The Active Directory for Windows PowerShell module is one of the main tools to administer a domain, manage objects in Active Directory, and get information about AD computers, users, groups, etc. Any Windows administrator must know how to use both the AD graphical snap-ins (usually ADUC – Active Directory Users & Computers) and the cmdlets of the RSAT-AD-PowerShell module for daily Active Directory administration tasks. In this post we will look at how to install the PowerShell Active Directory module on Windows and discover its basic features and the popular cmdlets that are useful for managing and interacting with AD.
Installing the PowerShell Active Directory Module on Windows Server
The Active Directory module for Windows PowerShell is built into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.
On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).
You can also install the module from the PowerShell console using the command:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
You can install RSAT-AD-PowerShell not only on domain controllers: any domain member server or even a workstation will do. The PowerShell Active Directory module is installed automatically when you deploy the Active Directory Domain Services (AD DS) role (when promoting a server to an AD domain controller).
The module interacts with AD through the Active Directory Web Service, which must be installed on your domain controller (communication is performed over TCP port 9389).
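A quick way to check both prerequisites from the machine where you plan to use the module, as an added example that is not from the original post. The function name `Test-ADModulePrerequisite` and the host name `dc01.corp.example` are placeholders, and `Test-NetConnection` requires Windows 8.1 / Windows Server 2012 R2 or newer:

```powershell
# Added example (not from the original post). Function name and DC name are placeholders.
function Test-ADModulePrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$DomainController,

        # ADWS port named in the text above
        [int]$AdwsPort = 9389
    )
    begin {
        # Newest locally installed copy of the module, or $null if RSAT is missing
        $module = Get-Module -ListAvailable -Name ActiveDirectory |
            Sort-Object Version -Descending |
            Select-Object -First 1
    }
    process {
        foreach ($dc in $DomainController) {
            $probe = @{
                ComputerName     = $dc
                Port             = $AdwsPort
                InformationLevel = 'Quiet'            # return only $true/$false
                WarningAction    = 'SilentlyContinue' # no warning text on failure
            }
            $reachable = [bool](Test-NetConnection @probe)

            [pscustomobject]@{
                DomainController = $dc
                ModuleInstalled  = [bool]$module
                ModuleVersion    = if ($module) { $module.Version } else { $null }
                AdwsReachable    = $reachable
                Ready            = ([bool]$module -and $reachable)
            }
        }
    }
}

# Constructed host name; replace with one of your domain controllers
Test-ADModulePrerequisite -DomainController 'dc01.corp.example'
```

A false `ModuleInstalled` points at a missing RSAT feature on the local machine, while a false `AdwsReachable` points at a firewall rule between you and the domain controller or at the web service not running there.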
How to Install the PowerShell Active Directory Module on Windows 10?
You can install the RSAT-AD-PowerShell module not only on Windows Server, but also on your workstations. This module is a part of the RSAT (Remote Server Administration Tools) package you can download and install manually on Windows 7 and Windows 8.1. After the installation of RSAT, you can install the Active Directory module for PowerShell from the Control Panel (Control Panel -> Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools).
On Windows 10 build 1809 or newer the RSAT package is integrated into the Windows image (as Features on Demand), so you can use this PowerShell command to install the Active Directory module:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
There is a way to deploy the PowerShell ActiveDirectory module on Windows 10 without installing RSAT.
Active Directory PowerShell Cmdlets
There are a lot of cmdlets to interact with AD in the Active Directory module for Windows PowerShell. Each new RSAT version contains more cmdlets than the previous one. In Windows Server 2016 there are 147 PowerShell cmdlets for Active Directory available.
Before using cmdlets of the Active Directory module, you need to import it into your PowerShell session (on Windows Server 2012 R2 / Windows 8.1 and newer the module is imported automatically).
Import-Module ActiveDirectory
If the Active Directory module is not installed on your computer, you can import it from your domain controller (you need domain administrator privileges to do it) or from another desktop computer:
$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPoSh_installed
Import-Module -PSsession $psSess -Name ActiveDirectory
You can display a complete list of available Active Directory cmdlets using the command:
Get-Command -Module ActiveDirectory
The total number of cmdlets in the AD module:
Get-Command -Module ActiveDirectory | Measure-Object | Select Count
Most RSAT-AD-PowerShell cmdlets start from
- Get- class cmdlets are used to get different information from Active Directory (Get-ADUser – user properties, Get-ADComputer – computer settings, Get-ADGroupMember – group membership, etc.). To run them, you do not need to be a domain admin. Any domain user can run PowerShell commands to get the values of the AD object attributes (except confidential ones, like in the example with LAPS);
- Set- class cmdlets are used to set (change) object settings in Active Directory. For example, you can change user properties (Set-ADUser), computer settings (Set-ADComputer), add a user to a group, etc. To do it, your account must have the permissions to modify the object properties (see the post How to Delegate Administrator Privileges in Active Directory);
- Commands that start with New- allow you to create AD objects (create a user — New-ADUser, create a group — New-ADGroup);
- Remove- cmdlets are used to delete AD objects.
Here is how you can get help on any cmdlet:
You can display the examples of using Active Directory cmdlets as follows:
It’s convenient to use the pop-up hints when typing cmdlet parameters in PowerShell ISE.