Windows Server 2016: Short-Lived Active Directory Group Membership
In today’s Ask the Admin, I’ll show you how to temporarily add users to Active Directory groups.
The Just-in-Time (JIT) administration model was introduced in Windows Server 2016 and allows system administrators to grant users privileges for a limited period of time. Adding to PowerShell Just-Enough-Administration (JEA), which restricts users to a pre-defined list of cmdlets, parameters, and modules in a PowerShell session, the JIT model has two objectives. The first is to prevent privilege creep where users are granted elevated privileges for much longer than necessary or indefinitely. And secondly, to avoid permanently assigning privileges that might only be required for short periods of time.
The ability to add users to groups with a time-to-live (TTL) value is a feature of the JIT model. This can be useful in scenarios where you do not have the resources to set up Microsoft’s recommended infrastructure for JIT administration but would still like to benefit from short-lived Active Directory (AD) group membership.
For more information on PAM in Windows Server 2016 and Microsoft’s recommendations for implementing JIT administration, see Windows Server vNext Privileged Access Management on the Petri IT Knowledgebase.
Use Short-Lived Active Directory Group Membership
I am not going to show you how to set up a Privileged Identity Management (PIM) trust or how to configure Shadow Principals but just how to add users to AD groups and have them automatically removed after some time.
Before you can use short-lived AD groups, you need to enable Privileged Access Management, which is an optional AD feature. The changes made to your domain when you add the PAM feature are irreversible. The PAM feature is designed to be used in bastion domains and not production domains, so you should decide whether you want to add it to your production domain.
Log in to a domain controller using an account that has permission to change the AD schema. Replace ad.contoso.com with the name of the domain you want to update.
Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target ad.contoso.com
Now let’s add an account to the Account Operators group with a TTL of 15 minutes. Replace russells with the name of the AD account you want to add to the group.
$Time = New-TimeSpan -Minutes 15 Add-ADGroupMember -Identity ‘Account Operators’ -Members russells -MemberTimeToLive $Time
To see whether the account was added, we can use Get-ADGroup to show the group members and their associated TTL values:
Get-ADGroup ‘Account Operators’ -Property member –ShowMemberTimeToLive
Note that the member property of the returned object shows the group members and their TTL values. In my domain, Account Operators only has one member. The TTL value is shown in seconds. If you run Get-ADGroup again after 15 minutes, you will see that the user account you added to Account Operators will have been removed.
Be aware that adding an account to special AD groups, like Account Operators, might cause the adminCount attribute for the user account to be changed to 1 if the account is in the group long enough for the AdminSDHolder mechanism to make the account a protected object. When the account is removed from the group, the adminCount attribute remains set to 1.
More in Windows Server
Microsoft to Fix Windows Bug Breaking Wi-Fi hotspots After Installing Latest Patch Tuesday Update
Jun 17, 2022 | Rabia Noureen
Microsoft Confirms Windows Server Backup Issues in This Month's Patch Tuesday Updates
Jun 16, 2022 | Rabia Noureen
Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool
May 31, 2022 | Rabia Noureen
Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues
May 20, 2022 | Rabia Noureen
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Microsoft Confirms May 2022 Patch Tuesday Updates Cause AD Authentication Issues
May 12, 2022 | Rabia Noureen
Most popular on petri