In today's post, I will show you how to provide Active Directory user accounts with temporary (expiring) group memberships in Windows Server 2016. To do this, we need to activate an optional forest-level feature called Privileged Access Management (PAM). It is built into Active Directory Domain Services in Windows Server 2016 and adds time-bound group memberships to the domain controllers; no additional product or license is required for it.

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He holds the MCTS, MCITP, MCSA and MCPS certifications.

Enabling Privileged Access Management

You can verify the status of PAM with the Get-ADOptionalFeature PowerShell cmdlet, querying the optional feature named Privileged Access Management Feature:

Verifying PAM status

If the EnabledScopes value is empty, PAM is not enabled. To enable it, run Enable-ADOptionalFeature with the scope ForestOrConfigurationSet as shown below, replacing tim.petun with the DNS name of your forest root domain. Three things to know before you do: the feature requires a forest functional level of Windows Server 2016, the documented minimum permission to enable it is membership in Enterprise Admins, and, like the other forest-wide optional features, it cannot be disabled once it has been enabled.

Enabling PAM

After you click Yes, you can verify whether it's enabled by using Get-ADOptionalFeature again.

Verifying that PAM is enabled
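The whole check-and-enable sequence above as one script, added here as an example (this is not code from the original post). It assumes the forest root domain tim.petun from the post and that it runs as a member of Enterprise Admins on a Windows Server 2016 domain controller; the variable names are mine.

```powershell
# Added example, not code from the original post: check the prerequisites for the
# Privileged Access Management Feature and enable it only if it is still off.
# Assumes the forest root domain tim.petun from the post and that you run this as a
# member of Enterprise Admins on a Windows Server 2016 domain controller.
Import-Module ActiveDirectory

$featureName = "Privileged Access Management Feature"
$forest      = Get-ADForest

# The feature needs a forest functional level of Windows Server 2016 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

$pam = Get-ADOptionalFeature -Identity $featureName

# EnabledScopes is empty while the feature is off; once on, it lists the Partitions
# container of the configuration partition.
if ($pam.EnabledScopes.Count -gt 0) {
    Write-Host "PAM is already enabled in: $($pam.EnabledScopes -join ', ')"
}
else {
    # Forest-wide and irreversible: Microsoft documents that this feature cannot be
    # disabled once enabled, so the cmdlet's confirmation prompt is left in place
    # on purpose (answer Yes, as in the post).
    Enable-ADOptionalFeature -Identity $pam `
                             -Scope ForestOrConfigurationSet `
                             -Target $forest.RootDomain
}

# Re-read the feature; EnabledScopes should now be populated.
(Get-ADOptionalFeature -Identity $featureName).EnabledScopes
```

The functional-level check is there because Enable-ADOptionalFeature fails with a fairly generic error when the forest is still at a lower level; checking it first makes the failure obvious.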

Assigning temporary group membership

Let's assign a temporary group membership. In my example, I want to add a user called Petun to the Account Operators group for 15 minutes. This is done with Add-ADGroupMember and its -MemberTimeToLive parameter, which takes a TimeSpan for the lifetime of the membership.

To see how long Petun will remain a member of Account Operators, query the group's member attribute with Get-ADGroup and the -ShowMemberTimeToLive switch:

Verifying group membership

If you look at the values of the member property, you can see the TTL value prefixed to the user's distinguished name, in the form <TTL=seconds>,<DN>. In my example, the TTL was 886 seconds.

That means Petun will be a member of the Account Operators group for another 886 seconds (the 900 seconds I requested minus the time that had already passed when I ran the query). After 886 seconds, his group membership expires. Kerberos honours this as well: with the PAM feature enabled, the KDC limits the lifetime of the user's ticket-granting ticket to the lowest remaining TTL of his time-bound memberships, so the Account Operators SID does not linger in an already-issued ticket after the membership has expired.

After 15 minutes, run the same query again (or Get-ADGroupMember for the Account Operators group) to verify that Petun is no longer a member. The domain controller removes the expired link by itself; no cleanup of the membership is needed.

User account is no longer a group member
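The grant-and-inspect steps above as one script, added here as an example (not code from the original post). It assumes the user sAMAccountName Petun and the group Account Operators from the post; the helper function name is mine. It goes slightly beyond the post by turning the raw <TTL=...> strings into objects with an absolute expiry time, which is what you want when several people hold time-bound memberships in the same group.

```powershell
# Added example, not code from the original post: grant Petun a 15-minute membership
# in Account Operators, then read the remaining TTL of every member back from the
# group as objects rather than raw strings. Assumes the user sAMAccountName Petun
# and the group Account Operators from the post.
Import-Module ActiveDirectory

$group = "Account Operators"
$user  = "Petun"

# -MemberTimeToLive is what makes the link time-bound; without it this is a
# permanent membership like any other.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Minutes 15)

function Get-GroupMemberTtl {
    param([Parameter(Mandatory)][string]$GroupName)

    # With -ShowMemberTimeToLive, time-bound entries in the member attribute come back
    # as "<TTL=886>,CN=Petun,OU=...,DC=tim,DC=petun"; permanent members have no prefix.
    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive

    foreach ($value in $g.member) {
        if ($value -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Member     = $Matches[2]
                TtlSeconds = $seconds
                ExpiresAt  = (Get-Date).AddSeconds($seconds)
            }
        }
        else {
            # Permanent member: no TTL, no expiry.
            [pscustomobject]@{ Member = $value; TtlSeconds = $null; ExpiresAt = $null }
        }
    }
}

# Run it now and again after the TTL has elapsed: Petun's line disappears on its own.
Get-GroupMemberTtl -GroupName $group | Sort-Object TtlSeconds | Format-Table -AutoSize
```

The TTL returned is what the domain controller you are talking to has stored; because the forest functional level requirement guarantees that every domain controller runs Windows Server 2016, all of them will expire the link at the same point.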

If you assign temporary access to a protected admin group like Account Operators, remember to reset adminCount afterwards. While Petun was a member, the SDProp process (which runs every 60 minutes by default) stamped his account with adminCount=1, replaced its ACL with the one from AdminSDHolder and disabled inheritance; none of this is undone when the membership expires. If the membership was shorter than SDProp's interval, the account may not have been touched at all, so check the attribute before you change anything.

Note: If Petun is an Exchange user who uses ActiveSync, open Active Directory Users and Computers (ADUC) with Advanced Features enabled, navigate to the account and clear adminCount on the Attribute Editor tab. Then, on the Security tab, click Advanced and re-enable inheritance.

Clearing adminCount

If you don't do this, ActiveSync won't work properly: Exchange relies on permissions inherited on the user object, and the protected ACL that SDProp applied no longer grants them.
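The same cleanup from PowerShell, added here as an example (not code from the original post). It assumes the user Petun from the post; the function name is mine. It clears adminCount and re-enables inheritance on the object's security descriptor in one go, and reports the state afterwards so you can confirm the account is really out of the protected group before SDProp's next run.

```powershell
# Added example, not code from the original post: undo what SDProp left behind on a
# user whose time-bound membership in a protected group has expired. SDProp stamps
# adminCount=1 and disables ACL inheritance on protected accounts and reverts
# neither when the membership ends. Assumes the user Petun from the post.
Import-Module ActiveDirectory

function Reset-ProtectedUserMarkers {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\$($user.DistinguishedName)"   # AD: drive comes with the module
    $acl  = Get-Acl -Path $path

    # 1. Clear adminCount; a non-zero value marks the account as "protected" for
    #    Exchange and other tooling.
    if ($user.adminCount) {
        Set-ADUser -Identity $user -Clear adminCount
    }

    # 2. Re-enable inheritance. First argument $false = stop protecting the ACL;
    #    second argument $true = keep the explicit ACEs SDProp copied down from
    #    AdminSDHolder instead of dropping them (same as ADUC's "Enable inheritance").
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # SDProp runs every 60 minutes by default; if the account is still in a protected
    # group it will simply re-apply both markers, so report the memberships as well.
    $after = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    [pscustomobject]@{
        Name               = $after.Name
        AdminCount         = $after.adminCount
        InheritanceBlocked = (Get-Acl -Path $path).AreAccessRulesProtected
        Groups             = ($after.memberOf -join '; ')
    }
}

Reset-ProtectedUserMarkers -SamAccountName "Petun"
```

Run this only after the time-bound membership has expired; if Groups still lists Account Operators (or any other protected group), SDProp will put both markers back within the hour.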

Scheduling temporary group membership

If you want to give access at a specific time, let's say at midnight, just create a PowerShell script and schedule a task on the server by carrying out the following steps.

Save the attached script to c:\admin\PetunTempMembership.ps1.

Start the Task Scheduler located in Administrative Tools. Right-click on Task Scheduler and select Create Basic Task…

Create a basic task

On the "General" tab, type in a name for this task and click Next.

Naming the task

On the Trigger tab, select One time and click Next.

Task trigger

Enter the time and click Next.

Scheduling a task

On the Action page, leave Start a program selected and click Next.

Configuring an action

For Program/script, type in powershell and in Add arguments, type in -NoProfile -File "c:\admin\PetunTempMembership.ps1", then click Next. The arguments are passed to powershell.exe directly; repeating powershell in front of them would only start a second, nested PowerShell process.

The program to start

On the last window, select Open the Properties dialog for this task when I click Finish and click Finish.

Finishing the task

Select Run whether user is logged on or not and click OK.

Task runs whether user is logged on or not

Enter the credentials of an account that is allowed to change the group's membership and click OK. For a protected group such as Account Operators this is in practice a Domain Admin, and because the task runs whether the user is logged on or not, Windows stores that password on the server, where anyone with local administrative rights can recover it. Treat the server accordingly, or use a group Managed Service Account as the task principal so that no password is stored at all.

Entering credentials
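The scheduled script and the task registration above as one file, added here as an example. This is not the script attached to the original post; it is my own version that registers itself. Saved under the post's path c:\admin\PetunTempMembership.ps1, it creates a one-time scheduled task when run with -At and grants the membership when run without -At, which is how the task invokes it. User, group and duration default to the post's Petun, Account Operators and 15 minutes; the task name and log path are my own choices.

```powershell
# Added example, not the script attached to the original post: a self-scheduling
# version of the temporary-membership script. Run with -At to register a one-time
# scheduled task that runs this same file at that time; run without -At (as the task
# does) to grant the membership. Task name and log path are assumptions of this example.
[CmdletBinding()]
param(
    [string]$User     = "Petun",
    [string]$Group    = "Account Operators",
    [int]$Minutes     = 15,
    [datetime]$At,                                  # register only, run at this time
    [string]$TaskName = "PetunTempMembership",
    [string]$LogPath  = "c:\admin\PetunTempMembership.log"
)

Import-Module ActiveDirectory

if ($PSBoundParameters.ContainsKey('At')) {
    # Registration mode. "Run whether user is logged on or not" needs a stored
    # password, which anyone with admin rights on this host can recover, so the host
    # must be treated as tier 0. A gMSA principal would avoid the stored password.
    $argument = '-NoProfile -File "{0}" -User "{1}" -Group "{2}" -Minutes {3}' -f `
                $PSCommandPath, $User, $Group, $Minutes
    $action  = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $argument
    $trigger = New-ScheduledTaskTrigger -Once -At $At
    $cred    = Get-Credential -Message "Account allowed to modify '$Group' (a Domain Admin for protected groups)"

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
        -RunLevel Highest | Out-Null
    Write-Host "Task '$TaskName' will run $PSCommandPath at $At"
    return
}

# Task mode: refuse to run without PAM, grant the membership, keep a local record.
$pam = Get-ADOptionalFeature -Identity "Privileged Access Management Feature"
if ($pam.EnabledScopes.Count -eq 0) {
    throw "Privileged Access Management Feature is not enabled in this forest."
}

$userDn = (Get-ADUser -Identity $User).DistinguishedName
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)

# Read the link back so the log shows the TTL the domain controller actually stored.
$link = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "<TTL=*>,$userDn" }
"$(Get-Date -Format o) $env:USERNAME added $User to '$Group' for $Minutes min: $link" |
    Add-Content -Path $LogPath
```

Register it with, for example, .\PetunTempMembership.ps1 -At "00:00" for the midnight case from the post. The task action uses -NoProfile -File rather than a nested powershell call, so the server's execution policy must allow the local script to run (RemoteSigned is enough for a file created on the server). The log is a local convenience only; the authoritative record is the group-membership change event the domain controller writes to its Security log.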

3 Comments
  1. Brandon 4 weeks ago

    We can't get this to work on our domain. I did a little research, but I just wanted confirmation that we need an Azure AD Premium license to activate the privileged access management feature.


  2. Author
    Tim Buntrock 4 weeks ago

I think "On-Prem" you don't need it.


    • Brandon 4 weeks ago

      We have an on-prem setup, but we couldn't get this feature to turn on. Do you know what sort of access level you need? I have domain admin credentials, but not enterprise admin. Would that make a difference?


© 4sysops 2006 - 2017
