How to Configure Windows Server 2016 Privileged Access Management

Privileged Access Management (PAM) is an Active Directory feature introduced with Windows Server 2016 that provides a time-based, just-in-time approach to privileged group membership. Instead of holding permanent membership in groups like Domain Admins, a user is granted membership only for the time needed to perform a specific task. When the time limit expires, the membership is removed automatically. This shrinks the window in which a stolen credential, a passed hash or a long-forgotten standing membership actually carries privilege.

How PAM Works

PAM in Windows Server 2016 builds on the concept of a bastion Active Directory forest: a dedicated, hardened forest used only for administration, joined to production by a one-way trust in which the production forest trusts the bastion forest. Each privileged production group is represented in the bastion forest by a shadow principal, an object of class msDS-ShadowPrincipal (held under CN=Shadow Principal Configuration,CN=Services,CN=Configuration) whose msDS-ShadowPrincipalSid attribute stores the SID of the production group. Administrators hold separate accounts in the bastion forest. When one of them needs elevated rights, their bastion account is added to the shadow principal as a member with a TTL. Because the trust is flagged as a PIM trust with SID history enabled, the production forest accepts the production group's SID in the bastion user's Kerberos ticket, so the user is treated as a member of Domain Admins (or whichever group) in production without any object in the production forest being modified. When the TTL expires the link is dropped and the next ticket no longer carries the SID.

Time-limited (expiring) membership requires the Privileged Access Management optional feature, which can only be enabled in a forest at the Windows Server 2016 forest functional level. In the bastion model that is the bastion forest; the production forest keeps its current functional level, subject to MIM's own requirements, which is one reason a new dedicated forest is the usual deployment. Microsoft Identity Manager (MIM) 2016 adds request, approval and workflow handling on top of the directory feature.

Prerequisites

The forest that will hold the time-limited memberships (the bastion forest in the MIM model) must be at the Windows Server 2016 forest functional level, which in turn requires every domain controller in that forest to run Windows Server 2016 or later. The PAM optional feature must then be enabled on that forest. Optionally, Microsoft Identity Manager 2016 with the PAM component can be installed for enterprise-grade request and approval workflow.

Check the current forest functional level:

Get-ADForest | Select-Object ForestMode

Raise the forest functional level if needed:

Set-ADForestMode -Identity "corp.local" -ForestMode Windows2016Forest -Confirm:$false

Enabling the PAM Optional Feature

Enable the Privileged Access Management feature on the forest. Like the Recycle Bin, this is a one-way operation that cannot be reversed:

Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "corp.local" -Confirm:$false

Verify the feature is enabled:

Get-ADOptionalFeature -Filter {Name -eq "Privileged Access Management Feature"} | Select-Object Name, EnabledScopes
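The three checks above and the one-way enable step, combined into a single pre-flight script. This is an added example, not code from the original article; it assumes the ActiveDirectory module, Enterprise Admins rights, and the placeholder forest name corp.local.

```powershell
# Added example (not from the original article): pre-flight checks before the
# irreversible Enable-ADOptionalFeature. Assumes the ActiveDirectory module,
# Enterprise Admins rights, and the placeholder forest name "corp.local".
Import-Module ActiveDirectory

$ForestName  = 'corp.local'
$FeatureName = 'Privileged Access Management Feature'
$forest      = Get-ADForest -Identity $ForestName

# 1. The feature needs forest functional level Windows Server 2016 or later.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

# 2. Every DC in every domain must be 2016 or later. The FFL raise enforces this,
#    but a stale DC object that was never demoted cleanly can still trip it up.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2016|2019|2022|2025)' }
}
if ($oldDcs) {
    throw "Downlevel domain controllers: $(($oldDcs | ForEach-Object HostName) -join ', ')"
}

# 3. Enabling is one-way, so only do it if it has not been done already.
$feature = Get-ADOptionalFeature -Identity $FeatureName
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "PAM feature already enabled at: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity $FeatureName -Scope ForestOrConfigurationSet `
        -Target $ForestName -Confirm:$false
    Write-Output "PAM feature enabled on $ForestName"
}
```

Run it once on a domain controller (or a workstation with RSAT) in the forest root domain; the script throws before touching anything if a prerequisite is missing, and is safe to re-run because it checks EnabledScopes first.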

Granting Time-Limited Group Membership

Once PAM is enabled, you can add a user to a group with a Time-to-Live (TTL) value. When the TTL expires, the membership is automatically removed by Active Directory without any administrator intervention:

Add-ADGroupMember -Identity "Domain Admins" -Members jsmith -MemberTimeToLive (New-TimeSpan -Hours 4)

This grants jsmith membership in Domain Admins for 4 hours from the moment the command runs; after that the domain controller stops returning the link. Two Kerberos caveats apply. A ticket issued before the grant does not contain the new group SID, so the user must log on again (or at least obtain a fresh TGT) to use the privilege. Once the PAM feature is enabled, the KDC also caps the lifetime of a TGT at the lowest remaining TTL among the account's expiring memberships, so the privilege does not outlive the grant inside a cached ticket. The TTL can be expressed in any TimeSpan unit:

Add-ADGroupMember -Identity "Server_Admins" -Members bwilliams -MemberTimeToLive (New-TimeSpan -Minutes 60)

Checking Time-Limited Membership

To view the current time-limited memberships and their remaining TTL for a specific group, request the member attribute with -ShowMemberTimeToLive. Expiring members come back as <TTL=seconds,DN>; permanent members are returned as plain distinguished names:

Get-ADGroup "Domain Admins" -Properties member -ShowMemberTimeToLive | Select-Object -ExpandProperty member

To list the groups a specific user currently belongs to (permanent and time-limited alike; memberOf is a back-link and carries no TTL, so an expired membership simply disappears from it):

Get-ADUser jsmith -Properties memberOf | Select-Object -ExpandProperty memberOf
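Putting the grant and the check together: a grant function that enforces a policy cap and refuses to add a TTL next to an existing standing membership, plus a report that parses the <TTL=seconds,DN> form returned by -ShowMemberTimeToLive across the tier-0 groups. This is an added example, not code from the original article; it assumes the ActiveDirectory module, the PAM feature already enabled, execution against the forest root domain (where Enterprise Admins and Schema Admins live), and a placeholder user name and 4-hour cap.

```powershell
# Added example (not from the original article): a capped grant plus a report of
# every expiring membership in the tier-0 groups. Assumes the ActiveDirectory
# module, the PAM feature already enabled, and that it runs against the forest
# root domain. The 4-hour cap and the user name are placeholders.
Import-Module ActiveDirectory

$MaxTtl      = New-TimeSpan -Hours 4
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [timespan] $TimeToLive
    )
    # Policy check: refuse anything longer than the agreed maximum window.
    if ($TimeToLive -gt $MaxTtl) {
        throw "Requested TTL $TimeToLive exceeds the $MaxTtl cap."
    }
    # A TTL next to a standing membership is meaningless, so refuse that case.
    # Permanent members come back as plain DNs; expiring ones as "<TTL=...>".
    $current = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    $userDn  = (Get-ADUser -Identity $User).DistinguishedName
    if ($current -contains $userDn) {
        throw "$User already holds a permanent membership in $Group; remove it first."
    }
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $TimeToLive
}

function Get-TemporaryMembers {
    param([string[]] $Groups = $Tier0Groups)
    foreach ($g in $Groups) {
        $members = (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member
        foreach ($m in $members) {
            # Only expiring links match; the first capture is the remaining seconds.
            if ($m -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    Group            = $g
                    Member           = $Matches[2]
                    RemainingMinutes = [math]::Round([int]$Matches[1] / 60, 1)
                    ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
                }
            }
        }
    }
}

Grant-TemporaryMembership -Group 'Domain Admins' -User 'jsmith' -TimeToLive (New-TimeSpan -Hours 2)
Get-TemporaryMembers | Sort-Object ExpiresAt | Format-Table -AutoSize
```

The report is the artefact worth scheduling: run it from a monitoring host and reconcile every row against an approved request, and treat any tier-0 member that is not in the output (that is, a permanent member) as an exception to be justified.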

Configuring a PAM Trust from a Bastion Forest

In an enterprise PAM deployment a separate bastion forest is used. Administrators keep their day-to-day account in the production forest and receive a second account in the bastion forest; only the bastion account is ever made a member of a shadow principal. The trust is one-way: the production forest trusts the bastion forest, never the reverse. Three properties of that trust make PAM work and are not set by a plain trust creation: it must be forest-transitive, SID history must be enabled and SID filtering (quarantine) disabled so that the production group SID carried in the bastion user's ticket is honored, and the PIM trust flag must be set. MIM's New-PAMTrust cmdlet performs these trust steps (and New-PAMDomainConfiguration the per-domain configuration); the equivalent netdom commands, run on a domain controller in the production (trusting) forest with credentials for both sides, are:

# Run on a domain controller in the production (trusting) forest. corp.local trusts
# bastion.local; the account names are placeholders and /passwordD:* /passwordO:* prompt.
netdom trust corp.local /domain:bastion.local /add /userD:bastion\Administrator /passwordD:* /userO:corp\Administrator /passwordO:*
netdom trust corp.local /domain:bastion.local /ForestTRANsitive:yes
netdom trust corp.local /domain:bastion.local /EnableSIDHistory:yes
netdom trust corp.local /domain:bastion.local /Quarantine:no
netdom trust corp.local /domain:bastion.local /EnablePIMTrust:yes

Auditing PAM Activity

Enable auditing on privileged groups to track when time-limited memberships are granted. auditpol acts on the local machine only, so apply the following subcategories through the Default Domain Controllers Policy (or an equivalent GPO) so every domain controller records them:

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Review the Security log for Event ID 4728 (member added to a security-enabled global group) and 4729 (member removed). Domain Admins is a global group; Enterprise Admins and Schema Admins are universal groups, which log 4756/4757 instead, and domain-local groups such as the built-in Administrators group log 4732/4733. A time-limited grant appears as an ordinary add event with the granting administrator (or the MIM service account) as the subject. Expiry is not an administrator action: the domain controller simply stops returning the link once its TTL reaches zero, so do not build detection on an expiry event alone. Verify expiries by re-reading the group with -ShowMemberTimeToLive, and alert on any privileged-group add whose member does not carry a TTL.
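Detection logic for the events listed above: pull the group-membership audit events from a domain controller, decode the EventData fields, and keep only the ones that touch tier-0 groups. This is an added example, not code from the original article; it assumes the Security Group Management subcategory is enabled, that the caller can read the DC's Security log, and placeholder values for the DC name and the 24-hour window.

```powershell
# Added example (not from the original article): read group-membership audit
# events from a DC and keep the ones that touch the tier-0 groups. Assumes the
# subcategory above is enabled and the caller can read the DC's Security log;
# the DC name and the 24-hour window are placeholders.
function Get-Tier0MembershipEvents {
    param(
        [string]   $DomainController = 'dc01.corp.local',
        [string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]      $Hours  = 24
    )
    # 4728/4729 global, 4756/4757 universal, 4732/4733 domain-local security
    # groups; the even ID is the add, the odd one the removal.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($Groups -notcontains $data.TargetUserName) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Action = if ($e.Id % 2 -eq 0) { 'Added' } else { 'Removed' }
            Group  = $data.TargetUserName
            Member = $data.MemberName   # DN of the account that was added or removed
            Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        }
    }
}

Get-Tier0MembershipEvents | Sort-Object Time | Format-Table -AutoSize
```

Feed the output into whatever holds your approved requests: an Added row whose Actor is not the MIM service account, or whose Member does not appear in the TTL report for that group, is a standing grant made outside the PAM process and should page someone.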

Integrating with Microsoft Identity Manager

For production environments, Microsoft Identity Manager (MIM) 2016 with the PAM component provides a complete workflow solution: approval processes, requester self-service, email notifications, and a PowerShell module and REST API for integration with ticketing systems. A user requests a PAM role through the portal or API, the request is routed to the configured approvers, and on approval MIM adds the requester's bastion-forest account to the corresponding shadow principal with the approved TTL. Active Directory then drops the membership when the TTL expires, without MIM having to act again.

Just Enough Administration Integration

PAM works alongside Just Enough Administration (JEA), PowerShell’s role-based access control framework. Where PAM controls temporal access to AD groups, JEA restricts what commands an elevated user can run in a PowerShell session. Combining PAM (time-limited elevation) with JEA (command-limited elevation) gives organizations fine-grained, auditable administrative access that dramatically reduces the risk of insider threats and compromised credentials.

Best Practices

Enable the PAM optional feature in the forest that will hold the time-limited memberships (the bastion forest in the MIM model) once it is at the Windows Server 2016 functional level. Replace standing privileged group memberships with just-in-time grants, but keep at least one documented, monitored break-glass account with permanent membership so an outage of MIM or the bastion forest cannot lock administrators out. Require an approval workflow for Domain Admins, Enterprise Admins and Schema Admins requests. Set short TTLs, granting the minimum time the task needs (typically 1-4 hours). Audit every grant and reconcile the TTL report against approved requests. Require multi-factor authentication on the request path. Train administrators on the model before cutting over. In the bastion model, the bastion forest is the key to all privileged access and must be hardened accordingly: dedicated or isolated hosts, no credentials shared with production, and no trust in which the bastion forest trusts production.

Privileged Access Management in Windows Server 2016 represents a significant step forward in reducing the risk associated with privileged accounts. By eliminating standing privilege and automating time-limited access expiry, PAM makes it far harder for attackers to leverage stolen credentials for extended periods.