In today's post, I will show you how to provide Active Directory user accounts with temporary group memberships in Windows Server 2016. To do this, we need to activate a feature called Privileged Access Management (PAM).

Enabling Privileged Access Management

You can verify the status of PAM with the following PowerShell command:

Get-ADOptionalFeature -filter {name -like "Privileged*"}

Verifying PAM status

If the EnabledScopes value is empty, PAM is not enabled. To enable it, use the command below and replace tim.petun with the DNS name of your forest root domain:

Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target tim.petun

Enabling PAM

After you confirm the prompt with Yes, you can verify that the feature is enabled by running Get-ADOptionalFeature again.

Get-ADOptionalFeature -filter {name -like "Privileged*"}

Verifying that PAM is enabled
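As an added example (not code from the original post), the script below wraps the two commands above with the checks a practitioner usually wants before flipping this switch: the forest functional level must be Windows Server 2016 (PAM cannot be enabled below that), the session must run as an Enterprise Admin, and the enable step is skipped when EnabledScopes already contains the forest. Once enabled, the feature cannot be turned off again. The function names are my own; it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example, not from the original post: check PAM prerequisites, then enable
# the feature only if it is not already enabled. Assumes the ActiveDirectory module
# is available and the session runs as a member of Enterprise Admins.
Import-Module ActiveDirectory

function Test-PamPrerequisites {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest functional level is $($forest.ForestMode); PAM needs $required."
    }
    return $forest
}

function Enable-PamFeature {
    $forest  = Test-PamPrerequisites
    $feature = Get-ADOptionalFeature -Filter { Name -like "Privileged*" }

    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "PAM is already enabled in: $($feature.EnabledScopes -join ', ')"
        return $feature
    }

    # Same command as in the post. Enabling is one-way, so the cmdlet prompts for
    # confirmation; add -Confirm:$false only if you really want it unattended.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name

    # Re-read so the returned object reflects the new scope.
    return Get-ADOptionalFeature -Filter { Name -like "Privileged*" }
}

Enable-PamFeature | Select-Object Name, EnabledScopes
```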

Assigning temporary group membership

Let's see if we can assign a temporary group membership. In my example, I want to add a user called Petun to the Account Operators group for 15 minutes.

$Time = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity "Account Operators" -Members Petun -MemberTimeToLive $Time

To verify the time Petun will be a member of the Account Operators, type in:

Get-ADGroup "Account Operators" -Properties member -ShowMemberTimeToLive

Verifying group membership

If you look at the values of the property member, you can see the TTL value in front of the user's member properties. In my example, this is:

<TTL=886>,CN=Petun,CN=Users,DC=tim,DC=petun

That means that Petun will be a member of the Account Operators group for another 886 seconds (the value is below 900 because a few seconds passed between Add-ADGroupMember and the query). After 886 seconds, his group membership expires. Kerberos tickets issued while the membership is active get a lifetime no longer than the remaining TTL, so they expire together with the membership.

After 15 minutes, you can use the same command to verify that Petun is no longer a member of the Account Operators group:

Get-ADGroup "Account Operators" -Properties member -ShowMemberTimeToLive

User account is no longer a group member
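The grant-and-verify steps above, as an added example that is not part of the original post: one function wraps Add-ADGroupMember with a TTL, and a second one reads the member attribute with -ShowMemberTimeToLive and parses the <TTL=n> prefix into seconds remaining and an absolute expiry time, so that permanent and temporary members can be told apart in one listing. Function names are my own; the group and user are the post's.

```powershell
# Added example, not from the original post: grant a TTL-limited membership and
# report which members of the group are temporary and when they expire.
Import-Module ActiveDirectory

function Add-TemporaryGroupMember {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [Parameter(Mandatory)][int]$Minutes
    )
    $ttl = New-TimeSpan -Minutes $Minutes
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $ttl
}

function Get-GroupMembersWithTtl {
    param([Parameter(Mandatory)][string]$Group)

    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        # Temporary members are returned as "<TTL=886>,CN=Petun,CN=Users,DC=tim,DC=petun".
        if ($entry -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Member      = $Matches[2]
                Temporary   = $true
                SecondsLeft = $seconds
                ExpiresAt   = (Get-Date).AddSeconds($seconds)
            }
        } else {
            # No prefix: a permanent member.
            [pscustomobject]@{
                Member      = $entry
                Temporary   = $false
                SecondsLeft = $null
                ExpiresAt   = $null
            }
        }
    }
}

Add-TemporaryGroupMember -Group 'Account Operators' -Member 'Petun' -Minutes 15
Get-GroupMembersWithTtl -Group 'Account Operators' | Format-Table -AutoSize
```

Run Get-GroupMembersWithTtl again after the expiry time to confirm the entry is gone; the listing is also a convenient input for a periodic check that no temporary membership has been granted with an unexpectedly long TTL.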

If you assign temporary access to an admin group like Account Operators, remember to reset the user's adminCount attribute afterward.

Note: If Petun is an Exchange user who uses ActiveSync, open Active Directory Users and Computers (ADUC), navigate to the account, and clear the "adminCount" attribute.


Clearing adminCount

If you don't do this, ActiveSync won't work properly for that user because of this value.
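The cleanup above, scripted, as an added example that is not from the original post. Account Operators is one of the groups protected by AdminSDHolder: the SDProp process stamps adminCount=1 on each member and disables ACL inheritance on the object, and letting the membership expire does not undo either change. The function therefore clears adminCount, restores inheritance, and first checks that the user is not still in another protected group, because SDProp (which runs hourly) would otherwise set the attribute right back. The function name is my own; it assumes the ActiveDirectory module is loaded, which also provides the AD: drive.

```powershell
# Added example, not from the original post: clear adminCount and restore ACL
# inheritance on a user whose temporary membership in a protected group has expired.
# Assumes the ActiveDirectory module is loaded (it provides the AD: drive).
Import-Module ActiveDirectory

function Reset-AdminCount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # If the user is still in another protected group, SDProp would simply set
    # adminCount=1 again within the hour, so report that and stop.
    $stillProtected = Get-ADPrincipalGroupMembership -Identity $user |
        ForEach-Object { Get-ADGroup -Identity $_ -Properties adminCount } |
        Where-Object { $_.adminCount -eq 1 }
    if ($stillProtected) {
        Write-Warning "$SamAccountName is still in protected group(s): $($stillProtected.Name -join ', ')"
        return
    }

    if ($user.adminCount) {
        Set-ADUser -Identity $user -Clear adminCount
    }

    # SDProp also switched off inheritance on the object; clearing the attribute in
    # ADUC does not restore that, so do it here. $true keeps the explicit ACEs.
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    Get-ADUser -Identity $user -Properties adminCount | Select-Object SamAccountName, adminCount
}

Reset-AdminCount -SamAccountName 'Petun'
```

Running this right after the TTL expires also gives you a simple audit hook: any user who still shows adminCount=1 but is in no protected group is one the cleanup missed.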

Scheduling temporary group membership

If you want to grant the access at a specific time, let's say at midnight, create a PowerShell script and schedule a task on the server by carrying out the following steps.

Save the following script as c:\admin\PetunTempMembership.ps1.

$Time = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity "Account Operators" -Members Petun -MemberTimeToLive $Time

Start the Task Scheduler located in Administrative Tools. Right-click on Task Scheduler and select Create Basic Task…


Create a basic task

On the "General" tab, type in a name for this task and click Next.


Naming the task

On the Trigger tab, select One time and click Next.


Task trigger

Enter the time and click Next.


Scheduling a task

On the Action tab, leave Start a program selected and click Next.


Configuring an action

For Program/script, type in "powershell" and in Add arguments, type in -File "c:\admin\PetunTempMembership.ps1" and click Next.


The program to start

On the last window, select Open the Properties dialog for this task when I click Finish and click Finish.


Finishing the task

Select Run whether user is logged on or not and click OK.

Task runs whether user is logged on or not

Enter your credentials and click OK.



Entering credentials
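The whole scheduling procedure above, done from PowerShell instead of the Create Basic Task wizard, as an added example that is not from the original post. It writes the two-line script to c:\admin\PetunTempMembership.ps1, creates a one-time trigger for the next midnight, and registers the task with stored credentials, which is what the wizard's "Run whether user is logged on or not" option does. The task name and the choice of next midnight are my assumptions; the account you enter at the Get-Credential prompt needs the right to change the group's membership, and the ScheduledTasks module (Windows Server 2012 and later) must be present.

```powershell
# Added example, not from the original post: the same one-time task the wizard
# creates, scripted with the ScheduledTasks module. Task name and run time are
# assumptions; the script body is the one from the post.
$scriptPath = 'c:\admin\PetunTempMembership.ps1'
$taskName   = 'Petun temporary membership'
$runAt      = (Get-Date).Date.AddDays(1)      # next midnight

# Write the script from the post to disk (single-quoted here-string: no expansion).
$scriptBody = @'
Import-Module ActiveDirectory
$Time = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity "Account Operators" -Members Petun -MemberTimeToLive $Time
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $scriptBody

# Program/script and Add arguments, as entered in the wizard.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At $runAt

# Supplying -User and -Password stores the credentials, which is what gives
# "Run whether user is logged on or not" in the task's properties.
$cred = Get-Credential -Message 'Account that will run the task (needs rights to modify the group)'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Confirm the task exists and when it will fire.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime
```

After the task has run, Get-ScheduledTaskInfo shows LastRunTime and LastTaskResult (0 on success), and Get-ADGroup with -ShowMemberTimeToLive confirms the TTL entry the same way as in the interactive example.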

4 Comments
  1. Brandon 6 years ago

    We can’t get this to work on our domain. I did a little research, but I just wanted confirmation that we need an Azure AD Premium license to activate the privileged access management feature.

  2. Author

    I think "On-Prem" you don't need it.

    • Brandon 6 years ago

      We have an on-prem setup, but we couldn’t get this feature to turn on. Do you know what sort of access level you need? I have domain admin credentials, but not enterprise admin. Would that make a difference?

  3. Jon 6 years ago

    Good Morning Tim,

    I'm reading up on enabling this and almost all articles state that a bastion forest is a requirement. Your article does not mention this, however.

    Can you give a quick summary on if the bastion forest is required or if that is for a different type of purpose?

    Thank you,

    Jon


© 4sysops 2006 - 2023
