Temporary Group Membership in WS2016 Active Directory


Along with the new functionality of Windows Server 2016, another essential element of any domain administrator — Active Directory — has been updated with some very important and great features. One of the updates that aims to improve the environment’s protection against external and internal threats to accounts is called privileged access management (PAM). This functionality is based on the idea of Just Enough Administration (JEA), which is a security technology that allows the delegation of administration rights with the help of PowerShell.

The idea is to grant the administration rights only for a certain period. With PAM, we can set the time limit on a group membership by setting a Time to Live (TTL) value. In other words: You can add a user to a group that will be active for a limited time only. This comes in handy in situations when you need to grant access to your AD environment to a third party or to help desk personnel who are troubleshooting problems in the environment but don’t need elevated permissions on a permanent basis. And it’s only logical to limit the time they have the access rather than do the manual clean-up after they’re done, which is doomed to be forgotten.

Let’s dive into the procedure. Be aware that, as with Active Directory Recycle Bin, this function is not enabled by default and once enabled, you can’t turn it off.

To enable PAM, we need to ensure that the forest functional level is at Windows Server 2016. You can do so like this:

Get the Active Directory Forest functional level
Get the Active Directory Domain functional level
(Get-ADDomain) .DomainMode
Get the Active Directory Domain suffix:
Get-ADDomain | Select-Object DNSRoot | fl
Enable "Privileged Access Management Feature"
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target SYSADMIT.lab
Check "Privileged Access Management Feature" status:
Get-ADOptionalFeature -filter {name -like "Privileged*"}

If we try to activate this feature with a lower forest functional level than Windows Server 2016, we will get the error (see Figure 1).

Figure 1: The error message in case of a wrong forest functionality level

To increase the functional level of both the domain and the forest, there are several tools that we can use:

  1.  Active Directory Domains and Trusts (domain.msc) — We can find this tool starting from Windows Server 2000.
  2.  Active Directory Administrative Center (dsac.exe) — We can find this tool from starting from Windows Server 2008 R2.
  3. PowerShell (Active Directory Module).

Since we’re on Windows Server 2016, we will use PowerShell to increase the domain and forest functional level.

In the example, the name of the DC is S1 and the domain is SYSADMIT.lab.

Raise the Domain Functional Level to Windows Server 2016:
Set-ADDomainMode -identity S1.SYSADMIT.lab -DomainMode Windows2016
Raise the Forest Functional Level to Windows Server 2016:
$ Forest = Get-ADForest
Set-ADForestMode -Identity $ Forest -Server $ Forest.SchemaMaster -ForestMode Windows2016

Helpful things to know:

  • To enable the PAM feature, you only need to raise the forest functional level to Windows Server 2016, but not the domain functional level.
  • As a rule, Active Directory functional levels cannot be reversed. The exception would be Windows Server 2008 R2 where the forest functional level can be reversed back to 2008 level if the Recycle Bin hasn’t been enabled. In case of 2016, this operation would be irreversible.
  • Special attention is required when raising a functional level for applications like Exchange Server. Each version of Exchange Server requires a specific functional level.

To run a quick test of the temporary group membership, we will create a group and a user who we will add to that group by setting a TTL value.

Add AD User (in the example, the username is: Xavi)
New-ADUser -Name "Xavi" -UserPrincipalName Xavi@SYSADMIT.lab
Set AD user password:
Set-ADAccountPassword -Identity "Xavi"
Add AD global group (in the example, the group name is: Temp-MemberShip)
New-ADGroup -name "Temp-MemberShip" -groupscope Global
Enable AD User:
Enable-ADAccount -Identity "Xavi"
Add the User “Xavi” into “Temp-MemberShip” only for 2 days:
$variable = New-TimeSpan -Days 2
Add-ADGroupMember -Identity "Temp-MemberShip" -Members Xavi -MemberTimeToLive $variable

That’s it! After two days, the user “Xavi” will no longer be a member of the group “Temp-MemberShip,” and no manual action is required.

You can check the user group membership TTL value with the following command (see example in a Figure 2):

Get-ADGroup "Temp-MemberShip" -Property member -ShowMemberTimeToLive

Figure 2: Checking the TTL value

Read more:

Managing Hyper-V with PowerShell

How to use PowerShell and PowerShell cmdlets

Get 30 days trial of Veeam Backup & Replication now

About the author
VeeamVeeam Logo
Xavier Genestós (vExpert) is a sysadmin and author of several IT books, most notably the first Windows Server 2016 book to be written in Spanish. He’s also an IT Trainer and blogger at www.SYSADMIT.com