How to Assign Temporary Group Membership to AD Users in Windows Server 2016

Temporary group membership is implemented by the Privileged Access Management feature, which was introduced in Windows Server 2016.

In this article, we will see how to enable the Privileged Access Management feature in Windows Server 2016 and assign temporary group membership to AD users.


The forest functional level should be at Windows Server 2016. To check, issue the following command in PowerShell.


Enabling Privileged Access Management (PAM) Feature 

To enable PAM, replace the domain name in the following command and execute it in PowerShell. Once this feature is enabled, it cannot be disabled later.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target <domain name>

Once PAM is enabled, issue the following command to verify.

Get-ADOptionalFeature -filter {name -like "Privileged*"}

Assigning Temporary Group Membership to AD Users

Execute the following command in PowerShell and specify the time period (TTL).

$ttl = New-TimeSpan -Minutes 1

Execute the following command and specify the above TTL value. The members will have the group's access permissions for that duration. Say, we want to add users to the Enterprise Admin group for one minute.

Add-ADGroupMember -Identity "Group name" -Members <user names> -MemberTimeToLive $ttl

To verify that your desired AD users are actually members of the group, execute the following command as shown in the following figure. The highlighted portion shows the members of the group and the remaining time (TTL value in seconds) of their group membership.

Get-ADGroup "Group name" -Property Member -ShowMemberTimeToLive
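For auditing, the member values returned by the command above can be split into time-bound and permanent entries. The following is an added example, not part of the original article: the function name ConvertFrom-TtlMember and the sample distinguished names are constructed, and it assumes time-bound members are returned in the form `<TTL=seconds>,distinguished name`.

```powershell
# Added example (hypothetical helper): classify group members as
# temporary or permanent from -ShowMemberTimeToLive output.
function ConvertFrom-TtlMember {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Member,
        [datetime]$Now = (Get-Date)
    )
    process {
        # Assumed format: time-bound entries carry a "<TTL=seconds>," prefix.
        if ($Member -match '^<TTL=(\d+)>,(.+)$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                DistinguishedName = $Matches[2]
                Temporary         = $true
                SecondsRemaining  = $seconds
                ExpiresAt         = $Now.AddSeconds($seconds)
            }
        }
        else {
            # No TTL prefix: the membership never expires on its own.
            [pscustomobject]@{
                DistinguishedName = $Member
                Temporary         = $false
                SecondsRemaining  = $null
                ExpiresAt         = $null
            }
        }
    }
}

# Constructed sample values so the parser can be tried without a domain.
$sample = @(
    '<TTL=42>,CN=Alice Example,CN=Users,DC=example,DC=test'
    'CN=Administrator,CN=Users,DC=example,DC=test'
)
$report = $sample | ConvertFrom-TtlMember
$report | Format-Table -AutoSize

# Permanent members of a privileged group are the entries to review.
$report | Where-Object { -not $_.Temporary } |
    Select-Object -ExpandProperty DistinguishedName

# Against a live domain (ActiveDirectory module required):
# (Get-ADGroup "Group name" -Property Member -ShowMemberTimeToLive).Member |
#     ConvertFrom-TtlMember
```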

After 1 minute, execute the following command again, and the members will no longer be present in that group.

