12

We restrict the running of exes across the organization. But based on justifications & approvals we add users to (specific) AD groups for 24 hours.

Currently the process of removing the users from those AD groups after X hours is manual. I am trying to automate it in some fashion. But I was wondering if there is any native way of handling this within AD 2003. Is writing a script (PowerShell / VBS) the only way of handling this?

Anoop
  • 223
  • 3
  • 8

2 Answers

23

Assuming all your Domain Controllers are Windows Server 2003 or later you can do this with Active Directory's native dynamic objects functionality without any scripting.

Let's say that a user account, "Bob", needs to be in the "Accounting" group for 24 hours.

  • Create a "Bob in Accounting 24 Hours" group and specify an entry-TTL for 24 hours (the duration you want the group to remain in the Active Directory) at the time of creation.

  • Add the "Bob in Accounting 24 Hours" group as a member of the "Accounting" group.

  • Add the "Bob" user account as a member of the "Bob in Accounting 24 Hours" group.

Upon the "Bob" user account's next logon it will be a member of the "Accounting" group through the nested group membership of the "Bob in Accounting 24 Hours" group into the "Accounting" group. At the end of 24 hours all the domain controllers will garbage-collect the "Bob in Accounting 24 Hours" group and "Bob" will no longer be a member of "Accounting".

The trick is that non-dynamic objects cannot be converted to dynamic after their creation. Using group nesting, though, gets you around that limitation in this instance.

You'll need to use a tool other than "Active Directory Users and Computers" to create the group because you'll need to set the entry-TTL at the time of the group's creation. The script in this blog entry might be a starting place (it's built to create User objects) or, alternatively, you could just use ldifde or csvde to do the creation, too.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • 5
    Holy crap, that is something I did not know about. And it's 10 years old. – mfinni Jul 08 '13 at 21:26
  • 1
    @mfinni - I've never used it in production, ever. It works exactly as-advertised, though. Pretty neat, eh? – Evan Anderson Jul 08 '13 at 21:26
  • 1
    +1 for a cool feature I never knew existed. – Grant Jul 08 '13 at 22:07
  • 6
    http://i.imgur.com/TZX2RbP.jpg – MDMarra Jul 08 '13 at 22:25
  • Just think how much cooler I'd look if I'd gotten to this question 45 seconds after it was posted and put up this answer! >smile< I don't know why this feature is so obscure, other than it has very few practical uses. It's terrible from an auditing perspective because the objects are *completely* gone after they've been deleted. They don't tombstone-- they actually garbage-collect on all the DCs simultaneously. From a forensics perspective I don't know what they leave laying around in the DIT. If I had some free time I'd love to look into that. They could certainly be used for evil, though! – Evan Anderson Jul 08 '13 at 23:15
  • 1
    You can bump the TTL over and over again and, so long as it doesn't reach zero, the object will persist. This is definitely a way to make an Active Directory dead-man switch. I cannot confirm or deny that I may have used this feature to automatically take actions if I should die unexpectedly... >smile – Evan Anderson Jul 08 '13 at 23:17
  • If it were possible to favorite answers, I'd favorite this one. – Nathan C Jul 09 '13 at 00:50
  • 2
    @EvanAnderson You're a badass. – Ryan Ries Jul 09 '13 at 00:51
  • 2
    You're all too kind. There's some really good background on the feature in this blog (*this* guy really is an AD badass-- I just use the product a lot): http://blogs.chrisse.se/2012/11/28/how-the-active-directory-data-store-really-works-inside-ntds.dit-part-4/ – Evan Anderson Jul 09 '13 at 01:05
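The three steps in the accepted answer, as an added PowerShell example (this is not the answer's code, and it is not the script from the blog entry it links to). It uses System.DirectoryServices rather than the ActiveDirectory module so it runs from any domain-joined machine against 2003 domain controllers; the forest functional level must be Windows Server 2003 or higher for the dynamicObject class to be accepted. The OU, group and user DNs, the sAMAccountName and the TTL value are assumptions for illustration.

```powershell
# Added example, not from the original answer. Creates a short-lived nested group
# with an entryTTL (the auxiliary class dynamicObject and entryTTL must be set in
# the same add operation; they cannot be added to an existing group later),
# nests it into the real group, and puts the user into the temporary group.
param(
    [string]$ParentOU      = "OU=Temporary Access,DC=example,DC=com",    # assumed OU
    [string]$TargetGroupDn = "CN=Accounting,OU=Groups,DC=example,DC=com", # assumed DN
    [string]$UserDn        = "CN=Bob,OU=Users,DC=example,DC=com",        # assumed DN
    [string]$TempGroupName = "Bob in Accounting 24 Hours",
    [string]$TempSam       = "tmp-bob-accounting-24h",                   # constructed name
    [int]   $TtlSeconds    = 86400                                       # 24 hours
)

Add-Type -AssemblyName System.DirectoryServices

$parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ParentOU")

# Step 1: create the group and mark it dynamic in the same add operation.
$temp = $parent.Children.Add("CN=$TempGroupName", "group")
[void]$temp.Properties["objectClass"].Add("dynamicObject")
$temp.Properties["sAMAccountName"].Value = $TempSam
$temp.Properties["groupType"].Value      = -2147483646   # global security group
$temp.Properties["entryTTL"].Value       = $TtlSeconds   # seconds until the DCs garbage-collect it
$temp.CommitChanges()

# Step 2: nest the temporary group into the real group.
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetGroupDn")
[void]$target.Properties["member"].Add($temp.Properties["distinguishedName"].Value)
$target.CommitChanges()

# Step 3: add the user to the temporary group.
[void]$temp.Properties["member"].Add($UserDn)
$temp.CommitChanges()

# Check: the constructed attribute msDS-Entry-Time-To-Die is the expiry the DCs will act on.
$temp.RefreshCache(@("entryTTL", "msDS-Entry-Time-To-Die"))
"{0} expires at {1} (entryTTL={2}s)" -f $TempGroupName,
    $temp.Properties["msDS-Entry-Time-To-Die"].Value,
    $temp.Properties["entryTTL"].Value
```

Two things to keep in mind when running it: the directory enforces a minimum TTL (DynamicObjectMinTTL, 900 seconds by default), so requests below that are rejected, and because the expired group is garbage-collected rather than tombstoned, the only durable record of the grant is what you log yourself, so write the requester, approver and expiry time to your own log or ticket at the moment you run this.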
6

You could handle this a few ways, none are native to AD:

  1. Write a script and put it in task scheduler. Have it query a text file or CSV somewhere on the network with the current list. Have it remove people not on that list at runtime.

  2. Use something like System Center Orchestrator to create a runbook to add users to the group and to remove them after X hours automatically.

  3. Make an Outlook reminder to take people out manually :)

uSlackr
  • 6,412
  • 21
  • 37
MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • 1
    FYI - We use Quest's ActiveRoles server to assist with AD management. It has the capability built in along with a little workflow tool added to assist. – uSlackr Jul 08 '13 at 16:39
  • I think using option 1 and creating a scheduled PowerShell script with a file of current users is a good way to solve this. – jer.salamon Jul 08 '13 at 17:01
  • 5
    You cannot resist the siren song of dynamic objects... Dynamic objects! – Evan Anderson Jul 08 '13 at 21:50
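Option 1 from this answer, as an added PowerShell example that is not part of the original post: a script meant to run from Task Scheduler that reconciles the controlled group against an approval CSV and removes anyone whose approval has expired or was never recorded. It uses the RSAT ActiveDirectory module, which needs Active Directory Web Services (or the AD Management Gateway Service on 2003 domain controllers). The group name, CSV path and column layout, and log path are assumptions.

```powershell
# Added example, not from the original answer. Scheduled reconciliation of a
# controlled AD group against an approval list with a time window.
param(
    [string]$GroupName   = "Accounting",                                 # assumed group
    [string]$ApprovalCsv = "\\fileserver\share\exe-approvals.csv",      # assumed path
    [string]$LogPath     = "C:\ProgramData\ExeApproval\removals.log",   # assumed path
    [int]   $WindowHours = 24
)

Import-Module ActiveDirectory

# Fail closed: if the list is unreachable, removing everyone would be the wrong
# outcome, so log and stop instead of acting on an empty set.
if (-not (Test-Path $ApprovalCsv)) {
    "{0:s} approval list {1} not found; no changes made" -f (Get-Date), $ApprovalCsv |
        Add-Content -Path $LogPath
    exit 1
}

# The CSV is assumed to look like this (constructed sample):
#   SamAccountName,ApprovedAt,Ticket
#   bob,2013-07-08T09:00:00,CHG-1234
$approvals = Import-Csv -Path $ApprovalCsv
$now       = Get-Date

# Build the set of accounts whose approval is still inside the window.
$allowed = @{}
foreach ($row in $approvals) {
    $approvedAt = [datetime]::Parse($row.ApprovedAt)
    if ($approvedAt.AddHours($WindowHours) -gt $now) {
        $allowed[$row.SamAccountName.ToLower()] = $row.Ticket
    }
}

# Remove every user member that is not currently approved, and log each removal
# so the grant and its revocation can be reconstructed later.
$members = Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq "user" }
foreach ($m in $members) {
    if (-not $allowed.ContainsKey($m.SamAccountName.ToLower())) {
        Remove-ADGroupMember -Identity $GroupName -Members $m -Confirm:$false
        "{0:s} removed {1} from {2}" -f $now, $m.SamAccountName, $GroupName |
            Add-Content -Path $LogPath
    }
}
```

Run it under a dedicated service account that has only write access to the member attribute of the controlled groups, and schedule it more often than the approval window (every 15 minutes for a 24-hour window, for instance) so that the effective lifetime of a grant is bounded by the window plus one scheduler interval. Note that, unlike the dynamic-object approach, a removed user keeps the group in their token until their next logon.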