Add-ADGroupMember "MemberTimeToLive" parameter not being recognised

    • #161652

      Add-ADGroupMember “MemberTimeToLive” parameter recognised after enabling ActiveDirectory Privileged Access Management Feature

      I’ve recently discovered the MemberTimeToLive that comes with the “Privileged Access Management Feature” in Windows Server 2016 forest functional level. (I of course immediately wanted it!)

      So I ran through the steps required to enable the feature — something like https://4sysops.com/archives/privileged-access-management-assign-temporary-ad-group-membership. That worked without issue. But when testing, Add-ADGroupMember returned “A parameter cannot be found that matches parameter name ‘MemberTimeToLive’.”

      Though the AD feature is not enabled on another domain’s server, I can type the Add-ADGroupMember command there and the parameter tab-completes! But it still doesn’t run, so I thought there might be a difference in the module that I can use.

      What I’ve tried

      • Reimporting the module with ‘-Force’
      • Moving a copy of the DLL-based ActiveDirectory module directory from where it worked to where it didn’t (checked that that was the one being pointed to in the first place)
      • Again reimporting

      What I’ve tried to try

      • I’m not able to explore the DLL-based module unless I decompile it! Or is there another way to delve deeper into DLL-based modules? (Not that there’s a great need usually.)

      I tried to find the help and syntax on the parameter — here are the results:

      PS C:\Users\.fnicules> Get-Help Add-ADGroupMember -Parameter MemberTimeToLive
      Get-Help : No parameter matches criteria MemberTimeToLive.
      At line:1 char:1
      
      
      PS C:\Users\.fnicules> Get-Command Add-ADGroupMember -Syntax
      Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal[]> [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Credential <pscredential>] [-Partition <string>] [-PassThru] [-Server <string>] [<CommonParameters>]
      
      

      So no MemberTimeToLive parameter!

      Does anyone know what I’m doing wrong, or what I can look at, please?

    • #161726

      Didn’t have any issues on my Windows 2019 lab machine.

      From the article you posted, do you have something in the “EnabledScopes” parameter when running:

      Get-ADOptionalFeature -Filter {Name -like "Privileged*"}
      
    • #161823

      Hi Fredrik

      Yes, just below is some of the truncated output. In full it shows the DC DNs and then “CN=Partitions,CN=Configuration”, which I think is the expected config.

      PS C:\Users\.fnicules> Get-ADOptionalFeature -Identity "Privileged Access Management Feature" | select -ExpandProperty EnabledScopes
      
      
      CN=NTDS Settings,CN=
      CN=NTDS Settings,CN=
      CN=NTDS Settings,CN=
      CN=NTDS Settings,CN=
      CN=Partitions,CN=Configuration,DC=
      
      

      I should add that I’ve seen MemberTimeToLive parameter being used in a demo before and after enabling the Privileged Access Management Feature, and the cmdlet tab-completed and I believe took the parameter without the recognition error and threw another error prior to PAM being enabled.

    • #161931

      Then I guess it should work, the module version in 2019 is 1.0.1.0

      Also, are you running this on one of the DCs, and are you running PS as administrator?
      Some properties in AD are not exposed when running as a “normal” user.
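
The checks raised across this thread (which module and assembly are actually loaded, whether the cmdlet exposes the parameter, the PAM feature's EnabledScopes, and elevation) can be collected in one pass and compared between the machine that works and the one that does not. This is an added example, not code from any poster; the function name `Test-PamTtlReadiness` and the group and user names are hypothetical placeholders.

```powershell
# Added example: hypothetical helper, not from the thread.
# Run it on both machines and compare the two result objects.
function Test-PamTtlReadiness {
    [CmdletBinding()]
    param()

    Import-Module ActiveDirectory -ErrorAction Stop
    $module  = Get-Module ActiveDirectory
    $cmd     = Get-Command Add-ADGroupMember -Module ActiveDirectory
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'

    # Is the current session running with an elevated administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [Environment]::OSVersion.Version.ToString()
        PSVersion         = $PSVersionTable.PSVersion.ToString()
        ModuleVersion     = $module.Version.ToString()
        ModuleBase        = $module.ModuleBase
        # Assembly that really implements the cmdlet; this can differ from ModuleBase.
        CmdletAssembly    = $cmd.ImplementingType.Assembly.Location
        HasMemberTtlParam = $cmd.Parameters.ContainsKey('MemberTimeToLive')
        ForestMode        = $forest.ForestMode
        PamEnabledScopes  = @($feature.EnabledScopes).Count
        Elevated          = $elevated
    }
}

$result = Test-PamTtlReadiness
$result | Format-List

if ($result.HasMemberTtlParam -and $result.PamEnabledScopes -gt 0) {
    # 'ExampleGroup' and 'example.user' are constructed placeholder names.
    Add-ADGroupMember -Identity 'ExampleGroup' -Members 'example.user' `
        -MemberTimeToLive (New-TimeSpan -Minutes 15)

    # Confirm the membership carries a TTL instead of being permanent.
    Get-ADGroup 'ExampleGroup' -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
}
else {
    Write-Warning 'MemberTimeToLive is not exposed by the loaded cmdlet, or PAM has no enabled scopes.'
}
```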
