When using Active Directory, it may be necessary to add a user to a group temporarily. This is made possible by the Privileged Access Management (PAM) optional feature, which supports time-limited (TTL) group memberships.

This article presents the different ways of adding a user to a group for a period of one hour.

Although the article focuses on one user, it is possible to add any type of object on a temporary basis.

With Add-ADGroupMember

Add-ADGroupMember -Identity "MyGroup1" -Members "Bastien" -MemberTimeToLive (New-TimeSpan -Hours 1)

With Set-ADObject

The member value must have the form <TTL=xxxx,DNObject>, where xxxx is the lifetime in seconds.

Set-ADObject -Identity "CN=MyGroup,OU=Groups,DC=domain,DC=com" -Add @{'member'="<TTL=3600,CN=bastien,OU=Users,DC=domain,DC=com>"}

With LDAP/LDIF

The member value must again be <TTL=xxxx,DNObject>. However, if you use LDIF, you must also Base64-encode that value.

You can use PowerShell to convert it to Base64:

$text = "<TTL=xxx,CN=xx,OU=Users,DC=domain,DC=com>"
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($text))

The LDIF file should look like this:

dn: CN=MyGroup1,OU=Groups,OU=ITProTips,DC=ad,DC=itprotips,DC=com
changetype: modify
add: member
member:: base64value
-

Note: member is followed by two ':' because, in the LDIF standard, a value that starts with '<' (or with a space or ':') cannot be written literally and must be given Base64-encoded (see https://ldap.com/ldif-the-ldap-data-interchange-format/).
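As an added example that is not part of the original post, the following PowerShell builds the Base64-encoded LDIF for a temporary membership and then reads the remaining TTL back from the group. It assumes the ActiveDirectory module, a PAM-enabled forest, and constructed DNs under DC=domain,DC=com.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and constructed DNs under DC=domain,DC=com.
function New-TtlMemberLdif {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn,
        [int]$TtlSeconds = 3600
    )
    # Dynamic (TTL) member syntax: <TTL=seconds,DN of the member>
    $value = "<TTL=$TtlSeconds,$MemberDn>"
    # LDIF cannot write a value that starts with '<' literally, so it is
    # Base64-encoded and introduced with '::'
    $base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($value))
@"
dn: $GroupDn
changetype: modify
add: member
member:: $base64
-
"@
}

function Get-MemberTimeToLive {
    param([Parameter(Mandatory)][string]$GroupName)
    # -ShowMemberTimeToLive returns dynamic members as <TTL=remaining,DN>;
    # permanent members are returned as a plain DN and are skipped here
    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($m in $group.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; RemainingSeconds = [int]$Matches[1] }
        }
    }
}

# Usage with constructed DNs: write the LDIF, import it, then verify the TTL
$ldif = New-TtlMemberLdif -GroupDn 'CN=MyGroup1,OU=Groups,DC=domain,DC=com' `
                          -MemberDn 'CN=Bastien,OU=Users,DC=domain,DC=com' -TtlSeconds 3600
$ldif | Set-Content -Path .\ttl-member.ldif -Encoding ASCII
# ldifde -i -f .\ttl-member.ldif
# Get-MemberTimeToLive -GroupName 'MyGroup1'
```

Get-MemberTimeToLive is useful after any of the three methods above: a membership that shows a decreasing RemainingSeconds confirms the TTL was applied rather than a permanent add.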

Author: Bastien Perez, Freelance Microsoft 365 - Active Directory - Modern Workplace, France