How the Active Directory Expiring Links Feature Really Works

April 3, 2016 | Michael Grafnetter

One of the new features in Windows Server 2016 will be the Active Directory Expiring Links feature, which enables time-bound group membership, expressed by a time-to-live (TTL) value. Here is how it works:

Enabling the Expiring Links Feature

The Expiring Links feature had been a standalone feature in early Windows Server 2016 builds, but as of TP4, it is a part of the broader Privileged Access Management (PAM) feature. It is disabled by default, because it requires Windows Server 2016 forest functional level. One of the ways to enable the PAM feature is running this PowerShell cmdlet:

Note that once this feature is enabled in a forest, it can never be disabled again.

Creating Expiring Links using PowerShell

Unfortunately, this feature is not exposed in any GUI (yet), so you cannot create expiring links, nor can you tell the difference between a regular link and an expiring one. We will therefore use PowerShell to do the job:

As we can see, the TTL value in the output is in seconds (2h = 7200s). As soon as the TTL expires, the DCs will automatically remove user PatColeman from the Domain Admins group and his current Kerberos tickets will also expire.
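The two steps described above (enabling the feature, then creating and viewing a time-bound membership), as an added example that is not the original post's code. The forest name `contoso.com` is a placeholder and the `Get-ExpiringMember` helper is hypothetical; the user and group names are the ones used in this post.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder forest name; replace with your own.
$forest = 'contoso.com'

# Enable PAM only if it is not enabled yet (the change cannot be undone).
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest
}

# Add the user to the group for two hours (TTL = 7200 seconds).
Add-ADGroupMember -Identity 'Domain Admins' -Members 'PatColeman' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Hypothetical helper: report the time-bound members of a group and when
# each link is due to expire. Regular (non-expiring) members are skipped.
function Get-ExpiringMember {
    param([Parameter(Mandatory)][string] $Group)

    $now = (Get-Date).ToUniversalTime()
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($value in $members) {
        # Expiring links are returned in the TTL-DN form <TTL=seconds,DN>.
        if ($value -match '^<TTL=(\d+),(.+)>$') {
            $ttl = [int64]$Matches[1]
            [pscustomobject]@{
                Group      = $Group
                Member     = $Matches[2]
                TtlSeconds = $ttl
                ExpiresUtc = $now.AddSeconds($ttl)
            }
        }
    }
}

Get-ExpiringMember -Group 'Domain Admins' | Sort-Object ExpiresUtc | Format-Table -AutoSize
```

Running the helper on a schedule against privileged groups gives a record of which memberships are temporary and when they lapse, which the GUI tools do not show.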

Creating Expiring Links using LDAP

PowerShell is great, but what if we needed to stick with pure LDAP? Well, if you want to add a user into a group for a limited amount of time, you do it exactly as you are used to, but you have to specify his distinguished name (DN) in the new TTL-DN form: <TTL=TimeToLive,DN>. In our sample case, it would look like this:


To view the group membership with TTLs, the corresponding LDAP search operation has to contain the LDAP_SERVER_LINK_TTL extended control (OID = 1.2.840.113556.1.4.2309). Here is a screenshot from the ldp.exe tool with this control enabled:

[Screenshot: Link TTL]

Implementation Details (Very Advanced Stuff)

I was also quite interested in how this feature is implemented in the ntds.dit file. I have found out that as soon as you enable the PAM feature, the DCs automatically extend their database schemas in the following way:

  1. The expiration_time_col column is added to the link_table table. It contains timestamps (in the UTC FILETIME / 10^7 format), after which the links get deactivated. This is yet another reason for the time to be in sync between DCs.
  2. The link_expiration_time_index index is added to the link_table table. It is created over these columns: expiration_time_col, link_DNT, backlink_DNT. Thanks to this index, DCs can find expired links very quickly.


5 comments on “How the Active Directory Expiring Links Feature Really Works”

  1. Ishwar says:

    Hi, I have tried the above methods using both PowerShell and LDAP. Using PowerShell, I am able to add and view the group member with the time-to-live value. Using ldp.exe, I am able to view the TTL-DN for members as shown above.

    But adding a member with TTL-DN using ldp.exe is failing. Here are the values I have used:
    DN: CN=demogroup,CN=Users,DC=EXCHG2K16,DC=com
    Entry List: [Add]member:,CN=user2,CN=Users,DC=EXCHG2K16,DC=com

    The modify operation fails with the following error:

    ***Call Modify…
    ldap_modify_ext_s(ld, ‘CN=demogroup,CN=Users,DC=EXCHG2K16,DC=com’,[1] attrs, SvrCtrls, ClntCtrls);
    Error: Modify: Unwilling To Perform.
    Server error: 0000054F: SvcErr: DSID-031A1267, problem 5003 (WILL_NOT_PERFORM), data 0

    Error 0x54F An internal error occurred. I have also tried this with ldap_modify_ext_s() by passing the server control. I get the error 53 (Unwilling to Perform).

    Any suggestions on how to add the member using LDAP?


  2. Michael Grafnetter says:

    Your value is “7200,CN=user2,CN=Users,DC=EXCHG2K16,DC=com” (you probably omitted the TTL value because of num-lock), but the value should instead be “<7200,CN=user2,CN=Users,DC=EXCHG2K16,DC=com>”.

  3. Ishwar says:

    Michael, in my previous query I posted an incorrect Entry List. The actual entry list I tried was [Add]member:,CN=user2,CN=Users,DC=EXCHG2K6,DC=com. This format is displayed while viewing the memberships. After I updated this as per your suggestion, I am able to add the membership with the time-to-live value.

    Thanks a lot.

  4. jag says:

    From the attribute editor of a group that contains a TTL value, if we add anything to the member attribute, the TTL vanishes.

  5. Michael Grafnetter says:

    Yes, jag, the GUI is not ready for TTL yet.
