Get AD groups with temporary members
To list the temporary (time-limited) members of a group, you can use:
Get-ADGroup "MonGroupe" -Property member -ShowMemberTimeToLive
Members with an expiring link show up in the member attribute as <TTL=seconds,DN>; every other entry is a regular, permanent member. (Expiring links only exist once the Privileged Access Management optional feature has been enabled in the forest.)
The problem is that beyond 1500 members this command becomes misleading. Active Directory returns at most 1500 values of a multi-valued attribute per LDAP request (the MaxValRange LDAP policy), and the users listed after the first 1500 appear without the TTL= prefix, wrongly suggesting that they are permanent when they may in fact be temporary.
If you use an LDAP browser such as Apache Directory Studio or AD Explorer, you will not see the TTLs by default either: the server only returns them when the search request carries the LDAP_SERVER_LINK_TTL control (OID 1.2.840.113556.1.4.2309).
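The following script is an added example, not the page author's script and not part of the ActiveDirectory-Toolbox repository. It talks LDAP directly through System.DirectoryServices.Protocols, walks the member attribute with range retrieval, and attaches the LDAP_SERVER_LINK_TTL control to every ranged request; the assumption behind it is that the cmdlet loses the prefix because the control is not applied to the ranges after the first 1500 values, so sending it on each request keeps the <TTL=...> form intact (verify this against your own domain controllers). The DC name dc01.contoso.local and the group and user names in the setup comment are placeholders.

```powershell
# Added example (not the author's script): report temporary group members by
# sending the LDAP_SERVER_LINK_TTL control on every ranged member request.
# Placeholders: 'dc01.contoso.local', 'MonGroupe', 'alice'.
#
# Optional lab setup (needs the PAM optional feature enabled in the forest):
#   Add-ADGroupMember -Identity MonGroupe -Members alice -MemberTimeToLive (New-TimeSpan -Minutes 30)

Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

$LinkTtlOid = '1.2.840.113556.1.4.2309'   # LDAP_SERVER_LINK_TTL_OID (MS-ADTS)

function Connect-Ldap {
    param([Parameter(Mandatory)][string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true    # integrity protection on the session
    $conn.SessionOptions.Sealing = $true    # encryption, so member DNs are not sent in clear
    $conn.Bind()                            # Negotiate bind as the current user
    return $conn
}

function Get-GroupMemberTtl {
    # Emits one object per member of $GroupDn. Uses range retrieval
    # (member;range=low-*) so groups larger than MaxValRange (1500) are read
    # completely, and adds the TTL control to each request (assumed fix for the
    # missing prefix past 1500 members).
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$GroupDn
    )
    $low = 0
    while ($true) {
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $GroupDn, '(objectClass=group)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            "member;range=$low-*")
        $control = New-Object System.DirectoryServices.Protocols.DirectoryControl(
            $LinkTtlOid, $null, $false, $true)   # non-critical, server-side control
        [void]$request.Controls.Add($control)

        $response = $Connection.SendRequest($request)
        if ($response.Entries.Count -eq 0) { return }
        $entry = $response.Entries[0]

        # The server renames the attribute to the range it actually returned,
        # e.g. member;range=0-1499, or member;range=1500-* for the final chunk.
        $returned = $entry.Attributes.AttributeNames | Where-Object { $_ -like 'member;range=*' }
        if (-not $returned) { return }   # empty group: the attribute is simply absent

        foreach ($value in $entry.Attributes[$returned].GetValues([string])) {
            if ($value -match '^<TTL=(\d+),(.+)>$') {
                $ttl = [int]$Matches[1]
                [pscustomobject]@{
                    Group      = $GroupDn
                    Member     = $Matches[2]
                    Temporary  = $true
                    TtlSeconds = $ttl
                    ExpiresAt  = (Get-Date).AddSeconds($ttl)
                }
            } else {
                [pscustomobject]@{
                    Group      = $GroupDn
                    Member     = $value
                    Temporary  = $false
                    TtlSeconds = $null
                    ExpiresAt  = $null
                }
            }
        }

        if ($returned -match ';range=\d+-\*$') { return }   # that was the last range
        $low = [int]($returned -replace '^member;range=\d+-(\d+)$', '$1') + 1
    }
}

# Usage: scan every group in the domain and keep only the temporary members.
$ldap = Connect-Ldap -Server 'dc01.contoso.local'
$report = Get-ADGroup -Filter * |
    ForEach-Object { Get-GroupMemberTtl -Connection $ldap -GroupDn $_.DistinguishedName } |
    Where-Object Temporary
$report | Sort-Object ExpiresAt | Format-Table Group, Member, TtlSeconds, ExpiresAt -AutoSize
$ldap.Dispose()
```

The TTL the server returns is the number of seconds left on the link at the time of the query, so ExpiresAt is only meaningful relative to when the script ran; if you want an audit trail, store the query timestamp with it. Dropping the Where-Object Temporary filter gives you the full membership with the Temporary flag on each entry, which is handy for spotting groups that mix permanent and expiring links.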
But you can also simply use my script, which scans the AD for all groups containing temporary members and lists each group together with its members and their TTL:
ActiveDirectory-Toolbox/Groups/Get-ADGroupsWithExpireLinks.ps1 at master · itpro-tips/ActiveDirectory-Toolbox