Every Windows system administrator needs to be able to use not only the graphical AD snap-in (usually it’s ADUC, Active Directory Users and Computers), but also PowerShell cmdlets to perform everyday Active Directory administration tasks. The most, Active Directory Module for Windows PowerShell Used for domain and object management tasks (users, computers, groups). In this article, we will see how to install
RSAT-AD-PowerShell Discover the module on Windows, its basic features, and popular cmdlets that are useful for managing and interacting with AD.
How to Install Active Directory PowerShell Module on Windows 10 & 11?
You can install the RSAT-AD PowerShell module not only on servers but also on workstations. This module is included in the RSAT (Remote Server Administration Tools) package for Windows.
In current builds of Windows 11 and Windows 10, RSAT components are installed online as features on demand. You can install modules using the command:
Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
or via Settings -> Apps -> Optional features -> Add a feature -> RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
The RSAT package had to be downloaded and installed manually on previous versions of Windows. After that, you need to enable AD Module for PowerShell from Control Panel: Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools-> Role Administration Tools -> AD DS and AD LDS Tools .
To use AD cmdlets in PowerShell Core 6.x, 7.x you must first install the WindowsCompatibility module:
Install-Module -Name WindowsCompatibility
Then load the module into your session:
Import-Module -Name WindowsCompatibility
Import-WinModule -Name ActiveDirectory
You can now use AD cmdlets in your PowerShell Core 7.x scripts.
Installing RSAT-AD-PowerShell Module on Windows Server
On Windows Server, you can install the Active Directory Module for Windows PowerShell from the Server Manager graphical console or by using PowerShell.
You can check that the Active Directory module is installed with the command:
Get-WindowsFeature -Name "RSAT-AD-PowerShell"
If the module is missing, install it:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature
To install the module via Server Manager, go to Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools , Enable Active Directory Module for Windows PowerShell,
You do not need to use a local domain controller session to manage Active Directory by using the RSAT-AD PowerShell module. This module can be installed on any member server or workstation. On AD domain controllers, the module is automatically installed when Active Directory Domain Services The (AD DS) role is deployed (when the server is promoted to DC).
Module interacts through AD Active Directory Web Services Which should be running on your domain controller and should be available to clients on TCP port 9389. Use the Test-Netconnection cmdlet to verify that this port is not blocked by the firewall on the DC:
Test-NetConnection MUN-DC1 -port 9389
Active Directory Administration with PowerShell
The Active Directory Module for Windows PowerShell contains a large number of cmdlets for interacting with AD. There are 147 AD PowerShell cmdlets available in the current version of the module for Windows Server 2022/Windows 11.
Check that the module is installed on the computer:
Get-Module -Name ActiveDirectory –ListAvailable
Before you can use the Active Directory Module cmdlets, you must import it into your PowerShell session (starting with Windows Server 2012 R2/Windows 8.1 the module is imported automatically).
Make sure the AD module is loaded in your PowerShell session:
You can display a full list of available Active Directory cmdlets:
Get-Command –module ActiveDirectory
Total number of cmdlets in the AD module:
Get-Command –module ActiveDirectory |measure-object|select count
Most RSAT-AD PowerShell modules start with cmdlets
- Get– class cmdlets are used to retrieve various information from Active Directory (
Get-ADUser– user properties,
Get-ADComputer– computer settings,
Get-ADGroupMembergroup membership, etc.). You do not need to be a domain administrator to use these cmdlets. Any domain user can run a PowerShell command to obtain the values of AD object attributes (except confidential ones, as in the LAPS example);
- set- The class cmdlets are used to set (change) object properties in Active Directory. For example, you can change user properties (set-brought), computer settings (set-ADcomputer), Etcetera. To perform these tasks, your account must have write permission on the objects you want to modify (see the article How to delegate administrator privileges in Active Directory);
- orders starting with new- Allows you to create an AD object (create a user —
New-ADUsercreate a group –
New-ADGroupCreate an organizational unit —
- Getting Started with Cmdlets add-: Add a user to a group (
Add-ADGroupMember), add a sophisticated password policy (
- remove- cmdlets used to delete AD objects
There are specific PowerShell cmdlets that you can use to manage only certain AD components:
Enable-ADOptionalFeature– Enable optional AD features (for example, AD Recycle Bin to restore deleted objects);
Install-ADServiceAccount– Configure Managed Service Account (MSA, gMSA);
Search-ADAccount– allows you to find disabled, inactive, closed user and computer accounts in Active Directory;
Unlock-ADAccount– Enable/Disable/Unlock Account.
By default, PowerShell cmdlets connect to the closest domain controller in your environment (LOGONSERVER). with him -Server parameter, you can connect to ADDS on a different domain controller or in a different domain (you can display a list of DCs in another domain
nltest /dclist:newad.com command).
The -Server parameter is available for almost all module cmdlets. For example
Get-ADuser j.smith -Server mun-dc1.woshub.com
you can also use -credential Parameter to specify optional Active Directory user credentials.
$creds = Get-Credential
Get-ADUser -Filter * -Credential $creds
Here’s how you can get help on any cmdlet
You can demonstrate examples of using Active Directory cmdlets as follows:
Importing Active Directory PowerShell Modules from a Remote Computer
It is not necessary to install the AD PowerShell module on all computers. An administrator can import this module remotely from a domain controller (domain administrator privileges are required) or from another computer.
PowerShell Remoting is used to connect to remote computers. This requires that Windows Remote Management (WinRM) is enabled and configured on the remote host.
Create a new session with the remote computer that has the AD PowerShell module installed:
$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPosh
Import the ActiveDirectory module from the remote computer into your local PS session:
Import-Module -PSsession $psSess -Name ActiveDirectory
You can now run any command from the Active Directory module on your computer as if the module was installed locally. However, they will be executed on the remote host.
notepad $profile.CurrentUserAllHoststo open your PS profile file.
You can end a remote session with the command:
Remove-PSSession -Session $psSess
This method of importing AD modules via PowerShell implicit remoting allows you to use PowerShell cmdlets from Linux and MacOS hosts that cannot install a local copy of the module.
You can also use the Active Directory Module for PowerShell without installing RSAT. to do
For this, just copy some files from the computer where RSAT-AD PowerShell module is installed:
Then you need to import the module into your current session:
Then, you can use all AD module cmdlets without installing RSAT.
Common PowerShell Commands for Active Directory
Let’s take a look at some of the typical administrative tasks that can be performed using Active Directory for PowerShell cmdlets.
You can find some useful examples of how to use Active Directory for PowerShell module cmdlets on the WOSHub website. Follow the link to get detailed instructions.
New-ADUser: Creating an AD User
To create a new AD user, you can use New-ADUser cmdlet. You can create a user with the following command:
New-ADUser -Name "Mila Beck" -GivenName "Mila" -Surname "Beck" -SamAccountName "mbeck" -UserPrincipalName "[email protected]" -Path "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input User Password") -Enabled $true
For detailed information about the New-ADUser cmdlet (including examples of how to create user domain accounts in bulk), see this article.
Get-ADComputer: Get computer object properties
To get the properties of the computer object in a particular OU (computer name and last logon date), use the Get-ADComputer cmdlet:
Get-ADComputer -SearchBase ‘OU=CA,OU=USA,DC=woshub,DC=com’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Add-ADGroupMember: Add Active Directory users to a group
To add users to an existing security group in the AD domain, run this command:
Add-AdGroupMember -Identity LondonSales -Members e.braun, l.wolf
Display a list of users in an AD group and export it to a CSV file:
Get-ADGroupMember LondonSales -recursive| ft samaccountname| Out-File c:\ps\export_ad_users.csv
Learn more about managing AD groups with PowerShell.
Set-ADAccountPassword: reset user password in AD
To reset a user’s password in AD with PowerShell:
Set-ADAccountPassword m.lorenz -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “Ne8Pa$$0rd1” -Force -Verbose) –PassThru
How to unlock, enable and disable Active Directory accounts?
To disable an AD user account:
To enable the account:
To unlock an account after it is locked by the domain password policy:
Search-ADAAccount: How to find inactive and disabled AD objects?
To find and disable all computers in the AD domain that haven’t logged on for more than 90 days, use the Search-ADAccount cmdlet:
$timespan = New-Timespan –Days 90
Search-ADAccount -AccountInactive -ComputersOnly –TimeSpan $timespan | Disable-ADAccount
New-ADOrganisationalUnit: Create an organizational unit in AD
To quickly create a specific organizational unit structure in AD, you can use a PowerShell script. Let’s say you want to create multiple OUs with the names of states and specific object containers. Creating this AD infrastructure manually through the graphical ADUC snap-in is very time consuming. The AD Module for PowerShell allows solving this task in seconds (excluding the time it takes to write the script):
$fqdn = Get-ADDomain
$fulldomain = $fqdn.DNSRoot
$domain = $fulldomain.split(".")
$Dom = $domain$Ext = $domain$Sites = ("Nevada","Texas","California","Florida")
$Services = ("Users","Admins","Computers","Servers","Contacts","Service Accounts")
New-ADOrganizationalUnit -Name $FirstOU -Description $FirstOU -Path "DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($S in $Sites)
New-ADOrganizationalUnit -Name $S -Description "$S" -Path "OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($Serv in $Services)
New-ADOrganizationalUnit -Name $Serv -Description "$S $Serv" -Path "OU=$S,OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
After running the script, you will see the following OU structure in Active Directory.
To move objects between AD containers, you can use Move-ADObject Cmdlet:
$TargetOU = "OU=Sales,OU=Computers,DC=woshub,DC=com"
Get-ADComputer -Filter 'Name -like "SalesPC*"' | Move-ADObject -TargetPath $TargetOU
Get-ADReplicationFailure: Check Active Directory Replication
You can use the Get-ADReplicationFailure cmdlet to check the status of replication between AD domain controllers:
Get-ADReplicationFailure -Target NY-DC01,NY-DC02
To get information about all DCs in the domain, use Get-AdDomainController Cmdlet:
Get-ADDomainController –filter * | select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | format-table –auto
In this article, we looked at how to install and use the Active Directory PowerShell module for AD domain administration. I hope this article will encourage you to further explore this module and automate most of your AD management tasks.
Leave a Comment