Get AD groups with temporary members

Published on 26 Sep 2023

Bastien Perez

Problem with the -ShowMemberTimeToLive parameter

To get temporary group members, you can use the built-in cmdlet:

Get-ADGroup "YourGroup" -Properties member -ShowMemberTimeToLive

However, this cmdlet has a limitation: if the group has more than 1500 members, the command only returns the TTL for the first 1500 members. For members beyond the first 1500, you won't get the TTL-XX value, which wrongly suggests that they are permanent when they could be temporary.

Workaround

With LDAP browser

With an LDAP browser, you won't run into the 1500-member limit.

But if you use an LDAP browser such as Apache Directory Studio or AD Explorer, the TTLs are not shown by default: you need to enable the LDAP control LDAP_SERVER_LINK_TTL (OID 1.2.840.113556.1.4.2309). With this control, all TTL values are returned.

With PowerShell

You can also use my script, which searches AD for all groups with dynamic (temporary) members and generates a list of those members with their TTL.

This script handles groups with more than 1500 members, as it uses the LDAP_SERVER_LINK_TTL control rather than the -ShowMemberTimeToLive parameter.

You can find it on my GitHub with the link below:

ActiveDirectory-Toolbox/Groups/Get-ADGroupsWithExpireLinks.ps1 at master · itpro-tips/ActiveDirectory-Toolbox
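As an added example (not the script from the GitHub repository above), here is how the LDAP_SERVER_LINK_TTL control can be combined with LDAP ranged retrieval from PowerShell, so that a group's members and their TTLs are read in batches and the 1500-member limit of -ShowMemberTimeToLive does not apply. The server name, group DN and the 1500 batch size are assumptions for your environment; the function binds with the current user's credentials.

```powershell
# Added example, not the page's own script: read a group's members with their link TTL
# using the LDAP_SERVER_LINK_TTL control (OID 1.2.840.113556.1.4.2309) and ranged retrieval.
# Server, group DN and batch size below are assumptions; adjust them for your domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-GroupMemberWithTtl {
    param(
        [Parameter(Mandatory)] [string] $GroupDn,   # e.g. 'CN=YourGroup,OU=Groups,DC=corp,DC=example' (assumed)
        [Parameter(Mandatory)] [string] $Server     # e.g. 'dc01.corp.example' (assumed)
    )

    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.Bind()   # binds as the current user

    # LDAP_SERVER_LINK_TTL: no control value, non-critical, server-side.
    # With it, expiring links are returned as <TTL=seconds,DN>; permanent links stay plain DNs.
    $ttlControl = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.2309', $null, $false, $true)

    $results = New-Object System.Collections.Generic.List[object]
    $low = 0
    do {
        # Ranged retrieval: ask for member;range=<low>-* and let the server cap the batch
        # (1500 values by default, the MaxValRange LDAP policy).
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $GroupDn, '(objectClass=group)', 'Base', "member;range=$low-*")
        $request.Controls.Add($ttlControl) | Out-Null

        $response = $connection.SendRequest($request)
        $entry = $response.Entries[0]

        # The server renames the attribute to the range it actually returned,
        # e.g. member;range=0-1499 (more to come) or member;range=1500-* (last batch).
        $returnedName = $entry.Attributes.AttributeNames |
            Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $returnedName) { break }   # empty group

        foreach ($value in $entry.Attributes[$returnedName].GetValues([string])) {
            if ($value -match '^<TTL=(\d+),(.+)>$') {
                $results.Add([pscustomobject]@{
                    Group = $GroupDn; Member = $Matches[2]; TtlSeconds = [int]$Matches[1] })
            } else {
                $results.Add([pscustomobject]@{
                    Group = $GroupDn; Member = $value; TtlSeconds = $null })   # permanent member
            }
        }

        $done = $returnedName.EndsWith('-*')
        if (-not $done) {
            # Next batch starts right after the highest index the server returned.
            $low = [int]($returnedName -replace '^member;range=\d+-', '') + 1
        }
    } while (-not $done)

    $connection.Dispose()
    return $results
}

# Usage: list only the temporary members, soonest to expire first.
Get-GroupMemberWithTtl -GroupDn 'CN=YourGroup,OU=Groups,DC=corp,DC=example' -Server 'dc01.corp.example' |
    Where-Object { $null -ne $_.TtlSeconds } |
    Sort-Object TtlSeconds |
    Format-Table Member, TtlSeconds
```

The check worth keeping from this example is the loop condition: a batch whose attribute name ends in `-*` is the last one, anything else (such as `member;range=0-1499`) means more members follow and another request is needed, which is exactly the part the -ShowMemberTimeToLive parameter skips. Members without a `<TTL=...>` prefix are permanent; a TTL of 0 would never be returned for a link that has already expired, since the server removes expired links.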

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France