A few weeks ago, I talked to a customer who told me about this feature, so thanks to Kristian for the hint. I had always struggled with this requirement because you need to store a date in “some” place, query that value, and then remove the user from the group.
Kristian told me that this has been a built-in feature since Windows Server 2016 🙂
So let’s see the Details.
Since Windows Server 2016, there is an additional Active Directory optional feature called “Privileged Access Management Feature.”
But that feature is not enabled automatically, so let’s see what we need.
First, make sure your Active Directory forest functional level is at least Windows Server 2016.
Next, we need to check whether the feature is enabled, so run the following command.
Get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"
As you can see above, the property “EnabledScopes” is empty, so the feature is not enabled.
Run the following command to enable the feature. Replace the target “domain.local” with your own forest root domain. Note that once this optional feature is enabled, it cannot be disabled again.
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target domain.local
Now let’s run the command from above again, and you should see a value in “EnabledScopes”.
Now we can run the following script to add a user to a group for 5 minutes. The membership is removed by the domain controller itself when the time-to-live expires; no scheduled task is needed.
$User = "seidlm"
$Group = "TTLGroup"
$ttl = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
To check the group membership, run the following command to see the seconds left for which the user is still a member of that group.
Get-ADGroup $Group -Property member -ShowMemberTimeToLive
Here you can see that the user will be removed as a member after 294 seconds.
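The following script is an added example and not code from the original post. It puts the steps above together: it refuses to continue if the PAM optional feature is not enabled (instead of silently enabling something that cannot be undone), adds the member with a time-to-live, and then parses the “<TTL=seconds,DN>” values that Get-ADGroup returns with -ShowMemberTimeToLive into objects you can log or alert on. The user and group names are placeholders, and the script assumes the ActiveDirectory module is installed and the account running it may modify the group.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# RSAT module and rights to modify $Group. Names are placeholders.
Import-Module ActiveDirectory

$User  = 'seidlm'     # placeholder sAMAccountName
$Group = 'TTLGroup'   # placeholder group name

# 1. Verify the forest-wide optional feature is on. Enabling it is a
#    one-way change, so this script only checks and stops if it is off.
$feature = Get-ADOptionalFeature -Filter "name -eq 'Privileged Access Management Feature'"
if (-not $feature -or -not $feature.EnabledScopes) {
    throw "The Privileged Access Management optional feature is not enabled in this forest."
}

# 2. Add the user for 5 minutes. The DC removes the link when the TTL expires.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes 5)

# 3. Read back the remaining TTL for every temporary member of a group.
#    With -ShowMemberTimeToLive, temporary members come back as
#    '<TTL=<seconds>,<distinguishedName>>'; permanent members have no prefix.
function Get-TemporaryGroupMember {
    param([Parameter(Mandatory)][string]$Identity)

    $g = Get-ADGroup -Identity $Identity -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{
                Group            = $g.Name
                MemberDN         = $Matches[2]
                SecondsRemaining = [int]$Matches[1]
                ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
            }
        }
    }
}

Get-TemporaryGroupMember -Identity $Group | Format-Table -AutoSize
```

Two things worth knowing when you rely on this for privileged groups: a plain Get-ADGroupMember or Get-ADGroup without -ShowMemberTimeToLive shows the temporary member like any other, so use the TTL-aware query when auditing who is currently elevated; and once the feature is enabled, Kerberos tickets issued to a user with a time-bound membership are capped at the shortest remaining TTL, which is what makes the removal take effect without waiting for the normal ticket lifetime to run out.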
Time-Based Group Membership as Self Service with au2mator
With the au2mator Self Service Portal, you can create a service and delegate the task of temporarily adding an Active Directory user to a group.
More Details: www.au2mator.com
Michael Seidl aka Techguy