The Temporary Group Membership feature in Windows Server 2016 allows us to add users to an Active Directory security group temporarily, for a defined period of time.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows queries.
In this context, we shall look into how to enable and use this Windows feature.
The Temporary Group Membership (Time Based) helps us when we need to temporarily grant a user some authority based on AD security group membership.
Once the specified time has elapsed, the user is removed from the security group automatically, without administrator intervention.
In order to use Temporary Group Membership, we need to enable the Privileged Access Management Feature in the Active Directory forest. As with the AD Recycle Bin (which allows recovering deleted objects), PAM cannot be disabled after it has been enabled.
Make sure the AD forest is running at the Windows Server 2016 forest functional level (or higher):
(Get-ADForest).ForestMode
Check whether the Privileged Access Management feature is enabled in the current forest using this command from the AD PowerShell module:
Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"
We need the value of the EnabledScopes property. It is empty in our example, which means that the Privileged Access Management Feature is not enabled for this forest.
To activate it, use the Enable-ADOptionalFeature command and specify the forest name as the target:
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target linuxapt.com
If the error "Enable-ADOptionalFeature: The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner" appears when running the command, check the status of the domain controllers, AD replication and the availability of the FSMO role owners, then force AD replication manually.
Run the command again and check that the EnabledScopes field is no longer empty:
Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'" | select EnabledScopes
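The prerequisite checks and the enable step above, combined into one function. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed and that the caller has Enterprise Admin rights in the forest.

```powershell
# Added example (not from the original article): verify the forest functional
# level and enable the Privileged Access Management feature only if needed.
# Assumes the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

function Enable-PamFeatureIfNeeded {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $forest = Get-ADForest
    # PAM requires the Windows Server 2016 forest functional level or higher.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
    }

    $pam = Get-ADOptionalFeature -Filter "name -eq 'Privileged Access Management Feature'"
    # A non-empty EnabledScopes means the feature is already on; nothing to do.
    if ($pam.EnabledScopes.Count -gt 0) {
        Write-Verbose "PAM is already enabled in: $($pam.EnabledScopes -join ', ')"
        return $pam
    }

    # Enabling PAM is irreversible, so honour -WhatIf / -Confirm before changing the forest.
    $action = 'Enable Privileged Access Management Feature (cannot be disabled later)'
    if ($PSCmdlet.ShouldProcess($forest.Name, $action)) {
        Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest.Name
        $pam = Get-ADOptionalFeature -Filter "name -eq 'Privileged Access Management Feature'"
    }
    return $pam
}

# Dry run first; drop -WhatIf to actually enable the feature.
Enable-PamFeatureIfNeeded -Verbose -WhatIf
```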
To temporarily add a user to an AD group, we use PowerShell cmdlets.
After enabling PAM, we can add a user to an AD group using the special MemberTimeToLive argument of the Add-ADGroupMember cmdlet. It is convenient to set the time interval (TTL) with the New-TimeSpan cmdlet. For instance, to add the user test1 to the Domain Admins group for 15 minutes:
$ttl = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity "Domain Admins" -Members test1 -MemberTimeToLive $ttl
It is not recommended to use temporary group membership to provide temporary access to privileged domain groups (Enterprise Admins, Domain Admins, etc.). Typically, Temporary Group Membership is used to grant access to resource groups. To grant administrative permissions, use Active Directory delegation or PowerShell Just Enough Administration (JEA) instead.
We can check how long a user will remain a group member using the Get-ADGroup cmdlet:
Get-ADGroup 'Domain Admins' -Properties member -ShowMemberTimeToLive
In the command results, temporary members appear as entries like <TTL=187,CN=test1,CN=Users,DC=bobcares,DC=loc>.
The TTL value is in seconds. This means that after 187 seconds, this user will be automatically removed from the Domain Admins group.
The user's Kerberos ticket expires at the same time. This is because the KDC issues the ticket with a lifetime equal to the shortest TTL among the user's temporary group memberships.
We can check the next Kerberos ticket renewal time with the command:
klist
The Renew Time field shows when the TGT will next be renewed.
Be careful in hybrid scenarios where groups are synced from on-premises Active Directory to Azure AD via Azure AD Connect: the temporary membership configuration must take the cloud sync interval into account, since a membership shorter than the sync interval may never reach the cloud or may linger there after it has expired on-premises.
Also, in AD (at the Windows2003Forest forest functional level or newer), we can create temporary AD groups. Such groups use the dynamicObject auxiliary class, and the Active Directory garbage collection process deletes them automatically once their TTL expires.
For example, to create a temporary group that will be automatically deleted after a month (2678400 = 31 * 24 * 60 * 60 seconds), use the following PowerShell script:
# Bind to the OU that will contain the temporary group
$OU = [adsi]"LDAP://OU=Groups,OU=Munich,OU=DE,DC=bobcares,DC=loc"
$Group = $OU.Create("group","cn=MUN-FS01_Public_tmp")
# Add the dynamicObject auxiliary class alongside group (2 = ADS_PROPERTY_UPDATE)
$Group.PutEx(2,"objectClass",@("dynamicObject","group"))
# Lifetime in seconds; garbage collection removes the object when it reaches zero
$Group.Put("entryTTL","2678400")
$Group.SetInfo()
Open the group attributes in the ADUC console and look at the entryTTL attribute: it shows in how many seconds this AD group will be removed.
Earlier, to implement a temporary AD group membership, we had to use dynamic objects, different scripts and scheduled tasks or quite complex systems (Microsoft Forefront Identity Manager, etc.). Now, in Windows Server 2016/2019, this handy feature is available out-of-the-box.
Basically, the version of Active Directory in Windows Server 2016 introduces Temporary Group Membership (Time Based), an interesting feature that allows you to temporarily add a user to an AD security group. In order to use Temporary Group Membership, you need to enable the Privileged Access Management Feature in your Active Directory forest. As with the AD Recycle Bin (which allows you to recover deleted objects), you cannot disable PAM after it has been enabled.