Is there any way to add a user to a group for an exact time and then delete the user from the group automatically?
e.g.: CN=testuser1 and CN=testgroup1
Now I want to add the CN=testuser1 to the CN=testgroup1 for 1 day.
After that 1 day the user should leave (shouldn't be a member of the group anymore) CN=testgroup1 automatically.
Is this possible with System.DirectoryServices.AccountManagement or System.DirectoryServices, or is there another solution except a PowerShell script?

Hint: I don't want a solution with a PowerShell script or something like that. It should be done within my C# program. I have a Windows form with 3 textboxes:

  • Username from AD: searches in the AD for a user (I already have a searcher)
  • Groupname from AD: searches in the AD for a group (I already have a searcher)
  • and duration: this is where I want to enter how long (in days) the user should be in that group

When I press a button "Add user temporarily to group" the user should be added to that group for a specific time which I can enter in that duration textbox.

Thanks in advance!

ov4rlrd

2 Answers

Brian answered the question - here's a C# example of how we've done this as requested by a comment on his answer.

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
// Adds user to groupName with a TTL that expires at accessUntil (needs the PAM optional feature; see Brian's answer).
static void AddTemporaryMember(PrincipalContext context, string groupName, UserPrincipal user, DateTime accessUntil, DateTime dtNow)
{
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName))
    {
        TimeSpan span = accessUntil.Subtract(dtNow);
        DirectoryEntry groupDirectoryEntry = (DirectoryEntry)group.GetUnderlyingObject();
        // Expiring-link syntax: "<TTL=seconds,DN>" added to the group's member attribute
        groupDirectoryEntry.Properties["member"].Add("<TTL=" + ((int)span.TotalSeconds).ToString() + "," + user.DistinguishedName + ">");
        groupDirectoryEntry.CommitChanges();
        groupDirectoryEntry.Close();
    }
}

Note that the "Add" will replace the current TTL if one already exists for the member.

Pigfaricus

Yes, this is possible. It requires that you have a Windows Server 2016 forest and that you have the Privileged Access Management optional feature enabled.

Once you have this, you can specify a TTL for a linked value such as a group membership. This blog https://www.dsinternals.com/en/how-the-active-directory-expiring-links-feature-really-works/ shows you how to do this. I do not know if you can supply the syntax via ADSI (System.DirectoryServices) or if you will need to fall back to a direct LDAP call with System.DirectoryServices.Protocols.

Brian Desmond
  • So when I enable "PAM", then I am able to set such a path like this(?): when I add a user to a group, right? Thanks for your link tho! @Brian Desmond – ov4rlrd Aug 30 '18 at 06:14
  • It would be nice if someone could actually provide a C# example. – EricLavault Jul 04 '19 at 13:53
  • Hello! A great solution for adding a user! BUT! How do I use C#/LDAP to get time counters from users in a group? As far as I understand, this value is not stored in the group? Is it hidden somewhere in the dark forest of AD? – KUL Nov 16 '21 at 07:32
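Added example, not code from the question or from either answer: the same expiring-link write done through System.DirectoryServices.Protocols (the direct-LDAP fallback Brian mentions), plus a read-back of the remaining TTL per member using the LDAP_SERVER_LINK_TTL_OID search control (1.2.840.113556.1.4.2309, documented in MS-ADTS), which is the piece KUL's comment asks about. It assumes a forest with the Privileged Access Management optional feature enabled and uses constructed names (dc01.contoso.local, CN=testgroup1, CN=testuser1 under DC=contoso,DC=local) that you would replace with your own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

public static class ExpiringMembership
{
    // LDAP_SERVER_LINK_TTL_OID (MS-ADTS): asks the DC to return linked values together with their TTL.
    public const string LinkTtlControlOid = "1.2.840.113556.1.4.2309";

    // Builds the expiring-link value written to "member": <TTL=seconds,DN>.
    // Rejects non-positive durations, which the (int) cast in the accepted answer would silently turn into a bad value.
    public static string BuildTtlValue(string memberDn, TimeSpan duration)
    {
        if (duration <= TimeSpan.Zero)
            throw new ArgumentOutOfRangeException(nameof(duration), "TTL must be positive.");
        long seconds = (long)Math.Ceiling(duration.TotalSeconds);
        return "<TTL=" + seconds + "," + memberDn + ">";
    }

    // Parses a member value returned under the link-TTL control.
    // Permanent members come back as a plain DN and yield ttl == null.
    public static (string dn, long? ttl) ParseMemberValue(string value)
    {
        if (!value.StartsWith("<TTL=", StringComparison.OrdinalIgnoreCase) || !value.EndsWith(">"))
            return (value, null);
        string inner = value.Substring(5, value.Length - 6);   // "seconds,DN"
        int comma = inner.IndexOf(',');                          // split at the FIRST comma only; DNs contain commas
        if (comma < 0 || !long.TryParse(inner.Substring(0, comma), out long ttl))
            throw new FormatException("Unexpected TTL value: " + value);
        return (inner.Substring(comma + 1), ttl);
    }

    // Adds memberDn to groupDn as an expiring link. As Pigfaricus notes, an Add of an existing member replaces its TTL.
    public static void AddTemporaryMember(LdapConnection conn, string groupDn, string memberDn, TimeSpan duration)
    {
        var req = new ModifyRequest(groupDn, DirectoryAttributeOperation.Add, "member", BuildTtlValue(memberDn, duration));
        var resp = (ModifyResponse)conn.SendRequest(req);
        if (resp.ResultCode != ResultCode.Success)
            throw new InvalidOperationException("Add failed: " + resp.ResultCode + " " + resp.ErrorMessage);
    }

    // Reads the group's members with their remaining TTL in seconds (null for permanent members).
    public static List<(string dn, long? ttl)> GetMembersWithTtl(LdapConnection conn, string groupDn)
    {
        var req = new SearchRequest(groupDn, "(objectClass=group)", SearchScope.Base, "member");
        req.Controls.Add(new DirectoryControl(LinkTtlControlOid, null, true, true));
        var resp = (SearchResponse)conn.SendRequest(req);
        var result = new List<(string, long?)>();
        if (resp.Entries.Count == 0 || !resp.Entries[0].Attributes.Contains("member"))
            return result;
        foreach (object v in resp.Entries[0].Attributes["member"].GetValues(typeof(string)))
            result.Add(ParseMemberValue((string)v));
        return result;
    }

    public static void Main()
    {
        // Constructed sample names; replace with values from your own forest.
        string groupDn = "CN=testgroup1,OU=Groups,DC=contoso,DC=local";
        string userDn = "CN=testuser1,OU=Users,DC=contoso,DC=local";
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier("dc01.contoso.local", 389)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;   // bind with the current Windows credentials
            conn.Bind();
            AddTemporaryMember(conn, groupDn, userDn, TimeSpan.FromDays(1));
            foreach (var (dn, ttl) in GetMembersWithTtl(conn, groupDn))
                Console.WriteLine(ttl.HasValue ? dn + ": expires in " + ttl + " s" : dn + ": permanent");
        }
    }
}
```

Without the control, the search returns only the DNs, which is why the TTL appears to be "hidden": the DC keeps it alongside the link value and only exposes it when asked. The parser splits at the first comma because the DN part itself contains commas, and the add path refuses a zero or negative duration instead of writing whatever the integer cast produces.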