Privileged Access Management

One of my favorite new features of AD 2016 is Privileged Access Management.

This feature allows you to add a user to a global group for a set amount of time. This will be useful for temporary rights to the RDP or local administrator groups on servers.

Using the -MemberTimeToLive parameter we are able to add a time to live to the user's group membership. Once the time to live expires, the group membership is no longer valid: the Kerberos ticket issued for it cannot be renewed past that point and becomes invalid.

# Add tstuser to TESTGroup1 for 15 minutes
$Time = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity "TESTGroup1" -Members "tstuser" -MemberTimeToLive $Time

# The same call using splatting, with a 15-day membership
$TTL = @{
    Identity         = "TESTGroup1"
    Members          = "tstuser"
    MemberTimeToLive = (New-TimeSpan -Days 15)
}
Add-ADGroupMember @TTL

This feature can become very useful very fast.

In the past I was accomplishing this by creating a scheduled task to add a user to a global group that gave them permission on a server, and a second scheduled task to take them out of the group. For example… A developer needs local admin rights on a server to install their widget. So you tell them they can have local admin privileges for 5 days but no longer. So you add them to the group, and 5 days later you remove them. Now you don’t have to do that work manually. You can just use the -MemberTimeToLive parameter, give it a time span of 5 days, and go on about the rest of your day.

But now you may be asking how you can verify all of this. We have to use the Get-ADGroup command and specify the -ShowMemberTimeToLive parameter.

(Get-ADGroup "TESTGroup1" -Properties member -ShowMemberTimeToLive).member

The remaining TTL is shown as a prefix on the Test User entry. This is displayed in seconds.
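To tie the grant and the verification steps above together, here is an added example (not code from the original post) that wraps both in functions. It assumes the ActiveDirectory module from Windows Server 2016 or RSAT, a caller with rights to modify the group, and that the output of -ShowMemberTimeToLive prefixes each time-limited member with <TTL=seconds>, as the post describes. The group and user names are placeholders. It also adds the check a practitioner wants before relying on this: -MemberTimeToLive is silently ignored unless the 'Privileged Access Management Feature' optional feature is enabled for the forest, which would leave the membership permanent.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Windows Server 2016 / RSAT) and a caller allowed to modify the target group.
# Group and user names below are placeholders.
Import-Module ActiveDirectory

function Test-PamFeatureEnabled {
    # The TTL only takes effect once the optional feature is enabled forest-wide:
    #   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    #       -Scope ForestOrConfigurationSet -Target (Get-ADForest)
    # Enabling it is one-way, so it is checked here rather than done automatically.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Grant-TemporaryGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [timespan] $Duration
    )
    if (-not (Test-PamFeatureEnabled)) {
        # Without the feature, Add-ADGroupMember would create a permanent membership.
        throw "Privileged Access Management Feature is not enabled in this forest; refusing to add a permanent member."
    }
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Duration
}

function Get-GroupMemberTtl {
    # Parses the '<TTL=seconds>,<member DN>' strings that -ShowMemberTimeToLive
    # produces for time-limited members. Members without a TTL have no prefix.
    param([Parameter(Mandatory)] [string] $Group)
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Member     = $Matches[2]
                TtlSeconds = $seconds
                Expires    = (Get-Date).AddSeconds($seconds)
            }
        }
        else {
            # Permanent member: worth flagging when auditing a privileged group.
            [pscustomobject]@{ Member = $m; TtlSeconds = $null; Expires = $null }
        }
    }
}

# Usage (placeholder names): five days of access for a developer, then verify.
Grant-TemporaryGroupMembership -Group 'TESTGroup1' -User 'tstuser' -Duration (New-TimeSpan -Days 5)
Get-GroupMemberTtl -Group 'TESTGroup1' | Format-Table -AutoSize
```

Get-GroupMemberTtl returns every member with either its remaining seconds or a null TTL, so running it over a privileged group doubles as a quick audit of which memberships are permanent and which will expire on their own.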

I hope you find this as useful as I have.