In preparation for the upcoming release of Windows Server 2016, I have been reviewing many of the new features that will be coming.  One great new feature I came across is the ability to set group membership expiration.  With this feature, when you add a user to an Active Directory group you now have the ability to set an expiration on the membership.  This feature does require Active Directory to be running in Server 2016 functional levels.

Some use cases for this feature:

  • Temporary Administrator Privilege
  • Vendor and Contractor accounts
  • Temporary employees
  • Students can be expired at the end of an education term period

Once enabled, this feature is managed through PowerShell with the following cmdlets as shown in the following examples.

It’s easy to enable with PowerShell:
Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target

Now that you’ve done this, you can start setting time limits on group memberships directly. It’s so easy:
Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘InfoSecSvcAcct’ -MemberTimeToLive (New-TimeSpan -Days 5)

If you want to view the time remaining in a temporary group membership in real time:
Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive

Another interesting point from a security aspect was found in this article, when you add a temporary group membership like this, the domain controller will actually constrain the Kerberos TGT lifetime to the shortest TTL that the user currently has. What that means is that if a user account only has 5 minutes left in its Domain Admins membership when it logs on, the domain controller will give that account a TGT that’s only good for 5 more minutes before it has to be renewed, and when it is renewed, the PAC (privilege attribute certificate) will no longer contain that group membership!

Over the years, I have seen people try to accomplish this with scripts and other mechanisms.  A built-in feature like this is certainly welcomed.

Windows Server 2016 Blog Series

Innovative Integration is creating a whole series about Windows Server 2016 leading up to the September launch. To read other articles from this series, click here.

About Larry Taylor

Innovative helps you balance your business requirements, service levels, staff and infrastructure to make your IT as effective as possible. Larry Taylor is a Senior Solutions Consultant at Innovative with a focus on Microsoft technologies. Since 2002, Larry has been recommending, deploying, and providing support for organizations to align technology solutions with their business needs.

Leave a Reply

Innovative Integration can help you optimize your IT infrastructure. Request a Consultation