A cool new feature of Active Directory Domain Services on Windows Server 2016 is the ability for administrators to assign temporary group membership to users. The membership is expressed as a TTL (Time-To-Live) value stored on the group's member link, and the domain controller removes the member automatically once the TTL expires, so nobody has to remember to take the user out again.
When a user holds a temporary group membership, the lifetime of their Kerberos ticket-granting ticket (TGT) is capped at the lowest remaining TTL they have, so the ticket, and the group SID inside it, cannot outlive the membership. As with any group change, the user still needs a fresh TGT (a new logon, or klist purge) before the new group shows up in their token.
This feature is only available once your forest functional level is Windows Server 2016. It is disabled by default and, once enabled, cannot be disabled again, much like the Active Directory Recycle Bin.
Open an elevated PowerShell session that has the Active Directory module available and run the following, changing the target to match your forest name:
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target pixelrobots.co.uk
Let’s say I have a user called Ian and I need him to be a member of Domain Admins for 30 minutes, so he can install some software that requires domain admin permissions.
Let's check who is in Domain Admins first:
Get-ADGroupMember "Domain Admins"
The next command adds Ian to the Domain Admins group for 30 minutes. Change the parameters to fit your needs.
Add-ADGroupMember -Identity "Domain Admins" -Members "Ian" -MemberTimeToLive (New-TimeSpan -Minutes 30)
To verify the TTL on Ian's membership, read the group's member attribute with -ShowMemberTimeToLive. Temporary members are listed as <TTL=seconds,DN> and permanent members as a plain DN; a plain Get-ADGroupMember will list Ian but will not show the TTL.
Get-ADGroup "Domain Admins" -Property member -ShowMemberTimeToLive
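Putting the steps above together, here is an added example (not code from the original post) that checks the forest functional level, enables the feature only if it is not already on, grants the time-bound membership and then parses the remaining TTL back out of the member attribute. The forest name pixelrobots.co.uk, the user Ian and the 30-minute window are the post's values and are placeholders here; it assumes the ActiveDirectory RSAT module and an elevated session run by an enterprise admin.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# RSAT module, an elevated session run by an enterprise admin, and the
# placeholder names below (forest, user and window taken from the post).
Import-Module ActiveDirectory

$ForestName = 'pixelrobots.co.uk'   # assumption: your forest root domain
$User       = 'Ian'                 # assumption: sAMAccountName of the user
$Group      = 'Domain Admins'
$Window     = New-TimeSpan -Minutes 30

# 1. The feature requires the Windows Server 2016 forest functional level.
$forest = Get-ADForest -Identity $ForestName
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "Forest functional level is $($forest.ForestMode); Windows2016Forest is required."
}

# 2. Enabling is a one-way change, so look before you leap: EnabledScopes is
#    empty until the feature has been switched on.
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
    Write-Host "Enabled Privileged Access Management Feature in $ForestName"
}

# 3. Grant the time-bound membership. The TTL lives on the group's member
#    link; the DC drops the link when it reaches zero, no scheduled task needed.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Window

# 4. Read the TTL back. With -ShowMemberTimeToLive, temporary members appear
#    as "<TTL=<seconds>,<DN>>" and permanent members as a bare DN.
function Get-MemberTtl {
    param([string]$GroupName, [string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $members = (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -eq $dn) {
            return [pscustomobject]@{ Member = $dn; Permanent = $true; SecondsLeft = $null }
        }
        if ($m -match '^<TTL=(\d+),(.+)>$' -and $Matches[2] -eq $dn) {
            return [pscustomobject]@{ Member = $dn; Permanent = $false; SecondsLeft = [int]$Matches[1] }
        }
    }
    return $null   # not a member (or the TTL already expired and the link is gone)
}

$status = Get-MemberTtl -GroupName $Group -SamAccountName $User
if ($null -eq $status) {
    Write-Warning "$User is not a member of $Group"
} elseif ($status.Permanent) {
    Write-Warning "$User is a PERMANENT member of $Group; the TTL was not applied"
} else {
    $expires = (Get-Date).AddSeconds($status.SecondsLeft)
    Write-Host ("{0} leaves {1} in {2} (about {3:HH:mm:ss})" -f $User, $Group,
        (New-TimeSpan -Seconds $status.SecondsLeft), $expires)
}
```

The Permanent branch is the check worth keeping: if Ian was already a standing member of the group, the TTL does nothing and the membership will not expire on its own. Ian also still needs a new TGT (log off and on, or klist purge) before the Domain Admins SID appears in his token, and that TGT will be issued with a lifetime no longer than SecondsLeft.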
And that's it. Nice and easy. Hopefully this will help someone avoid forgetting to remove a user from a privileged group once the job is done.