How to Install PowerShell Active Directory Module and Manage AD? ,

Every Windows system administrator needs to be able to use not only the graphical AD snap-in (usually it’s ADUC, Active Directory Users and Computers), but also PowerShell cmdlets to perform everyday Active Directory administration tasks. The most, Active Directory Module for Windows PowerShell Used for domain and object management tasks (users, computers, groups). In this article, we will see how to installRSAT-AD-PowerShell Discover the module on Windows, its basic features, and popular cmdlets that are useful for managing and interacting with AD.

How to Install Active Directory PowerShell Module on Windows 10 & 11?

You can install the RSAT-AD PowerShell module not only on servers but also on workstations. This module is included in the RSAT (Remote Server Administration Tools) package for Windows.

In current builds of Windows 11 and Windows 10, RSAT components are installed online as features on demand. You can install modules using the command:

Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~

Add-WindowsCapability: Install Active Directory PowerShell Module

or via Settings -> Apps -> Optional features -> Add a feature -> RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.

Install RSAT AD PowerShell Utility on Windows

The RSAT package had to be downloaded and installed manually on previous versions of Windows. After that, you need to enable AD Module for PowerShell from Control Panel: Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools-> Role Administration Tools -> AD DS and AD LDS Tools .

To use AD cmdlets in PowerShell Core 6.x, 7.x you must first install the WindowsCompatibility module:

Install-Module -Name WindowsCompatibility

Then load the module into your session:

Import-Module -Name WindowsCompatibility
Import-WinModule -Name ActiveDirectory

Import Active Directory in PowerShell Core 7.3 session (pwsh.exe)

You can now use AD cmdlets in your PowerShell Core 7.x scripts.

Installing RSAT-AD-PowerShell Module on Windows Server

On Windows Server, you can install the Active Directory Module for Windows PowerShell from the Server Manager graphical console or by using PowerShell.

You can check that the Active Directory module is installed with the command:

Get-WindowsFeature -Name "RSAT-AD-PowerShell"

If the module is missing, install it:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature

Install RSAT-AD-PowerShell using PowerShell

To install the module via Server Manager, go to Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools , Enable Active Directory Module for Windows PowerShell,

Install Windows Server Utility: Active Directory Module for Windows PowerShell

You do not need to use a local domain controller session to manage Active Directory by using the RSAT-AD PowerShell module. This module can be installed on any member server or workstation. On AD domain controllers, the module is automatically installed when Active Directory Domain Services The (AD DS) role is deployed (when the server is promoted to DC).

Module interacts through AD Active Directory Web Services Which should be running on your domain controller and should be available to clients on TCP port 9389. Use the Test-Netconnection cmdlet to verify that this port is not blocked by the firewall on the DC:

Test-NetConnection MUN-DC1 -port 9389

Active Directory Administration with PowerShell

The Active Directory Module for Windows PowerShell contains a large number of cmdlets for interacting with AD. There are 147 AD PowerShell cmdlets available in the current version of the module for Windows Server 2022/Windows 11.

Check that the module is installed on the computer:

Get-Module -Name ActiveDirectory –ListAvailable

Before you can use the Active Directory Module cmdlets, you must import it into your PowerShell session (starting with Windows Server 2012 R2/Windows 8.1 the module is imported automatically).

Import-Module ActiveDirectory

Make sure the AD module is loaded in your PowerShell session:


Check if ad is loaded in powershell module session

You can display a full list of available Active Directory cmdlets:

Get-Command –module ActiveDirectory

Total number of cmdlets in the AD module:

Get-Command –module ActiveDirectory |measure-object|select count

Get all commands from Active Directory PowerShell module

Most RSAT-AD PowerShell modules start with cmdlets Get-, Set- either New- prefix.

  • Get– class cmdlets are used to retrieve various information from Active Directory (Get-ADUser – user properties, Get-ADComputer – computer settings, Get-ADGroupMember group membership, etc.). You do not need to be a domain administrator to use these cmdlets. Any domain user can run a PowerShell command to obtain the values ​​of AD object attributes (except confidential ones, as in the LAPS example);
  • set- The class cmdlets are used to set (change) object properties in Active Directory. For example, you can change user properties (set-brought), computer settings (set-ADcomputer), Etcetera. To perform these tasks, your account must have write permission on the objects you want to modify (see the article How to delegate administrator privileges in Active Directory);
  • orders starting with new- Allows you to create an AD object (create a user — New-ADUsercreate a group – New-ADGroup Create an organizational unit — New-ADOrganizationalUnit ,
  • Getting Started with Cmdlets add-: Add a user to a group (Add-ADGroupMember), add a sophisticated password policy (Add-ADFineGrainedPasswordPolicySubject,
  • remove- cmdlets used to delete AD objects Remove-ADGroup, Remove-ADComputer, Remove-ADUser,

There are specific PowerShell cmdlets that you can use to manage only certain AD components:

  • Enable-ADOptionalFeature – Enable optional AD features (for example, AD Recycle Bin to restore deleted objects);
  • Install-ADServiceAccount – Configure Managed Service Account (MSA, gMSA);
  • Search-ADAccount – allows you to find disabled, inactive, closed user and computer accounts in Active Directory;
  • Enable-ADAccount , Disable-ADAccount , Unlock-ADAccount – Enable/Disable/Unlock Account.

By default, PowerShell cmdlets connect to the closest domain controller in your environment (LOGONSERVER). with him -Server parameter, you can connect to ADDS on a different domain controller or in a different domain (you can display a list of DCs in another domain nltest / command).

The -Server parameter is available for almost all module cmdlets. For example

Get-ADuser j.smith -Server

you can also use -credential Parameter to specify optional Active Directory user credentials.

$creds = Get-Credential
Get-ADUser -Filter * -Credential $creds

Here’s how you can get help on any cmdlet

get-help Set-ADUser

You can demonstrate examples of using Active Directory cmdlets as follows:

(get-help New-ADComputer).examples

Importing Active Directory PowerShell Modules from a Remote Computer

It is not necessary to install the AD PowerShell module on all computers. An administrator can import this module remotely from a domain controller (domain administrator privileges are required) or from another computer.

PowerShell Remoting is used to connect to remote computers. This requires that Windows Remote Management (WinRM) is enabled and configured on the remote host.

Create a new session with the remote computer that has the AD PowerShell module installed:

$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPosh

Import the ActiveDirectory module from the remote computer into your local PS session:

Import-Module -PSsession $psSess -Name ActiveDirectory

You can now run any command from the Active Directory module on your computer as if the module was installed locally. However, they will be executed on the remote host.

You can add these commands to your PowerShell profile file to automatically import modules from a remote session when you start the powershell.exe console. run notepad $profile.CurrentUserAllHosts to open your PS profile file.

You can end a remote session with the command:

Remove-PSSession -Session $psSess

This method of importing AD modules via PowerShell implicit remoting allows you to use PowerShell cmdlets from Linux and MacOS hosts that cannot install a local copy of the module.

You can also use the Active Directory Module for PowerShell without installing RSAT. to do

For this, just copy some files from the computer where RSAT-AD PowerShell module is installed:

  • directory C:\Windows\System32\WindowsPowerShell\v1.0\Modules
  • file ActiveDirectory.Management.dll
  • file ActiveDirectory.Management.resources.dll

Then you need to import the module into your current session:

Import-Module C:\PS\ADmodule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\PS\ADmodule\Microsoft.ActiveDirectory.Management.resources.dll

Then, you can use all AD module cmdlets without installing RSAT.

Common PowerShell Commands for Active Directory

Let’s take a look at some of the typical administrative tasks that can be performed using Active Directory for PowerShell cmdlets.

You can find some useful examples of how to use Active Directory for PowerShell module cmdlets on the WOSHub website. Follow the link to get detailed instructions.

New-ADUser: Creating an AD User

To create a new AD user, you can use New-ADUser cmdlet. You can create a user with the following command:

New-ADUser -Name "Mila Beck" -GivenName "Mila" -Surname "Beck" -SamAccountName "mbeck" -UserPrincipalName "[email protected]" -Path "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input User Password") -Enabled $true

For detailed information about the New-ADUser cmdlet (including examples of how to create user domain accounts in bulk), see this article.

Get-ADComputer: Get computer object properties

To get the properties of the computer object in a particular OU (computer name and last logon date), use the Get-ADComputer cmdlet:

Get-ADComputer -SearchBase ‘OU=CA,OU=USA,DC=woshub,DC=com’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize

Add-ADGroupMember: Add Active Directory users to a group

To add users to an existing security group in the AD domain, run this command:

Add-AdGroupMember -Identity LondonSales -Members e.braun, l.wolf

Display a list of users in an AD group and export it to a CSV file:

Get-ADGroupMember LondonSales -recursive| ft samaccountname| Out-File c:\ps\export_ad_users.csv

Learn more about managing AD groups with PowerShell.

Set-ADAccountPassword: reset user password in AD

To reset a user’s password in AD with PowerShell:

Set-ADAccountPassword m.lorenz -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “Ne8Pa$$0rd1” -Force -Verbose) –PassThru

How to unlock, enable and disable Active Directory accounts?

To disable an AD user account:

Disable-ADAccount m.lorenz

To enable the account:

Enable-ADAccount m.lorenz

To unlock an account after it is locked by the domain password policy:

Unlock-ADAccount m.lorenz

Search-ADAAccount: How to find inactive and disabled AD objects?

To find and disable all computers in the AD domain that haven’t logged on for more than 90 days, use the Search-ADAccount cmdlet:

$timespan = New-Timespan –Days 90
Search-ADAccount -AccountInactive -ComputersOnly –TimeSpan $timespan | Disable-ADAccount

New-ADOrganisationalUnit: Create an organizational unit in AD

To quickly create a specific organizational unit structure in AD, you can use a PowerShell script. Let’s say you want to create multiple OUs with the names of states and specific object containers. Creating this AD infrastructure manually through the graphical ADUC snap-in is very time consuming. The AD Module for PowerShell allows solving this task in seconds (excluding the time it takes to write the script):

$fqdn = Get-ADDomain
$fulldomain = $fqdn.DNSRoot
$domain = $fulldomain.split(".")
$Dom = $domain[0]$Ext = $domain[1]$Sites = ("Nevada","Texas","California","Florida")
$Services = ("Users","Admins","Computers","Servers","Contacts","Service Accounts")
$FirstOU ="USA"
New-ADOrganizationalUnit -Name $FirstOU -Description $FirstOU -Path "DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($S in $Sites)
New-ADOrganizationalUnit -Name $S -Description "$S" -Path "OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($Serv in $Services)
New-ADOrganizationalUnit -Name $Serv -Description "$S $Serv" -Path "OU=$S,OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false

After running the script, you will see the following OU structure in Active Directory.

Creating a complex AD OU structure with New-ADOrganizationalUnit

To move objects between AD containers, you can use Move-ADObject Cmdlet:

$TargetOU = "OU=Sales,OU=Computers,DC=woshub,DC=com"
Get-ADComputer -Filter 'Name -like "SalesPC*"' | Move-ADObject -TargetPath $TargetOU

Get-ADReplicationFailure: Check Active Directory Replication

You can use the Get-ADReplicationFailure cmdlet to check the status of replication between AD domain controllers:

Get-ADReplicationFailure -Target NY-DC01,NY-DC02

To get information about all DCs in the domain, use Get-AdDomainController Cmdlet:

Get-ADDomainController –filter * | select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | format-table –auto

Get-ADDomainController - PowerShell gets domain controller information

In this article, we looked at how to install and use the Active Directory PowerShell module for AD domain administration. I hope this article will encourage you to further explore this module and automate most of your AD management tasks.

Leave a Comment