When using Active Directory, it is sometimes necessary to add a user to a group for a limited time only. Active Directory supports this natively through the Privileged Access Management (PAM) optional feature: a group membership can carry a time-to-live (TTL), after which the domain controller removes the member by itself. The feature has to be enabled at forest level (it requires the Windows Server 2016 forest functional level and cannot be disabled once enabled); while a temporary membership is active, the member's Kerberos ticket lifetime is capped at the remaining TTL, so the group SID really disappears from the user's token when the membership expires.
This article presents the different ways of adding a user to a group for a period of one hour.
Although the article focuses on one user, any object that can be a group member (a computer, another group, and so on) can be added on a temporary basis in the same way.
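Before using any of the methods below, it is worth checking that the forest actually supports temporary membership, and afterwards checking how much TTL is left. The following PowerShell is an added example, not code from the original post: it assumes the ActiveDirectory module, a 2016-level forest, and the group "MyGroup1" and user "Bastien" used throughout the article; the Test-PamEnabled and Get-TemporaryMembers function names are the author's of this example.

```powershell
# Added example (not from the original post): check the prerequisites for
# temporary group membership, add a member for one hour, then read back
# the remaining TTL. Assumes the ActiveDirectory module and a 2016+ forest.
Import-Module ActiveDirectory

function Test-PamEnabled {
    # The "Privileged Access Management Feature" must be enabled at forest
    # scope. It requires forest functional level 2016 and, once enabled,
    # cannot be disabled again.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

if (-not (Test-PamEnabled)) {
    Write-Warning "PAM is not enabled in this forest. Enable it (irreversible) with:"
    Write-Warning '  Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name'
    return
}

# Add the member with a one-hour TTL; the cmdlet converts the TimeSpan to seconds.
Add-ADGroupMember -Identity "MyGroup1" -Members "Bastien" -MemberTimeToLive (New-TimeSpan -Hours 1)

function Get-TemporaryMembers {
    # With -ShowMemberTimeToLive, temporary members come back as
    # "<TTL=3532,CN=Bastien,...>" while permanent members are plain DNs.
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($value in $group.member) {
        if ($value -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ DN = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        }
    }
}

# Lists only the temporary members of the group with their remaining TTL in seconds.
Get-TemporaryMembers -GroupName "MyGroup1" | Format-Table -AutoSize
```

The Enable-ADOptionalFeature line is only printed, not run, because enabling PAM is a one-way change to the forest; run it deliberately, not from a script that happens to notice it is missing.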
With Add-ADGroupMember

The cmdlet takes a TimeSpan and converts it to the TTL in seconds:

Add-ADGroupMember -Identity "MyGroup1" -Members "Bastien" -MemberTimeToLive (New-TimeSpan -Hours 1)

With Set-ADObject
The member value must be written as <TTL=seconds,DN of the object>, angle brackets included. The TTL is expressed in seconds, so 3600 corresponds to one hour (the DNs below are placeholders):

Set-ADObject -Identity "CN=MyGroup1,OU=Groups,DC=domain,DC=com" -Add @{'member'="<TTL=3600,CN=Bastien,OU=Users,DC=domain,DC=com>"}

With LDAP/LDIF
Over LDAP the member value has the same <TTL=seconds,DN of the object> form. In an LDIF file, however, a value beginning with '<' would be read as a URL reference, so the value has to be base64-encoded.

You can use PowerShell to produce the base64 value:

$text = "<TTL=3600,CN=xx,OU=Users,DC=domain,DC=com>"
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($text))

The LDIF file should look like this (the first line must carry the dn: prefix):

dn: CN=MyGroup1,OU=Groups,OU=ITProTips,DC=ad,DC=itprotips,DC=com
changetype: modify
add: member
member:: base64value
-

Note: member is followed by two ':' because the double colon is how LDIF marks a base64-encoded value (RFC 2849, see https://ldap.com/ldif-the-ldap-data-interchange-format/). A single colon would make the server receive the literal text, including the TTL wrapper, as the DN and reject it.
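To avoid hand-encoding the value every time, the LDIF record can be generated from the group DN, member DN and TTL. The following PowerShell is an added example, not code from the original post. It goes slightly beyond the case above: the ConvertTo-LdifValue helper applies the general LDIF rule (base64 whenever a value starts with '<', ':' or a space, or contains non-ASCII or control characters), so it also covers DNs with accented names. The function names, the DNs and the output path are assumptions of this example; ldifde is the built-in Windows import tool.

```powershell
# Added example (not from the original post): build the LDIF "modify" record
# that adds a member with a TTL, write it to a file and import it with ldifde.
# Group and member DNs are placeholders for this example.
$groupDn    = "CN=MyGroup1,OU=Groups,OU=ITProTips,DC=ad,DC=itprotips,DC=com"
$memberDn   = "CN=Bastien,OU=Users,OU=ITProTips,DC=ad,DC=itprotips,DC=com"
$ttlSeconds = 3600   # TTL is in seconds, so 3600 is one hour

function ConvertTo-LdifValue {
    # Returns "attr: value" or, when LDIF (RFC 2849) forbids the value in
    # clear text, "attr:: <base64>". The TTL form always starts with '<',
    # which is why the member value below is always base64-encoded.
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string]$Value
    )
    $needsBase64 = $Value -match '^[<: ]' -or        # reserved first characters
                   $Value -match ' $' -or            # trailing space
                   $Value -match '[^\x20-\x7E]'      # non-ASCII or control chars
    if ($needsBase64) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
        return "${Attribute}:: " + [System.Convert]::ToBase64String($bytes)
    }
    return "${Attribute}: $Value"
}

function New-TtlMemberLdif {
    # Builds one LDIF change record that adds $MemberDn to $GroupDn for $TtlSeconds.
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn,
        [Parameter(Mandatory)][int]$TtlSeconds
    )
    @(
        (ConvertTo-LdifValue -Attribute 'dn' -Value $GroupDn)
        'changetype: modify'
        'add: member'
        (ConvertTo-LdifValue -Attribute 'member' -Value "<TTL=$TtlSeconds,$MemberDn>")
        '-'
        ''
    ) -join "`r`n"
}

$ldif = New-TtlMemberLdif -GroupDn $groupDn -MemberDn $memberDn -TtlSeconds $ttlSeconds
$ldif   # show the record that will be imported

# Base64 keeps the file pure ASCII, which ldifde reads without the -u (Unicode) switch.
$path = Join-Path $env:TEMP 'add-temp-member.ldf'
Set-Content -Path $path -Value $ldif -Encoding Ascii

# Import (-i) the file (-f) against the default domain controller; the caller
# needs write permission on the group's member attribute.
ldifde -i -f $path
```

Running the script prints the record first, so the base64 member line can be compared with the manual encoding shown above before ldifde applies it.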
                
                  Previous Post
                
                Enable PAM (Privileged Access Management) in Active Directory
              
                      
            
              
                
                  Next Post
                
                Impact use Set-ADDefaultDomainPasswordPolicy
              
              
            
          
    
    
Comments