Active Directory

Lingering access with Temporary Group Memberships

Beware of NTLM when using Temporary Group Memberships

Short-term group memberships might lead to long-term permissions

Temporary Group Memberships are a very welcome addition to Windows Server 2016 Active Directory Domain Services.

It gives you the means to elevate privileges for someone temporarily.

However, this blog post is not here to give instructions on enabling it or using it. You will find plenty of that elsewhere.

This blog post is here to remind you not to trust this feature blindly.

Your short-term group membership might give you long-term privileges.

No, you do not need to run ADPREP manually anymore

There are many great step-by-step guides out there about upgrading your Active Directory forest to Windows Server 2012 (R2).

There is, however, one thing most of them seem to forget:

ADPREP, which prepares the forest and domain(s) for the new Active Directory version, is now part of the Active Directory Domain Services installation process, both when using the Server Manager wizard and when running Install-ADDSDomainController.

The Windows Server 2012 (R2) server, on which the AD DS installation process is running, will perform the ADPREP tasks remotely on the existing Domain Controllers.

This makes the installation process significantly easier, as you do not have to attach the installation media to an existing Domain Controller and run ADPREP from there.

There is, however, one case where you still need to run ADPREP manually:
If ADPREP /DOMAINPREP /GPPREP (which adds ACEs to the GPOs in the SYSVOL folder to enable additional RSOP functionality) has never been run in an existing domain before, this step has to be done by hand.

If you have already run ADPREP from Windows Server 2003 SP1 or later, /GPPREP has most likely been run already.

So go ahead and run the AD DS Installation wizard (or the PowerShell cmdlet), and don't worry about how you will run ADPREP on the existing Domain Controllers, because you don't have to.
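A pre-flight check for the procedure above, as an added example and not the post's own script: it reads the ADPREP version markers in the directory, checks whether the SYSVOL GPO folders carry the "Enterprise Domain Controllers" read ACE that /GPPREP adds (treat that check as a heuristic; it is an assumption about what GPPREP stamps), and then runs the prerequisite test for the DC promotion that performs the remaining ADPREP work itself. It assumes the RSAT ActiveDirectory and ADDSDeployment modules are installed and the account can read SYSVOL.

```powershell
# Added example, not from the original post. Assumes RSAT modules are present.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$rootDse = Get-ADRootDSE
$dnsRoot = (Get-ADDomain).DNSRoot

# ADPREP stamps these three objects; compare the values before and after the
# promotion to confirm that the installer really ran forest/domain prep.
$schemaVer = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
$forestRev = (Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)" -Properties revision).revision
$domainRev = (Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)" -Properties revision).revision
"Schema objectVersion: $schemaVer  ForestUpdates revision: $forestRev  DomainUpdates revision: $domainRev"

function Test-GpPrepApplied {
    # Heuristic (assumption): /GPPREP adds an Allow/Read ACE for
    # "Enterprise Domain Controllers" on every GPO folder in SYSVOL.
    # Returns $true only if every GPO folder carries such an ACE.
    param([string]$DnsDomain = $dnsRoot)
    $policies = "\\$DnsDomain\SYSVOL\$DnsDomain\Policies"
    $missing = foreach ($gpo in Get-ChildItem -Path $policies -Directory) {
        $acl = Get-Acl -Path $gpo.FullName
        $edcRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like '*\ENTERPRISE DOMAIN CONTROLLERS' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Read'
        }
        if (-not $edcRead) { $gpo.Name }   # collect GPO GUIDs lacking the ACE
    }
    if ($missing) { Write-Warning ("GPO folders without EDC read ACE: " + ($missing -join ', ')) }
    return (@($missing).Count -eq 0)
}

if (-not (Test-GpPrepApplied)) {
    # The one step the installer will not do for you (see the post above).
    Write-Warning "GPPREP does not appear to have run; run 'adprep /domainprep /gpprep' from the installation media first."
}

# Prerequisite check only: no changes are made. The real promotion is
# Install-ADDSDomainController with the same parameters; it performs
# FORESTPREP/DOMAINPREP remotely against the existing DCs.
Test-ADDSDomainControllerInstallation -DomainName $dnsRoot -InstallDns -Credential (Get-Credential)
```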