11.12.2024

How to Manage Groups in AD. Part 3: Managing Expiring Groups and Viewing Nested Group Memberships

In a typical AD forest, groups govern authorization to sensitive data. Groups can distribute content or grant access to files, services, or even delegated AD permissions. After installation you get several built-in groups, such as Domain Admins and Account Operators.

The Active Directory Users and Computers (ADUC) console and the Active Directory Administrative Center (ADAC) are tools that provide a graphical UI for managing groups. ADAC differs from ADUC in that it has a PowerShell History pane, which shows the PowerShell cmdlets behind each GUI action.

To manage groups, sign in to a DC, a domain-joined server, or a device with the Remote Server Administration Tools (RSAT) installed.
In terms of access level, you need a Domain Admins account, an Account Operators account, or delegated rights to create groups in a specific OU.

Managing Expiring Group Memberships

Group memberships can be configured to expire. To use expiring group memberships, the Active Directory forest functional level (FFL) must be at least Windows Server 2012 R2, and the Privileged Access Management feature must be enabled. You can enable it with the following lines of PowerShell on a system with the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target office.local

Type "y" to confirm this action. Note that this feature is irreversible: once enabled, it cannot be disabled.
Set Expiring Group Memberships via Windows PowerShell
Normally, to add a user object to a group, you'd use the following lines of PowerShell:

Import-Module ActiveDirectory
Add-ADGroupMember -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Members "GSoul"

However, to add a user to a group with an expiring membership, use the following lines of PowerShell on a system with the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory
Add-ADGroupMember -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Members "GSoul" -MemberTimeToLive (New-TimeSpan -Days 14)

To view the time-to-live for group memberships, use the following lines of PowerShell code:

Import-Module ActiveDirectory
Get-ADGroup "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Property member -ShowMemberTimeToLive

Look for the TTL value in each member entry; it is displayed in seconds. Members listed without a TTL are permanent.
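As an added example (not part of the original article), the following script turns the raw TTL output above into an audit report with an absolute expiry time per member. It assumes the member values returned with -ShowMemberTimeToLive have the form "<TTL=seconds>,<member DN>" and that permanent members come back as a bare DN; the group DN and sample values are constructed.

```powershell
# Added example (not from the original article): report time-bound memberships of a
# group with their remaining lifetime. Assumes each member value returned by
# Get-ADGroup -ShowMemberTimeToLive looks like "<TTL=seconds>,<member DN>" and that
# permanent members are returned as a bare DN.

function ConvertFrom-TtlMember {
    # Parse one member value into an object; $Now is injectable so the parser can
    # be exercised offline with a fixed reference time.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Value,
        [datetime]$Now = (Get-Date)
    )
    process {
        if ($Value -match '^<TTL=(\d+)>,(.+)$') {
            $ttl = [int]$Matches[1]
            [pscustomobject]@{
                Member     = $Matches[2]
                TtlSeconds = $ttl
                ExpiresAt  = $Now.AddSeconds($ttl)
                Expiring   = $true
            }
        } else {
            [pscustomobject]@{
                Member     = $Value
                TtlSeconds = $null
                ExpiresAt  = $null
                Expiring   = $false
            }
        }
    }
}

function Get-ExpiringGroupMembership {
    # Live query: fetch the member attribute with TTLs and parse every value.
    param([Parameter(Mandatory)][string]$Identity)
    Import-Module ActiveDirectory
    (Get-ADGroup -Identity $Identity -Properties member -ShowMemberTimeToLive).member |
        ConvertFrom-TtlMember
}

# Constructed sample values (not real directory data) to show the parser offline.
$sample = @(
    '<TTL=1209600>,CN=GSoul,OU=OfficeCorp,DC=office,DC=local',
    'CN=Permanent User,OU=OfficeCorp,DC=office,DC=local'
)
$sample | ConvertFrom-TtlMember -Now ([datetime]'2024-12-11') | Format-Table -AutoSize

# Against a live domain (requires RSAT / the AD module), list only expiring members:
# Get-ExpiringGroupMembership -Identity 'CN=ITGroup,OU=OfficeCorp,DC=office,DC=local' |
#     Where-Object Expiring | Sort-Object ExpiresAt
```

Running this on a schedule against privileged groups gives a simple check that temporary memberships are actually expiring and that no permanent entries have crept into groups meant to hold only time-bound members.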

Viewing Nested Group Memberships

This section shows how to enumerate all members of a group, including members of nested groups.
Using ADUC
As an admin, you could open the group's Members tab and then open the properties of each nested group to see its members. When groups are heavily nested, though, this becomes very laborious.
View All Group Members Including Nested Groups via PowerShell
Use the following lines of PowerShell code to enumerate all group memberships in a group:

Import-Module ActiveDirectory
Get-ADGroupMember -Identity "CN=ITGroup,OU=OfficeCorp,DC=office,DC=local" -Recursive | Out-GridView

Finding Empty Groups

This section shows how to find groups that have no members. Every object in Active Directory consumes resources, so when a group is not used, consider deleting it to make room for other, more important objects.

Finding Empty Groups with PowerShell

Use the following lines of PowerShell to find all groups without memberships in Active Directory:

Import-Module ActiveDirectory
Get-ADGroup -Filter * -Properties members | Where-Object {$_.Members.count -eq 0} | Out-GridView