New Utility: Domain Group Expiration Tool

Typically Active Directory is managed using th...
Image via Wikipedia

I wrote this tool out a of this simple request:  Why can’t a user’s membership to a domain group expire like their domain accounts can?

At my current employer we frequently need to grant temporary access for a few hours or days to resources.  However, this functionality is not built into Active Directory by default. The issue is that when you grant someone temporary membership to a group there is a real problem about removing that membership. Temporary access is based on a human element instead of an automated process.

As an example, what if your Director of Development comes to you and wants you to grant access to a individual. He/She needs this person to have VC access for group of VMware servers while another person is out sick. So you grant them access, a week goes by and you forget. Now you have an extra user with access they should not have.

But if when you added that user to the group, what if  you could assign a day and time when they lose that access? You could set and forget. This would eliminate auditing and having to keep reminders on these requests.

This tool is two parts. A PHP front-end that is used for submitting requests and a VBS script on the back-end for processing, logging, and alerting on requests. This tool provides the following:

  • Granularity on expiration down to the minute
  • Email alerts to requester and user-defined list (ISO, Managers, admins, etc) for processed additions and removals
  • Request form auto populates with users and groups from domain (no typing)
  • Uses DHTLM Calendar for Date/Time picking

Instructions for installation are found inside the README.
You can find the tool here: Domain Group Expiration Tool

dget

If you found this useful or have questions drop me an email or post your comments here.

Tools

7 Comments Leave a comment

  1. im getting this two errors :

    Notice: Undefined index: flag in
    C:xampphtdocsDomainGroupExpirationToolindex.php on line
    27

    Fatal error: Call to undefined function ldap_connect()
    in C:xampphtdocsDomainGroupExpirationToolindex.php on line
    84

  2. I answer myself : you need to add this two lines:

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);         ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

  3. I would appreciate very much if you can provide the new working link to download this Domain Group Expiration Tool.

    Alex

  4. Hello,
    I was looking for a tool doing exactly this kind of time-limited affectation ! But the link for the download is broken.
    Do you still have this utility ? I would avoid rewriting exactly the same tool 🙂
    Regards,
    Ben

%d bloggers like this: