Time-based group memberships

In the previous section, I explained the PAM features in the new AD DS 2016. Time-based group membership is a part of that broader topic. It allows administrators to assign temporary group membership, expressed as a time-to-live (TTL) value stored on the membership link, which is why it is also called the expiring links feature. The TTL does not only live in the directory: when a user who holds temporary memberships logs in, the lifetime of the Kerberos ticket-granting ticket (TGT) issued to them is set to the lowest remaining TTL among those memberships, so the ticket cannot outlive the membership it carries. For example, let's assume you grant user A temporary membership of the Domain Admins group, valid for 60 minutes. If the user logs in 50 minutes after the assignment, only 10 minutes of membership remain, so the domain controller issues user A a TGT that is valid for only 10 minutes.

This feature is not enabled by default. To use it, the forest functional level must be Windows Server 2016, and once the feature is enabled it cannot be disabled, so enable it only after confirming that every domain controller in the forest is ready for that level.

Let's see how it works in the real world:

  1. I have a Windows domain controller installed and it is running with the Windows Server 2016 forest functional level. This can be verified using the following PowerShell command:
        Get-ADForest | fl Name,ForestMode
  2. Then, we need to enable the expiring links feature. It can be enabled using the following command:
        Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

The domain name rebeladmin.com can be replaced with your forest's FQDN.

  3. This is the output you'll get with the previous command:
  4. I have a user called Adam Curtiss (acurtiss) to whom I need to assign Domain Admins group membership for 60 minutes. Before making the change, list the group's current members with the following command:
        Get-ADGroupMember "Domain Admins"
  5. It lists the current members of the Domain Admins group:
  6. The next step is to add Adam Curtiss to the Domain Admins group for 60 minutes. The -MemberTimeToLive parameter sets the TTL on the membership link:
        Add-ADGroupMember -Identity 'Domain Admins' -Members 'acurtiss' -MemberTimeToLive (New-TimeSpan -Minutes 60)
  7. Once it has run, we can verify the remaining TTL value for the group membership using the following command. Temporary members are listed with their remaining TTL in seconds, while permanent members are listed as plain distinguished names:
        Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive
  8. Once I log in as the user and list the Kerberos tickets with klist, the TGT's end time is less than 60 minutes ahead, because I logged in a few minutes after the membership was granted:

Once the TGT expires, the user is no longer a member of the Domain Admins group: the membership link is removed automatically when its TTL reaches zero, and any TGT requested after that point no longer carries the group. Tickets that were already issued remain usable until their own expiry, which is exactly why the TGT lifetime is clamped to the remaining TTL in the first place.
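The whole procedure above, collected into one script, as an added example that is not part of the book's own text. It assumes the ActiveDirectory PowerShell module on a domain-joined Windows Server 2016 machine, the rebeladmin.com forest and the acurtiss account used in the steps, and it parses the `<TTL=seconds,DN>` form in which -ShowMemberTimeToLive returns temporary members. The klist check at the end must be run in the target user's own logon session, not as the administrator.

```powershell
# Added example (not the book's code): grant a time-bound Domain Admins
# membership, verify the remaining TTL, and show where to confirm the TGT
# lifetime. Assumes the ActiveDirectory module and the rebeladmin.com forest
# and 'acurtiss' user from the text above.
Import-Module ActiveDirectory

$Forest     = Get-ADForest
$Group      = 'Domain Admins'
$TargetUser = 'acurtiss'
$Ttl        = New-TimeSpan -Minutes 60

# 1. Expiring links need the 2016 forest functional level. Fail early rather
#    than letting Enable-ADOptionalFeature error out half way.
if ($Forest.ForestMode -ne 'Windows2016Forest') {
    throw "Forest functional level is $($Forest.ForestMode); Windows2016Forest is required."
}

# 2. Enable the PAM optional feature only if it is not already enabled.
#    Enabling is irreversible, so the check matters: re-running the script
#    must not prompt or error.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest.Name -Confirm:$false
}

# 3. Add the member with a TTL instead of a permanent link. Without
#    -MemberTimeToLive this would be an ordinary, permanent membership.
Add-ADGroupMember -Identity $Group -Members $TargetUser -MemberTimeToLive $Ttl

# 4. Read back the remaining TTL. With -ShowMemberTimeToLive, temporary
#    members come back as '<TTL=<seconds>,<DN>>'; permanent members are plain
#    DNs and are skipped here.
function Get-TemporaryMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                DistinguishedName = $Matches[2]
                SecondsLeft       = $seconds
                ExpiresAt         = (Get-Date).AddSeconds($seconds)
            }
        }
    }
}

Get-TemporaryMembers -GroupName $Group | Format-Table -AutoSize

# 5. Run this part in the target user's session after logging in. The krbtgt
#    ticket's End Time should be no more than the remaining TTL ahead of now,
#    which is the observable effect of the clamped TGT lifetime.
# klist | Select-String -Pattern 'krbtgt/' -Context 0,6
```

If step 4 prints nothing for the user you just added, the most likely causes are that the feature was not enabled at forest scope or that the user already had a permanent membership, which Add-ADGroupMember leaves in place; in both cases there is no TTL to clamp the TGT against.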
