Group memberships can alternatively be configured to expire.
To use expiring group memberships, the Active Directory forest functional level (FFL) needs to be Windows Server 2012 R2, or a later version.
The optional Privileged Access Management feature needs to be enabled. This can be achieved using the following lines of PowerShell on a system with the Active Directory Module for Windows PowerShell installed:
Import-Module ActiveDirectory
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target lucernpub.com
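With the feature enabled, a membership can be granted for a limited time and audited afterwards. The script below is an added example, not part of the original text; the group name, account name and four-hour lifetime are hypothetical, and it assumes a session with rights to modify the group.

```powershell
# Added example: grant a time-bound group membership and read back its expiry.
Import-Module ActiveDirectory

$GroupName = 'Tier1-ServerAdmins'    # hypothetical group name
$UserName  = 'svc.maint'             # hypothetical account name
$Lifetime  = New-TimeSpan -Hours 4   # membership expires after this interval

# Expiring memberships only work once the optional feature is enabled in the forest.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest.'
}

# Add the member with a time-to-live instead of a permanent membership.
Add-ADGroupMember -Identity $GroupName -Members $UserName -MemberTimeToLive $Lifetime

# Read the membership back, including the remaining TTL (in seconds) per member.
# Time-bound entries are returned as "<TTL=seconds>,<distinguished name>".
$group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
foreach ($entry in $group.member) {
    if ($entry -match '^<TTL=(\d+)>,(.+)$') {
        [pscustomobject]@{
            Member    = $Matches[2]
            ExpiresAt = (Get-Date).AddSeconds([int]$Matches[1])
        }
    } else {
        # No TTL prefix: this is a permanent membership worth reviewing.
        [pscustomobject]@{ Member = $entry; ExpiresAt = 'never (permanent member)' }
    }
}
```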
To manage a group, you should sign in to a domain controller, a member server, and/or a device with the RSAT for Active Directory Domain...