Active Directory Expiring Links is new feature in Windows Server 2016 which enables time-bound group membership, expressed by a time-to-live (TTL) value. It allows administrators to assign temporally group membership. This feature is not enabled by default because it required forest function level must be Windows Server 2016. Also, once this feature is enabled, it cannot be disabled.
Open up PowerShell and execute the following command to enable time-bound feature in active directory.
Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target example.com
example.com should be replaced with your domain name.
Now, I have a user called Jhon which I need to assign Domain Admin group membership for 20 minutes
List the current member of domain admin group by executing the following command
Get-ADGroupMember “Domain Admins”
Next step is to add the Jhon to the domain admin group for 20 minutes.
Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘jhon’ -MemberTimeToLive (New-TimeSpan -Minutes 20)
Verify the TTL group membership for user Jhon with the following command
Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive
The group membership will automatically be expired after 20 minutes.
That's all for now.