I automated something very similar to this a while ago. We had a script to check for an approved request for admin access, which also included the number of days this access was needed (maximum of 7 days). This information was stored in a database, and the user was added to the correct AD group.
The database columns were (from memory): index, Username, startdate, enddate, current_state.
The database was checked for any user that was “active” and the enddate had passed, and then they would be removed from the AD group.
We had an automation engine that ran this workflow, but it can be set up from a task schedule as well.
I can expand more on this, but I'm not sure if this is the right place to go on about workflows etc.
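
A sketch of the expiry workflow described in the post above, added here as an example and not the poster's own script. It assumes SQLite in place of the unspecified database; the table name `admin_access`, the `expired` state, and the `add_to_group` / `remove_from_group` callbacks (stand-ins for the AD group change) are hypothetical.

```python
import sqlite3
from datetime import date, timedelta

MAX_DAYS = 7  # maximum grant length stated in the post
# "index" is a reserved word in SQL, so the key column is named idx here.
SCHEMA = """CREATE TABLE IF NOT EXISTS admin_access (
    idx INTEGER PRIMARY KEY, username TEXT NOT NULL,
    startdate TEXT NOT NULL, enddate TEXT NOT NULL,
    current_state TEXT NOT NULL)"""


def grant(db, username, days, today, add_to_group):
    """Record an approved request, then add the user to the admin group."""
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"access must be 1..{MAX_DAYS} days, got {days}")
    end = today + timedelta(days=days)
    # Commit the expiry record first so no grant exists without an end date.
    db.execute(
        "INSERT INTO admin_access (username, startdate, enddate, current_state)"
        " VALUES (?, ?, ?, 'active')",
        (username, today.isoformat(), end.isoformat()))
    db.commit()
    add_to_group(username)


def sweep(db, today, remove_from_group):
    """Remove active users whose enddate has passed; return (removed, failed)."""
    rows = db.execute(
        "SELECT idx, username FROM admin_access"
        " WHERE current_state = 'active' AND enddate < ?",
        (today.isoformat(),)).fetchall()
    removed, failed = [], []
    for idx, username in rows:
        try:
            remove_from_group(username)
        except Exception:
            failed.append(username)  # row stays 'active', so the next run retries
            continue
        db.execute("UPDATE admin_access SET current_state = 'expired'"
                   " WHERE idx = ?", (idx,))
        db.commit()  # per-row commit: a crash mid-sweep keeps finished removals
        removed.append(username)
    return removed, failed


if __name__ == "__main__":
    db, group = sqlite3.connect(":memory:"), set()  # constructed sample data
    db.execute(SCHEMA)
    grant(db, "alice", 7, date(2024, 1, 1), group.add)
    grant(db, "bob", 2, date(2024, 1, 1), group.add)
    print(sweep(db, date(2024, 1, 4), group.discard), group)
```

The `failed` list is worth alerting on: a user in it still holds admin rights past the approved end date.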