To give one or more users temporary access to a group within AD, there are 2 options.

The first way is to create a dynamic object within AD, which is an object that is active only for a set time. This is done by using ldifde and a text file. An example of this is shown below.

[Screenshot: example text file for ldifde]

Within the text file you must supply the name of the security group you wish to create, and ensure it has both the group and the dynamic object classes. The entryTTL also needs to be set to how long the group needs to last, in seconds. In the screenshot above it is 432000 because that is the number of seconds in 5 days.

Once the text file has been created and saved, navigate (UNC) to the location where the file is saved, in this instance the desktop of the local administrator. Next, run the following command: ldifde -i -f "file name". Once this has been run in CMD as admin you should receive the below;

 

[Screenshot: ldifde output]
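The two steps above (writing the text file and importing it with ldifde) are put together in the following added example, which is not from the original post. The group name, container DN and file name are placeholders chosen for illustration.

```powershell
# Added example: build the LDIF file for a dynamic group and import it.
# All names below are hypothetical placeholders, not values from the post.
$GroupName = 'TempAccess'                         # placeholder group name
$ParentDn  = 'OU=Groups,DC=example,DC=com'        # placeholder container DN
$Lifetime  = New-TimeSpan -Days 5                 # 5 days = 432000 seconds
$LdifPath  = Join-Path $env:USERPROFILE 'Desktop\tempgroup.ldf'

$ttl = [int]$Lifetime.TotalSeconds
if ($ttl -le 0) { throw "Lifetime must be positive, got $ttl seconds." }

# The object carries its normal class (group) plus dynamicObject;
# entryTTL holds the lifetime in seconds.
$ldif = @"
dn: CN=$GroupName,$ParentDn
changetype: add
objectClass: group
objectClass: dynamicObject
entryTTL: $ttl
sAMAccountName: $GroupName
"@

Set-Content -Path $LdifPath -Value $ldif -Encoding ASCII

# -i = import mode, -f = file to read. Run from an elevated prompt.
ldifde -i -f $LdifPath
if ($LASTEXITCODE -ne 0) {
    throw "ldifde import failed with exit code $LASTEXITCODE."
}

# Read the group back: entryTTL counts down, and AD removes the object
# (and every membership granted through it) when it reaches zero.
Get-ADObject -Identity "CN=$GroupName,$ParentDn" -Properties entryTTL |
    Select-Object Name, entryTTL,
        @{ Name = 'ExpiresAt'; Expression = { (Get-Date).AddSeconds($_.entryTTL) } }
```

Checking entryTTL after the import confirms the group was created as a dynamic object rather than as a permanent group.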

 

THE NEW 2016 WAY!

The alternative way to complete this on Windows Server 2016 is by using the Privileged Access Management feature. To use the feature, it first needs to be switched on, which can be done by using the following command;

Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "domain name"

Once it is active you can set limits on how long a user or group remains a member of a group within AD. To add a user or group to another group within AD you can run the following;

Add-ADGroupMember -Identity "group you want user added to" -Members "who you want added to the group" -MemberTimeToLive (New-TimeSpan -"how long you want user in the group")

An example of the above command would be;

Add-ADGroupMember -Identity 'Domain Admins' -Members 'johnsmith' -MemberTimeToLive (New-TimeSpan -Days 5)

To see how long a user has left before the membership expires you can run the following;

Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive
