How to Install and Import PowerShell Active Directory Module?

Today we’ll show you how to install and use the Windows PowerShell Active Directory Module. You can perform AD management tasks and use its cmdlets to get different information on domain users, computers, groups, and other objects. On the server OS, this PowerShell module is installed as a separate feature. On the desktop OS versions (Windows 10, 8.1, 7) the module is a part of the Remote Server Administration Tools (RSAT). RSAT includes all necessary management tools, command-line utilities, and Windows PowerShell modules to manage Windows Server infrastructure. You must download the RSAT package for your version of Windows from the Microsoft website (how to install RSAT on Windows 10?).

PowerShell provides an administrator with ample opportunities for interacting with Active Directory objects and automating actions (this is especially useful when performing bulk actions aimed at a large number of AD objects).

There are three main ways to interact with Active Directory in Windows PowerShell:

  • Using Active Directory Services Interfaces (ADSI). This method is the most complex, but it works in any PowerShell installation and doesn’t require additional modules to be loaded. It is also “nearest” to the managing method used in the VBScript scripting language;
  • Using the Active Directory Provider included into PowerShell extensions. This method allows you to mount an Active Directory as a drive on your computer and navigate through it using the appropriate commands: dir, cd, etc.
  • Managing Active Directory from the RSAT-AD-PowerShell module. This is the most convenient way to manipulate AD objects, but it also requires additional installation of the corresponding module.

Hint. A different PowerShell module is used to manage objects in Azure Active Directory — Azure Active Directory Module for Windows PowerShell.

Install PowerShell Active Directory Module on Windows Server

The Active Directory module for Windows PowerShell first appeared on Windows Server 2008 R2. It appears on the Windows Server after you installed ADDS role (Active Directory Domain Services) and then promoted a server to the domain controller. To use the cmdlets from the Active Directory module, at least one domain controller with Windows Server 2008 R2 or higher must exist in your domain. If your network has the only DC with Windows Server 2003 or 2008, you must download and install the Active Directory Management Gateway Service. The cmdlets from the Active Directory module interact with the web service that is a part of the domain controller with the ADDS or ADMGS role.

  • You can install the Active Directory module for PowerShell on the domain controller, on any Windows server or workstation;
  • In Windows Server 2019/2016/2012 R2, you can install the Active Directory module for Windows PowerShell. You can do it by using the Add Roles and Features Wizard from the Server Manager. It is enough to start the wizard and at the step when selecting features, you need to select the item Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell;
    import-module activedirectory
  • You can also install this module using PowerShell. Open the PowerShell console as an administrator and run the following commands:
    Import-Module ServerManager
    
    Add-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature

    powershell active directory module

To check the installation status of a module, use the command:

Get-WindowsFeature RSAT-AD-PowerShell

install active directory powershell module

Hint. If you are using the PowerShell Core 7.0 or higher, keep in mind that the Active Directory module is fully natively compatible with this version of PoSh. But first, you need to install the WindowsCompatibility module:

Install-Module -Name WindowsCompatibility

Installing the AD PowerShell Module on Windows 10

In Windows 10, Windows 8.1, and Windows 7, to install the RSAT-AD-PowerShell module, at first you must install the appropriate version of RSAT. You can install RSAT only in the Professional, Education, and Enterprise Windows editions. The installation of RSAT on Windows Home or Single Language is not available.

  • You can install the RSAT module on Windows 7, 8.1, and Windows 10 (up to build 1803) using a special MSU package which can be downloaded from the Microsoft website;
  • Then you need to enable the module (Control Panel > Programs > Turn Windows Features On or Off > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell).
    install active directory powershell module
    Or using PowerShell:

    Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell
  • On Windows 10 1809 and newer builds the RSAT became a part of Features on Demand (FoD). You can install AD RSAT Tools from the Settings menu (Settings > Apps > Manage Optional Features > Add features > RSAT: Active Directory Domain Services and Lightweight Directory Tools > Install).
    powershell install active directory module
    Or from the PowerShell console:

    Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”

Importing PowerShell Active Directory Module on Windows

  1. In Windows 7 and Windows Server 2008 R2 with PowerShell 2.0 installed, to start using the Active Directory module, you need to import it into the PowerShell session with the command:
    import-module activedirectory

    powershell active directory module windows 10

  2. Also, you can export the module from a remote computer/server and import it into your PowerShell session (using the PSRemoting):
    $S = New-PSSession -ComputerName MyDomainController
    
    Export-PSsession -Session $S -Module ActiveDirectory -OutputModule RemoteAD
    
    Remove-PSSession -Session $S
    
    Import-Module RemoteAD

Now you can use the Active Directory module remotely without installing it on your computer.

  1. On Windows Server 2016/2016/2012 R2 and Windows 8.1/Windows 10, the AD module will be automatically imported into the PowerShell session if installed.
  2. To confirm the AD PoSh module is installed and imported to the PowerShell session on Windows, run the command:
    Get-Module ActiveDirectory

    import-module activedirectory windows 10

Hint. You can list all imported modules in a PowerShell session with the command:

Get-Module –ListAvailable

import module active directory

When the computer joins to the AD domain, by default a separate disk is created with the name AD:\. You can go to this disk using the CD command and use the familiar commands of working with the file system to navigate this disk. The paths are in X500 format. The AD Provider allows you to navigate the AD as if it was a symbolic drive.

PS C:\> cd AD:

PS AD:\>

PS AD:\> dir

PS AD:\> cd “DC=contoso,DC=com”

PS AD:\> dir

active directory module for windows powershell

You can display the list of available cmdlets for working with Active Directory as follows:

Get-Command -Module ActiveDirectory

powershell ad module

Different versions of Windows (RSAT) have a different number of cmdlets available:

  • Windows Server 2008 R2 — 76 cmdlets;
  • Windows Server 2012 — 135 cmdlets;
  • Windows Server 2012 R2/2016 — 147 cmdlets.

The following is a complete list of AD PowerShell Module cmdlets in Windows Server 2016:

Add-ADCentralAccessPolicyMember

Add-ADComputerServiceAccount

Add-ADDomainControllerPasswordReplicationPolicy

Add-ADFineGrainedPasswordPolicySubject

Add-ADGroupMember

Add-ADPrincipalGroupMembership

Add-ADResourcePropertyListMember

Clear-ADAccountExpiration

Clear-ADClaimTransformLink

Disable-ADAccount

Disable-ADOptionalFeature

Enable-ADAccount

Enable-ADOptionalFeature

Get-ADAccountAuthorizationGroup

Get-ADAccountResultantPasswordReplicationPolicy

Get-ADAuthenticationPolicy

Get-ADAuthenticationPolicySilo

Get-ADCentralAccessPolicy

Get-ADCentralAccessRule

Get-ADClaimTransformPolicy

Get-ADClaimType

Get-ADComputer

Get-ADComputerServiceAccount

Get-ADDCCloningExcludedApplicationList

Get-ADDefaultDomainPasswordPolicy

Get-ADDomain

Get-ADDomainController

Get-ADDomainControllerPasswordReplicationPolicy

Get-ADDomainControllerPasswordReplicationPolicyUsage

Get-ADFineGrainedPasswordPolicy

Get-ADFineGrainedPasswordPolicySubject

Get-ADForest

Get-ADGroup

Get-ADGroupMember

Get-ADObject

Get-ADOptionalFeature

Get-ADOrganizationalUnit

Get-ADPrincipalGroupMembership

Get-ADReplicationAttributeMetadata

Get-ADReplicationConnection

Get-ADReplicationFailure

Get-ADReplicationPartnerMetadata

Get-ADReplicationQueueOperation

Get-ADReplicationSite

Get-ADReplicationSiteLink

Get-ADReplicationSiteLinkBridge

Get-ADReplicationSubnet

Get-ADReplicationUpToDatenessVectorTable

Get-ADResourceProperty

Get-ADResourcePropertyList

Get-ADResourcePropertyValueType

Get-ADRootDSE

Get-ADServiceAccount

Get-ADTrust

Get-ADUser

Get-ADUserResultantPasswordPolicy

Grant-ADAuthenticationPolicySiloAccess

Install-ADServiceAccount

Move-ADDirectoryServer

Move-ADDirectoryServerOperationMasterRole

Move-ADObject

New-ADAuthenticationPolicy

New-ADAuthenticationPolicySilo

New-ADCentralAccessPolicy

New-ADCentralAccessRule

New-ADClaimTransformPolicy

New-ADClaimType

New-ADComputer

New-ADDCCloneConfigFile

New-ADFineGrainedPasswordPolicy

New-ADGroup

New-ADObject

New-ADOrganizationalUnit

New-ADReplicationSite

New-ADReplicationSiteLink

New-ADReplicationSiteLinkBridge

New-ADReplicationSubnet

New-ADResourceProperty

New-ADResourcePropertyList

New-ADServiceAccount

New-ADUser

Remove-ADAuthenticationPolicy

Remove-ADAuthenticationPolicySilo

Remove-ADCentralAccessPolicy

Remove-ADCentralAccessPolicyMember

Remove-ADCentralAccessRule

Remove-ADClaimTransformPolicy

Remove-ADClaimType

Remove-ADComputer

Remove-ADComputerServiceAccount

Remove-ADDomainControllerPasswordReplicationPolicy

Remove-ADFineGrainedPasswordPolicy

Remove-ADFineGrainedPasswordPolicySubject

Remove-ADGroup

Remove-ADGroupMember

Remove-ADObject

Remove-ADOrganizationalUnit

Remove-ADPrincipalGroupMembership

Remove-ADReplicationSite

Remove-ADReplicationSiteLink

Remove-ADReplicationSiteLinkBridge

Remove-ADReplicationSubnet

Remove-ADResourceProperty

Remove-ADResourcePropertyList

Remove-ADResourcePropertyListMember

Remove-ADServiceAccount

Remove-ADUser

Rename-ADObject

Reset-ADServiceAccountPassword

Restore-ADObject

Revoke-ADAuthenticationPolicySiloAccess

Search-ADAccount

Set-ADAccountAuthenticationPolicySilo

Set-ADAccountControl

Set-ADAccountExpiration

Set-ADAccountPassword

Set-ADAuthenticationPolicy

Set-ADAuthenticationPolicySilo

Set-ADCentralAccessPolicy

Set-ADCentralAccessRule

Set-ADClaimTransformLink

Set-ADClaimTransformPolicy

Set-ADClaimType

Set-ADComputer

Set-ADDefaultDomainPasswordPolicy

Set-ADDomain

Set-ADDomainMode

Set-ADFineGrainedPasswordPolicy

Set-ADForest

Set-ADForestMode

Set-ADGroup

Set-ADObject

Set-ADOrganizationalUnit

Set-ADReplicationConnection

Set-ADReplicationSite

Set-ADReplicationSiteLink

Set-ADReplicationSiteLinkBridge

Set-ADReplicationSubnet

Set-ADResourceProperty

Set-ADResourcePropertyList

Set-ADServiceAccount

Set-ADUser

Show-ADAuthenticationPolicyExpression

Sync-ADObject

Test-ADServiceAccount

Uninstall-ADServiceAccount

Unlock-ADAccount

Unlike previous tools that used LDAP to communicate with AD, AD PowerShell module uses Active Directory Web Services (ADWS) to communicate with a domain controller. The ADWS role in Windows Server 2008 R2 and newer is installed on a domain controller during the promotion from a domain member server to a domain controller. On Windows Server 2008 or Windows Server 2003, you need to install ADWS separately (included with the Active Directory Management Gateway Service).

Using RSAT-AD-PowerShell Module

PowerShell allows you to perform basic operations with the AD directory:

  • Get all AD properties and object attributes;
  • Change object properties;
  • Manage AD groups;
  • Create new directory objects, etc.

Let’s look at a few examples of using the cmdlets of the RSAT-AD-PowerShell module.

  • To get the list of AD domain controllers, run the command:
    Get-ADDomainController –filter *| format-table

    install active directory powershell module windows 10

  • You can create several AD users at once by importing the user list from the CSV file. Use it together with the New-ADUser cmdlet.
    To get information about an AD user, use the Get-ADUser cmdlet:

    Get-ADUser –identity t.muller –properties *

    The similar cmdlet to display all computer attributes in AD:

    Get-ADComputer –identity dc01 –properties *

    install ad module powershell

  • Use the New-ADGroup cmdlet to create AD group. For example, to create a new group named ItalyUsers in the specific OU, run the command:
    New-ADGroup -Path "OU=Groups,OU=Italy,DC=theitbros,DC=com" -Name "ItalyUsers" -GroupScope Global -GroupCategory Distribution

    To get the AD group info, use the Get-ADGroup cmdlet:

    Get-ADGroup ItalyUsers

    If you want to add a user or computer to an AD group, use the Add-ADGroupMember cmdlet:

    Add-ADGroupMember –Identity ‘NY_Managers’ -Members s.adams,d.thumb,p.muller
  • Use the New-ADOrganizationalUnit cmdlet to create Active Directory Organizational Unit:
    New-ADOrganizationalUnit -Name "France"
  • Use the Unlock-ADAccount cmdlet to unlock user account in Active Directory domain:
    Get-ADUser -Identity bjackson | Unlock-ADAccount
  • Or you can use the Set-ADAccountPassword to change or reset the user’s password:
    $newPass=Read-Host "Enter the new user password" –AsSecureString 
    
    Set-ADAccountPassword bjackson -NewPassword $newPass

For detailed help on any cmdlet from the AD-PoSh module, use the Get-Help command:

get-help set-aduser

install-module activedirectory

If the computer is not a part of the Active Directory domain, the following warning appears when you try importing the AD-PoSh module:

WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running’.

In this case, you need to specify the AD domain controller and user credentials to connect to it.

First of all, you need to get the user’s credentials to access the domain. Any authenticated domain user can view almost all AD objects properties (excluding protected Active Directory attributes).

$cred = Get-Credential

active directory powershell module

For example, to get the user’s info from the DC named TOR-DC01 under saved credentials, use the command:

get-aduser postfixsrv –server tor-dc01 -Credential $cred

import active directory module

As you can see, you have received the AD account info.

So now you can use the PowerShell cmdlets to manage and query Active Directory.

Cyril Kardashevsky
READ ALSO  Adding an Additional Domain Controller on Windows Server 2016

4 comments

  1. This is a fantastic article. I’ve referred to it several times to install the Active Directory modules on multiple Windows servers and Win7 PC.

    Thanks for writing it!

  2. Installed fine and connected once but won’t make connection to my server any more and I can’t remove it. Tried Remove-PSSession -Id 1 and Remove-Module RemoteAD but it remains even after restart. Every time I start PowerShell it does this.

  3. For Windows 10 builds 1909 and later, replace the command `Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”` with simply `Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools”`. You don’t need the specific version # at the end; it will likely throw an error.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.