PowerShell: Getting JIT group memberships

If you are using the temporary group memberships introduced as part of the Privileged Access Management optional feature in Server 2016, the tool for connecting to AD and querying them, as per Microsoft guidance, is the RSAT PowerShell module for Active Directory.

You can obtain them without resorting to the Active Directory module; however, since that involves an LDAP control, you'll have to fall back all the way to SDS.P (System.DirectoryServices.Protocols):

```powershell
$dc = "<DC FQDN to connect to>"
$rootDN = "<DN of OU or domain to search for groups>"
$filter = "(objectClass=group)"
[string[]] $attributesToGet = @("member","name")
[void] ([System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.Protocols'))
[DirectoryServices.Protocols.LdapConnection] $ldapConn = New-Object DirectoryServices.Protocols.LdapConnection($dc)
$ldapConn.AuthType = [DirectoryServices.Protocols.AuthType]::Kerberos
# LDAP_SERVER_LINK_TTL_OID: asks the DC to prefix expiring link values with "<TTL=seconds>,".
# The control carries no value, so the second constructor argument is $null.
[System.DirectoryServices.Protocols.DirectoryControl]$jit_ctr = New-Object System.DirectoryServices.Protocols.DirectoryControl("1.2.840.113556.1.4.2309",$null,$true,$true)
[DirectoryServices.Protocols.SearchRequest] $ldapRequest = New-Object DirectoryServices.Protocols.SearchRequest($rootDN, $filter, 'SubTree', $attributesToGet)
[void] $ldapRequest.Controls.Add($jit_ctr)   # Add() returns an index; keep it out of the output
[DirectoryServices.Protocols.SearchResponse] $ldapResponse = $null
$ldapResponse = $ldapConn.SendRequest($ldapRequest)
foreach ($entry in $ldapResponse.Entries) {
    $entry.DistinguishedName
    foreach ($mship in $entry.Attributes['member']) {
        # Attribute values come back as byte[]; decode them before matching
        $mstring = [System.Text.Encoding]::UTF8.GetString($mship)
        # Only time-bound memberships carry the TTL prefix; permanent ones are plain DNs
        if ($mstring -match "^<TTL=(\d+)>,") {
            $mstring
        }
    }
}
```
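The same query wrapped in a function, as an added example that is not part of the original post: it turns each "<TTL=seconds>,DN" member value into an object with an absolute expiry time, so the output can be sorted by expiry or compared against a list of sensitive groups. The function and parameter names are assumed for this example.

```powershell
# Added example (not from the original post). Parses one TTL-prefixed member value.
function ConvertFrom-JitMemberValue {
    param(
        [Parameter(Mandatory)][string] $GroupDN,
        [Parameter(Mandatory)][string] $MemberValue,   # e.g. "<TTL=3000>,CN=alice,OU=Users,DC=corp,DC=example"
        [datetime] $QueriedAt = (Get-Date)
    )
    # The TTL is relative to when the DC answered, so anchor it to the query time
    if ($MemberValue -match '^<TTL=(\d+)>,(.+)$') {
        $ttl = [int]$Matches[1]
        [pscustomobject]@{
            Group      = $GroupDN
            Member     = $Matches[2]
            TtlSeconds = $ttl
            ExpiresAt  = $QueriedAt.AddSeconds($ttl)
        }
    }
}

# Runs the LINK_TTL search against one DC and emits one object per temporary membership.
function Get-JitGroupMembership {
    param(
        [Parameter(Mandatory)][string] $Server,      # DC FQDN
        [Parameter(Mandatory)][string] $SearchBase   # DN of the domain or OU to search
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
    try {
        # LDAP_SERVER_LINK_TTL_OID has no control value, hence $null
        $ttlControl = New-Object -TypeName System.DirectoryServices.Protocols.DirectoryControl `
            -ArgumentList '1.2.840.113556.1.4.2309', $null, $true, $true
        [string[]] $attrs = @('member')
        $req = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
            -ArgumentList $SearchBase, '(objectClass=group)', 'Subtree', $attrs
        [void] $req.Controls.Add($ttlControl)
        $queriedAt = Get-Date
        $resp = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            $members = $entry.Attributes['member']
            if ($null -eq $members) { continue }    # empty groups have no member attribute
            foreach ($value in $members.GetValues([string])) {
                ConvertFrom-JitMemberValue -GroupDN $entry.DistinguishedName -MemberValue $value -QueriedAt $queriedAt
            }
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage: Get-JitGroupMembership -Server dc01.corp.example -SearchBase 'DC=corp,DC=example' | Sort-Object ExpiresAt
```

Memberships in groups you consider privileged can then be filtered on the Group property and logged with their ExpiresAt value for review.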