I wrote this tool out of one simple request: why can't a user's membership in a domain group expire the way their domain account can?
At my current employer we frequently need to grant temporary access to resources for a few hours or days. However, this functionality is not built into Active Directory by default. The issue is that when you grant someone temporary membership in a group, removing that membership afterwards is a real problem: the removal depends on a human remembering to do it instead of on an automated process.
As an example, what if your Director of Development comes to you and wants you to grant access to an individual? He/She needs this person to have VC access for a group of VMware servers while another person is out sick. So you grant them access, a week goes by, and you forget. Now you have an extra user with access they should not have.
But what if, when you added that user to the group, you could assign a day and time at which they lose that access? You could set it and forget it. This would eliminate the auditing and the reminders you otherwise have to keep for these requests.
This tool has two parts: a PHP front-end used for submitting requests, and a VBS script on the back-end for processing, logging, and alerting on requests. This tool provides the following:
- Granularity on expiration down to the minute
- Email alerts to the requester and a user-defined list (ISO, managers, admins, etc.) for processed additions and removals
- Request form auto-populates with users and groups from the domain (no typing)
- Uses a DHTML calendar for date/time picking
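The back-end processing step described above, as an added PowerShell example rather than the tool's own VBS script. It assumes the RSAT ActiveDirectory module, a queue file written by the request form (`C:\GroupExpiry\requests.csv` with columns User, Group, ExpiresAt, Requester, Status), a log file, and an SMTP relay; all of those names and paths are assumptions, not the tool's.

```powershell
# Added example, not the Domain Group Expiration Tool's code. Run it from a
# scheduled task every minute under a service account that may modify the groups.
# Queue columns, paths and mail addresses below are assumed, not taken from the tool.
Import-Module ActiveDirectory

$QueueFile  = 'C:\GroupExpiry\requests.csv'
$LogFile    = 'C:\GroupExpiry\expiry.log'
$SmtpServer = 'smtp.example.local'
$AlertList  = @('iso@example.local', 'admins@example.local')   # fixed recipients, as the post describes
$Now        = Get-Date

$Requests = Import-Csv -Path $QueueFile
foreach ($Req in $Requests) {
    # Only pending requests whose expiry (minute granularity) has passed are due
    if ($Req.Status -ne 'Pending') { continue }
    $ExpiresAt = [datetime]::ParseExact($Req.ExpiresAt, 'yyyy-MM-dd HH:mm', [cultureinfo]::InvariantCulture)
    if ($ExpiresAt -gt $Now) { continue }

    # Confirm the user is still a member; someone may already have removed them by hand
    $Members = Get-ADGroupMember -Identity $Req.Group | Select-Object -ExpandProperty SamAccountName
    if ($Members -contains $Req.User) {
        Remove-ADGroupMember -Identity $Req.Group -Members $Req.User -Confirm:$false
        $Outcome = "removed $($Req.User) from $($Req.Group)"
    } else {
        $Outcome = "$($Req.User) was already absent from $($Req.Group)"
    }
    $Req.Status = 'Processed'

    # Log the action and alert the requester plus the fixed distribution list
    $Line = '{0:yyyy-MM-dd HH:mm} expiry: {1} (due {2:yyyy-MM-dd HH:mm}, requested by {3})' -f $Now, $Outcome, $ExpiresAt, $Req.Requester
    Add-Content -Path $LogFile -Value $Line
    Send-MailMessage -SmtpServer $SmtpServer -From 'groupexpiry@example.local' `
        -To (@($Req.Requester) + $AlertList) -Subject 'Group membership expired' -Body $Line
}

# Write the queue back so processed rows are not handled again on the next run
$Requests | Export-Csv -Path $QueueFile -NoTypeInformation
```

Restrict the queue and log files with ACLs to the service account running the task, because anyone who can edit the queue controls when access ends.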
Installation instructions are in the README.
You can find the tool here: Domain Group Expiration Tool
If you found this useful or have questions, drop me an email or post your comments here.