Creating temporary permission groups

Introduction

If you need to give users elevated permissions for a limited time, for example because they need to install software, you can use the PowerShell script below to create an expiring security group. The group is created as a dynamic object with a time to live (TTL), so Active Directory deletes it automatically once the TTL has elapsed; any memberships it granted disappear with it.

In our example, after creating this group, we add it to the local Administrators group of the client using Least Privilege and then make the user a member of the expiring group.

Requirements

Access to the domain controller with administrator permissions
ADSI Editor installed on the domain controller
PowerShell with script execution enabled

Script

# Lifetime of the group in minutes; entryTTL expects seconds
[INT]$TTLminutes=60
$TTLSeconds = [int](New-TimeSpan -Minutes $TTLminutes).TotalSeconds

# Organizational unit in which the group is created (bind via the domain controller)
$destinationOu="OU=Groups,DC=Testdom,DC=local"
$destinationOuObject = [ADSI]("LDAP://test-dc1-2016.testdom.local/" + $destinationOu)

# Create the group as a dynamic object: objectClass must contain dynamicObject
# and entryTTL must be set in the same create operation (2 = ADS_PROPERTY_UPDATE)
$GroupName="TempClientAdminRights"
$TempGroup = $destinationOuObject.Create("group","CN=$GroupName")
$TempGroup.PutEx(2,"objectClass",@("dynamicObject","Group"))
$TempGroup.Put("entryTTL",$TTLSeconds)
$TempGroup.Put("sAMAccountName", $GroupName)
$TempGroup.Put("displayName", $GroupName)
$TempGroup.SetInfo()

Given that you'll likely need this script frequently, save it as a .ps1 file on your domain controller. Do not save it to your desktop!

Group creation

Open a PowerShell as administrator and paste the script (1).

Specify when this group should be deleted again (2).

Specify in which organizational unit the group should be created (3).

Name the group (4).

Run the script (5).

In Active Directory Users and Computers, go to the organizational unit in which you created the group.

Here, as usual, you can manage memberships (6) and verify the settings (7).
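The membership step and the verification of the remaining lifetime can also be done from PowerShell. The following is an added example and not part of the original article: it binds to the group created by the script above, reads the remaining TTL and the computed expiry time, checks the forest-wide minimum TTL for dynamic objects (a TTL below it is silently raised to the minimum), and adds a user. The server, OU and group name are taken from the script above; the user "jdoe" and its container are assumed sample values that must be replaced.

```powershell
# Added example, not from the original article. Assumes the names used in the
# script above; $UserDn is a constructed sample value and must be adjusted.
$Server  = "test-dc1-2016.testdom.local"
$GroupDn = "CN=TempClientAdminRights,OU=Groups,DC=Testdom,DC=local"
$UserDn  = "CN=jdoe,OU=Users,DC=Testdom,DC=local"   # assumed sample user

# 1. Forest-wide minimum TTL for dynamic objects (stored in msDS-Other-Settings,
#    default 900 seconds). An entryTTL below this value is raised to the minimum.
$RootDse    = [ADSI]"LDAP://$Server/RootDSE"
$ConfigNc   = $RootDse.Get("configurationNamingContext")
$DsSettings = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNc"
$MinTtl = ($DsSettings.Get("msDS-Other-Settings") |
           Where-Object { $_ -like "DynamicObjectMinTTL=*" }) -replace "^.*=", ""
Write-Host "DynamicObjectMinTTL (seconds): $MinTtl"

# 2. Bind to the expiring group and read its lifetime. entryTTL is a constructed
#    attribute, so it is only returned when requested explicitly via GetInfoEx.
$Group = [ADSI]"LDAP://$Server/$GroupDn"
$Group.GetInfoEx(@("entryTTL", "msDS-Entry-Time-To-Die"), 0)
$RemainingSeconds = [int]$Group.Get("entryTTL")
$DiesAt           = $Group.Get("msDS-Entry-Time-To-Die")
Write-Host "Group $($Group.Get('sAMAccountName')) expires in $RemainingSeconds s (at $DiesAt)"

if ($RemainingSeconds -le 0) {
    throw "The group has already expired or is not a dynamic object."
}

# 3. Add the user to the group. IADsGroup::Add commits immediately, no SetInfo needed.
#    Adding members does not extend the lifetime; only writing entryTTL again does.
if (-not $Group.IsMember("LDAP://$Server/$UserDn")) {
    $Group.Add("LDAP://$Server/$UserDn")
    Write-Host "Added $UserDn; membership ends when the group is deleted at $DiesAt"
} else {
    Write-Host "$UserDn is already a member"
}
```

Because the group itself is removed by the directory's garbage collection, nothing has to remove the user from it afterwards; the elevated rights granted through the group end when the group does.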

Permanent link to this post: https://help.migraven.com/erstellen-temporaerer-berechtigungsgruppen/
