Privileged Access Management Directory Services

Hello,

In Windows Server 2016 Technical Preview 4, Microsoft unveiled a brand new feature, very much welcome. Privileged Access Management feature, this will allow you to replace your dynamic objects. This feature allow you to give group membership based on a time to live.

Privileged Access Management Directory Services – The old way

Until now, when we wanted to give temporary permission, we had to use a “Dynamic Object”, and then assign a life time :

$objOU = [ADSI]"LDAP://$OrgUnitDN"
$objGroup = $objOU.Create('group', "cn=$TempGroupName")
$objGroup.Put('sAMAccountName', "$TempGroupName")
$objGroup.PutEx(2,'objectClass',@('dynamicObject','group'))
$objGroup.Put('entryTTL',$($Hours*3600))
$objGroup.SetInfo()

And then add member and memberof the group that grant permission as usual, once the time to live expired, this group disappear and the permissions are lost because of broken group imbrication.

You can see the Time To Live with :

Get-ADGroup -Identity MyDynamicGroup -Properties entryTTL

You can also do it with users, but once the TTL expired, the user disappear, and you loose SID <-> UserName mapping.

The down side of this method :

• Hard to create
• Hard to trace and log
• The TTL is at the group level, not at the user level, or you loose SID<->UserName mapping
• SID consumption

It also imply a group for temporary permissions you want to grant.

Privileged Access Management Directory Services – The new 2016 way

Since the Technical Preview 4, Microsoft unveiled a new Directory Services feature named “Privileged Access Management”. This feature is off by default, and can’t be removed once activated, just like the Recycle-bin :

Get-ADOptionalFeature ‘Privileged Access Management Feature’

You can enable it with :

Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfiguratio
nSet -Target $env:USERDNSDOMAIN

Once enabled, the “EnabledScopes” member of Get-ADOptionalFeature is populated :

Now, we can use it :

#Check group
Get-ADGroup -Identity ‘Domain Admins’ -ShowMemberTimeToLive -Properties Member | Select-Object -ExpandProperty Member
#New Active Directory User
New-ADUser -Name 'Poorly Developed App'
#Add the new user to the group with a Time to live of 10 minutes
Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘Poorly Developed App’ -MemberTimeToLive (New-TimeSpan -Minutes 10)
#Check Members, with TimeToLive
Get-ADGroup -Identity ‘Domain Admins’ -ShowMemberTimeToLive -Properties Member | Select-Object -ExpandProperty Member

Note :

1. The TTL is in seconds but you can use a TimeSpan object to create it so you won’t have to do the maths on your own.
2. You need to use the “Get-ADGroup” and not the “Get-ADGroupMember” to see member time to live.

At the time of writing this, the “Users and Computers” and “Active Directory Administrative Center” do not show any way to see the time to live left. I even tried with AdExplorer :

When you grant group membership based on TTL, this information is embedded in the Kerberos TGT, so, the user can out-passed the time-span he has permission for.

This feature promise to be very useful for :

• Temporary permissions for contractor
• Temporary permissions for projects
• Temporary permissions for auditors
• Temporary permissions for editor troubleshooting
• Temporary GPO bypass with group filtering
• Temporary distribution list membership
• etc…