What does PAM have to do with AD DS 2022?
AD DS 2022 allows time-based group membership, which makes the process outlined above possible. This feature was first introduced with AD DS 2016. A user is added to a group with a Time-to-Live (TTL) value and, once it expires, the user is removed from the group automatically. For example, let's assume your CRM application has administrator rights assigned to the CRMAdmin security group. The users in this group only log in to the system once a month to do some maintenance. But the admin rights for the members in that group remain untouched for the remaining 29 days, 24/7. This provides enough of an opportunity for attackers to try and gain access to privileged accounts. So, if it's possible to grant access privileges for a shorter time period, isn't that more useful? Then, we can be assured that, for the majority of the days in a month, the CRM application does not run the risk of being compromised by an account in the CRMAdmin...
