What is time based group membership ? In new AD DS 2016 allows administrators to assign temporally group membership which is expressed by TTL (Time-To-Live) value. This value will add to the Kerberos ticket. This also called as “Expiring-Link” feature. When user assign to a temporally group membership, his login Kerberos ticket granting ticket (TGT) life time will be equal to lowest TTL value he has.
This feature is not enabled by default. The reason for that is, to use this feature the forest function level must be windows server 2016. Also, once this feature is enabled, it cannot be disabled.
Let’s see how it works.
Time Based Group Membership Testing
Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target rebeladmin.com
Rebeladmin.com can be replaced with your FQDN.
I have a user called Peter which I need to assign Domain Admin group membership for 15 minutes.
Get-ADGroupMember “Domain Admins” will list the current member of domain admin group.
Next step is to add the peter to the domain admin group for 15 minutes.
Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘peter’ -MemberTimeToLive (New-TimeSpan -Minutes 15)
Once its run, we can verify the TTL value remaining for the time based group membership using,
Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive
Once I log in as the user and list the Kerberos ticket it shows the renew time with less than 15 minutes as I log in as user after few minutes of granting.
Once the TGT renewal come the user will no longer be member of domain admin group.
hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com
Very useful, thanks for posting