3.1.1.9.2 Privileged Access Management Optional Feature

The Privileged Access Management optional feature is represented by the Privileged Access Management Feature Object (see section 6.1.1.2.4.1.3.2).

The Privileged Access Management optional feature modifies the way in which link values are maintained in the state model of a DC replica. It allows a link value to have an expiry time associated with it. This expiry time is replicated to all DC replicas. When the expiry time has passed, the link value is no longer returned to LDAP clients; it remains in the state model, however, for an additional time period at least as large as a tombstone lifetime, after which it is removed from the state model of the DC.

The Privileged Access Management optional feature is identified by the feature GUID {ec43e873-cce8-4640-b4ab-07ffe4ab5bcd}.

The Privileged Access Management optional feature requires a Forest Functional Level of DS_BEHAVIOR_WIN2016 or greater.

The Privileged Access Management optional feature is forest-wide in scope; it cannot be enabled in only a domain-wide scope or server-wide scope. When the rootDSE modify operation enableOptionalFeature (section 3.1.1.3.3.28) is executed on a given DC to enable the Privileged Access Management optional feature, in addition to being added to the list of forest-wide enabled features, the optional feature is also added to the list of server-wide enabled features (see section 3.1.1.9).

The Privileged Access Management optional feature cannot be disabled once it is enabled.
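The following is an added example, not part of MS-ADTS: it enables the Privileged Access Management optional feature from PowerShell (Enable-ADOptionalFeature corresponds to the rootDSE enableOptionalFeature modify of section 3.1.1.3.3.28), guards against the two constraints stated above (forest functional level and irreversibility), and then creates a group membership whose link value carries an expiry time and reads the remaining lifetime back. It assumes the ActiveDirectory PowerShell module, an Enterprise Admin session, and a forest at DS_BEHAVIOR_WIN2016 or higher; the group name `Tier0-Admins` and user `jdoe` are placeholders.

```powershell
# Added example (not from MS-ADTS): enable the Privileged Access Management
# optional feature and use an expiring (TTL) link value for group membership.
# Assumptions: ActiveDirectory module installed, session runs as Enterprise
# Admin, forest at Windows2016Forest (DS_BEHAVIOR_WIN2016) or higher.
# 'Tier0-Admins' and 'jdoe' are placeholder names.
Import-Module ActiveDirectory

$featureName = 'Privileged Access Management Feature'
$featureGuid = 'ec43e873-cce8-4640-b4ab-07ffe4ab5bcd'   # feature GUID from the spec

# The feature requires a forest functional level of DS_BEHAVIOR_WIN2016 or greater.
$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

# The feature cannot be disabled once enabled, so look before enabling.
$feature = Get-ADOptionalFeature -Identity $featureGuid
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "$featureName is already enabled in: $($feature.EnabledScopes -join '; ')"
} else {
    # Forest-wide only: there is no domain-wide or server-wide scope for this feature.
    Enable-ADOptionalFeature -Identity $featureName `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    Write-Host "$featureName enabled forest-wide in $($forest.RootDomain)"
}

# Time-bound membership: the member link value gets an expiry time that is
# replicated to all DCs; once it passes, the value is no longer returned.
$group = 'Tier0-Admins'   # placeholder group
$user  = 'jdoe'           # placeholder sAMAccountName
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Minutes 30)

# Read the links back with their TTL. An expiring value is returned in the form
# <TTL=<seconds remaining>,<DN>>; members without an expiry are plain DNs.
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+),(.+)>$') {
        Write-Host ("{0,6}s remaining  {1}" -f $Matches[1], $Matches[2])
    } else {
        Write-Host ("  permanent      {0}" -f $m)
    }
}
```

Without -ShowMemberTimeToLive the expiring member is listed as an ordinary DN, so auditing scripts that compare group membership should request the TTL form explicitly; and because an expired value stays in the DC's state model for at least a tombstone lifetime before removal, its replication metadata remains available for forensic review after it stops being returned to LDAP clients.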

Any DC with a behavior version of DS_BEHAVIOR_WIN2016 or greater MUST be capable of supporting the Privileged Access Management optional feature.

Note: The Privileged Access Management optional feature also enables shadow-principal expansion, which is defined in the ExpandShadowPrincipal procedure (section 3.1.1.13.5).