Today we’ll show you how to install and use the Windows PowerShell Active Directory Module. You can use the cmdlets of this module to get different information about domain users, computers, and groups, others objects and perform some Active Directory management tasks. This PowerShell module in the server OS is installed as a separate feature. On the desktop OS versions (Windows 10, 8.1, 7) the module is a part of the Remote Server Administration Tools (RSAT). RSAT includes all the necessary management tools, command line utilities and Windows PowerShell modules for Windows servers and AD manage. You must download the RSAT package for your version of the OS from the Microsoft website (how to install RSAT on Windows 10).
Install PowerShell Active Directory Module on Windows Server
The Active Directory module for Windows PowerShell first appeared on Windows Server 2008 R2. It is automatically installed on the Windows Server after you installed ADDS role (Active Directory Domain Services) and promote a server to the domain controller. To use the PowerShell cmdlets from the Active Directory module, at least one controller with Windows Server 2008 R2 or higher must exist in your domain. If your network has only DCs with Windows Server 2003 or 2008, you must download and install the Active Directory Management Gateway Service. The PowerShell cmdlets from the Active Directory module interact with the web service that is part of the domain controller with the ADDS role or ADMGS.
- You can install the Active Directory module for Windows PowerShell not only on the domain controller but also on any Windows server or workstation.
- In Windows Server 2019/2016/2012 R2, you can install the Active Directory module for Windows PowerShell from the Server Manager graphical console using the Add Roles and Features Wizard. It is enough to start the wizard and at the stage of selecting features you need to select the item Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell.
- This module can also be installed using PowerShell. Open the PowerShell console as an administrator and run the following commands:
Import-Module ServerManager Add-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature
Installing AD PowerShell Module on Windows 10
In Windows desktop operating systems, such as Windows 10, Windows 8.1, and Windows 7, to install the RSAT-AD-PowerShell module, you must first install the appropriate version of RSAT. You can install RSAT only in the Professional, Education, and Enterprise Windows editions, but not on Windows Home or Single Language.
- You can install the RSAT module on Windows 7, 8.1 and Windows 10 up to 1803 built by downloading and installing a special MSU package (check the article).
- Then you need to enable the module (Control Panel > Programs > Turn Windows Features On or Off > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell).Or using PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell
- On Windows 10 1809 and newer the RSAT became a part of Features on Demand (FoD). You can install AD RSAT Tools from the Settings menu (Settings > Apps > Manage Optional Features > Add features > RSAT: Active Directory Domain Services and Lightweight Directory Tools > Install). Or from the PowerShell console:
Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”
Importing PowerShell Active Directory Module on Windows
- In Windows 7 and Windows Server 2008 R2 with PowerShell 2.0 installed, to start using the Active Directory module, you need to import it into the PowerShell session with the command:
- In addition, you can export the module from a remote computer/server and import it into your PowerShell session:
$S = New-PSSession -ComputerName MyDomainController Export-PSsession -Session $S -Module ActiveDirectory -OutputModule RemoteAD Remove-PSSession -Session $S Import-Module RemoteAD
- On Windows Server 2016/2016/2012 R2 and Windows 8.1/Windows 10, the module is imported into the session automatically.
- To confirm the AD PoSh module is loaded, run the command:
If the computer is joined to the AD domain, by default a separate disk is created with the name AD:. You can go to this disk using the CD command and use the familiar commands of working with the file system to navigate this disk. The paths are in X500 format.
PS C:\> cd AD:
PS AD:\> dir
PS AD:\> cd “DC=contoso,DC=com”
PS AD:\> dir
You can display the list of available cmdlets for working with Active Directory as follows:
Get-Command -Module ActiveDirectory
Different versions of Windows (RSAT) have the different number of cmdlets available:
- Windows Server 2008 R2 — 76 cmdlets
- Windows Server 2012 — 135 cmdlets
- Windows Server 2012 R2/2016 — 147 cmdlets
Using RSAT-AD-PowerShell Module
Let’s look at a few examples of using the cmdlets of the RSAT-AD-PowerShell module.
- To get the list of AD domain controllers, run the command:
Get-ADDomainController –filter *| format-table
- You can create several AD users at once by importing the user list from the CSV file and use it together with the New-ADUser cmdlet (check the article).
- To create AD group, the New-ADGroup cmdlet is used. For example to create a new group named ItalyUsers in the specific OU, run the command:
New-ADGroup -Path "OU=Groups,OU=Italy,DC=theitbros,DC=com" -Name "ItalyUsers" -GroupScope Global -GroupCategory Distribution
- To get the AD group info, use the Get-ADGroup cmdlet:
- To create Active Directory Organizational Unit, the New-ADOrganizationalUnit cmdlet is used:
New-ADOrganizationalUnit -Name "France"
- To unlock user account in Active Directory domain the Unlock-ADAccount is used:
Get-ADUser -Identity bjackson | Unlock-ADAccount
- Or you can use the Set-ADAccountPassword to change or reset user’s password:
$newPass=Read-Host "Enter the new user password" -AsSecureString Set-ADAccountPassword bjackson -NewPassword $newPass
If your computer is not a part of Active Directory domain, the following warning appears after you try to import AD-PoSh module:
WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running.’.
In this case, you need to specify the AD domain controller and user credentials to connect it.
First of all, you need to get the user’s credentials to access domain. Any authenticated domain user can view almost all AD objects properties.
$cred = Get-Credential
For example, to get the user’s info from the DC named TOR-DC01 under saved credentials, use the command:
get-aduser postfixsrv –server tor-dc01 -Credential $cred
As you can see, you have received the AD account info.
So now you can use the PowerShell cmdlets to manage and query Active Directory.