GroupMemberTTL.psm1
<# .Synopsis This function allows you to check a group for TTLs if you have installed PAM. It applies the defined TTL to all members of the group. If the current ttl is higher than the one defined it will set it to the new TTL. .EXAMPLE Example limiting "RemoteDesktop_48h_TempAccess" to a 5 day TTL. Set-GroupMemberTTL -Group "RemoteDesktop_48h_TempAccess" -TTL 5 -TTLPeriodOfTime Days #> function Set-GroupMemberTTL { [CmdletBinding()] Param ( #The group to monitor [Parameter(Mandatory = $true, Position = 0)] [String] $Group, #The ttl in seconds [Parameter(Mandatory = $true, Position = 1)] [int] $TTL, #Setting a period of time to multiply the ttl seconds acordingly [Parameter(Mandatory = $false, Position = 2)] [ValidateSet("Minutes", "Hours", "Days")] [String] $TTLPeriodOfTime ) switch ($PSBoundParameters.Values) { "Minutes"{ $TTL = $TTL * 60 } "Hours" { $TTL = $TTL * 3600 } "Days" { $TTL = $TTL * 86400 } } $GroupmembersTTL = Get-GroupMemberTTL -Group $Group $TTLTimespan = New-TimeSpan -Seconds $TTL foreach ($Member in $GroupmembersTTL) { if($Member.$HasTTL -and $Member.TTL -gt $TTL){ Add-ADGroupMember -Identity $Group -Members ($Member.DistinguishedName) -MemberTimeToLive $TTLTimespan Write-Debug "$($UserObj.SamAccountName) has a TTL value of $($Member.TTL) seconds setting it to $TTL seconds" }elseif ($Member.HasTTL -eq $false) { Add-ADGroupMember -Identity $Group -Members ($Member.DistinguishedName) -MemberTimeToLive $TTLTimespan Write-Debug "$($UserObj.SamAccountName)has no ttl value, seetting a TTL of $TTL seconds" } } } <# .Synopsis A function to create a user object that is easier to use than the build in function of "Get-ADGroup -ShowMemberTimeToLive" .EXAMPLE Example checking a group Get-GroupMemberTTL -Group "RemoteDesktop_48h_TempAccess" Expected Output: Samaccountname DistinguishedName TTL HasTTL -------------- ----------------- --- ------ test1 CN=test1,CN=Users,DC=fistoftech,DC=ch 477 True #> function Get-GroupMemberTTL { [CmdletBinding()] param ( [Parameter()] [String] $Group ) $GroupmembersTTL = Get-ADGroup $Group -Property member -ShowMemberTimeToLive if ($GroupmembersTTL.member -ne $null) { $UserArray = New-Object System.Collections.ArrayList foreach ($Member in $GroupmembersTTL.member) { $UserObject = [PSCustomObject]@{ Samaccountname = "" DistinguishedName = "" TTL = "" HasTTL = "" } if ($Member -like "*TTL*") { $DistinguishedName = ($Member.split(",") | Select-Object -Skip 1) -join "," $UserADObj = Get-ADUser -Identity $DistinguishedName $TTL = $Member.Split(",")[0] -replace "[^0-9]" $HasTTL = $true } else { $UserADObj = Get-ADUser -Identity $Member $TTL = 0 $HasTTL = $false } $UserObject.Samaccountname = $UserADObj.Samaccountname $UserObject.DistinguishedName = $UserADObj.DistinguishedName $UserObject.TTL =$TTL $UserObject.HasTTL =$HasTTL $UserArray.Add($UserObject) | Out-Null } return $UserArray } } |