Microsoft introduced a new feature back in 2016 called „time based group membership“ . Since then it is possible to add groupmembership with an expiration date. There are plenty of examples on how to add a ttl to a groupmembership. I will only explain the basic mechanism on how to determine if a membership is time based or not. After adding a time based membership you can check the groupmemberships with powershell by adding a ShowMemberTimeToLive parameter like this: (Get-ADGroup -LDAPFilter „(CN=ROL-TEST-DIFEO)“ -Properties member -ShowMemberTimeToLive).member The Result of the member field is mixed with normal memberships and time based memberships. Time based memberships have the distinguishedname in the members field with an TTL prefix and look like this <TTL=xxx>,cn=difeo,ou=users… while xxx is time in seconds that this object remains in this group. These seconds count down to 0. After this, the object isnt member of this group anymore. For flexibility we put groups into groups to summarize permissions to roles and not to persons. So it usual that a user has 3 groupmemberships with tons of groups with additional permissions. We cascade groups only one level to keep complexity under contol. So my user difeo is in a group calles…
Marco Di Feo Posts
We are running several Powershell scripts at our server to add printer remotly at the printserver. From time to time we see the error 0x80070709 with something like „unknown server“. We traced this problem, after we see that some printers fail to get created while some successfully got created at the printserver. So there wasn’t a general problem regarding our server, it had something to do with the set-printer powershell call. After some investigation we found out, that only printers that start(!) with a lowercase character are failing to create. If we change the first char to uppercase, the printers got created without any problem. So maybe someone will help this. I don’t know why or where this happens, but it does and is reproducable
