Enabling Active Directory Temporary Group Membership

Temporary Group Membership allows administrators to temporarily grant access to users who need to perform specific tasks without giving them permanent access to sensitive resources. This feature provides a more granular approach to access control and reduces the risk of unauthorized access to critical systems or data. Additionally, it helps organizations comply with security and compliance requirements by allowing them to monitor and audit access to resources more effectively. 

Apr 23, 2023 - 12:16

Since Windows Server 2016, we have the Temporary Group Membership feature that allows us to add a user to an Active Directory security group for a limited time period.

By setting a TTL value for the user's group membership, we can restrict their membership to a specific group for the specified duration only. Once the TTL period expires, the user will be automatically removed from the group without any confirmation. However, to use this feature, the "Privileged Access Management" feature must be enabled at the Active Directory forest level.

It's important to note that enabling this optional feature cannot be undone, just as enabling the Active Directory Recycle Bin cannot. Also, to enable the Privileged Access Management feature, the forest functional level must be Windows Server 2016 or higher.

  1. Let's start by finding out the forest functional level. Enter the "(Get-ADForest).ForestMode" command in PowerShell and check the result. You may continue if it is 2016 or higher.
  2. Check whether "Privileged Access Management" is enabled by running "Get-ADOptionalFeature -Filter {Name -like "Privileged*"}".
  3. Enter this command if it is not already enabled: "Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target kbsuperuser.com"
  4. Define the TTL and apply it to a group membership by entering these commands in PowerShell:
    • $TTL = New-TimeSpan -Minutes 10
    • Add-ADGroupMember -Identity "Guest_User_Group" -Members "users" -MemberTimeToLive $TTL
  5. Now it is done. You can verify the TTL by viewing the group's membership properties.
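The steps above as one script, added here as an example and not taken from the original post: it checks the forest mode, enables the optional feature only if it is not already enabled, adds a temporary member, and then reads back the remaining TTL of every temporary member so the result can be audited. The group name and user are placeholders; the forest name is taken from Get-ADForest.

```powershell
# Added example (not from the original post). Group and user names are placeholders.
Import-Module ActiveDirectory

$Group      = 'Guest_User_Group'   # placeholder group name
$User       = 'jdoe'               # placeholder sAMAccountName
$TtlMinutes = 10

# Step 1: the forest functional level must be Windows Server 2016 or higher.
$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); Windows2016Forest or higher is required."
}

# Step 2: check whether the Privileged Access Management optional feature is enabled.
$pam = Get-ADOptionalFeature -Filter { Name -like 'Privileged*' }
if (-not $pam.EnabledScopes) {
    # Step 3: enable it forest-wide. This is irreversible, so the cmdlet prompts for confirmation.
    Enable-ADOptionalFeature -Identity $pam.Name -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Step 4: add the user with a time-to-live on the membership.
$ttl = New-TimeSpan -Minutes $TtlMinutes
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

# Step 5: read the membership back with its remaining TTL. Temporary members are
# returned as "<TTL=<seconds>,<DN>>"; permanent members are returned as plain DNs.
$members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Temporary = $true }
    } else {
        [pscustomobject]@{ Member = $m; SecondsLeft = $null; Temporary = $false }
    }
}
```

Run it from an account that holds the rights to enable forest optional features and to modify the group; the final loop is useful on its own for periodic review of who currently holds time-limited membership.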
