso.com″
Once PAM is active, add a user to an AD group using a special argument MemberTimeToLive of Add-ADGroupMember cmdlet.
First of all, using New-TimeSpan cmdlet specify the time period (TTL), during which the user will have access permissions. Say, we want to include the user test1 to the Domain Admins group for 5 minutes:
$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity “Domain Admins” -Members test1 -MemberTimeToLive $ttl
In order to, check how much time a user will be a group member using Get-ADGroup cmdlet:
Get-ADGroup ‘Domain Admins’ -Property member –ShowMemberTimeToLive
In the command results, the entry will be <TTL=246.CN=test1,CN=Users,DC=Contoso,DC=com> for the group members.
The user test1 will be a member of the Domain Admins group for 246 seconds. After that, the user will be automatically removed from this group.
Earlier, dynamic objects, different scripts or quite complex systems (Microsoft Forefront Identity Manager, etc.) used to implement a temporary AD group membership.
Then in Windows Server 2016, this convenient feature is available out-of-the-box.
[Need urgent assistance in fixing Windows Server errors? We can help you. ]