Temporary Active Directory Group Membership



As you might have heard, Microsoft added quite a lot of new features in Windows Server 2016. Although Microsoft is still publishing documentation for Windows Server 2016 and has many things yet to reveal, it is perhaps not too soon to talk about and test the features that have already been introduced officially. One of the features that directly affects how we work with Active Directory is the so-called “group membership expiration”. Basically, it lets you define a period of time for which a given group membership is valid; after that time, Active Directory removes the membership automatically. Practically speaking, you can use this feature to grant specific privileges via group membership and reclaim them at a set time.


Assume that you are about to take a vacation and are considering a trustworthy employee to perform some limited routine tasks while you are away. In this case, certain privileges are given to that user through a temporary Active Directory group membership. But before Windows Server 2016, the word “temporary” was used to stress the importance of removing the privilege afterwards, not to refer to a feature or capability that enforces the removal automatically. Needless to say, the repercussions of forgetting or neglecting such extra privileges can be devastating as far as security is concerned.


How can we establish such a temporary group membership in Active Directory? Is it also possible to create other kinds of temporary Active Directory objects? Is it possible to create a temporary group membership on older versions of Windows Server? For starters, it is in fact possible to create such a makeshift object in older versions. In this article, we elaborate on these questions and provide the necessary commands.


The Old-Fashioned Way to Create Active Directory Temporary Group Membership


As I have mentioned earlier, it has indeed been possible to establish a temporary group membership in Active Directory since the days of Windows Server 2003. Interestingly, you can even make other kinds of temporary objects, such as user accounts and computer accounts, which are cleared once their lifetime ends. So, what is all the fuss about? Well, there are differences both in how an administrator creates such objects and in how Active Directory deals with them. First, let’s see how to create a temporary group membership on older versions of Windows Server.


If you have already embarked on the wasteful mission of looking for such a feature in the Active Directory Users and Computers (ADUC) GUI, the complete failure and waste of time will probably have disappointed you. There is nothing you can do in ADUC to create a temporary Active Directory object. You need a command-line utility called LDIFDE. Those who have imported or exported users in bulk will find the utility familiar. It allows you to create, modify and delete AD objects, extend the schema, import and export AD objects, and so on.


Using this utility, we can create dynamic AD objects, which were the cornerstone of temporary Active Directory group membership back in Windows Server 2003. Note that if ADUC could create a dynamic object, you would be able to create a temporary group membership without a command line; that gap still exists in Windows Server 2016.


First, open Notepad, write the following lines and save the file. You can also download the file here. The first line specifies the distinguished name of the object being created. The second line indicates that you want to create a group; it can be replaced by other object types, such as user or computer. The third line makes the object dynamic. The fourth line is the lifetime of the object in seconds, counted from the moment the object is created; note that 604800 seconds equals 7 days. Finally, the last line sets the SAM account name.

dn: cn=TemporaryPrivilegedGroup,ou=HR,dc=danapardaz,dc=net
objectClass: group
objectClass: dynamicObject
entryTTL: 604800
SAMAccountName: TemporaryPrivilegedGroup


Now use the following command to create the dynamic object, as in the figure below.

ldifde -i -f dynamicObject.txt


[Figure: active directory dynamic object]


Now, if you look at that OU in ADUC, you will see the object. It has an extra attribute that non-dynamic objects lack, called entryTTL, which shows how many seconds are left until the object is destroyed. You can now simply add a user account to this group and give the group the privileges you want the user to have temporarily. This is the old-school way to create a temporary Active Directory group membership, or in fact any temporary Active Directory object.


[Figure: active directory entry ttl of user object]
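The same five-line LDIF, generated and imported from PowerShell, with a read-back of entryTTL and an audit function that lists every dynamic object in the domain. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed, that ldifde.exe is on the path, and that the forest supports dynamic objects. The OU, group name and lifetime are placeholders.

```powershell
# Added example (not from the original article): create a dynamic (TTL-bearing) AD group
# with ldifde and read back its remaining lifetime. Assumes the ActiveDirectory module and
# ldifde.exe are available on the machine running it. Names below are placeholders.

function New-DynamicAdGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDn,   # e.g. 'ou=HR,dc=example,dc=net' (placeholder)
        [int] $LifetimeSeconds = 604800               # 7 days, as in the article
    )
    $dn = "cn=$Name,$ParentDn"
    # Build the same LDIF the article shows, in memory instead of in Notepad.
    $ldif = @(
        "dn: $dn",
        "objectClass: group",
        "objectClass: dynamicObject",
        "entryTTL: $LifetimeSeconds",
        "sAMAccountName: $Name"
    ) -join "`r`n"

    $file = Join-Path $env:TEMP 'dynamicObject.ldf'
    Set-Content -Path $file -Value $ldif -Encoding ASCII

    # -i = import mode, -f = input file (the same switches the article uses).
    & ldifde.exe -i -f $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }
    Remove-Item $file -Force
    return $dn
}

function Get-DynamicAdObjectTtl {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # entryTTL is a constructed attribute: it must be requested explicitly and counts
    # down toward the moment the domain controller garbage-collects the object.
    $obj = Get-ADObject -Identity $DistinguishedName -Properties entryTTL
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        IsDynamic         = ($null -ne $obj.entryTTL)
        SecondsRemaining  = $obj.entryTTL
        ExpiresAt         = if ($null -ne $obj.entryTTL) { (Get-Date).AddSeconds($obj.entryTTL) } else { $null }
    }
}

function Find-DynamicAdObject {
    # Audit helper: every object in the domain that carries the dynamicObject auxiliary
    # class, with how long it has left. Useful for spotting temporary privileged groups.
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' -Properties entryTTL |
        Select-Object DistinguishedName, ObjectClass, @{ n = 'SecondsRemaining'; e = { $_.entryTTL } }
}

# Usage (placeholder names):
$dn = New-DynamicAdGroup -Name 'TemporaryPrivilegedGroup' -ParentDn 'ou=HR,dc=example,dc=net'
Get-DynamicAdObjectTtl -DistinguishedName $dn
Find-DynamicAdObject | Format-Table -AutoSize
```

Two caveats for anyone relying on this older method: the expiry belongs to the group object, not to the membership, so a user who already holds a ticket containing the group's SID keeps that privilege until the ticket itself expires (the article's point about TGTs in the Windows Server 2016 section); and entryTTL is writable, so an administrator with rights on the object can extend the lifetime simply by setting a new value.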


Temporary Active Directory Group Membership in Windows Server 2016


One of the most important Active Directory features of Windows Server 2016 is called Privileged Access Management (PAM). PAM reinforces Active Directory security by granting administrative privileges to privileged users only temporarily, which limits, as far as possible, the ability of unprivileged users to steal administrative credentials and privileges. One of the capabilities that Windows Server 2016 provides for PAM is group membership expiration, or expiring links. Putting aside the technical details of what happens in the background, which are outside the scope of this article, the process is much the same: you still cannot create a temporary group membership or any other temporary object with ADUC or any built-in graphical tool. As before, you still have to execute commands, but this time in PowerShell. So why on earth bother learning a new command line that is not essentially any easier? Again, what you do to make a temporary object has not changed much, but what Active Directory does has.


First, open PowerShell and type Get-ADOptionalFeature. When you press Enter, the console prompts you for a filter; enter *. As shown below, a list of features is displayed, including two called Recycle Bin and Privileged Access Management. Recycle Bin is a useful feature that lets you restore deleted Active Directory objects as simply as possible. For now, we only need the PAM feature. Note that once you enable this feature, you cannot disable it on the domain. Additionally, you need the Windows Server 2016, or Windows Threshold, forest functional level to enable it. To enable PAM, use the following command with the name of your domain at the end of the command line:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target contoso.com


[Figure: server 2016 get adoptionalfeatures]


Now, if you execute Get-ADOptionalFeature again, you will see that the domain name is listed under EnabledScopes, as shown below. This confirms that PAM has been enabled successfully.


[Figure: enabled privileged access management get adoptionalfeatures]


Now, assume that we want to give the user j-harred domain admin privileges for 10 minutes. To do so, execute the following command, which is fairly self-explanatory:

Add-ADGroupMember -Identity 'Domain Admins' -Members 'j-harred' -MemberTimeToLive (New-TimeSpan -Minutes 10)


Using the following PowerShell command, you can also see the remaining time of each temporary Active Directory group membership:

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive


[Figure: active directory get adgroup expiring link]
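The two commands above, wrapped into a grant function and an audit function that separates expiring links from permanent members of a privileged group. This is an added example, not code from the original article; it assumes the ActiveDirectory module, a forest with the Privileged Access Management Feature enabled, and that -ShowMemberTimeToLive returns expiring links in the form <TTL=seconds,DN> (the format the cmdlet uses for expiring links). User and group names are placeholders.

```powershell
# Added example (not from the original article): grant a time-limited membership with the
# Windows Server 2016 expiring-links feature, then audit a privileged group for members
# that still have a TTL versus members that are permanent. Assumes the ActiveDirectory
# module and the 'Privileged Access Management Feature' enabled in the forest.
# User and group names are placeholders.

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $User,
        [int] $Minutes = 10
    )
    # Same call as in the article; the TTL is stored on the member link, not on the user
    # object, which is why ADUC shows a plain membership with no hint of an expiry.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

function Get-GroupMembershipTtl {
    param([Parameter(Mandatory)] [string] $Group)
    # With -ShowMemberTimeToLive, expiring links come back as '<TTL=<seconds>,<member DN>>';
    # permanent members come back as the bare DN.
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{
                Group            = $g.Name
                Member           = $Matches[2]
                SecondsRemaining = [int]$Matches[1]
                Permanent        = $false
            }
        }
        else {
            [pscustomobject]@{
                Group            = $g.Name
                Member           = $entry
                SecondsRemaining = $null
                Permanent        = $true
            }
        }
    }
}

function Get-PermanentPrivilegedMembers {
    # Audit helper: list members of the given groups that have no TTL at all. In an
    # environment that relies on expiring links, every permanent entry deserves a review.
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($grp in $Groups) {
        Get-GroupMembershipTtl -Group $grp | Where-Object { $_.Permanent }
    }
}

# Usage (placeholder names):
Grant-TemporaryGroupMembership -Group 'Domain Admins' -User 'j-harred' -Minutes 10
Get-GroupMembershipTtl -Group 'Domain Admins' | Sort-Object Permanent, SecondsRemaining | Format-Table -AutoSize
Get-PermanentPrivilegedMembers | Format-Table -AutoSize
```

On the user's side, running klist in the session shows the TGT's end time; with expiring links that time should not fall later than the membership's remaining TTL, which is the behaviour the article describes in the comparison below.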


If you open the j-harred user account in the ADUC GUI, you will notice that the user is now a member of the Domain Admins group. However, there seems to be no way in ADUC to tell that this group membership is temporary.


[Figure: temporary active directory group membership server 2016]


Awesome! You managed to do the seemingly same thing you used to do with a single command line, using a new PowerShell command. Not to mention that you were forced to raise your forest functional level to one that only supports Windows Server 2016. Great!


As I have mentioned earlier, there is not much difference in how you use the two methods: both require some commands to be executed. However, there is a huge change in the background that improves security. Simply put, if a user has 10 minutes left in a temporary group membership when they log on, the TGT (the ticket that carries the user’s privileges) issued for them is only valid for 10 minutes. After that, the user has to request a new TGT, and since Active Directory knows that the user is no longer in that group, the new TGT no longer carries that privilege. This does not happen with the older method.


Temporary Everything and Automatic Tasks


Can we create a temporary user object? Can we create a disabled user that will be enabled at a specific time? Can we move a user to another OU temporarily and have it moved back at a certain time in the future? Can we reset a user’s password temporarily and change it back after a certain time? Can we periodically delete all users who have been inactive for a month, at the beginning of each month? Well, you might be able to do a few of these tasks using the two methods described so far. But most of them are impossible to perform, and some can only be performed with advanced scripting.


The important point is that what Active Directory does to remove the temporary group is, in a broader sense, automation. However, fully functional automation is not implemented in Windows Server. Automation lets you run an arbitrary task at a specific time or even periodically. So, how can we reap the benefits of automation if Windows Server does not support it? You have no option but to use automation software. Active Directory is an extremely powerful and secure directory service. However, when it comes to the user interface, Windows Server is a mediocre solution: many routine or crucial tasks are either only feasible with scripting or PowerShell, or not possible at all, and automation, for instance, is not supported by Windows Server at all.


To see how to define automatic tasks, visit Active Directory automation.


Note that this is just one small new feature of Windows Server 2016. Privileged Access Management, the new shadow security principals and so on provide several incredible features that we will explain in our next articles. Although Microsoft keeps improving the background processes, the monotony of the built-in graphical tools, which fail to expose numerous features only available with PowerShell, is the most notorious deficiency of Windows Server.
