Group membership expiration: A look at Windows Server 2016’s useful new feature

Active Directory is the base technology used to provide authentication and authorization services to Microsoft and third-party applications. Microsoft has been focusing more on the development of Active Directory and has been introducing new features in every new version of Windows Server. We saw enhancements in Active Directory running on Windows Server 2012 such as applying virtual snapshots to a domain controller, domain controller cloning feature, Active Directory recycle bin, fine-grained password policies (referred to as just FGPP), dynamic access control, and many other features. Windows Server 2016 brings some new and exciting features for Active Directory. The main feature that was introduced in Windows Server 2016 is the Group membership expiration, which is the focus of this article.

Group membership expiration

One of the notable features added to Windows Server 2016 Active Directory is “group membership expiration.” In earlier versions of Active Directory, if you added users to a security group temporarily, you had to keep track of users to be removed from the security group to avoid any potential harm and to ensure users are removed from the security groups for compliance purposes. For example, if you add someone to the domain admins security group to perform some admin tasks in Active Directory for a certain period of time and if you forgot to remove the user from the group, the user may have unauthorized access to the Active Directory and other systems in the production environment. If you needed to perform removal of several users from the security group, you had to design a script that would process the users stored in a CSV file and then remove the users from the security group. But group membership expiration can help you remove users from the security group automatically. It allows you to add a user to a security group for a certain period of time. This feature is quite handy if you need someone to be part of a security group for a limited time, for example installing an application and to perform some maintenance tasks on the systems.

Requirements for using group membership expiration

There are a few requirements that you need to meet before group membership expiration feature can be used as listed below:

First, make sure to raise the functional level to Windows Server 2016. It may be difficult for many organizations to raise functional levels to Windows Server 2016 due to the fact most of the production environments are still running Windows Server 2012 R2 and earlier versions of domain controllers. Note that raising the function level to Windows Server 2016 will disable the ability to install earlier versions of domain controllers. You can verify the current functional level by executing the PowerShell command below:


Get-Domain | Select DomainMode
Get-ADForest | Select ForestMode


The group membership expiration feature was introduced as part of the PAM (privileged access management) feature. To ensure PAM is enabled, run this PowerShell command:


Get-ADOptionalFeature “Privileged Access Management Feature”


Once privileged access management is enabled, you can use simple PowerShell commands to add an expiration date for a user account as shown below:


$TTL = New-TimeSpan –Minutes 30
Add-ADGroupMember -Identity “Domain Admins” -Members TestUser -MemberTimeToLive $TTL


As you can see in the above commands, the first command creates a time entry, the second command uses Add-ADGroupMember PowerShell cmdlet to add “TestUser” to domain admins security group, and then also specify the time when the user needs to be removed from the security group. The second command uses “-MemberTimeToLive” property to set the expiration time for the user. When the time expires, the user “TestUser” is automatically removed from the domain admins security group.

The group membership expiration feature is quite useful when dealing with contractors, vendors, temporary employees, and anyone else who needs temporary access to Active Directory and systems connected to the production environment. The group membership expiration feature will surely avoid any security risks in the production environment.

Time synchronization enhancements

Time synchronization throughout the Active Directory forest is necessary considering the fact Kerberos authentication protocol requires systems in sync before an identity can be authenticated. Windows Server 2016 adds new enhancements to the time synchronization algorithm such as making sure frequent time adjustments are processed, eliminating any rounding errors that generally occur when synchronizing time with a PDC or a domain controller. Accuracy has been improved from 100s of milliseconds to the 10s of microseconds.

Win-win for admins

If you haven’t been aware of the group membership expiration, you are now. Using this feature can not only save you time, it can keep your systems safer.

Nirmal Sharma

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Share
Published by
Nirmal Sharma

Recent Posts

Using PowerShell to assess Active Directory health

When using PowerShell as a tool for monitoring Active Directory health, you are limited only by your imagination. Here’s some…

2 hours ago

Microsoft Authentication Libraries now generally available

Microsoft Authentication Libraries, available for Android, iOS, and macOS, help developers integrate authentication into a diverse set of applications.

6 hours ago

Checkrain fake iOS jailbreak site a menace to iPhone users

iPhone users looking for help in jailbreaking their devices will find trouble if they head to a website named checkrain,…

9 hours ago

Key to success: Tracking down and unlocking locked files in Windows

Locked files in Windows can be a maddening experience. Thankfully, it is usually relatively easy to get a locked file…

1 day ago

‘Made By Google’ 2019: Pixel 4 and Pixel 4 XL are finally official

The release of Google’s much-awaited new smartphones is official. The tech giant has unveiled the Pixel 4 and Pixel 4…

1 day ago

COBIT 2019: An effective governance framework for IT pros

Every business with IT as part of its foundation needs a comprehensive governance strategy. This is where COBIT 2019 comes…

1 day ago