Jan 14, 2017

Active Directory Time-bound Group Membership in Windows Server 2016


Active Directory Expiring Links is new feature in Windows Server 2016 which enables time-bound group membership, expressed by a time-to-live (TTL) value. It allows administrators to assign temporally group membership. This feature is not enabled by default because it required forest function level must be Windows Server 2016. Also, once this feature is enabled, it cannot be disabled. 






This article will guide you through the steps to enable active directory time-bound group membership in Windows Server 2016.

Open up PowerShell and execute the following command to enable time-bound feature in active directory.

Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target example.com

example.com should be replaced with your domain name.

Now, I have a user called Jhon which I need to assign Domain Admin group membership for 20 minutes

List the current member of domain admin group by executing the following command

Get-ADGroupMember “Domain Admins”

Next step is to add the Jhon to the domain admin group for 20 minutes.


Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘jhon’ -MemberTimeToLive (New-TimeSpan -Minutes 20)

Verify the TTL group membership for user Jhon with the following command


Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive

The group membership will automatically be expired after 20 minutes.


That's all for now.



2 comments:

  1. Nicholas PeterFebruary 04, 2017

    Finally Microsoft has introduced an excellent feature in active directory. Appreciating your guidelines.

    ReplyDelete
    Replies
    1. Microsoft still in learning phase....:-) you will see vast improvements in near future

      Delete

 
TECHNOCRACY © 2012-2017