WHAT
Grants time-bound membership of specific high-privileged groups on a per-user basis.
 
Grants temporary membership of either Domain Admins, Enterprise Admins or Schema Admins to a user, identified by their distinguished name, in the same domain.
 
Uses a nested, dynamic group object to ensure that membership of the high privileged group is automatically removed after a period of time, specified in hours. The dynamic group has a TTL. The user is added to the dynamic group and the dynamic group is nested in the high privileged group.
 
Can start a countdown that shows when membership is due to be removed (-CountDown switch).
 
Can add the user to the Protected Users group (if it exists) to make use of credential theft mitigations, e.g. no long-term Kerberos keys (-ProtectedGroup switch).
 
Furthermore, if the domain is at the Windows Server 2012 R2 functional level, it can also use an Authentication Policy to grant TGTs with a lifetime of less than four hours, so that the TGT lifetime matches the TTL of the dynamic group. The Authentication Policy is removed at TTL expiry.
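The mechanism described above (a dynamic security group with a TTL nested in the privileged group, optional Protected Users membership and a short-lived Authentication Policy), as an added PowerShell illustration that is not the Set-ADUserJitAdmin script itself. The function name, the dynamic group's naming scheme and its placement in the domain's Users container are assumptions; the cmdlets are those of the ActiveDirectory module.

```powershell
# Added illustration, not the Set-ADUserJitAdmin script. Function name, group
# naming and the Users container location are assumptions. Requires the AD
# module; dynamic objects need forest functional level Windows Server 2003+,
# Authentication Policies need domain functional level Windows Server 2012 R2+.
Import-Module ActiveDirectory

function New-TemporaryPrivilegedMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][ValidateSet('Domain Admins','Enterprise Admins','Schema Admins')]
        [string]$PrivGroup,
        [Parameter(Mandatory)][int]$TtlHours,
        [switch]$ProtectedUser
    )

    $ttlSeconds = $TtlHours * 3600           # entryTTL is expressed in seconds
    $domain     = Get-ADDomain
    $stamp      = (Get-Date).ToString('yyyyMMddHHmmss')
    $dynName    = "JIT-$($PrivGroup -replace ' ','')-$stamp"   # assumed naming scheme

    # 1. Dynamic group: a global security group carrying the dynamicObject auxiliary
    #    class. AD deletes it when entryTTL reaches zero, which removes the nesting.
    $dynGroup = New-ADObject -Name $dynName -Type group -Path $domain.UsersContainer -PassThru `
        -OtherAttributes @{ objectClass = 'dynamicObject'; entryTTL = $ttlSeconds; groupType = -2147483646 }

    # 2. User -> dynamic group -> privileged group. A global group may be nested in
    #    Domain Admins (global) and in the universal Enterprise/Schema Admins groups.
    Add-ADGroupMember -Identity $dynGroup.DistinguishedName -Members $UserDn
    Add-ADGroupMember -Identity $PrivGroup -Members $dynGroup.DistinguishedName

    if ($ProtectedUser) {
        # 3. Credential-theft mitigations (no NTLM, no long-term Kerberos keys).
        if (Get-ADGroup -Filter "name -eq 'Protected Users'") {
            Add-ADGroupMember -Identity 'Protected Users' -Members $UserDn
        }
        # 4. Shorten the TGT so it cannot outlive the dynamic group. The policy is
        #    not a dynamic object, so a scheduled step must delete it at TTL expiry.
        if ($domain.DomainMode -ge 'Windows2012R2Domain' -and $TtlHours -lt 4) {
            $policy = New-ADAuthenticationPolicy -Name $dynName -Enforce -PassThru `
                -UserTGTLifetimeMins ([Math]::Max(45, $TtlHours * 60))   # 45 min is the AD minimum
            Set-ADUser -Identity $UserDn -AuthenticationPolicy $policy
        }
    }

    # Return the expiry AD computed for the dynamic group so the caller can monitor it.
    Get-ADObject -Identity $dynGroup.DistinguishedName -Properties entryTTL, 'msDS-Entry-Time-To-Die' |
        Select-Object Name, entryTTL, 'msDS-Entry-Time-To-Die'
}
```

Run it from an account allowed to modify the target privileged group; the returned msDS-Entry-Time-To-Die value is what a countdown would be driven from.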
 
EXAMPLE 1
    Set-ADUserJitAdmin -UserDn "CN=Ian Farr Temp HPU,OU=HPU Accounts,OU=User Accounts,DC=halo,DC=net"
                       -Domain "halo.net"
                       -PrivGroup "Domain Admins"
                       -TtlHours 10
                       -Verbose
                       
Adds the 'Ian Farr Temp HPU' user account to a dynamic group that is then nested in the Domain Admins group of the halo.net domain. The dynamic group is given a TTL of 10 hours. After this time, AD removes the group, thereby removing privileged access.
   
Produces verbose output.
 
EXAMPLE 2
    Set-ADUserJitAdmin -UserDn "CN=Ian Farr Temp HPU,OU=HPU Accounts,OU=User Accounts,DC=halo,DC=net"
                       -Domain "halo.net"
                       -PrivGroup "Schema Admins"
                       -TtlHours 12
                       -CountDown
 
Adds the 'Ian Farr Temp HPU' user account to a dynamic group that is then nested in the Schema Admins group of the halo.net domain. The dynamic group is given a TTL of 12 hours. A countdown of the remaining seconds is written to the console. After this time, AD removes the group, thereby removing privileged access.
 
EXAMPLE 3
    Set-ADUserJitAdmin -UserDn "CN=Ian Farr Temp HPU,OU=HPU Accounts,OU=User Accounts,DC=halo,DC=net"
                       -Domain "halo.net"
                       -PrivGroup "Enterprise Admins"
                       -TtlHours 2
                       -ProtectedUser
                       -Verbose
 
Adds the 'Ian Farr Temp HPU' user to the Protected Users group, if it exists. If the domain functional level is Windows Server 2012 R2, it then creates an Authentication Policy with a TGT lifetime of 2 hours and associates it with the 'Ian Farr Temp HPU' user.
 
Adds the 'Ian Farr Temp HPU' user account to a dynamic group that is then nested in the Enterprise Admins group of the halo.net domain. The dynamic group is given a TTL of 2 hours. A countdown of the remaining seconds is written to the console. After this time, AD removes the group, thereby removing privileged access. The Authentication Policy is also deleted.
 
Produces verbose output.

 

AUTHORS
 
Ian Farr (MSFT)
Phil Lane (MSFT)
 
 
PowerShell
<#
    THIS CODE-SAMPLE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
    FITNESS FOR A PARTICULAR PURPOSE.

    This sample is not supported under any Microsoft standard support program or service.
    The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
    implied warranties including, without limitation, any implied warranties of merchantability
    or of fitness for a particular purpose. The entire risk arising out of the use or performance
    of the sample and documentation remains with you. In no event shall Microsoft, its authors,
    or anyone else involved in the creation, production, or delivery of the script be liable for
    any damages whatsoever (including, without limitation, damages for loss of business profits,
    business interruption, loss of business information, or other pecuniary loss) arising out of
    the use of or inability to use the sample or documentation, even if Microsoft has been advised
    of the possibility of such damages, rising out of the use of or inability to use the sample script,
    even if Microsoft has been advised of the possibility of such damages.
#>