Add-ADGroupMember "MemberTimeToLive" parameter not being recognised

Add-ADGroupMember “MemberTimeToLive” parameter recognised after enabling ActiveDirectory Privileged Access Management Feature

I’ve recently discovered the MemberTimeToLive that comes with the “Privileged Access Management Feature” in Windows Server 2016 forest functional level. (I of course immediately wanted it!)

So I had run through the steps required to enable the feature – something like That worked without issue. But when testing, Add-ADGroupMember returned "A parameter cannot be found that matches parameter name ‘MemberTimeToLive’."

Though the AD feature is not enabled on another domain’s server, I can type the Add-ADGroupMember command there and the parameter tab-completes! But it still doesn’t run, so I thought there might be a difference in the module that I can use.

What I’ve tried

  • Reimporting the module with '-Force'
  • Moving a copy of the DLL-based ActiveDirectory module directory from where it worked to where it didn't (checked that that was the one being pointed to in the first place)
  • Again reimporting

What I've tried to try

  • I'm not able to explore the DLL-based module unless I decompile it! Or is there another way to delve deeper into DLL-based modules? (Not that there's a great need usually.)

I tried to find the help and syntax on the parameter -- here are the results:


PS C:\Users.fnicules> Get-Help Add-ADGroupMember -Parameter MemberTimeToLive
Get-Help : No parameter matches criteria MemberTimeToLive.
At line:1 char:1


PS C:\Users.fnicules> Get-Command Add-ADGroupMember -Syntax
Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal> [-WhatIf] [-Confirm] [-AuthType <ADAuthType>] [-Crede
ntial <pscredential>] [-Partition <string>] [-PassThru] [-Server <string>] [<CommonParameters>]


So no MemberTimeToLive parameter!

Does anyone know what I’m doing wrong, or what I can look at, please?

Didn’t have any issues on my Windows 2019 lab machine.

From the article you posted, do you have something in the “EnabledScopes” parameter when running:
Get-ADOptionalFeature -Filter {name -like "Privileged*"}

Hi Fredrik

Yes, just below is some of the truncated output. In full it shows the DC DNs and then “CN=Partitions,CN=Configuration”, which I think is the expected config.

PS C:\Users\.fnicules> Get-ADOptionalFeature -Identity "Privileged Access Management Feature" | select -ExpandProperty E

CN=NTDS Settings,CN=
CN=NTDS Settings,CN=
CN=NTDS Settings,CN=
CN=NTDS Settings,CN=

I should add that I’ve seen MemberTimeToLive parameter being used in a demo before and after enabling the Privileged Access Management Feature, and the cmdlet tab-completed and I believe took the parameter without the recognition error and threw another error prior to PAM being enabled.

Then I guess it should work, the module version in 2019 is

Also, are you running this on one of the DCs, and are you running PS as administrator?
Some properties in AD are not exposed when running as a “normal” user.
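
A read-only way to collect the facts asked about in this thread (module version and path, whether the cmdlet exposes the parameter, elevation, forest mode, PAM feature scopes), so the output can be compared between the machine where the parameter tab-completes and the one where it does not. This is an added example, not code from any poster in the thread, and the property names on the output object are chosen here for illustration.

```powershell
# Added diagnostic sketch: read-only, makes no changes to the directory.
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the cmdlet and the module it is actually loaded from
$cmd    = Get-Command Add-ADGroupMember
$module = $cmd.Module

# Is this PowerShell process elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Forest mode and PAM feature state as seen from this session
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$scopes  = if ($feature) { $feature.EnabledScopes.Count } else { 0 }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OSVersion           = [Environment]::OSVersion.Version
    PSVersion           = $PSVersionTable.PSVersion
    Elevated            = $elevated
    ModuleVersion       = $module.Version
    ModuleBase          = $module.ModuleBase
    HasMemberTimeToLive = $cmd.Parameters.ContainsKey('MemberTimeToLive')
    ForestMode          = $forest.ForestMode
    PamEnabledScopes    = $scopes
} | Format-List

# Every copy of the module visible on this machine, in case more than one is installed
Get-Module ActiveDirectory -ListAvailable | Select-Object Version, ModuleBase
```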