How to Install and Import PowerShell Active Directory Module?

Today we’ll show you how to install and use the Windows PowerShell Active Directory Module. PowerShell AD Module is a part of the Remote Server Administration Tools (RSAT). RSAT includes all necessary management tools, command-line utilities, and Windows PowerShell modules to manage Windows Server infrastructure. You can use the RSAT-AD-PowerShell cmdlets to perform basic AD management tasks and get different information on domain users, computers, groups, and other objects. You can install RSAT-AD-PowerShell on Windows Server hosts and workstations running desktop OS versions (Windows 11, 10, 8.1, and 7).

Install PowerShell Active Directory Module on Windows Server

The Active Directory module for Windows PowerShell first appeared on Windows Server 2008 R2. It is automatically deployed on Windows Server after you install the AD DS (Active Directory Domain Services) role when promoting a server to a domain controller. You can install this module manually on any member Windows server or workstation.

You can install the Active Directory module for Windows PowerShell on Windows Server 2019/2016/2012 R2 using the Add Roles and Features Wizard in Server Manager. Start the wizard and, at the feature selection step, select Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell.


You can also install this module using PowerShell. Open the PowerShell console as an administrator and run the following commands:

Import-Module ServerManager 

Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature


You can also use DISM to install the AD PowerShell module on Windows:

DISM /online /enable-feature /featurename:RSATClient-Roles-AD

DISM /online /enable-feature /featurename:RSATClient-Roles-AD-DS

DISM /online /enable-feature /featurename:RSATClient-Roles-AD-DS-SnapIns

To check the installation status of a module, use the command:

Get-WindowsFeature RSAT-AD-PowerShell


Hint. If you are using PowerShell Core 7.x (pwsh.exe), keep in mind that the Active Directory module is fully natively compatible with this version of PowerShell. But first, you need to install the WindowsCompatibility module:

Install-Module -Name WindowsCompatibility

Hint. A different PowerShell module is used to manage objects in the Azure Active Directory — Azure Active Directory Module for Windows PowerShell.

Installing the AD PowerShell Module on Windows 10 and 11

In Windows 11, Windows 10, Windows 8.1, and Windows 7, to install the RSAT-AD-PowerShell module, first you must install the appropriate version of RSAT. RSAT is available for installation for Professional, Education, and Enterprise Windows editions (Windows Home or Single Language are not supported).

On modern Windows 10 builds (1809 and newer), RSAT became part of Features on Demand (FoD). You can install the AD RSAT tools from the Settings menu (Settings > Apps > Manage Optional Features > Add features > RSAT: Active Directory Domain Services and Lightweight Directory Tools > Install).

Or from the PowerShell console:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Make sure that your security policies, firewalls, and proxies allow access to the Microsoft Update servers on the Internet so that the FoD components can be downloaded and installed.

On Windows 11, you can install the Active Directory RSAT package from Settings > Apps > Optional Features > Add an optional feature > type Active Directory in the search box and select the RSAT: Active Directory Domain Services and Lightweight Directory Tools feature > Next > Install.


Or you can install the module from the elevated PowerShell console:

Get-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online | Add-WindowsCapability -Online


You don’t have to reboot Windows after installing RSAT.

To install the RSAT module on Windows 7, 8.1, and Windows 10 (up to build 1803), you need to download and install a special MSU package. See how to install RSAT on Windows 10.

Then you need to enable the module (Control Panel > Programs > Turn Windows Features On or Off > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell).

Or using PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell


Importing PowerShell Active Directory Module on Windows

The RSAT-AD-PowerShell module is automatically imported into your PowerShell session. However, on legacy versions of Windows (Windows 7 and Windows Server 2008 R2), you may get an error when running any cmdlet from the Active Directory PowerShell module:

Get-ADComputer: The ‘Get-ADComputer’ command was found in the module ‘ActiveDirectory’, but the module could not be loaded. For more information, run ‘Import-Module ActiveDirectory’.

In this case, you need to manually import the module into the PowerShell session with the command:

Import-Module activedirectory

You can also import the module from a remote computer/server that has the RSAT-AD-PowerShell module installed into your PowerShell session (using PSRemoting):

$S = New-PSSession -ComputerName MyDomainController 

Export-PSSession -Session $S -Module ActiveDirectory -OutputModule RemoteAD

Import-Module RemoteAD -Force

Now you can use all cmdlets of the RSAT-AD-PowerShell module from the remote computer as if the module were installed locally. This works through implicit remoting, so every cmdlet is actually executed on the remote computer.

The session will be active until you close the PowerShell console. You can also close the session (Disconnect-PSSession -Session $S) or remove it (Remove-PSSession -Session $S).

Now you can use the Active Directory module remotely without installing it on your computer.


To confirm the AD PoSh module is installed and imported to the PowerShell session on Windows, run the command:

Get-Module ActiveDirectory


You can display the list of available AD PowerShell module cmdlets for interacting with Active Directory as follows:

Get-Command -Module ActiveDirectory


Different versions of Windows (RSAT) have a different number of cmdlets available:

get-command -Module activedirectory|measure
  • Windows Server 2008 R2 — 76 cmdlets;
  • Windows Server 2012 — 135 cmdlets;
  • Windows Server 2012 R2/2016/2019/2022 — 147 cmdlets.

The following is a complete list of AD PowerShell Module cmdlets in Windows Server 2019:

Add-ADCentralAccessPolicyMember 

Add-ADComputerServiceAccount 

Add-ADDomainControllerPasswordReplicationPolicy 

Add-ADFineGrainedPasswordPolicySubject 

Add-ADGroupMember 

Add-ADPrincipalGroupMembership 

Add-ADResourcePropertyListMember 

Clear-ADAccountExpiration 

Clear-ADClaimTransformLink 

Disable-ADAccount 

Disable-ADOptionalFeature 

Enable-ADAccount 

Enable-ADOptionalFeature 

Get-ADAccountAuthorizationGroup 

Get-ADAccountResultantPasswordReplicationPolicy 

Get-ADAuthenticationPolicy 

Get-ADAuthenticationPolicySilo 

Get-ADCentralAccessPolicy 

Get-ADCentralAccessRule 

Get-ADClaimTransformPolicy 

Get-ADClaimType 

Get-ADComputer 

Get-ADComputerServiceAccount 

Get-ADDCCloningExcludedApplicationList 

Get-ADDefaultDomainPasswordPolicy 

Get-ADDomain 

Get-ADDomainController 

Get-ADDomainControllerPasswordReplicationPolicy 

Get-ADDomainControllerPasswordReplicationPolicyUsage 

Get-ADFineGrainedPasswordPolicy 

Get-ADFineGrainedPasswordPolicySubject 

Get-ADForest 

Get-ADGroup 

Get-ADGroupMember 

Get-ADObject 

Get-ADOptionalFeature 

Get-ADOrganizationalUnit 

Get-ADPrincipalGroupMembership 

Get-ADReplicationAttributeMetadata 

Get-ADReplicationConnection 

Get-ADReplicationFailure 

Get-ADReplicationPartnerMetadata 

Get-ADReplicationQueueOperation 

Get-ADReplicationSite 

Get-ADReplicationSiteLink 

Get-ADReplicationSiteLinkBridge 

Get-ADReplicationSubnet 

Get-ADReplicationUpToDatenessVectorTable 

Get-ADResourceProperty 

Get-ADResourcePropertyList 

Get-ADResourcePropertyValueType 

Get-ADRootDSE 

Get-ADServiceAccount 

Get-ADTrust 

Get-ADUser 

Get-ADUserResultantPasswordPolicy 

Grant-ADAuthenticationPolicySiloAccess 

Install-ADServiceAccount 

Move-ADDirectoryServer 

Move-ADDirectoryServerOperationMasterRole 

Move-ADObject 

New-ADAuthenticationPolicy 

New-ADAuthenticationPolicySilo 

New-ADCentralAccessPolicy 

New-ADCentralAccessRule 

New-ADClaimTransformPolicy 

New-ADClaimType 

New-ADComputer 

New-ADDCCloneConfigFile 

New-ADFineGrainedPasswordPolicy 

New-ADGroup 

New-ADObject 

New-ADOrganizationalUnit 

New-ADReplicationSite 

New-ADReplicationSiteLink 

New-ADReplicationSiteLinkBridge 

New-ADReplicationSubnet 

New-ADResourceProperty 

New-ADResourcePropertyList 

New-ADServiceAccount 

New-ADUser 

Remove-ADAuthenticationPolicy 

Remove-ADAuthenticationPolicySilo 

Remove-ADCentralAccessPolicy 

Remove-ADCentralAccessPolicyMember 

Remove-ADCentralAccessRule 

Remove-ADClaimTransformPolicy 

Remove-ADClaimType 

Remove-ADComputer 

Remove-ADComputerServiceAccount 

Remove-ADDomainControllerPasswordReplicationPolicy 

Remove-ADFineGrainedPasswordPolicy 

Remove-ADFineGrainedPasswordPolicySubject 

Remove-ADGroup 

Remove-ADGroupMember 

Remove-ADObject 

Remove-ADOrganizationalUnit 

Remove-ADPrincipalGroupMembership 

Remove-ADReplicationSite 

Remove-ADReplicationSiteLink 

Remove-ADReplicationSiteLinkBridge 

Remove-ADReplicationSubnet 

Remove-ADResourceProperty 

Remove-ADResourcePropertyList 

Remove-ADResourcePropertyListMember 

Remove-ADServiceAccount 

Remove-ADUser 

Rename-ADObject 

Reset-ADServiceAccountPassword 

Restore-ADObject 

Revoke-ADAuthenticationPolicySiloAccess 

Search-ADAccount 

Set-ADAccountAuthenticationPolicySilo 

Set-ADAccountControl 

Set-ADAccountExpiration 

Set-ADAccountPassword 

Set-ADAuthenticationPolicy 

Set-ADAuthenticationPolicySilo 

Set-ADCentralAccessPolicy 

Set-ADCentralAccessRule 

Set-ADClaimTransformLink 

Set-ADClaimTransformPolicy 

Set-ADClaimType 

Set-ADComputer 

Set-ADDefaultDomainPasswordPolicy 

Set-ADDomain 

Set-ADDomainMode 

Set-ADFineGrainedPasswordPolicy 

Set-ADForest 

Set-ADForestMode 

Set-ADGroup 

Set-ADObject 

Set-ADOrganizationalUnit 

Set-ADReplicationConnection 

Set-ADReplicationSite 

Set-ADReplicationSiteLink 

Set-ADReplicationSiteLinkBridge 

Set-ADReplicationSubnet 

Set-ADResourceProperty 

Set-ADResourcePropertyList 

Set-ADServiceAccount 

Set-ADUser 

Show-ADAuthenticationPolicyExpression 

Sync-ADObject 

Test-ADServiceAccount 

Uninstall-ADServiceAccount 

Unlock-ADAccount

Using RSAT-AD-PowerShell Module

The PowerShell AD module provides an administrator with many opportunities for interacting with Active Directory objects and automating tasks (this is especially useful when performing bulk actions aimed at a large number of AD objects). You can perform all the basic operations with the AD directory:

  • Get all AD properties and object attributes;
  • Change object properties;
  • Manage AD groups;
  • Create new directory objects, etc.

The cmdlets from the Active Directory module interact with Active Directory Web Services (ADWS) on the domain controller. This role is installed on a domain controller during the promotion from a domain member server to a domain controller. The module accesses the Active Directory Web Services via TCP port 9389 (check that this port is open on the firewall).

Hint. Check if the ADWS service is running on the domain controller and is responding on port 9389 (Test-NetConnection DC01 -port 9389). Learn more about the Unable to find a default server with Active Directory Web Services running error.
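An added example (not from the original article) that combines the checks from this section into one pre-flight function: module installed locally, ADWS port reachable, and a read-only query through ADWS. The function name Test-AdModuleReady is made up for illustration; DC01 is the sample DC name from the hint above.

```powershell
# Added example: pre-flight check before using the AD module against a given DC.
function Test-AdModuleReady {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 9389   # ADWS port stated on this page
    )

    $result = [ordered]@{
        Server          = $Server
        ModuleAvailable = $false
        AdwsReachable   = $false
        QueryOk         = $false
        Detail          = $null
    }

    # 1. Is the ActiveDirectory module installed on this machine?
    $result.ModuleAvailable = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    # 2. Does the DC answer on the ADWS port?
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    $result.AdwsReachable = [bool]$tcp.TcpTestSucceeded

    # 3. Only if both checks pass, run a cheap read-only query through ADWS.
    if ($result.ModuleAvailable -and $result.AdwsReachable) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $dc = Get-ADDomainController -Identity $Server -Server $Server -ErrorAction Stop
            $result.QueryOk = $true
            $result.Detail  = "Connected to $($dc.HostName) in site $($dc.Site)"
        }
        catch {
            # Keep the error text so the caller can tell auth problems from name problems.
            $result.Detail = $_.Exception.Message
        }
    }

    [pscustomobject]$result
}

# DC01 is the sample name used in the hint above; replace it with your own DC.
Test-AdModuleReady -Server 'DC01'
```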

If your computer is joined to an AD domain, the AD PowerShell cmdlets find the nearest domain controller to connect to based on the LogonServer environment variable. However, you can connect to any other domain controller using the -Server parameter (available on most cmdlets). For example:

Get-ADUser a.smith -Server nydc01.theitbros.com

Let’s look at a few examples of using the cmdlets of the RSAT-AD-PowerShell module.

  • To get the list of AD domain controllers, run the command:
    Get-ADDomainController -Filter * | Format-Table


  • You can create several AD users at once by importing the user list from the CSV file. Use it together with the New-ADUser cmdlet.
    To get information about an AD user, use the Get-ADUser cmdlet:

    Get-ADUser -Identity t.muller -Properties *

    A similar cmdlet to display all computer attributes in AD:

    Get-ADComputer -Identity dc01 -Properties *


  • Use the New-ADGroup cmdlet to create an AD group. For example, to create a new group named ItalyUsers in the specific OU, run the command:
    New-ADGroup -Path "OU=Groups,OU=Italy,DC=theitbros,DC=com" -Name "ItalyUsers" -GroupScope Global -GroupCategory Distribution
  • To get the AD group info, use the Get-ADGroup cmdlet:
    Get-ADGroup ItalyUsers
  • If you want to add a user or computer to an AD group, use the Add-ADGroupMember cmdlet:
    Add-ADGroupMember -Identity 'NY_Managers' -Members s.adams,d.thumb,p.muller
  • Use the New-ADOrganizationalUnit cmdlet to create an Active Directory Organizational Unit:
    New-ADOrganizationalUnit -Name "France"
  • Use the Unlock-ADAccount cmdlet to unlock the user account in the Active Directory domain:
    Get-ADUser -Identity bjackson | Unlock-ADAccount
  • Or you can use the Set-ADAccountPassword to change or reset the user’s password:
    $newPass = Read-Host "Enter the new user password" -AsSecureString

    Set-ADAccountPassword bjackson -Reset -NewPassword $newPass
  • Check for Active Directory replication status for all domain controllers in the specific AD site:
    Get-ADReplicationFailure -Scope Site -Target London | Format-Table Server, FirstFailureTime, FailureCount, LastError, Partner
  • Find and disable user accounts that have not logged in to the domain for more than 120 days:
    Search-ADAccount -AccountInactive -TimeSpan 120.00:00:00 -UsersOnly | Disable-ADAccount
  • For detailed help on any cmdlet from the AD-PoSh module, use the Get-Help command:
    get-help set-aduser
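
The inactive-account item in the list above pipes the search results straight into Disable-ADAccount. The following added example (not from the original article) wraps the same search in a review-first function that writes a report and honours -WhatIf; the function name, the report path and the svc-backup exclusion are hypothetical.

```powershell
# Added example: review-first workflow for disabling inactive user accounts.
function Disable-InactiveAdUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]      $Days       = 120,   # threshold used on this page
        [string]   $ReportPath = (Join-Path $env:TEMP 'inactive-users.csv'),
        [string[]] $Exclude    = @()    # sAMAccountNames that must never be touched
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. Collect candidates; skip accounts that are already disabled or excluded.
    #    @() keeps the result an array even when nothing matches.
    $candidates = @(
        Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
            Where-Object { $_.Enabled -and $_.SamAccountName -notin $Exclude }
    )

    # 2. Always write the report, even during a -WhatIf run, so it can be reviewed.
    $candidates |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    # 3. Disable one account at a time; -WhatIf and -Confirm are honoured here.
    foreach ($user in $candidates) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
            Disable-ADAccount -Identity $user -Confirm:$false
        }
    }

    # Return the candidates so the caller can inspect or log them.
    $candidates
}

# Dry run: lists what would be disabled and writes the report, changes nothing.
Disable-InactiveAdUser -Days 120 -Exclude 'svc-backup' -WhatIf
```

Run it without -WhatIf only after reviewing the report; because ConfirmImpact is High, PowerShell then asks for confirmation on each account.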


If the computer is not a part of the Active Directory domain, the following warning appears when you try importing the AD-PoSh module:

WARNING: Error initializing default drive: ‘Unable to find a default server with Active Directory Web Services running’.

In this case, you need to specify the AD domain controller and user credentials to connect to it.

First of all, you need to get the user’s credentials to access the domain. Any authenticated domain user can view almost all properties of AD objects (excluding protected Active Directory attributes).

$cred = Get-Credential


For example, to get the user’s info from the DC named TOR-DC01 under saved credentials, use the command:

Get-ADUser postfixsrv -Server TOR-DC01 -Credential $cred


As you can see, you have received the AD account info.

So now you can use the PowerShell cmdlets to manage and query Active Directory.


5 comments

  1. This is a fantastic article. I’ve referred to it several times to install the Active Directory modules on multiple Windows servers and Win7 PC.

    Thanks for writing it!

  2. Installed fine and connected once but won’t make connection to my server any more and I can’t remove it. Tried Remove-PSSession -Id 1 and Remove-Module RemoteAD but it remains even after restart. Every time I start PowerShell it does this.

  3. For Windows 10 builds 1909 and later, replace the command `Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”` with simply `Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools”`. You don’t need the specific version # at the end; it will likely throw an error.

  4. Any way to install RSAT on a Windows 10 machine, but hide all the AD “modules” like AD Users and Computers, but we want to leverage the AD Powershell module only. Installing RSAT AD Tools on a few thousands machines just for the AD PowerShell module, seems silly.

    Ideally it would be nice to be able to ONLY install the AD Powershell module to leverage its capabilities, but now allowing users to SEE all the “other modules”
