In preparation for the upcoming release of Windows Server 2016, I have been reviewing many of the new features that will be coming. One great new feature I came across is the ability to set group membership expiration. With this feature, when you add a user to an Active Directory group you now have the ability to set an expiration on the membership. This feature does require Active Directory to be running in Server 2016 functional levels.
Some use cases for this feature:
- Temporary Administrator Privilege
- Vendor and Contractor accounts
- Temporary employees
- Students can be expired at the end of an education term period
Once enabled, this feature is managed through PowerShell with the cmdlets shown in the following examples.
It’s easy to enable with PowerShell:
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target adatum.com
Now that you’ve done this, you can start setting time limits on group memberships directly. It’s so easy:
Add-ADGroupMember -Identity 'Domain Admins' -Members 'InfoSecSvcAcct' -MemberTimeToLive (New-TimeSpan -Days 5)
If you want to view the time remaining in a temporary group membership in real time:
Get-ADGroup 'Domain Admins' -Properties member -ShowMemberTimeToLive
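The three steps above, put together as one added example (my own script, not code from the original post): it checks whether the feature is already enabled before enabling it, grants the 5-day membership, and then parses the TTL-annotated member list so that temporary members and their remaining time can be reported. The forest, group and account names are the ones used in the post; the one-day reporting threshold and the Get-GroupMembershipTtl helper are my own assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# a session with rights to enable forest features and edit the group, and the
# adatum.com forest from the post.
Import-Module ActiveDirectory

$Forest = 'adatum.com'          # from the post
$Group  = 'Domain Admins'       # from the post
$User   = 'InfoSecSvcAcct'      # from the post

# 1. Enabling an optional feature is irreversible, so check first rather than
#    calling Enable-ADOptionalFeature unconditionally.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest
}

# 2. Grant the time-bound membership: 5 days, as in the post.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days 5)

# 3. Read the membership back. With -ShowMemberTimeToLive, temporary members come
#    back as '<TTL=<seconds>,<member DN>>' while permanent members are plain DNs,
#    so a small parser turns the list into objects we can sort and filter.
function Get-GroupMembershipTtl {
    param([Parameter(Mandatory)][string]$GroupName)   # hypothetical helper, assumed name

    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{
                Member    = $Matches[2]
                Temporary = $true
                ExpiresIn = [TimeSpan]::FromSeconds([int]$Matches[1])
            }
        } else {
            [pscustomobject]@{
                Member    = $entry
                Temporary = $false
                ExpiresIn = $null
            }
        }
    }
}

# 4. Report the group, and separately flag temporary members with less than a day
#    left (the one-day threshold is a constructed value for this example).
$members = Get-GroupMembershipTtl -GroupName $Group
$members |
    Sort-Object Temporary, ExpiresIn -Descending |
    Format-Table Member, Temporary,
        @{ Name = 'ExpiresIn'; Expression = { if ($_.ExpiresIn) { $_.ExpiresIn.ToString() } else { 'permanent' } } }

$expiringSoon = $members | Where-Object { $_.Temporary -and $_.ExpiresIn -lt (New-TimeSpan -Days 1) }
foreach ($m in $expiringSoon) {
    Write-Warning ("{0} leaves {1} in {2}" -f $m.Member, $Group, $m.ExpiresIn)
}
```

Running the report on a schedule gives a defender a simple audit trail of who holds temporary privileged membership and for how long, which is the information the raw `<TTL=...>` member strings make hard to read at a glance.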
Another interesting point from a security perspective, found in the same article: when you add a temporary group membership like this, the domain controller constrains the Kerberos TGT lifetime to the shortest TTL that the user currently has. What that means is that if a user account only has 5 minutes left in its Domain Admins membership when it logs on, the domain controller will issue that account a TGT that is only good for 5 more minutes before it has to be renewed, and when it is renewed, the PAC (Privilege Attribute Certificate) will no longer contain that group membership!
Over the years, I have seen people try to accomplish this with scripts and other mechanisms. A built-in feature like this is certainly welcomed.