GroupMemberTTL

1.4

GroupMemberTTL.psm1

                                
<#

.Synopsis

   This function allows you to check a group for TTLs if you have installed PAM. It applies the defined TTL to all members of the group.

   If the current ttl is higher than the one defined it will set it to the new TTL.

.EXAMPLE

   Example limiting "RemoteDesktop_48h_TempAccess" to a 5 day TTL.

   Set-GroupMemberTTL -Group "RemoteDesktop_48h_TempAccess" -TTL 5 -TTLPeriodOfTime Days 

#>

function Set-GroupMemberTTL {

    [CmdletBinding()]

    Param

    (

        #The group to monitor

        [Parameter(Mandatory = $true,

            Position = 0)]

        [String]

        $Group,

        #The ttl in seconds

        [Parameter(Mandatory = $true,

            Position = 1)]

        [int]

        $TTL,

        #Setting a period of time to multiply the ttl seconds acordingly

        [Parameter(Mandatory = $false,

            Position = 2)]

        [ValidateSet("Minutes", "Hours", "Days")]

        [String]

        $TTLPeriodOfTime

    )

    switch ($PSBoundParameters.Values) {

        "Minutes"{

            $TTL = $TTL * 60

        }

        "Hours" {

            $TTL = $TTL * 3600

        }

        "Days" {

            $TTL = $TTL * 86400

        }

    }

    $GroupmembersTTL = Get-GroupMemberTTL -Group $Group

    $TTLTimespan = New-TimeSpan -Seconds $TTL

    foreach ($Member in $GroupmembersTTL) {

        if($Member.$HasTTL -and $Member.TTL -gt $TTL){

            Add-ADGroupMember -Identity $Group -Members ($Member.DistinguishedName) -MemberTimeToLive $TTLTimespan

            Write-Debug "$($UserObj.SamAccountName) has a TTL value of $($Member.TTL) seconds setting it to $TTL seconds" 

        }elseif ($Member.HasTTL -eq $false) {

            Add-ADGroupMember -Identity $Group -Members ($Member.DistinguishedName) -MemberTimeToLive $TTLTimespan

            Write-Debug "$($UserObj.SamAccountName)has no ttl value, seetting a TTL of $TTL seconds"

        }

    }

}

<#

.Synopsis

   A function to create a user object that is easier to use than the build in function of "Get-ADGroup -ShowMemberTimeToLive"

.EXAMPLE

   Example checking a group

   Get-GroupMemberTTL -Group "RemoteDesktop_48h_TempAccess"

   Expected Output:

   Samaccountname DistinguishedName                                 TTL HasTTL

   -------------- -----------------                                 --- ------

   test1          CN=test1,CN=Users,DC=fistoftech,DC=ch             477   True

#>

function Get-GroupMemberTTL {

    [CmdletBinding()]

    param (

        [Parameter()]

        [String]

        $Group

    )

    $GroupmembersTTL = Get-ADGroup $Group -Property member -ShowMemberTimeToLive

    if ($GroupmembersTTL.member -ne $null) {

        $UserArray = New-Object System.Collections.ArrayList

        foreach ($Member in $GroupmembersTTL.member) {

            $UserObject = [PSCustomObject]@{

                Samaccountname    = ""

                DistinguishedName = ""

                TTL               = ""

                HasTTL            = ""

            }

            if ($Member -like "*TTL*") {

                $DistinguishedName = ($Member.split(",") | Select-Object -Skip 1) -join ","

                $UserADObj = Get-ADUser -Identity $DistinguishedName

                $TTL = $Member.Split(",")[0] -replace "[^0-9]"

                $HasTTL = $true

            }

            else {

                $UserADObj = Get-ADUser -Identity $Member

                $TTL = 0

                $HasTTL = $false

            }

            $UserObject.Samaccountname = $UserADObj.Samaccountname

            $UserObject.DistinguishedName = $UserADObj.DistinguishedName

            $UserObject.TTL =$TTL

            $UserObject.HasTTL =$HasTTL

            $UserArray.Add($UserObject) | Out-Null

        }

        return $UserArray

    }

}