Pre Server 2016 Group Membership Expiration Tool

By Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
Group membership expiration is a superb feature that became available at the Windows Server 2016 forest functional level (it is delivered by the Privileged Access Management optional feature).
But what if you want this functionality and you haven't upgraded yet?

Since I have many clients that cannot yet leverage this new feature, I have developed a custom tool.

Introduction


Group membership expiration gives you the ability to add a user to a group together with a membership expiration.

This means you can add a user to a group and the user will automatically be removed from the group when the configured timespan has passed.
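For comparison, this is the native Windows Server 2016 mechanism that the tool emulates, as an added PowerShell example (not code from the article or its tool). The forest name, group and user are placeholders, and enabling the optional feature is a one-time, irreversible change to the forest.

```powershell
# Added example, not part of the article's tool: native time-bound group membership
# in Windows Server 2016. Needs the ActiveDirectory RSAT module and a forest at the
# Windows Server 2016 functional level. Forest, group and user names are placeholders.
Import-Module ActiveDirectory

$forest = 'corp.example.com'   # assumed forest root
$group  = 'Internet-Access'    # assumed group to manage
$user   = 'jsmith'             # assumed user

# One-time and irreversible: the Privileged Access Management optional feature adds
# the TTL that Active Directory stores alongside each value of the 'member' attribute.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# Add the member with a 60-minute time to live; the domain controllers remove the
# value themselves when the TTL reaches zero, with no scheduled task involved.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Inspect the remaining TTLs: time-bound members are shown as '<TTL=3597,CN=...>'
(Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
```

Because the TTL lives in the directory, a Kerberos TGT issued to a time-bound member is also capped at the remaining TTL, which is the behaviour the comments below compare against.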


Unfortunately, some environments do not yet run at an Active Directory 2016 functional level.


For those, I developed the GroupMembershipExpiration tool.


Setup


1) Download the GroupMembershipExpiration tool and extract its contents to a folder on a computer that you are planning to install this tool on. 


(I recommend extracting to C:\Program Files\GroupMembershipExpiration)


2) Run Configurator.exe (Configurator Editor).


a) On the Encrypt tab, enter the password for the account that will perform the cleanup task. Encrypt it with the key aubXjiUZhyl6XnfBVQ920Y9rOWaEWSre and record the encrypted password. Because that key is published here, the encrypted value only obscures the password rather than protecting it, so restrict NTFS permissions on the configuration file exactly as you would for a plaintext credential.



b) On the Settings tab, enter the distinguished name, fully qualified domain name, NetBIOS name and username of the domain, together with the encrypted password recorded in step 2a.


Specify a location where the tool can save a history file, the interval in seconds the task should be performed and the allowed number of minutes a member may be part of a group.



c) On the Groups tab, specify the group name that tool should manage the members for (+ or INS to add, - or DEL to delete, Enter or double-click to edit)



d) Although you can run the tool interactively by executing GroupMembershipExpiration.WindowsService.exe, I recommend installing it as a service by running GroupMembershipExpiration.WindowsService.exe INSTALL from an elevated command prompt. You may need to start the service manually the first time. The cleanup account only needs the Write Members permission on the groups it manages; it does not need to be a Domain Admin.


The Code


using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

private void ProcessGroup(string groupName)
{
    List<Models.GroupMember> historicalGroupMembers = new List<Models.GroupMember>();

    // Read previous history file if it exists
    if (File.Exists(_historyFile))
    {
        historicalGroupMembers = Newtonsoft.Json.JsonConvert.DeserializeObject<List<Models.GroupMember>>(File.ReadAllText(_historyFile));
    }

    // Get current members of group
    List<Models.GroupMember> genericGroupMembers = ActiveDirectory.GenericGetGroupMembers(_domainInfo, groupName);

    // Members that will be written back to the history file after this run
    List<Models.GroupMember> groupMembers = new List<Models.GroupMember>();

    // Compare history file with current members
    foreach (var genericGroupMember in genericGroupMembers)
    {
        Models.GroupMember historicalGroupMember = historicalGroupMembers.FirstOrDefault(g => g.DistinguishedName == genericGroupMember.DistinguishedName);

        // If group member is not in history, add it with the current date and time as FirstDateObserved
        if (historicalGroupMember == null)
        {
            groupMembers.Add(new Models.GroupMember() { GroupName = genericGroupMember.GroupName, DistinguishedName = genericGroupMember.DistinguishedName, sAMAccountName = genericGroupMember.sAMAccountName, FirstDateObserved = DateTime.Now });
        }
        // If group member is in history and is past the maximum allowed timespan, remove it
        else if ((DateTime.Now - historicalGroupMember.FirstDateObserved).TotalMinutes > _allowedNumberOfMinutes)
        {
            // Remove member from the AD group; not adding it to groupMembers drops it from the history
            ActiveDirectory.GenericRemoveGroupMember(_domainInfo, groupName, genericGroupMember.DistinguishedName);
        }
        // If group member is in history and still within the allowed timespan, keep its original FirstDateObserved
        else
        {
            groupMembers.Add(historicalGroupMember);
        }
    }

    // Save current members to the new history file; members removed by other means simply fall out
    File.WriteAllText(_historyFile, Newtonsoft.Json.JsonConvert.SerializeObject(groupMembers));
}
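The same history-file algorithm as an added PowerShell example for environments that would rather run a scheduled task than install a service (this is not the article's C# code or tool). The group name, history path and 1440-minute window are assumptions. It differs from the method above in recording UTC timestamps, so a daylight-saving change cannot shorten or extend a grant, and in honouring -WhatIf for a dry run. As the comments note, removing a member does not revoke Kerberos tickets that were already issued.

```powershell
# Added example, not the article's code: expire group members seen in the group for
# longer than an allowed window, keeping first-seen times in a JSON history file.
# Group name, history path and window below are assumptions.
Import-Module ActiveDirectory

function Invoke-GroupMembershipExpiration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $HistoryPath,
        [Parameter(Mandatory)] [int]    $AllowedMinutes
    )

    # UTC so a DST transition cannot shift the window by an hour either way
    $now = (Get-Date).ToUniversalTime()

    # Previous run's view of the group: DN -> UTC time first observed (empty on first run)
    $history = @{}
    if (Test-Path -Path $HistoryPath) {
        foreach ($entry in (Get-Content -Path $HistoryPath -Raw | ConvertFrom-Json)) {
            $history[$entry.DistinguishedName] = [datetime]::Parse(
                $entry.FirstDateObserved,
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::RoundtripKind)
        }
    }

    $next = @()
    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        $dn = $member.DistinguishedName

        if (-not $history.ContainsKey($dn)) {
            # New member: start its clock now
            $next += [pscustomobject]@{
                GroupName         = $GroupName
                DistinguishedName = $dn
                sAMAccountName    = $member.SamAccountName
                FirstDateObserved = $now.ToString('o')
            }
        }
        elseif (($now - $history[$dn]).TotalMinutes -gt $AllowedMinutes) {
            # Past the window: remove from the group; leaving it out of $next drops it from history
            if ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
                Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false
            }
        }
        else {
            # Still inside the window: carry the original first-seen time forward unchanged
            $next += [pscustomobject]@{
                GroupName         = $GroupName
                DistinguishedName = $dn
                sAMAccountName    = $member.SamAccountName
                FirstDateObserved = $history[$dn].ToString('o')
            }
        }
    }

    # Members removed by other means are not in $next and so fall out of the history
    ConvertTo-Json -InputObject @($next) | Set-Content -Path $HistoryPath -Encoding UTF8
}

# Run from Task Scheduler every few minutes as an account holding only Write Members
# on the managed group. Add -WhatIf to see which members would be removed.
Invoke-GroupMembershipExpiration -GroupName 'Internet-Access' `
    -HistoryPath 'C:\ProgramData\GroupMembershipExpiration\Internet-Access.json' `
    -AllowedMinutes 1440
```

Keep the history file on the same host that runs the task and protect it with the same NTFS permissions as the task's credentials: whoever can edit it can reset a member's first-seen time and extend the grant indefinitely.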


Conclusion


There you have it. Essentially, every time the timer fires in the Windows Service, the process compares the history file with the group's current members and uses the recorded first-observed time to determine whether a member's membership has expired.


I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below.

 

Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...  

 

Please do not forget to press the "Thumbs Up" button if you think this article was helpful and valuable for EE members.


It also provides me with positive feedback. Thank you!



4 Comments

Expert Comment by McKnife:
Interesting.

I wonder if this takes into account that you, as a group member, get a kerberos ticket that will have a life time of some hours, so that when you are removed from the group, you will still, for some hours, be able to act as group member until the ticket expires. AD 2016 does that automatically (=shortens ticket lifetime accordingly already at the moment of ticket-granting).
Author Comment by Shaun Vermaak:
Usually, that ticket is valid for 12 hours, but yes, basically the same issue exists (prior to 2016) when you manually remove the account after a set time.

Good point though
Expert Comment by McKnife:
That's too bad. I had hoped that it would, so that we could switch to your tool instead of using what is built-in @2016 server, because the built-in method has a funny limitation (at least in our domain) : it won't work with times of 5 minutes or less (6 minutes is ok!). When using 5 minutes or less, the group will get populated, but the kerberos ticket will not be granted for whatever reason.

We would like to use less than 6 minutes, sometimes, for example when we activate a software license, we give the machine internet access for the shortest time possible (working close to the military, here, no direct internet access allowed). And to do so, we use AD groups, that the SQUID proxy works with. We would like to use, say, 1 minute, but we can't do less than 6... :-)
Author Comment by Shaun Vermaak:
Will look into it. Our requirement is usually for about a day, but yours makes sense.
