Today we’ll show you how to install and use the Windows PowerShell Active Directory Module. You can perform AD management tasks and use its cmdlets to get different information on domain users, computers, groups, and other objects. On the server OS, this PowerShell module is installed as a separate feature. On the desktop OS versions (Windows 10, 8.1, 7) the module is a part of the Remote Server Administration Tools (RSAT). RSAT includes all necessary management tools, command-line utilities, and Windows PowerShell modules to manage Windows Server infrastructure. You must download the RSAT package for your version of Windows from the Microsoft website (how to install RSAT on Windows 10?).
PowerShell provides an administrator with ample opportunities for interacting with Active Directory objects and automating actions (this is especially useful when performing bulk actions aimed at a large number of AD objects).
There are three main ways to interact with Active Directory in Windows PowerShell:
- Using Active Directory Services Interfaces (ADSI). This method is the most complex, but it works in any PowerShell installation and doesn’t require additional modules to be loaded. It is also “nearest” to the managing method used in the VBScript scripting language;
- Using the Active Directory Provider included into PowerShell extensions. This method allows you to mount an Active Directory as a drive on your computer and navigate through it using the appropriate commands: dir, cd, etc.
- Managing Active Directory from the RSAT-AD-PowerShell module. This is the most convenient way to manipulate AD objects, but it also requires additional installation of the corresponding module.
Hint. A different PowerShell module is used to manage objects in Azure Active Directory — Azure Active Directory Module for Windows PowerShell.
Install PowerShell Active Directory Module on Windows Server
The Active Directory module for Windows PowerShell first appeared on Windows Server 2008 R2. It appears on the Windows Server after you installed ADDS role (Active Directory Domain Services) and then promoted a server to the domain controller. To use the cmdlets from the Active Directory module, at least one domain controller with Windows Server 2008 R2 or higher must exist in your domain. If your network has the only DC with Windows Server 2003 or 2008, you must download and install the Active Directory Management Gateway Service. The cmdlets from the Active Directory module interact with the web service that is a part of the domain controller with the ADDS or ADMGS role.
- You can install the Active Directory module for PowerShell on the domain controller, on any Windows server or workstation;
- In Windows Server 2019/2016/2012 R2, you can install the Active Directory module for Windows PowerShell. You can do it by using the Add Roles and Features Wizard from the Server Manager. It is enough to start the wizard and at the step when selecting features, you need to select the item Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell;
- You can also install this module using PowerShell. Open the PowerShell console as an administrator and run the following commands:
Import-Module ServerManager Add-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature
To check the installation status of a module, use the command:
Hint. If you are using the PowerShell Core 7.0 or higher, keep in mind that the Active Directory module is fully natively compatible with this version of PoSh. But first, you need to install the WindowsCompatibility module:Install-Module -Name WindowsCompatibility
Installing the AD PowerShell Module on Windows 10
In Windows 10, Windows 8.1, and Windows 7, to install the RSAT-AD-PowerShell module, at first you must install the appropriate version of RSAT. You can install RSAT only in the Professional, Education, and Enterprise Windows editions. The installation of RSAT on Windows Home or Single Language is not available.
- You can install the RSAT module on Windows 7, 8.1, and Windows 10 (up to build 1803) using a special MSU package which can be downloaded from the Microsoft website;
- Then you need to enable the module (Control Panel > Programs > Turn Windows Features On or Off > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell).
Or using PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell
- On Windows 10 1809 and newer builds the RSAT became a part of Features on Demand (FoD). You can install AD RSAT Tools from the Settings menu (Settings > Apps > Manage Optional Features > Add features > RSAT: Active Directory Domain Services and Lightweight Directory Tools > Install).
Or from the PowerShell console:
Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”
Importing PowerShell Active Directory Module on Windows
- In Windows 7 and Windows Server 2008 R2 with PowerShell 2.0 installed, to start using the Active Directory module, you need to import it into the PowerShell session with the command:
- Also, you can export the module from a remote computer/server and import it into your PowerShell session (using the PSRemoting):
$S = New-PSSession -ComputerName MyDomainController Export-PSsession -Session $S -Module ActiveDirectory -OutputModule RemoteAD Remove-PSSession -Session $S Import-Module RemoteAD
Now you can use the Active Directory module remotely without installing it on your computer.
- On Windows Server 2016/2016/2012 R2 and Windows 8.1/Windows 10, the AD module will be automatically imported into the PowerShell session if installed.
- To confirm the AD PoSh module is installed and imported to the PowerShell session on Windows, run the command:
Hint. You can list all imported modules in a PowerShell session with the command:Get-Module –ListAvailable
When the computer joins to the AD domain, by default a separate disk is created with the name AD:\. You can go to this disk using the CD command and use the familiar commands of working with the file system to navigate this disk. The paths are in X500 format. The AD Provider allows you to navigate the AD as if it was a symbolic drive.
PS C:\> cd AD: PS AD:\> PS AD:\> dir PS AD:\> cd “DC=contoso,DC=com” PS AD:\> dir
You can display the list of available cmdlets for working with Active Directory as follows:
Get-Command -Module ActiveDirectory
Different versions of Windows (RSAT) have a different number of cmdlets available:
- Windows Server 2008 R2 — 76 cmdlets;
- Windows Server 2012 — 135 cmdlets;
- Windows Server 2012 R2/2016 — 147 cmdlets.
The following is a complete list of AD PowerShell Module cmdlets in Windows Server 2016:
Add-ADCentralAccessPolicyMember Add-ADComputerServiceAccount Add-ADDomainControllerPasswordReplicationPolicy Add-ADFineGrainedPasswordPolicySubject Add-ADGroupMember Add-ADPrincipalGroupMembership Add-ADResourcePropertyListMember Clear-ADAccountExpiration Clear-ADClaimTransformLink Disable-ADAccount Disable-ADOptionalFeature Enable-ADAccount Enable-ADOptionalFeature Get-ADAccountAuthorizationGroup Get-ADAccountResultantPasswordReplicationPolicy Get-ADAuthenticationPolicy Get-ADAuthenticationPolicySilo Get-ADCentralAccessPolicy Get-ADCentralAccessRule Get-ADClaimTransformPolicy Get-ADClaimType Get-ADComputer Get-ADComputerServiceAccount Get-ADDCCloningExcludedApplicationList Get-ADDefaultDomainPasswordPolicy Get-ADDomain Get-ADDomainController Get-ADDomainControllerPasswordReplicationPolicy Get-ADDomainControllerPasswordReplicationPolicyUsage Get-ADFineGrainedPasswordPolicy Get-ADFineGrainedPasswordPolicySubject Get-ADForest Get-ADGroup Get-ADGroupMember Get-ADObject Get-ADOptionalFeature Get-ADOrganizationalUnit Get-ADPrincipalGroupMembership Get-ADReplicationAttributeMetadata Get-ADReplicationConnection Get-ADReplicationFailure Get-ADReplicationPartnerMetadata Get-ADReplicationQueueOperation Get-ADReplicationSite Get-ADReplicationSiteLink Get-ADReplicationSiteLinkBridge Get-ADReplicationSubnet Get-ADReplicationUpToDatenessVectorTable Get-ADResourceProperty Get-ADResourcePropertyList Get-ADResourcePropertyValueType Get-ADRootDSE Get-ADServiceAccount Get-ADTrust Get-ADUser Get-ADUserResultantPasswordPolicy Grant-ADAuthenticationPolicySiloAccess Install-ADServiceAccount Move-ADDirectoryServer Move-ADDirectoryServerOperationMasterRole Move-ADObject New-ADAuthenticationPolicy New-ADAuthenticationPolicySilo New-ADCentralAccessPolicy New-ADCentralAccessRule New-ADClaimTransformPolicy New-ADClaimType New-ADComputer New-ADDCCloneConfigFile New-ADFineGrainedPasswordPolicy New-ADGroup New-ADObject New-ADOrganizationalUnit New-ADReplicationSite New-ADReplicationSiteLink New-ADReplicationSiteLinkBridge New-ADReplicationSubnet New-ADResourceProperty New-ADResourcePropertyList New-ADServiceAccount New-ADUser Remove-ADAuthenticationPolicy Remove-ADAuthenticationPolicySilo Remove-ADCentralAccessPolicy Remove-ADCentralAccessPolicyMember Remove-ADCentralAccessRule Remove-ADClaimTransformPolicy Remove-ADClaimType Remove-ADComputer Remove-ADComputerServiceAccount Remove-ADDomainControllerPasswordReplicationPolicy Remove-ADFineGrainedPasswordPolicy Remove-ADFineGrainedPasswordPolicySubject Remove-ADGroup Remove-ADGroupMember Remove-ADObject Remove-ADOrganizationalUnit Remove-ADPrincipalGroupMembership Remove-ADReplicationSite Remove-ADReplicationSiteLink Remove-ADReplicationSiteLinkBridge Remove-ADReplicationSubnet Remove-ADResourceProperty Remove-ADResourcePropertyList Remove-ADResourcePropertyListMember Remove-ADServiceAccount Remove-ADUser Rename-ADObject Reset-ADServiceAccountPassword Restore-ADObject Revoke-ADAuthenticationPolicySiloAccess Search-ADAccount Set-ADAccountAuthenticationPolicySilo Set-ADAccountControl Set-ADAccountExpiration Set-ADAccountPassword Set-ADAuthenticationPolicy Set-ADAuthenticationPolicySilo Set-ADCentralAccessPolicy Set-ADCentralAccessRule Set-ADClaimTransformLink Set-ADClaimTransformPolicy Set-ADClaimType Set-ADComputer Set-ADDefaultDomainPasswordPolicy Set-ADDomain Set-ADDomainMode Set-ADFineGrainedPasswordPolicy Set-ADForest Set-ADForestMode Set-ADGroup Set-ADObject Set-ADOrganizationalUnit Set-ADReplicationConnection Set-ADReplicationSite Set-ADReplicationSiteLink Set-ADReplicationSiteLinkBridge Set-ADReplicationSubnet Set-ADResourceProperty Set-ADResourcePropertyList Set-ADServiceAccount Set-ADUser Show-ADAuthenticationPolicyExpression Sync-ADObject Test-ADServiceAccount Uninstall-ADServiceAccount Unlock-ADAccount
Unlike previous tools that used LDAP to communicate with AD, AD PowerShell module uses Active Directory Web Services (ADWS) to communicate with a domain controller. The ADWS role in Windows Server 2008 R2 and newer is installed on a domain controller during the promotion from a domain member server to a domain controller. On Windows Server 2008 or Windows Server 2003, you need to install ADWS separately (included with the Active Directory Management Gateway Service).
Using RSAT-AD-PowerShell Module
PowerShell allows you to perform basic operations with the AD directory:
- Get all AD properties and object attributes;
- Change object properties;
- Manage AD groups;
- Create new directory objects, etc.
Let’s look at a few examples of using the cmdlets of the RSAT-AD-PowerShell module.
- To get the list of AD domain controllers, run the command:
Get-ADDomainController –filter *| format-table
- You can create several AD users at once by importing the user list from the CSV file. Use it together with the New-ADUser cmdlet.
To get information about an AD user, use the Get-ADUser cmdlet:
Get-ADUser –identity t.muller –properties *
The similar cmdlet to display all computer attributes in AD:
Get-ADComputer –identity dc01 –properties *
- Use the New-ADGroup cmdlet to create AD group. For example, to create a new group named ItalyUsers in the specific OU, run the command:
New-ADGroup -Path "OU=Groups,OU=Italy,DC=theitbros,DC=com" -Name "ItalyUsers" -GroupScope Global -GroupCategory Distribution
To get the AD group info, use the Get-ADGroup cmdlet:
If you want to add a user or computer to an AD group, use the Add-ADGroupMember cmdlet:
Add-ADGroupMember –Identity ‘NY_Managers’ -Members s.adams,d.thumb,p.muller
- Use the New-ADOrganizationalUnit cmdlet to create Active Directory Organizational Unit:
New-ADOrganizationalUnit -Name "France"
- Use the Unlock-ADAccount cmdlet to unlock user account in Active Directory domain:
Get-ADUser -Identity bjackson | Unlock-ADAccount
- Or you can use the Set-ADAccountPassword to change or reset the user’s password:
$newPass=Read-Host "Enter the new user password" –AsSecureString Set-ADAccountPassword bjackson -NewPassword $newPass
For detailed help on any cmdlet from the AD-PoSh module, use the Get-Help command:
If the computer is not a part of the Active Directory domain, the following warning appears when you try importing the AD-PoSh module:
WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running’.
In this case, you need to specify the AD domain controller and user credentials to connect to it.
First of all, you need to get the user’s credentials to access the domain. Any authenticated domain user can view almost all AD objects properties (excluding protected Active Directory attributes).
$cred = Get-Credential
For example, to get the user’s info from the DC named TOR-DC01 under saved credentials, use the command:
get-aduser postfixsrv –server tor-dc01 -Credential $cred
As you can see, you have received the AD account info.
So now you can use the PowerShell cmdlets to manage and query Active Directory.
- How to Fix PFN_LIST_CORRUPT Blue Screen of Death in Windows 10? - June 20, 2021
- How to Prevent/Allow Log on Locally via GPO? - June 19, 2021
- Deploying Local Administrator Password Solution (LAPS) in Active Directory - June 19, 2021