With Windows Server 2016 there is a new Feature called Privileged Access Management Feature. This feature is only available in Active Directory Environments running Windows Server 2016 Forest Mode. This guide shows step-by-step how to set up Time Based Group Membership with Windows PowerShell.
First, make sure your domain is running Windows Server 2016 Forest Mode. All Domain Controllers must run Windows Server 2016 and the Forest Mode must be set to Windows Server 2016 Forest. Otherwise you can´t use this new feature.
For checking run
If your forest is set to lower than Windows Server 2016 and all Domain Controllers are running Windows Server 2016, then you can raise your Forest Mode to W2k16.
This example shows the change of the forest mode of the forest pagr.inet:
Set-ADForestMode -ForestMode Windows2016Forest -Identity pagr.inet
Enabling the Privileged Access Management Feature
Run the following command to enable the Privileged Access Management Feature. Pay attention to the parameter Target. Provide your forest name there.
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target pagr.inet
Configuring Time based Group Membership
Let´s continue. Now, I will add User Herbert to the Admins group. But only for five minutes.
Add-ADGroupMember -Identity 'Admins' -Members 'Herbert' -MemberTimeToLive (New-TimeSpan -Minutes 5)
The Time to live Value of Herbert can be retrieved by running Get-ADGroup.
Get-ADGroup Admins -Properties Member -ShowMemberTimeToLive
Categories: Cyber Security, PowerShell, Windows Server
Hi I am wondering Why a user is not inheriting that particular groups access to a specific folder ?
I added user1 to a group for 5 minutes (success) but after adding him , if the group has no access to a folder , user1 still gets access to the folder . I have configured no access to this group for a specific folder. Do you think there is any additional command switch do I have to extend in the above command ? because when I do the same process without time limit user1 inherits target groups permission on the folder (Which is no access) but not with his limited time membership..
I’m sorry but I cannot help you in this case. Remember that group membership is replicated between domain controllers, so maybe this could be an issue?
Hi Patrick Thank you for you reply.
No I am working with only 1 dc and other member servers and clients on the same site. It is a very small test network. We have to raise this issue with MS as someone has to correct it before it is used in the Production Env. What say ?
I think best practice is to post it at Technet to see what they say …