Microsoft introduced a new feature back in 2016 called „time based group membership“ . Since then it is possible to add groupmembership with an expiration date.

There are plenty of examples on how to add a ttl to a groupmembership. I will only explain the basic mechanism on how to determine if a membership is time based or not.

After adding a time based membership you can check the groupmemberships with powershell by adding a ShowMemberTimeToLive parameter like this:

(Get-ADGroup -LDAPFilter „(CN=ROL-TEST-DIFEO)“ -Properties member -ShowMemberTimeToLive).member

The Result of the member field is mixed with normal memberships and time based memberships.

Time based memberships have the distinguishedname in the members field with an TTL prefix and look like this <TTL=xxx>,cn=difeo,ou=users… while xxx is time in seconds that this object remains in this group. These seconds count down to 0. After this, the object isnt member of this group anymore.

For flexibility we put groups into groups to summarize permissions to roles and not to persons. So it usual that a user has 3 groupmemberships with tons of groups with additional permissions. We cascade groups only one level to keep complexity under contol.

So my user difeo is in a group calles ROL-TEST. This group is member in a group called RES-TEST that binds the permissions to the resource.

Due to the lack of implementation for Active directory, a lot of systems can’t resolve groups in groups on LDAP level. We have such software in use and don’t want to make compromises in giving our users permission, so we use a special query called LDAP_MATCHING_RULE_IN_CHAIN that does the resolving job for us.

This query works pretty well, while being very slow. But in the end it does it’s job, unfortunately not for permissions with a TTL. If we do the query with LDAP_MATCHING_RULE_IN_CHAIN it will return all the users plus the users that has been added with a TTL, even when they shoudln’t be part of the group anymore. This break the permission model, because people still have access to things that they dont have to.

We opened a case for this one at microsoft and hope to get a fix for that.

Here are some powershell screenshots of this

Adding my users to ROL-TEST group with TTL of 2 minutes

Getting all members of this group (see my TTL membership)

Getting all members (none) again and then do the LDAP_MATCHING_RULE_IN_CHAIN query with the result of my user that isn’t part of the group anymore.

What I’ve missed here was querying the RES group, because this is the scenario we have (cascaded groups) but the result is the same

UPDATE 27.04.2023

Microsoft can reproduce this behaviour in their lab. They’ll keep me updated on this topic. Lets see when this will be fixed

Update 01.08.2023

Microsoft confirmed this as a bug and deploy a fix within the upcoming patchdays. All supported Windows Server (not extended support) will receive an update for this issue.

We are running several Powershell scripts at our server to add printer remotly at the printserver. From time to time we see the error 0x80070709 with something like „unknown server“. We traced this problem, after we see that some printers fail to get created while some successfully got created at the printserver. So there wasn’t a general problem regarding our server, it had something to do with the set-printer powershell call.

After some investigation we found out, that only printers that start(!) with a lowercase character are failing to create. If we change the first char to uppercase, the printers got created without any problem. So maybe someone will help this. I don’t know why or where this happens, but it does and is reproducable

If you get this annoying message from your favorite MS application, you may have read the internet to the end until you got here. We had the same issue with Word or Excel and tried to get into that problem. First of all, we recognized that it only appears when we upgrade our clients from Windows 7 to Windows 10 1809. If we made a different step between, that everything worked as expected. You may read a lot of stories where Microsoft has a bug on 1809 and you should upgrade to the next Windows 10 version (1903) to „fix“ this problem, but in some cases you can’t and have to deal with this problem like we did.

What’s the problem?

As you can read in the internet, you may have already mentioned that this issue is a issue with fonts. Some problems occur, when you add fonts to the fonts directory and add an entry to the registry, like everyone does, when you have to deal with additional fonts like barcode fonts e.g. Even it is not recommended, it worked for a long time

What did you do while analyzing the root cause?

We tried several tools like „fontreg“ that replaces the old fontinst of Microsoft and tried to repair the fonts, but that didn’t do the trick. After that, we tried to copy remove all fonts and added them back to the system, but some times it works, some times it doesn’t. Even a script to automate that process was unable to solve this 100%.

After some experiments on how to add fonts, we started procmon to dive even deeper into the problem and found some entries that correlate to a problem we see in Wordpad. If we opened Wordpad and click on the font selection dropdown, there were several entries empty, even normal system fonts didn’t appear correctly. So the list looked like Wordpad had issues showing the font information. That pointed us in the right direction

What was the solution?

I checked some information at procmon which pointed us to the acl of the fonts, the xxx.ttf in c:\windows\fonts and we recognized a mismatch between these fonts. For example, arial.ttf had different permissions set that others, so we decided to take arial.ttf as our new „acl source“ and overwrite the permissions of the other fonts, and poof, our problem was gone. We created a powershell script for this task. I attached it here, so you can get it. Please make sure that you know what you are doing. I’m not responsible for any problems that occur when using this script.

Please leave me a comment if you have this issue and have fixed this problem with this script

fix.ps1

$aclFromArial = Get-Acl „c:\windows\fonts\arial.ttf“
$aclFromArial | Set-Acl „c:\windows\fonts*.“ # set permission for every font
$aclFromArial | Set-Acl „c:\windows\fonts\“ # set permission for fonts dir