Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > PAM AD expiring group membership does not expire effective access
June 09
PAM AD expiring group membership does not expire effective access

There is a new optional feature in Active Directory (AD) with forest functiona level (FFL) 2016 which name is Privilege Access Management (PAM). When enabled, you can use PowerShell cmdlet Add-AdGroupMember with its new parameter MembershipTimeToLive which allows you to specify time to live (TTL) for the group membership. This creates actually an expiring link value into the standard member attribute of the group.

Microsoft says that the effective group membership expires exactly at the point of the membership expiration. In order to achieve the effect, Kerberos TGT tickets are now issued not for their standard lifetime (by default ten hours), but are limited up to the lowest group membership TTL. Which means that users with expiring group membership must request new TGT once the shortest group membership expires.

Note that NTLM authentication does not use tickets so if an application uses NTLM then nothing must expire and any new NTLM authentication always checks the group membership on a DC.

Although the TGT really expires, do not think that the user immediatelly loses access. If the user is logged on locally (interactively) or over RDP on some machine (as an example, RDP logon on a DC of a time limited Domain Admins member) the local access token cannot be refreshed and will contain the group SID until the user logs off completelly. In case of RDP, simple session disconnection does not matter and the user must logoff in order to lose access to local resources granted by the expiring group membership.

Even when accessing resources remotely over some TCP connections, such as a remote management connection, WMI or LDAP and PowerShell remoting, the user will not lose the access immediatelly when his TGT expires. TCP connections are usually authenticated only once during session establishement. If the time-limited admin starts a GUI console client and keeps it open it is then probable that its TCP connections are kept open and the console will not reauthenticate remote admin connections and it will not lose access until the console restart. Same thing with other GUI client applications.

Similarly even web interfaces or VPN connections may keep working even after the group expires depending on their internal logic and especially whether they reauthenticate user connections or not.

This is the point where you must limit active connection/session times if it is at all possible with the particular application or management interface.


There are no comments for this post.

Add Comment

Sorry comments are disable due to the constant load of spam *

This simple antispam field seems to work well. Just put here the number.


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *

Body *