Windows Server 2016: Short-Lived Active Directory Group Membership

Posted on October 4, 2017 by Russell Smith in Windows Server with

In today’s Ask the Admin, I’ll show you how to temporarily add users to Active Directory groups.

 

 

The Just-in-Time (JIT) administration model was introduced in Windows Server 2016 and allows system administrators to grant users privileges for a limited period of time. Adding to PowerShell Just-Enough-Administration (JEA), which restricts users to a pre-defined list of cmdlets, parameters, and modules in a PowerShell session, the JIT model has two objectives. The first is to prevent privilege creep where users are granted elevated privileges for much longer than necessary or indefinitely. And secondly, to avoid permanently assigning privileges that might only be required for short periods of time.

The ability to add users to groups with a time-to-live (TTL) value is a feature of the JIT model. This can be useful in scenarios where you do not have the resources to set up Microsoft’s recommended infrastructure for JIT administration but would still like to benefit from short-lived Active Directory (AD) group membership.

For more information on PAM in Windows Server 2016 and Microsoft’s recommendations for implementing JIT administration, see Windows Server vNext Privileged Access Management on the Petri IT Knowledgebase.

Use Short-Lived Active Directory Group Membership

I am not going to show you how to set up a Privileged Identity Management (PIM) trust or how to configure Shadow Principals but just how to add users to AD groups and have them automatically removed after some time.

Add an account to an Active Directory group with a time-to-live value (Image Credit: Russell Smith)

Add an Account to an Active Directory Group with a Time-to-Live Value (Image Credit: Russell Smith)

 

Before you can use short-lived AD groups, you need to enable Privileged Access Management, which is an optional AD feature. The changes made to your domain when you add the PAM feature are irreversible. The PAM feature is designed to be used in bastion domains and not production domains, so you should decide whether you want to add it to your production domain.

Log in to a domain controller using an account that has permission to change the AD schema. Replace ad.contoso.com with the name of the domain you want to update.

Now let’s add an account to the Account Operators group with a TTL of 15 minutes. Replace russells with the name of the AD account you want to add to the group.

To see whether the account was added, we can use Get-ADGroup to show the group members and their associated TTL values:

Note that the member property of the returned object shows the group members and their TTL values. In my domain, Account Operators only has one member. The TTL value is shown in seconds. If you run Get-ADGroup again after 15 minutes, you will see that the user account you added to Account Operators will have been removed.

Be aware that adding an account to special AD groups, like Account Operators, might cause the adminCount attribute for the user account to be changed to 1 if the account is in the group long enough for the AdminSDHolder mechanism to make the account a protected object. When the account is removed from the group, the adminCount attribute remains set to 1.

 

Tagged with , , , , , ,

Register for this Webinar

How Replication Supports Your Company’s RTOs & RPOs
Join us for this free webinar

Can you have your workloads running within the agreed RTOs? Join this webinar with expert speakers from Veeam to exceed business objectives with an RPTO<15 min for ALL of your application and data.

Thursday, December 14, 2017 at 11 a.m EST