Dynamic Objects in Active Directory

Sometimes we need to create users, groups or computers in Active Directory that will be used only temporarily (by a contractor, for testing, etc.). The typical workflow is: Create > Use for a while > Delete. The deletion is manual, and these objects are often forgotten, which poses a security risk.

It is a little-known fact that we can create so-called Dynamic objects (DOs, a.k.a. temporary objects) that are deleted from AD automatically when their associated TTL expires. Microsoft added this capability in Windows Server 2003. In fact “Dynamic object” is an auxiliary class (OID = ). When linked to an object it adds some new attributes, such as entryTTL (Entry-TTL) and ms-DS-Entry-Time-To-Die.

Here are some details:

1) the value of entryTTL represents the object’s lifetime *in seconds*

2) Some settings related to DOs can be found here: CN=msDS-Other-Settings,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld:

++ DynamicObjectDefaultTTL specifies the default entryTTL value (used if none was supplied). It defaults to 84600 seconds (24 hours)
++ DynamicObjectMinTTL specifies the minimum value for entryTTL. It defaults to 900 (15 minutes), i.e. if you try to set entryTTL to a value below that number it will be replaced with 900

3) the value of entryTTL is automatically decremented. When it reaches 0 the object is purged from the database, leaving no traces, i.e. the object is not tombstoned.

4) every Domain Controller purges expired DOs locally, so there is no replication impact from the death of the object

5) Normal (static) objects cannot be created under or moved into Dynamic object containers (such as OUs)

6) a Dynamic object container will have a lifetime equal to that of the child with the longest TTL, i.e. parent DO containers will not be deleted before their children

7) there is no way to change a static entry into a dynamic entry and vice-versa

8) dynamic entries with TTL values are supported in all partitions except the Configuration partition and Schema partition

9) dynamic entries are handled similarly to non-dynamic entries when processing search, compare, add, delete, modify, and modifyDN operations

10) entryTTL is a constructed attribute. The actual value is stored in the object’s system attribute ms-DS-Entry-Time-To-Die as the absolute time at which the object can be destroyed

11) According to MSDN, entryTTL is read-only and can only be changed via a special refresh operation (RootDSE will list a new LDAP extended operation with OID = under supportedExtension):

SearchRequest: BaseDN: objectClass=Person, SearchScope: base Object
LDAPFilter Filter: (&(objectClass=Person)(cn=someuser@contoso.com)(sttl=60))

This sets the entryTTL of user someuser@contoso.com to 60 minutes.

Please note that sttl value is in *minutes*.

MSDN and some other sources confirm that you can refresh the TTL by issuing a replace operation like this:

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
replace: entryTTL
entryTTL: 1800

Here is the PowerShell version:

Set-ADObject -Identity 'CN=Brad Sutton,OU=Accounting,DC=Fabrikam,DC=com' -Replace @{entryTTL="200000"}

12) If the DO is deleted before its TTL expires, the object is tombstoned. After TTL expiration it is permanently deleted (i.e. the tombstone lifetime isn't honored)

Unfortunately there is no GUI way to create Dynamic objects, so it is common to use ldifde or ADSI (via VBScript/PowerShell). Here is a sample ldifde script:

dn: CN=TestAccount-(temp),CN=Users,DC=domain,DC=local
changetype: add
objectClass: user
objectClass: dynamicObject
entryTTL: 1200
sAMAccountName: t-testaccount
userAccountControl: 514

It creates a user account named TestAccount-(temp) as a Dynamic object and sets its TTL to 1200 seconds (20 minutes). The account is created disabled (userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE).
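The same account as the ldifde script above, created and then refreshed from PowerShell. This is an added example, not code from the original article: creation goes through ADSI (the dynamicObject auxiliary class is appended to the multi-valued objectClass with PutEx, so the structural class user is kept), while the read-back and the TTL refresh use the ActiveDirectory module's Get-ADObject and Set-ADObject, the same replace-on-entryTTL approach the article shows. The container DN, account names and TTL values are the article's sample values and are assumed to exist in a lab domain; Get-DynamicObjectStatus is a helper name chosen here.

```powershell
# Added example (not from the original article). Assumes a lab domain with the
# container below and the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$containerDn = 'CN=Users,DC=domain,DC=local'   # assumed, same as the ldifde script
$cn          = 'TestAccount-(temp)'
$objectDn    = "CN=$cn,$containerDn"
$ttlSeconds  = 1200                            # 20 minutes, as in the article

# 1. Create the dynamic user through ADSI. objectClass is multi-valued, so the
#    auxiliary class 'dynamicObject' is APPENDED (ADS_PROPERTY_APPEND = 3) next
#    to the structural class 'user' instead of replacing it.
$container = [ADSI]"LDAP://$containerDn"
$user = $container.Create('user', "CN=$cn")
$user.PutEx(3, 'objectClass', @('dynamicObject'))
$user.Put('entryTTL', $ttlSeconds)
$user.Put('sAMAccountName', 't-testaccount')
$user.Put('userAccountControl', 514)           # NORMAL_ACCOUNT + ACCOUNTDISABLE, as in the script
$user.SetInfo()                                # nothing is written to AD before this call

# 2. Read back the constructed entryTTL (it is only returned when asked for
#    explicitly) and the stored absolute expiry time msDS-Entry-Time-To-Die.
function Get-DynamicObjectStatus {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties entryTTL, 'msDS-Entry-Time-To-Die'
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass
        EntryTTLSeconds   = $obj.entryTTL
        TimeToDie         = $obj.'msDS-Entry-Time-To-Die'
    }
}

Get-DynamicObjectStatus -DistinguishedName $objectDn

# 3. Refresh the TTL with a replace on entryTTL; the DC recomputes
#    msDS-Entry-Time-To-Die from the new value. A value below
#    DynamicObjectMinTTL (900 by default) is silently raised to that minimum.
Set-ADObject -Identity $objectDn -Replace @{entryTTL = 3600}

Get-DynamicObjectStatus -DistinguishedName $objectDn   # TimeToDie is now ~1 hour ahead
```

Run it as an account that can create users in the target container. If the refresh is issued with a value such as 60, the second status call shows 900 rather than 60, which is the DynamicObjectMinTTL floor from item 2 in action.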

As you can see, DOs open up many possibilities: you can create temporary accounts, and even temporary groups that are members of security-sensitive groups like Administrators/Domain Admins. The one side effect is that when such an admin group expires, the user’s token does not get updated [To Be Confirmed], so the user stays admin; use it with caution.
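Because expired DOs vanish without a tombstone, the only time to review them is while they exist. The following added audit script (not from the original article) inventories every dynamic object in the domain partition, shows the domain-wide TTL settings from item 2, and flags DOs that are direct members of high-privilege groups. It assumes the two TTL settings are stored as name=value strings in the multi-valued msDS-Other-Settings attribute of the CN=Directory Service object under the Configuration partition; the privileged-group list (Domain Admins, RID 512, and the built-in Administrators group, S-1-5-32-544) and the function names are choices made here and can be extended.

```powershell
# Added example (not from the original article). Read-only; runs as any domain
# user with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# Domain-wide TTL settings (DynamicObjectDefaultTTL / DynamicObjectMinTTL), read
# from the msDS-Other-Settings attribute of the Directory Service object.
function Get-DynamicObjectDefaults {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties 'msDS-Other-Settings'
    $ttl = @{}
    foreach ($entry in @($ds.'msDS-Other-Settings')) {
        $name, $value = $entry -split '=', 2           # values look like "DynamicObjectMinTTL=900"
        if ($name -like 'DynamicObject*TTL') { $ttl[$name] = [int]$value }
    }
    [pscustomobject]$ttl
}

# DNs of the groups we treat as privileged. Assumed list: Domain Admins (RID 512)
# and the built-in Administrators group; add Enterprise Admins (RID 519 in the
# forest root) or others as needed.
function Get-PrivilegedGroupDns {
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($sid in @("$domainSid-512", 'S-1-5-32-544')) {
        (Get-ADGroup -Identity $sid).DistinguishedName
    }
}

# One row per dynamic object: remaining TTL, absolute expiry, and whether it sits
# directly in a privileged group. memberOf only shows direct membership, so
# nesting through an intermediate group is not detected here.
function Get-DynamicObjectReport {
    $privileged = @(Get-PrivilegedGroupDns)
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' `
                 -Properties entryTTL, 'msDS-Entry-Time-To-Die', memberOf |
        ForEach-Object {
            $hits = @($_.memberOf | Where-Object { $privileged -contains $_ })
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                EntryTTLSeconds   = $_.entryTTL
                TimeToDie         = $_.'msDS-Entry-Time-To-Die'
                Privileged        = ($hits.Count -gt 0)
                PrivilegedGroups  = ($hits -join '; ')
            }
        }
}

Get-DynamicObjectDefaults
Get-DynamicObjectReport | Sort-Object TimeToDie | Format-Table -AutoSize
```

Get-ADObject without -SearchBase covers only the domain naming context; since item 8 allows DOs in application partitions as well (DNS zones, for example), run the report function once per partition with -SearchBase if those matter to you. Rows with Privileged set to True are the ones worth a second look given the token caveat above.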

But there’s more: Windows Server 2016 extends the Dynamic object idea even further. It introduces so-called dynamic links (expiring links) for group membership, i.e. groups with time-limited membership. These serve as the basis for the feature named PAM (Privileged Access Management), which I will describe in a separate article.

Additional resources:

  1. Active Directory Dynamic Objects
  2. Creating Dynamic Objects With Active Directory
  3. RFC 2589 – Lightweight Directory Access Protocol (v3): Extension
  4. Dynamic Objects
