Tag Archives: Active Directory 2016

Time Based Group Membership – AD DS 2016

In new AD DS 2016 allows administrators to assign temporally group membership which is expressed by TTL (Time-To-Live) value. This value will add to the Kerberos ticket. This also called as “Expiring-Link” feature. When user assign to a temporally group membership, his login Kerberos ticket granting ticket (TGT) life time will be equal to lowest TTL value he has. 

This feature is not enabled by default. The reason for that is, to use this feature the forest function level must be windows server 2016. Also, once this feature is enabled, it cannot be disabled. 

Let’s see how it works

Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target rebeladmin.com

tg2

Rebeladmin.com can be replaced with your FQDN.

I have a user called Peter which I need to assign Domain Admin group membership for 15 minutes.

Get-ADGroupMember “Domain Admins” will list the current member of domain admin group. 

tg1

Next step is to add the peter to the domain admin group for 15 minutes.

Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘peter’ -MemberTimeToLive (New-TimeSpan -Minutes 15)

tg3

Once its run, we can verify the TTL value remaining for the group membership using,

Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive

tg4

Once I log in as the user and list the Kerberos ticket it shows the renew time with less than 15 minutes as I log in as user after few minutes of granting.

tg5

Once the TGT renewal come the user will no longer be member of domain admin group. 

hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com