Question for time based group membership in FL 2016

[Douglas Bagnall]

hi Kees,

> Still, if you know what this powershell call changes in the LDAP record 
> of the group, the user or elsewhere in LDAP, you can mimic this 
> functionality quite easily with a little cron script on the DC.

I had similar thoughts, but it sounds this Windows Server 2016 feature 
is a bit cleverer than that -- in particular, the KDC will not issue 
tickets that outlive an expiring group.

cheers,
Douglas