Temporary group membership is implemented in Privileged Access Management Feature which is introduced in Windows Server 2016.

In this article, we will see how we can enable privileged access management feature in Windows Server 2016 and assign temporary group membership to AD users.

Prerequisites

The forest functional level must be Windows Server 2016 or higher. To check it, run the following command in PowerShell.

(Get-ADForest).ForestMode


Enabling Privileged Access Management (PAM) Feature 

To enable PAM, replace the domain name in the following command and run it in PowerShell. Once this feature is enabled, it cannot be disabled later.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target <FQDN of domain>

Once PAM is enabled, run the following command to verify it.

Get-ADOptionalFeature -filter {name -like "Privileged*"}

Assigning Temporary Group Membership to AD Users

Run the following command in PowerShell and specify the time period (TTL) in minutes.
 
$ttl = New-TimeSpan -Minutes <value>

Run the following command, passing the TTL value created above. The members will keep their group membership, and the access it grants, only for that duration. Say we want to add users to the Enterprise Admins group for one minute.

Add-ADGroupMember -Identity "Group name" -Members <list of AD members separated by commas> -MemberTimeToLive $ttl

To verify that the AD users are actually members of the group, run the following command, as shown in the following figure. The highlighted portion shows the members of the group and the remaining time (TTL value in seconds) of their group membership.

Get-ADGroup "Group name" -Properties Member -ShowMemberTimeToLive

After one minute, run the same Get-ADGroup command again: the temporary members will no longer appear in the group, because the membership link has expired.
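The whole procedure above, carried out as one script, is given below as an added example; it is not code from the article. It goes slightly beyond the article in that it parses the `<TTL=seconds,DN>` strings that `Get-ADGroup -ShowMemberTimeToLive` returns for temporary members into objects with an expiry time, which is the form an auditor wants. The domain `contoso.com`, the users `alice` and `bob` and the function name `Get-TemporaryGroupMember` are placeholders chosen for this example; `Enterprise Admins` is the group the article uses.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the article): check the forest, enable PAM once,
# grant a time-limited membership, then audit the remaining TTL of every
# temporary member of the group.
param(
    [string]$Domain      = 'contoso.com',        # placeholder FQDN, replace
    [string]$GroupName   = 'Enterprise Admins',  # group used in the article
    [string[]]$Members   = @('alice', 'bob'),    # constructed sAMAccountNames
    [int]$TtlMinutes     = 1
)

function Test-PamEnabled {
    # PAM needs the Windows Server 2016 forest functional level (or higher)
    # and the optional feature must be enabled in at least one scope.
    $forestMode = (Get-ADForest).ForestMode
    if ($forestMode -notmatch 'Windows20(1[6-9]|[2-9]\d)Forest') {
        throw "Forest functional level is $forestMode; Windows Server 2016 or higher is required."
    }
    $pam = Get-ADOptionalFeature -Filter { Name -like 'Privileged*' }
    return ($pam.EnabledScopes.Count -gt 0)
}

function Get-TemporaryGroupMember {
    # With -ShowMemberTimeToLive, temporary members come back as
    # "<TTL=<seconds>,<DN>>" while permanent members are plain DNs.
    param([Parameter(Mandatory)][string]$Identity)
    $group = Get-ADGroup -Identity $Identity -Properties Member -ShowMemberTimeToLive
    foreach ($entry in $group.Member) {
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Group            = $group.Name
                MemberDN         = $Matches[2]
                Temporary        = $true
                RemainingSeconds = $seconds
                ExpiresAt        = (Get-Date).AddSeconds($seconds)
            }
        } else {
            [pscustomobject]@{
                Group            = $group.Name
                MemberDN         = $entry
                Temporary        = $false
                RemainingSeconds = $null
                ExpiresAt        = $null
            }
        }
    }
}

# 1. Enable PAM if it is not yet enabled. The change is irreversible, so the
#    cmdlet's own confirmation prompt is left on.
if (-not (Test-PamEnabled)) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Domain -Confirm:$true
}

# 2. Add the members with a time to live.
$ttl = New-TimeSpan -Minutes $TtlMinutes
Add-ADGroupMember -Identity $GroupName -Members $Members -MemberTimeToLive $ttl

# 3. Audit: list every member with its remaining TTL, temporary ones first.
Get-TemporaryGroupMember -Identity $GroupName |
    Sort-Object Temporary -Descending |
    Format-Table Group, MemberDN, Temporary, RemainingSeconds, ExpiresAt -AutoSize
```

`Get-TemporaryGroupMember` is the part worth keeping: run it on a schedule against your privileged groups and you get a record of who held temporary membership and when it expired, which the plain `Get-ADGroup` output in the article only shows at the moment you look.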