SID-500

Windows Server 2016: Configuring Time based Group Membership with PowerShell

With Windows Server 2016 there is a new feature called the Privileged Access Management Feature. It is only available in Active Directory environments whose forest is running at the Windows Server 2016 forest functional level. This guide shows step by step how to set up time-based group membership with Windows PowerShell.

Preparation

First, make sure your forest is running at the Windows Server 2016 forest functional level. All domain controllers must run Windows Server 2016 and the forest mode must be set to Windows Server 2016; otherwise you can't use this new feature.

To check the current forest mode, run:

(Get-ADForestMode).ForestMode

If your forest mode is lower than Windows Server 2016 but all domain controllers are already running Windows Server 2016, you can raise the forest mode to Windows Server 2016.

This example raises the forest mode of the forest pagr.inet:

Set-ADForestMode -ForestMode Windows2016Forest -Identity pagr.inet

Enabling the Privileged Access Management Feature

Run the following command to enable the Privileged Access Management Feature. Pay attention to the Target parameter: provide your own forest name there.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target pagr.inet


Configuring Time based Group Membership

Let's continue. Now I will add the user Herbert to the Admins group, but only for five minutes.

Add-ADGroupMember -Identity 'Admins' -Members 'Herbert' -MemberTimeToLive (New-TimeSpan -Minutes 5)


The remaining time-to-live of Herbert's membership can be retrieved by running Get-ADGroup with the -ShowMemberTimeToLive switch.

Get-ADGroup Admins -Properties Member -ShowMemberTimeToLive
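The steps above, combined into one script as an added example (this is not code from the original post). It assumes the ActiveDirectory module is loaded and reuses the post's forest name pagr.inet, group Admins and user Herbert; the checks before each step, the Get-ADForest call and the TTL parsing are my additions. Two caveats worth building in: Enable-ADOptionalFeature is irreversible and fails if the feature is already enabled, so the script tests EnabledScopes first, and with -ShowMemberTimeToLive each expiring member comes back as the string <TTL=seconds>,<distinguishedName>, while permanent members are returned as plain distinguished names.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory module
# and the forest/group/user names used in the post; change them for your environment.
Import-Module ActiveDirectory

$Forest = 'pagr.inet'
$Group  = 'Admins'
$User   = 'Herbert'
$Ttl    = New-TimeSpan -Minutes 5

# 1. Time-based membership requires the Windows Server 2016 forest functional level.
$mode = (Get-ADForest -Identity $Forest).ForestMode
if ($mode -ne 'Windows2016Forest') {
    throw "Forest mode is '$mode'; Windows2016Forest is required for time-based group membership."
}

# 2. Enable the optional feature only if it is not enabled yet. Enabling it is a
#    one-way change, so confirm the scope before running this on a production forest.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $Forest
}

# 3. Add the member with a time-to-live; AD removes the membership automatically.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl

# 4. Read back the remaining TTL. Expiring members are returned as
#    '<TTL=seconds>,CN=...'; permanent members have no prefix.
function Get-ExpiringMember {
    param([string]$GroupName)
    $members = (Get-ADGroup -Identity $GroupName -Properties Member -ShowMemberTimeToLive).Member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{
                Member      = $Matches[2]
                SecondsLeft = [int]$Matches[1]
                ExpiresAt   = (Get-Date).AddSeconds([int]$Matches[1])
            }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; ExpiresAt = $null }
        }
    }
}

Get-ExpiringMember -GroupName $Group | Format-Table -AutoSize
```

Running the script a second time within the five minutes shows the SecondsLeft counter decreasing; once it reaches zero the entry disappears from the member list without any cleanup job. Note that a plain Get-ADGroupMember call lists Herbert like any other member and gives no hint that the membership is temporary, so audits of privileged groups should use the -ShowMemberTimeToLive output shown here.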


WHOIS

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!

Patrick Gruenauer