Affected versions: Windows Server 2016


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Just-in-Time (JIT) elevation fails on Windows Server 2016: an admin is added to a privileged group with a time-to-live (TTL) through Privileged Access Management (PAM), but the membership either never shows up in the admin's Kerberos tickets or has already expired by the time it is used, so every task that depends on the elevation is blocked.

Environment & Reproduction

Reproducible when the forest is not at the Windows Server 2016 functional level with the PAM optional feature enabled, when the admin keeps using a ticket-granting ticket (TGT) issued before the membership was granted, or when replication latency or clock skew between domain controllers delays the membership's arrival on a DC or brings its expiry forward. Different DCs can disagree during that window, so pin every check to one DC with -Server.

# Authentication policy (which can cap the TGT lifetime) and current group backlinks for the user
Get-ADUser jdoe -Properties msDS-AssignedAuthNPolicy,memberOf
# Current members as seen by the DC you are talking to
Get-ADGroupMember 'Domain Admins'

Root Cause Analysis

Time-bound (temporal) group membership is provided by the Privileged Access Management optional feature of AD DS. Enabling it requires the forest functional level to be Windows Server 2016, which in turn means every DC runs Windows Server 2016 and every KDC understands the TTL stored on the group's link value. When such a user requests a TGT, the KDC sets the ticket lifetime to the shortest remaining TTL among the user's memberships (capped by the domain's Kerberos policy), so the privilege lapses together with the ticket. Two consequences explain the symptom: a TGT obtained before the membership was added does not contain the group at all, and each DC drops the expired link value on its own clock, so a DC that is behind on replication or has skewed time reports a different membership state.

Quick Triage

Confirm that the optional feature is enabled at forest scope (EnabledScopes is non-empty) and compare the cached TGT's StartTime/EndTime with the TTL that was granted: a TGT issued before the grant, or one that outlives the TTL, points straight at the cause.

# EnabledScopes lists the partitions the feature is enabled for; empty means not enabled
Get-ADOptionalFeature -Filter 'Name -like "Privileged*"'
# Run in the elevated user's session: StartTime/EndTime of the cached TGT
klist tgt

Step-by-Step Diagnosis

Validate the time-bound membership flow end to end against a single DC: grant a membership with a TTL, then read the group back with -ShowMemberTimeToLive. Without that switch a time-bound value is returned as a plain DN and cannot be told apart from a permanent membership.

# Grant a 60-minute membership (only accepted once the PAM optional feature is enabled)
Add-ADGroupMember -Identity 'Domain Admins' -Members jdoe -MemberTimeToLive (New-TimeSpan -Minutes 60)
# Time-bound values are returned as <TTL=<seconds remaining>,<member DN>>
Get-ADGroup 'Domain Admins' -Properties Member -ShowMemberTimeToLive | Select-Object -ExpandProperty Member
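The following script is an added example for this article, not code from Microsoft's PAM documentation. It wraps the diagnosis above in two functions: the first, run by the granting admin, checks the preconditions, grants a time-bound membership on one DC and parses the remaining TTL out of the <TTL=...> value; the second, run inside the elevated user's own session, discards the stale TGT, forces a new one and checks that its EndTime does not exceed the TTL. Assumed and adjustable: the RSAT ActiveDirectory module, group 'Domain Admins', account jdoe, the PDC emulator as the pinned DC, a 300-second clock-skew tolerance, and that klist prints the ticket end time as "EndTime : <date> (local)" in the current culture's date format.

```powershell
# Added example, not part of the original article or of Microsoft's PAM tooling.
Import-Module ActiveDirectory

# --- Run as the admin who grants access -------------------------------------
function Grant-TimeBoundMembership {
    param(
        [string]$Group  = 'Domain Admins',               # assumption: target group
        [string]$User   = 'jdoe',                        # assumption: test account
        [timespan]$Ttl  = (New-TimeSpan -Minutes 60),
        # Pin every call to one DC so replication lag cannot explain a missing value.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # Preconditions: forest level 2016 (so every KDC understands TTLs) and the
    # optional feature enabled at forest scope.
    $forest  = Get-ADForest -Server $Server
    $level16 = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
    if ([int]$forest.ForestMode -lt [int]$level16) {
        throw "Forest functional level is $($forest.ForestMode); Windows2016Forest is required."
    }
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $Server
    if (-not $pam.EnabledScopes) {
        throw "The PAM optional feature is not enabled; see 'Solution - Primary Fix'."
    }

    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl -Server $Server

    # Without -ShowMemberTimeToLive a time-bound member looks like a permanent one;
    # with it the value reads "<TTL=<seconds>,<member DN>>".
    $userDn  = (Get-ADUser -Identity $User -Server $Server).DistinguishedName
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive -Server $Server).member
    $entry   = $members | Where-Object { $_ -like "<TTL=*,$userDn>" }
    if (-not $entry) {
        throw "$User is in $Group without a TTL (or not at all) on $Server."
    }
    $remaining = [int]([regex]::Match($entry, '^<TTL=(\d+),').Groups[1].Value)
    Write-Host ("{0} is a time-bound member of {1}: {2} s remaining on {3}" -f $User, $Group, $remaining, $Server)
    return $remaining
}

# --- Run inside the elevated user's own logon session ------------------------
function Test-FreshTgt {
    param(
        [int]$RemainingSeconds,                          # value returned by Grant-TimeBoundMembership
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$SkewSeconds = 300                          # assumption: tolerated client/KDC clock skew
    )
    # A TGT obtained before the grant does not carry the group, so empty the cache
    # and force a new AS exchange by touching a Kerberos-protected share on the DC.
    klist purge | Out-Null
    Get-ChildItem -Path "\\$Server\SYSVOL" | Out-Null
    $line = (klist tgt) | Select-String -Pattern 'EndTime\s*:\s*(.+?)\s*\(local\)' | Select-Object -First 1
    if (-not $line) { throw "No TGT in the cache after purge; authentication to $Server failed." }
    $end = [datetime]::Parse($line.Matches[0].Groups[1].Value)   # assumption: klist's local-time format
    $max = (Get-Date).AddSeconds($RemainingSeconds + $SkewSeconds)
    if ($end -gt $max) {
        Write-Warning "TGT valid until $end, beyond the membership TTL: the KDC is not honouring the time-bound membership."
        return $false
    }
    Write-Host "TGT valid until $end, within the remaining TTL: time-bound membership is honoured."
    return $true
}

# Typical use: the admin runs the first call, the user the second in a new session.
# $ttl = Grant-TimeBoundMembership -Group 'Domain Admins' -User 'jdoe'
# Test-FreshTgt -RemainingSeconds $ttl
```

The two halves deliberately run in different sessions: the grant is an LDAP write that the admin can make from anywhere, while the ticket check only means something in the logon session of the account that was elevated, since that is the cache the KDC populates.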

Solution – Primary Fix

Enable the Privileged Access Management optional feature at forest scope. This requires forest functional level Windows Server 2016 and, like the Recycle Bin feature, cannot be disabled afterwards. Then make sure the domain's Kerberos policy does not cut the elevation window short.


Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target corp.local
# Set-ADDomain has no ticket-lifetime parameter. The upper bound on a TGT is the Kerberos policy
# "Maximum lifetime for user ticket" (Default Domain Policy > Account Policies > Kerberos Policy,
# default 10 hours). The KDC shortens a TGT to the remaining TTL on its own, so that policy only
# needs to be at least as long as the longest elevation you intend to grant.

Solution – Alternative Approaches

Use Microsoft Identity Manager (MIM) PAM, which issues the time-bound memberships from a separate bastion forest through shadow principals, when you need request and approval workflows on top of the raw TTL mechanism. Azure AD Privileged Identity Management governs Azure AD roles and groups rather than on-premises AD DS groups such as Domain Admins, so it is an alternative only for resources that are administered from Azure AD.

# Orchestration is configured in MIM PAM (New-PAMGroup, New-PAMRole, New-PAMRequest) or in the
# Azure AD PIM portal; from AD DS you still verify the resulting membership the same way
Get-ADGroupMember 'Domain Admins' | Where-Object {$_.objectClass -eq 'user'}

Verification & Acceptance Criteria

Acceptance criteria: after the grant, a freshly issued TGT for the admin shows an EndTime no later than the remaining TTL, the privileged tasks succeed, and once the TTL has elapsed the account is absent from the group on every DC and a new TGT no longer carries it. The purge matters: a TGT cached before the grant never contains the group.

# In the elevated user's session
klist purge                    # drop the pre-grant TGT
klist tgt                      # after accessing any Kerberos-protected resource: EndTime should match the TTL
# From an admin session after the TTL has elapsed: jdoe must no longer be listed
Get-ADGroupMember 'Domain Admins'

Rollback Plan

The PAM optional feature cannot be disabled once enabled, so rollback means removing the time-bound membership (or re-adding the account without -MemberTimeToLive if the business requires a standard, permanent membership) and having the user purge tickets or log off so that the change takes effect.

# Remove the membership; the user's existing TGT keeps the group until it expires or is purged
Remove-ADGroupMember -Identity 'Domain Admins' -Members jdoe

Prevention & Hardening

Document the elevation workflow (who may request, who grants, the maximum TTL) and audit every privileged-group change. Events 4728/4729 (member added to / removed from a security-enabled global group) cover Domain Admins; universal groups such as Enterprise Admins and Schema Admins log 4756/4757, and domain local groups such as Administrators log 4732/4733. The Security log is local to the DC that processed the change, so collect from every DC.

# Last 50 global-group membership changes on this DC (needs the "Security Group Management" audit subcategory)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4728 or EventID=4729)]]" -MaxEvents 50
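The script below is an added example for this article, not part of the original page. It generalises the one-liner above: it queries each DC for all three add/remove event pairs (global, domain local and universal groups), flattens the XML payload of each event into named fields and keeps only changes to a watch-list of privileged groups. The DC names, the 24-hour lookback and the watch-list are placeholders; the audit subcategory "Security Group Management" must be enabled for the events to exist.

```powershell
# Added example, not code from the original article.
$Dcs     = @('dc01.corp.local', 'dc02.corp.local')   # assumption: your DCs
$Since   = (Get-Date).AddDays(-1)                     # assumption: lookback window
# 4728/4729 only cover global groups; universal groups log 4756/4757 and
# domain local groups log 4732/4733, so watch all three pairs.
$Ids     = 4728, 4729, 4732, 4733, 4756, 4757
$Watched = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedGroupChange {
    param(
        [string[]]$ComputerName,
        [datetime]$StartTime,
        [int[]]$Id,
        [string[]]$Group
    )
    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc `
            -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime } `
            -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The Properties collection is positional; the XML view carries the field names
            # (SubjectUserName, MemberName, TargetUserName, ...).
            $xml = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($Group -and ($d.TargetUserName -notin $Group)) { continue }
            $action = if ($e.Id -in (4728, 4732, 4756)) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc
                Action = $action
                Group  = $d.TargetUserName
                Member = $d.MemberName                      # DN of the member; MemberSid holds the SID
                By     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
}

Get-PrivilegedGroupChange -ComputerName $Dcs -StartTime $Since -Id $Ids -Group $Watched |
    Sort-Object Time | Format-Table -AutoSize
```

Querying each DC rather than one is the point: a time-bound grant made against dc02 is logged only there, and a one-DC query would miss it entirely.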

Related Errors & Cross-Refs

Related controls that usually sit alongside JIT elevation: RunAs (separate administrative credentials), Just Enough Administration (JEA) for constrained PowerShell endpoints, and Credential Guard for protecting the credentials cached by the elevated session.


References & Further Reading

Microsoft Learn: Privileged Access Management for AD DS.
