With Windows Server 2016 there is a new feature called the Privileged Access Management Feature. It is only available in Active Directory environments running Windows Server 2016 Forest Mode. This guide shows step by step how to set up time-based group membership with Windows PowerShell.
First, make sure your domain is running Windows Server 2016 Forest Mode. All Domain Controllers must run Windows Server 2016 and the Forest Mode must be set to Windows Server 2016 Forest. Otherwise you can't use this new feature.
To check the current forest mode, run:
If your forest mode is lower than Windows Server 2016 but all Domain Controllers are already running Windows Server 2016, you can raise your Forest Mode to W2k16.
This example changes the forest mode of the forest pagr.inet:
Set-ADForestMode -ForestMode Windows2016Forest -Identity pagr.inet
Enabling the Privileged Access Management Feature
Run the following command to enable the Privileged Access Management Feature. Pay attention to the parameter Target. Provide your forest name there.
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target pagr.inet
Configuring Time based Group Membership
Let's continue. Now I will add the user Herbert to the Admins group, but only for five minutes.
Add-ADGroupMember -Identity 'Admins' -Members 'Herbert' -MemberTimeToLive (New-TimeSpan -Minutes 5)
The remaining time-to-live value for Herbert can be retrieved with Get-ADGroup by adding the -ShowMemberTimeToLive switch:
Get-ADGroup Admins -Properties Member -ShowMemberTimeToLive
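The whole procedure above (prerequisite check, enabling the feature, adding a time-bound member, reading the remaining TTL back) as one script. This is an added example, not code from the original guide; it uses the forest name pagr.inet, the group Admins and the user Herbert from the guide, and the helper function names Test-PamPrerequisite and Get-TimedGroupMember are my own. It assumes the ActiveDirectory module from Windows Server 2016 RSAT and an account with Enterprise Admin rights for the enable step.

```powershell
# Added example (not from the original guide): end-to-end time-based group membership.
# Assumed values: forest pagr.inet, group Admins, user Herbert, TTL of five minutes.
Import-Module ActiveDirectory

$forestName = 'pagr.inet'
$groupName  = 'Admins'
$userName   = 'Herbert'
$ttl        = New-TimeSpan -Minutes 5

# Step 1: the feature needs Windows Server 2016 Forest Mode and only 2016-or-newer DCs.
function Test-PamPrerequisite {
    param([string]$Forest)
    $f = Get-ADForest -Identity $Forest
    # OperatingSystemVersion looks like "10.0 (14393)"; Server 2016 is the first 10.x release.
    $oldDCs = Get-ADDomainController -Filter * |
        Where-Object { [int](($_.OperatingSystemVersion -split '\.')[0]) -lt 10 }
    [pscustomobject]@{
        ForestMode    = $f.ForestMode
        ForestModeOk  = ($f.ForestMode -eq 'Windows2016Forest')
        OlderDCs      = @($oldDCs | Select-Object -ExpandProperty HostName)
    }
}

$check = Test-PamPrerequisite -Forest $forestName
if ($check.OlderDCs.Count -gt 0) {
    throw "Domain controllers below Windows Server 2016 found: $($check.OlderDCs -join ', ')"
}
if (-not $check.ForestModeOk) {
    # All DCs are new enough, so the forest mode can be raised (this is what the guide does).
    Set-ADForestMode -ForestMode Windows2016Forest -Identity $forestName -Confirm:$false
}

# Step 2: enable the optional feature once. Enabling it is irreversible, so check first.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# Step 3: add Herbert with a member TTL instead of a permanent membership.
Add-ADGroupMember -Identity $groupName -Members $userName -MemberTimeToLive $ttl

# Step 4: read the membership back. With -ShowMemberTimeToLive, timed members are
# returned as "<TTL=<seconds>,<DN>>" while permanent members are plain DNs.
function Get-TimedGroupMember {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties Member -ShowMemberTimeToLive
    foreach ($m in $g.Member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; RemainingSeconds = [int]$Matches[1]; Permanent = $false }
        } else {
            [pscustomobject]@{ Member = $m; RemainingSeconds = $null; Permanent = $true }
        }
    }
}

# Permanent members of a privileged group are the ones worth reviewing; timed ones expire on their own.
Get-TimedGroupMember -Group $groupName | Sort-Object Permanent, RemainingSeconds | Format-Table -AutoSize
```

Once the TTL runs out, the domain controller removes the link itself; no scheduled task or manual cleanup is needed. Kerberos tickets issued to a timed member are also limited to the lowest remaining TTL of that user's group memberships, so the access really ends when the TTL does rather than at the next logon. Run Get-TimedGroupMember periodically against your privileged groups to spot members that were added permanently instead of with a TTL.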