What does it have to do with AD DS 2016?

AD DS 2016 now allows time-based group membership, which makes this whole process possible. A user is added to a group with a TTL value, and once it expires, the user is removed from the group automatically. For example, let's assume your CRM application has administrator rights assigned to the CRMAdmin security group. The users in this group only log in to the system once a month to do some maintenance, but their admin rights remain in place for the remaining 29 days, 24/7. This gives attackers ample opportunity to try to gain access to privileged accounts. So if it's possible to grant access privileges for a shorter time period, isn't that more useful? Then we can rest assured that for the majority of the days in a month, the CRM application does not run the risk of being compromised by an account in the CRMAdmin group.
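The CRMAdmin scenario above can be exercised with the ActiveDirectory PowerShell module; the following is an added example, not code from the book. It assumes a hypothetical user `jsmith`, a constructed 60-minute maintenance window, and a forest at the Windows Server 2016 functional level, where the Privileged Access Management optional feature can be enabled (enabling it cannot be undone).

```powershell
Import-Module ActiveDirectory

$group  = 'CRMAdmin'                   # group named in the text
$user   = 'jsmith'                     # hypothetical account (assumption)
$window = New-TimeSpan -Minutes 60     # constructed maintenance window

# Time-based membership needs the Windows Server 2016 forest functional level.
$forest = Get-ADForest
Write-Host "Forest functional level: $($forest.ForestMode)"

# The TTL on group links is provided by the PAM optional feature.
# Enable it once per forest; it cannot be disabled afterwards.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Add the user with a TTL. When it expires, AD removes the member itself,
# so no cleanup job or manual revocation is required.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $window

# Verify: temporary members are listed with the remaining seconds,
# in the form <TTL=3540>,CN=...; permanent members have no TTL prefix.
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
$members | ForEach-Object {
    if ($_ -match '^<TTL=(\d+)>,(.+)$') {
        [pscustomobject]@{
            Member     = $Matches[2]
            Membership = 'Temporary'
            ExpiresIn  = [timespan]::FromSeconds([int]$Matches[1])
        }
    }
    else {
        # A permanent member of a privileged group is worth reviewing.
        [pscustomobject]@{
            Member     = $_
            Membership = 'Permanent'
            ExpiresIn  = $null
        }
    }
} | Format-Table -AutoSize
```

Running the verification step on a schedule gives a simple audit of which members of CRMAdmin still hold standing, non-expiring access.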
