Cyber Security

Windows Server 2016: Configuring Time based Group Membership with PowerShell

With Windows Server 2016 there is a new Feature called Privileged Access Management Feature. This feature is only available in Active Directory Environments running Windows Server 2016 Forest Mode. This guide shows step-by-step how to set up Time Based Group Membership with Windows PowerShell.


First, make sure your domain is running Windows Server 2016 Forest Mode. All Domain Controllers must run Windows Server 2016 and the Forest Mode must be set to Windows Server 2016 Forest. Otherwise you can´t use this new feature.


For checking run



If your forest is set to lower than Windows Server 2016 and all Domain Controllers are running Windows Server 2016, then you can raise your Forest Mode to W2k16.

This example shows the change of the forest mode of the forest pagr.inet:

Set-ADForestMode -ForestMode Windows2016Forest -Identity pagr.inet

Enabling the Privileged Access Management Feature

Run the following command to enable the Privileged Access Management Feature. Pay attention to the parameter Target. Provide your forest name there.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target pagr.inet


Configuring Time based Group Membership

Let´s continue. Now, I will add User Herbert to the Admins group. But only for five minutes.

Add-ADGroupMember -Identity 'Admins' -Members 'Herbert' -MemberTimeToLive (New-TimeSpan -Minutes 5)


The Time to live Value of Herbert can be retrieved by running Get-ADGroup.

Get-ADGroup Admins -Properties Member -ShowMemberTimeToLive


7 replies »

  1. Hi I am wondering Why a user is not inheriting that particular groups access to a specific folder ?
    I added user1 to a group for 5 minutes (success) but after adding him , if the group has no access to a folder , user1 still gets access to the folder . I have configured no access to this group for a specific folder. Do you think there is any additional command switch do I have to extend in the above command ? because when I do the same process without time limit user1 inherits target groups permission on the folder (Which is no access) but not with his limited time membership..


      • Hi Patrick Thank you for you reply.
        No I am working with only 1 dc and other member servers and clients on the same site. It is a very small test network. We have to raise this issue with MS as someone has to correct it before it is used in the Production Env. What say ?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.