Q. What is Windows Server 2016 Active Directory Privileged Identity Management (PIM) feature?
A. Many organizations struggle with protecting privileged accounts and groups. Over time lots of people are members of privileged groups and have high privileges. Privileged Identity Management (PIM) is a new feature of Windows Server 2016 Active Directory that introduces a number of new features:
- A new type of trust available between 2012 R2 domains and a new bastion 2016 domain in a forest running 2016 forest functional level that will contain shadow principals for accounts in the primary account forest. This trust will have a special type of bit set identifying the use case of PIM and enabling a special type of SID filtering required for PIM to function
- New type of security principal in the 2016 domain (msDS-ShadowPrincipal) that will have the same SID as the identity in the account domain
- New expiring link feature which will enable time-bound membership of groups
- KDC change to limit Kerberos ticket lifetime to that of the lowest time of the expiring links
What this enables is shadow security principals are created in the bastion 2016 forest that have the same SID as those principals in the regular account forest. The sensitive users and groups in the primary domain would no longer be directly usable. Instead now when an activity is needed to be performed that requires, for example, domain administrator privileges a shadow principal is created in the 2016 PIM enabled domain that is linked to a principal with the same SID as the Domain Administrators group in the primary domain. Now once the user authenticates against the 2016 PIM domain they now have a token with SIDs matching sensitive accounts in the account domain and can perform privileged actions in the account domain. Those tokens can be time limited so those privileges only last for a period of time, for example an hour.
This functionality will be best used through Microsoft Identity Manager (MIM) that will have workflows and processes to simplify the use of this technology by users.