Temporary membership to AD group

We restrict the running of exe files across the organization. But based on justifications & approvals we add users to (specific) AD groups for 24 hours.

Currently the process of removing the users from those AD groups after X hours is manual. I am trying to automate it in some fashion. But I was wondering if there is any native way of handling this within AD 2003. Is writing a script (PowerShell / VBS) the only way of handling this?


Solution 1:

Assuming all your Domain Controllers are Windows Server 2003 or later you can do this with Active Directory's native dynamic objects functionality without any scripting.

Let's say that a user account, "Bob", needs to be in the "Accounting" group for 24 hours.

  • Create a "Bob in Accounting 24 Hours" group and specify an entry-TTL for 24 hours (the duration you want the group to remain in the Active Directory) at the time of creation.

  • Add the "Bob in Accounting 24 Hours" group as a member of the "Accounting" group.

  • Add the "Bob" user account as a member of the "Bob in Accounting 24 Hours" group.

Upon the "Bob" user account's next logon it will be a member of the "Accounting" group through the nested group membership of the "Bob in Accounting 24 Hours" group into the "Accounting" group. At the end of 24 hours all the domain controllers will garbage-collect the "Bob in Accounting 24 Hours" group and "Bob" will no longer be a member of "Accounting".

The trick is that non-dynamic objects cannot be converted to dynamic after their creation. Using group nesting, though, gets you around that limitation in this instance.

You'll need to use a tool other than "Active Directory Users and Computers" to create the group because you'll need to set the entry-TTL at the time of the group's creation. The script in this blog entry might be a starting place (it's built to create User objects) or, alternatively, you could just use ldifde or csvde to do the creation, too.
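
The three steps above as an added PowerShell example (not code from the original answer), using ADSI so it needs no AD module; the OU, group and user distinguished names are assumed placeholders.

```powershell
# Added example: create a dynamic security group with a 24-hour entryTTL,
# nest it into the target group, then put the user into it.
# The DNs below are assumed placeholders; replace them with your own.
$tempOu     = [ADSI]"LDAP://OU=TempGroups,DC=example,DC=com"            # assumed container
$accounting = [ADSI]"LDAP://CN=Accounting,OU=Groups,DC=example,DC=com"  # assumed target group
$bob        = [ADSI]"LDAP://CN=Bob,OU=Users,DC=example,DC=com"          # assumed user
$ttlSeconds = 24 * 60 * 60   # 86400; the forest default minimum (DynamicObjectMinTTL) is 900

$ADS_PROPERTY_APPEND = 3

# 1. The object must be created as a dynamicObject; an existing group
#    cannot be converted later, which is why the nesting trick is needed.
$tempGroup = $tempOu.Create("group", "CN=Bob in Accounting 24 Hours")
$tempGroup.PutEx($ADS_PROPERTY_APPEND, "objectClass", @("dynamicObject"))
$tempGroup.Put("sAMAccountName", "Bob-Accounting-24h")
$tempGroup.Put("groupType", -2147483646)   # 0x80000002: global, security-enabled
$tempGroup.Put("entryTTL", $ttlSeconds)
$tempGroup.SetInfo()

# 2. Nest the temporary group into "Accounting" (IADsGroup::Add takes an ADsPath).
$accounting.Add($tempGroup.Path)

# 3. Put Bob into the temporary group; the nested membership shows up in his
#    token at his next logon, and it disappears when the DCs garbage-collect the group.
$tempGroup.Add($bob.Path)

# Check what was actually committed: entryTTL counts down from now, and
# msDS-Entry-Time-To-Die gives the absolute expiry time.
$tempGroup.RefreshCache(@("entryTTL", "msDS-Entry-Time-To-Die"))
"{0} expires in {1}s (at {2})" -f $tempGroup.Path,
    $tempGroup.Get("entryTTL"), $tempGroup.Get("msDS-Entry-Time-To-Die")
```

Writing a new value to entryTTL extends the group's lifetime, so restrict and audit write access on the container holding these temporary groups.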

Solution 2:

You could handle this a few ways, none of which is native to AD:

  1. Write a script and put it in task scheduler. Have it query a text file or CSV somewhere on the network with the current list. Have it remove people not on that list at runtime.

  2. Use something like System Center Orchestrator to create a runbook to add users to the group and to remove them after X hours automatically.

  3. Make an Outlook reminder to take people out manually :)