How can we manage all requests for temporary access to applications, or to any other Active Directory groups used to assign higher permissions? It doesn't matter whether the user needs temporary access to a published XenApp application to perform some tests or needs higher permissions in Active Directory. The case is the same in all scenarios: it's easy to add the user to the proper AD group or configure the requested permissions, but the real challenge is to remember to revoke the temporary settings when the access is no longer required. The ability to add a user to an Active Directory group for a specific length of time, defined per request, is a huge benefit for Active Directory administrators. It can be used to automate the access provisioning process with full support for the legal requirements of user access management principles.

Temporary group membership is a new implementation of well-known functionality, introduced as part of the Privileged Access Management (PAM) feature in Windows Server 2016. Prior to Windows Server 2016, administrators had to use the less convenient dynamic objects functionality, available since Windows Server 2013, or implement other complex tools such as Microsoft Forefront Identity Manager.

Important notes:

  • The Privileged Access Management feature requires a forest functional level of Windows Server 2016 or higher and a Windows Server 2016 domain. KDC enhancements that restrict the Kerberos ticket lifetime to the lowest remaining time-to-live (TTL) value are built in to Active Directory domain controllers.
  • As with the AD Recycle Bin, PAM cannot be disabled after it has been activated.

How to use temporary group membership?

In order to activate PAM, use the Enable-ADOptionalFeature cmdlet and specify your forest root domain name as the target. The command example is listed below:

#
Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target lab.citrix24.ctx
#

Figure 1

To check whether PAM is configured for your forest, use the Get-ADOptionalFeature cmdlet. The command example is listed below.

#
Get-ADOptionalFeature -Filter {Name -like "Privileged*"}
#

The output is presented in Figure 2 below. As you can see, PAM is enabled for the LAB.citrix24.ctx domain (the EnabledScopes property is populated).

Figure 2

The list of group members can be displayed using the Get-ADGroupMember cmdlet. In Figure 3 below I displayed the members of the Citrix admins group in my LAB.

Figure 3

In order to assign temporary permissions to a user, we have to declare a time interval (TTL) during which this user will hold the configured permissions. The New-TimeSpan cmdlet creates a TimeSpan object that represents a time interval. As parameters you can specify -Days, -Hours, -Minutes or -Seconds. For more details check the cmdlet help: Get-Help New-TimeSpan -Online. In the example below I created a new $TTL variable and assigned to it a time span of 8 minutes.

#
$TTL = New-TimeSpan -Minutes 8
#

To add a test user to the Citrix admins group, execute the Add-ADGroupMember cmdlet with the -MemberTimeToLive parameter set to the variable created above. The command example is listed below.

#
Add-ADGroupMember -Identity GG_CTX_Admins -Members Test1 -MemberTimeToLive $TTL
#

To display the members together with the remaining TTL of the temporary assignment, use the Get-ADGroupMember cmdlet with the -ShowMemberTimeToLive switch. The command example is listed below.

#
Get-ADGroupMember -Identity GG_CTX_Admins -ShowMemberTimeToLive
#

As you can see in Figure 4 below, the Test1 user has been added to the CTX Admins group with a TTL of 473 seconds (8 minutes = 480 seconds; a few seconds elapsed between the add and the query). The remaining time is decremented automatically, and when it reaches zero the user is removed from the group without any administrator action.

In Figure 5 below you can see the TTL at 153 seconds, and after that the Test1 user is no longer a member of the CTX Admins group.

Figure 4

Output of the same command executed 5 minutes later:

Figure 5
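The steps above (create the TimeSpan, add the member with -MemberTimeToLive, read the remaining TTL back) are wrapped below into reusable functions, with a check that PAM is actually enabled before any member is added, so that a typo in the switch never silently turns a temporary grant into a permanent one. This is an added example and is not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined host, that Get-ADGroup in Windows Server 2016 exposes TTL links in the member attribute as "<TTL=seconds,DN>" when -ShowMemberTimeToLive is used, and the group and user names are placeholders taken from the post.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and a forest where the PAM optional feature has been enabled.
Import-Module ActiveDirectory

function Test-PamEnabled {
    # $true when the optional feature exists and has at least one enabled scope
    # (EnabledScopes is empty in a forest where PAM was never switched on).
    $feature = Get-ADOptionalFeature -Filter { Name -like "Privileged*" }
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $Member,
        [Parameter(Mandatory)] [TimeSpan] $TimeToLive
    )
    # Without PAM the -MemberTimeToLive parameter is not honoured; refuse rather
    # than create a membership that nobody will remember to revoke.
    if (-not (Test-PamEnabled)) {
        throw "Privileged Access Management feature is not enabled in this forest."
    }
    if ($TimeToLive -le [TimeSpan]::Zero) {
        throw "TimeToLive must be a positive interval."
    }
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $TimeToLive
}

function Get-TemporaryGroupMembership {
    # Reads the member attribute with TTL links exposed and parses entries of the
    # form "<TTL=473,CN=Test1,OU=Users,DC=lab,DC=citrix24,DC=ctx>" (assumed format,
    # matching the "TTL 473" value shown in Figure 4 of the post). Permanent members
    # have no TTL prefix and are skipped, so only temporary grants are returned.
    param([Parameter(Mandatory)] [string] $Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in @($g.member)) {
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Group            = $g.Name
                MemberDN         = $Matches[2]
                RemainingSeconds = $seconds
                ExpiresAt        = (Get-Date).AddSeconds($seconds)
            }
        }
    }
}

function Get-AllTemporaryGroupMemberships {
    # Audit view for reviewers: every group in the domain that currently carries
    # a TTL-linked member, with the time left on each grant.
    Get-ADGroup -Filter * | ForEach-Object {
        Get-TemporaryGroupMembership -Group $_.DistinguishedName
    }
}

# Usage (placeholder names from the post):
$TTL = New-TimeSpan -Minutes 8
Grant-TemporaryGroupMembership -Group "GG_CTX_Admins" -Member "Test1" -TimeToLive $TTL
Get-TemporaryGroupMembership -Group "GG_CTX_Admins" | Format-Table -AutoSize
```

Get-AllTemporaryGroupMemberships is the piece an access reviewer will want to run periodically: because the TTL is stored on the link itself, the remaining seconds it reports are authoritative, and a grant that was extended or re-added repeatedly shows up as a fresh, long TTL on a group where you expected a short one.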

It is important to mention that the time span is also visible when checking the validity period of the user's Kerberos ticket. In Figure 6 below you can see the standard TGT expiry and renewal times defined via GPO policy in my LAB.

Figure 6

When the user Test1 is assigned a temporary membership in an AD group, the KDC issues a ticket whose lifetime is the lower of the remaining TTL and the configured ticket lifetime. Once the ticket expires and renewal comes, the user Test1 is no longer a member of the CTX Admins group. The new renewal time, reduced to 8 minutes, is shown in Figure 7 below.

Figure 7

For more information about Kerberos, please see the Kerberos Authentication Overview article.

I hope you will find this post useful. Feel free to add your comments or questions.