Add-ADGroupMember "MemberTimeToLive" parameter not being recognised

  • #161652

    Participant

    Add-ADGroupMember "MemberTimeToLive" parameter recognised after enabling ActiveDirectory Privileged Access Management Feature

    I've recently discovered the MemberTimeToLive that comes with the "Privileged Access Management Feature" in Windows Server 2016 forest functional level. (I of course immediately wanted it!)

    So I had run through the steps required to enable the feature — something like https://4sysops.com/archives/privileged-access-management-assign-temporary-ad-group-membership. That worked without issue. But when testing, Add-ADGroupMember returned "A parameter cannot be found that matches parameter name 'MemberTimeToLive'."

    Though the AD feature is not enabled on another domain's server, I can type the Add-ADGroupMember command there and the parameter tab-completes! But it still doesn't run, so I thought there might be a difference in the module that I can use.

    What I've tried

    • Reimporting the module with '-Force'
    • Moving a copy of DLL-based ActiveDirectory module directory from where it worked to where it didn't (checked that that was the one being pointed to in the first place)
    • Again reimporting

    What I've tried to try

    • I'm not able to explore the DLL-based module unless I decompile it! Or is there another way to delve deeper into DLL-based modules? (Not that there's a great need usually.)

    I tried to find the help and syntax on the parameter — here are the results:

    
    PS C:\Users\.fnicules> Get-Help Add-ADGroupMember -Parameter MemberTimeToLive
    Get-Help : No parameter matches criteria MemberTimeToLive.
    At line:1 char:1
    
    
    
    PS C:\Users\.fnicules> Get-Command Add-ADGroupMember -Syntax
    Add-ADGroupMember [-Identity]  [-Members]  [-WhatIf] [-Confirm] [-AuthType ] [-Crede
    ntial ] [-Partition ] [-PassThru] [-Server ] []
    
    

    So no MemberTimeToLive parameter!

    Does anyone know what I'm doing wrong, or what I can look at, please?

  • #161726

    Participant

    Didn't have any issues on my Windows 2019 lab machine.

    From the article you posted, do you have something in the "EnabledScopes" parameter when running:

    Get-ADOptionalFeature -filter {name -like "Privileged*"}
    
  • #161823

    Participant

    Hi Fredrik

    Yes, just below is some of the truncated output. In full it shows the DC DNs and then "CN=Partitions,CN=Configuration", which I think is the expected config.

    
    PS C:\Users\.fnicules> Get-ADOptionalFeature -Identity "Privileged Access Management Feature" | select -ExpandProperty E
    nabledScopes
    
    
    
    CN=NTDS Settings,CN=
    CN=NTDS Settings,CN=
    CN=NTDS Settings,CN=
    CN=NTDS Settings,CN=
    CN=Partitions,CN=Configuration,DC=
    
    

    I should add that I've seen MemberTimeToLive parameter being used in a demo before and after enabling the Privileged Access Management Feature, and the cmdlet tab-completed and I believe took the parameter without the recognition error and threw another error prior to PAM being enabled.

  • #161931

    Participant

    Then I guess it should work, the module version in 2019 is 1.0.1.0

    Also, are you running this on one of the DCs and are you running PS as administrator?
    Some properties in AD are not exposed when running as a "normal" user.
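
The checks raised across this thread (loaded module copy and version, whether the cmdlet exposes the parameter, the PAM feature's enabled scopes, elevation) can be gathered in one pass. This is an added example, not code from any poster; the function name `Test-PamTtlSupport` and its `-Server` parameter are hypothetical.

```powershell
# Added example: hypothetical helper, not part of the original thread.
function Test-PamTtlSupport {
    [CmdletBinding()]
    param(
        [string]$Server   # optional: domain controller to query
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # The parameters a cmdlet accepts are defined by the compiled cmdlet class,
    # so inspect the command this session actually resolved.
    $cmd    = Get-Command Add-ADGroupMember -ErrorAction Stop
    $hasTtl = $cmd.Parameters.ContainsKey('MemberTimeToLive')

    # Path of the assembly implementing the cmdlet; this can differ from the
    # module folder, which matters when module directories are copied around.
    $dllVersion = if ($cmd.DLL) { (Get-Item $cmd.DLL).VersionInfo.FileVersion }

    # Every copy of the module visible on PSModulePath.
    $installed = Get-Module ActiveDirectory -ListAvailable |
        ForEach-Object { '{0}  {1}' -f $_.Version, $_.ModuleBase }

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }
    $pam    = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' @adArgs
    $forest = Get-ADForest @adArgs

    # Is this PowerShell session elevated?
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        OSVersion           = [Environment]::OSVersion.Version
        PSVersion           = $PSVersionTable.PSVersion
        LoadedModuleVersion = $cmd.Module.Version
        LoadedModuleBase    = $cmd.Module.ModuleBase
        CmdletAssembly      = $cmd.DLL
        CmdletAssemblyFile  = $dllVersion
        InstalledCopies     = $installed
        HasMemberTimeToLive = $hasTtl
        ForestMode          = $forest.ForestMode
        PamEnabledScopes    = @($pam.EnabledScopes).Count
        Elevated            = $elevated
    }
}

Test-PamTtlSupport | Format-List
```

Running it on both the machine where the parameter tab-completes and the one where it does not gives a side-by-side view of what differs between them.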
