Temporary membership in Domain Admins group

Question

Hi, what would be the best way of accomplishing temporary membership in Domain Admins group? We have Privileged Access Management Feature enabled in our forest so I could write a small GUI app in PS Studio but I am interested if there is something else besides MIM 2016, product that is going to be deprecated according to all people I asked, some even working in Microsoft.

Thank you in advance.

Answer 1

Hello Bojan Zivkovic,

Thank you for posting in Q&A forum.

From the links below, I can see the method for temporary membership in Domain Admins group is Privileged Access Management Feature.

https://woshub.com/temporary-membership-in-active-directory-groups/#google_vignette

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/previewing-server-2016-tp4-temporary-group-memberships/ba-p/400372

Except Privileged Access Management Feature, maybe one way is the manual setting via adding member to AD group or removing member from AD group and allow access the domain machine or deny allow the domain machine.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Yes but in first link (checked this link before) it says:

I have already been using JEA under the hood in GUI Apps handed over to other teams to do some tasks requiring admin privileges - here situation is different, admin privileges are not required for ad-hoc tasks but for some period of time so apart from PAM feature I am not aware of any other solution to provide time-limited group membership.