PAM & Windows 2016

  • Question

  • Hi,

    Just wondering what the major changes/enhancements are when Windows 2016 launches in relation to Privileged Access Management (PAM). No need for a bastion forest anymore?

    Thx

    Wednesday, September 7, 2016 6:42 AM

Answers

  • There are a few AD changes that will light up in relation to PAM:

    • TTL-based memberships - AD will automatically remove members from groups when the time-limited membership defined via PAM expires
    • Shadow principal objects - removes the need for AD to have SID history for your PAM forest groups
    • Trust changes to let you have users in built-in groups managed by PAM, e.g. Domain Admins
    • Kerberos TGTs are TTL-aware, so you won't get a TGT that's valid for longer than your shortest group membership duration

    The bastion forest is still the recommended design, though.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by Shim Kwan Monday, September 12, 2016 4:44 AM
    Wednesday, September 7, 2016 6:30 PM
    Moderator
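    The TTL-based membership feature from the first bullet, as an added example that is not part of Brian's answer. It assumes a forest named contoso.com already at Windows Server 2016 forest functional level, a group Tier0-Admins and a user jdoe, all of which are placeholders; the cmdlets and parameters are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the thread): exercising TTL-based group membership.
# Assumed names: forest 'contoso.com' (2016 forest functional level),
# group 'Tier0-Admins', user 'jdoe'. Run as Enterprise Admin with RSAT.
Import-Module ActiveDirectory

$forest = 'contoso.com'      # assumed
$group  = 'Tier0-Admins'     # assumed
$user   = 'jdoe'             # assumed

# 1. Check whether the optional feature is already enabled. Enabling it is a
#    one-way change for the forest, so test before you flip it.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest
}

# 2. Grant a membership that the DCs themselves remove after four hours.
#    No scheduled task or cleanup script is involved; AD enforces the expiry.
Add-ADGroupMember -Identity $group -Members $user `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# 3. Verify: with -ShowMemberTimeToLive each timed member DN is returned as
#    <TTL=<seconds remaining>,CN=...>. A plain member query hides the TTL.
(Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member

# 4. Defender view: inventory every group that currently carries a timed
#    member, which is what you audit when reviewing just-in-time access.
Get-ADGroup -Filter * -Properties member -ShowMemberTimeToLive |
    Where-Object { $_.member -match '^<TTL=' } |
    ForEach-Object {
        [pscustomobject]@{
            Group   = $_.Name
            Members = @($_.member | Where-Object { $_ -match '^<TTL=' })
        }
    }

# 5. The TGT bullet: after jdoe logs on, 'klist tgt' on their session shows an
#    End Time no later than the membership expiry, not the default 10 hours.
```

    Step 4 is the check worth scheduling: a timed member that is still present after its TTL should have passed points at a replication or clock problem on the DC that answered.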

All replies

  • Thank you, Brian.

    I was hoping for one more new item..."Easier to deploy and use" ;)

    Monday, September 12, 2016 4:44 AM