Cyber Security

Windows Server 2016: Configuring Time based Group Membership with PowerShell

By on ( 7 Comments )

With Windows Server 2016 there is a new Feature called Privileged Access Management Feature. This feature is only available in Active Directory Environments running Windows Server 2016 Forest Mode. This guide shows step-by-step how to set up Time Based Group Membership with Windows PowerShell.

Preparation

First, make sure your domain is running Windows Server 2016 Forest Mode. All Domain Controllers must run Windows Server 2016 and the Forest Mode must be set to Windows Server 2016 Forest. Otherwise you can´t use this new feature.

1.PNG

For checking run

(Get-ADForest).ForestMode

1.PNG

If your forest is set to lower than Windows Server 2016 and all Domain Controllers are running Windows Server 2016, then you can raise your Forest Mode to W2k16.

This example shows the change of the forest mode of the forest pagr.inet:

Set-ADForestMode -ForestMode Windows2016Forest -Identity pagr.inet

Enabling the Privileged Access Management Feature

Run the following command to enable the Privileged Access Management Feature. Pay attention to the parameter Target. Provide your forest name there.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target pagr.inet

1.PNG

Configuring Time based Group Membership

Let´s continue. Now, I will add User Herbert to the Admins group. But only for five minutes.

Add-ADGroupMember -Identity 'Admins' -Members 'Herbert' -MemberTimeToLive (New-TimeSpan -Minutes 5)

1.PNG

The Time to live Value of Herbert can be retrieved by running Get-ADGroup.

Get-ADGroup Admins -Properties Member -ShowMemberTimeToLive

1.PNG

Categories: Cyber Security, PowerShell, Windows Server

Tagged as: , , , , ,

Published by Patrick Gruenauer

Microsoft MVP on PowerShell [2018-2023], IT-Trainer, IT-Consultant, MCSE: Cloud Platform and Infrastructure, Cisco Certified Academy Instructor.

7 replies »

  1. Pingback: Habilitando associação de grupo baseada em tempo com o PowerShell – Gabriel Luiz

  2. Hi I am wondering Why a user is not inheriting that particular groups access to a specific folder ?
    I added user1 to a group for 5 minutes (success) but after adding him , if the group has no access to a folder , user1 still gets access to the folder . I have configured no access to this group for a specific folder. Do you think there is any additional command switch do I have to extend in the above command ? because when I do the same process without time limit user1 inherits target groups permission on the folder (Which is no access) but not with his limited time membership..

    Like

    Reply

      • Hi Patrick Thank you for you reply.
        No I am working with only 1 dc and other member servers and clients on the same site. It is a very small test network. We have to raise this issue with MS as someone has to correct it before it is used in the Production Env. What say ?

        Like

  3. Pingback: PowerShell: Encrypt and Decrypt Data by using Certificates (Public Key / Private Key) « SID-500
  4. Pingback: Active Directory: Force replication of all Domain Controllers on all Sites at once « SID-500

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.