Windows OS Hub / PowerShell / How to Install and Use the PowerShell Active Directory Module?

February 11, 2020 Active Directory PowerShell Windows 10 Windows Server 2016

How to Install and Use the PowerShell Active Directory Module?

The Active Directory for Windows PowerShell module is one of the main tools to administer domain, manage objects in Active Directory and get different information about AD computers, users, groups, etc. Any Windows administrator must know how to use both the AD graphic snap-ins (usually it is ADUC – Active Directory Users & Computers) and the cmdlets of the RSAT-AD-PowerShell module for performing daily Active Directory administration tasks. In this article we will look on how to install the PowerShell Active Directory module on Windows, discover its basic features and popular cmdlets that are useful to manage and interact with AD.

Contents:

Installing the Powershell Active Directory Module on Windows Server
How to Install the PowerShell Active Directory Module on Windows 10?
Active Directory PowerShell Cmdlets
Active Directory Administration with RSAT-AD-PowerShell Module

Installing the Powershell Active Directory Module on Windows Server

The Active Directory for Windows PowerShell is already built-in into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

You can also install the module from the PowerShell console using the command:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature

You can install the RSAT-AD-PowerShell not only on the domain controllers. Any domain member server or even a workstation will do. The PowerShell Active Directory Module is installed automatically when you deploying the Active Directory Domain Services (AD DS) role (when promoting server to AD domain controller).

The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).

How to Install the PowerShell Active Directory Module on Windows 10?

You can install the RSAT-AD-PowerShell module not only on Windows Server, but also on your workstations. This module is a part of the RSAT (Remote Server Administration Tools) package you can download and install manually on Windows 7, Windows 8.1. After the installation of RSAT, you can install the Active Directory module for PowerShell from the Control Panel (Control Panel -> Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools-> Role Administration Tools -> AD DS and AD LDS Tools).

On Windows 10 build 1809 or newer the RSAT package is integrated into Windows image (as Features on Demand), so you can use this PowerShell command to install the Active Directory module:

Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”

There is a way to deploy PowerShell ActiveDirectory Module on Windows 10 without Installing RSAT.

Active Directory PowerShell Cmdlets

There are a lot of cmdlets to interact with AD in the Active Directory module for Windows PowerShell. Each new RSAT version contains more cmdlets than the previous one. In Windows Server 2016 there are 147 PowerShell cmdlets for Active Directory available.

Before using cmdlets of the Active Directory module, you need to import it to your PowerShell session (on Windows Server 2012 R2/ Windows 8.1 and newer the module is imported automatically).

Import-Module ActiveDirectory

If the Active Directory module is not installed on your computer, you can import it from your domain controller (you need the domain administrator privileges to do it) or from another desktop computer:

$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPoSh_installed Import-Module -PSsession $psSess -Name ActiveDirectory

You can display a complete list of available Active Directory cmdlets using the command:

Get-Command –module ActiveDirectory

The total number of cmdlets in the AD module:

Get-Command –module ActiveDirectory |measure-object|select count

Most RSAT-AD-PowerShell cmdlets start from Get-, Set- or New- prefixes.

Get– class cmdlets are used to get different information from Active Directory (Get-ADUser — user properties, Get-ADComputer – computer settings, Get-ADGroupMember — group membership, etc.). To run them, you do not need to be a domain admin. Any domain user can run PowerShell commands to get the values of the AD object attributes (except confidential ones, like in the example with LAPS);
Set- class cmdlets are used to set (change) object settings in Active Directory. For example, you can change user properties (Set-ADUser), computer settings (Set-ADComputer), add a user to a group, etc. To do it, your account must have the permissions to modify the object properties (see the article How to Delegate Administrator Privileges in Active Directory);
Commands that start with New- allow you to create AD objects (create a user — New-ADUser, create a group — New-ADGroup);
Remove- cmdlets are used to delete AD objects.

Here is how you can get help on any cmdlet:

get-help Set-ADUser

You can display the examples of using Active Directory cmdlets as follows:

(get-help New-ADComputer).examples

It’s convenient to use the pop-up hints when typing cmdlet parameters in PowerShell ISE.

Active Directory Administration with RSAT-AD-PowerShell Module

Let’s look at some typical tasks of an administrator you can do using the Active Directory for PowerShell cmdlets.

You can find some useful examples on how to use AD for PowerShell cmdlets on the WOSHub website. Follow the links to get the detailed instructions.

New-ADUser: Creating AD Users

To create a new AD user, you can use the New-ADUser cmdlet. You can create a user with the following command:

New-ADUser -Name "Mila Beck" -GivenName "Mila" -Surname "Beck" -SamAccountName "mbeck" -UserPrincipalName "mbeck@woshub.com" -Path "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input User Password") -Enabled $true

For a detailed info about New-ADUser cmdlet (including the example on how to create user domain accounts in bulk), see this article.

Get-ADComputer: Getting Computer Properties

To display the information about computer properties in the specific OU (the computer name and the last logon date), use the Get-ADComputer cmdlet:

Get-ADComputer -SearchBase ‘OU=CA,OU=USA,DC=woshub,DC=com’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize

Add-AdGroupMember: Add AD User to Groups

To add users to an existing security group in your AD domain, run this command:

Add-AdGroupMember -Identity LondonSales -Members e.braun, l.wolf

Display the list of users in the AD group and export it to a CSV file:

Get-ADGroupMember LondonSales -recursive| ft samaccountname| Out-File c:\ps\export_ad_users.csv

Learn more about managing AD groups from PowerShell.

Set-ADAccountPassword: Reset a User Password in AD

In order to reset an AD user password from PowerShell, run the following command:

Set-ADAccountPassword m.lorenz -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “Ne8Pa$$0rd1” -Force -Verbose) –PassThru

How to Unlock, Enable and Disable AD Account?

To disable AD user account:

Disable-ADAccount m.lorenz

To enable an account:

Enable-ADAccount m.lorenz

To unlock an account after it has been blocked by a domain password policy:

Unlock-ADAccount m.lorenz

Search-ADAccount: How to Find Inactive and Disabled Objects?

To find and disable all computers in the AD domain that have not logged on for more than 90 days, use the Search-ADAccount cmdlet:

$timespan = New-Timespan –Days 90 Search-ADAccount -AccountInactive -ComputersOnly –TimeSpan $timespan | Disable-ADAccount

New-ADOrganizationalUnit: Create an Organizational Unit in AD

To quickly create a typical Organizational Unit structure in AD, you can use a PowerShell script. Suppose you want to create multiple OUs with states as their names and create typical object containers in them. It is quite time consuming to create this AD structure manually through the graphical ADUC snap-in. AD module for PowerShell allows to do it in seconds (except the time to write the script):

$fqdn = Get-ADDomain $fulldomain = $fqdn.DNSRoot $domain = $fulldomain.split(".") $Dom = $domain[0] $Ext = $domain[1] $Sites = ("Nevada","Texas","California","Florida") $Services = ("Users","Admins","Computers","Servers","Contacts","Service Accounts") $FirstOU ="USA" New-ADOrganizationalUnit -Name $FirstOU -Description $FirstOU -Path "DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false foreach ($S in $Sites) { New-ADOrganizationalUnit -Name $S -Description "$S" -Path "OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false foreach ($Serv in $Services) { New-ADOrganizationalUnit -Name $Serv -Description "$S $Serv" -Path "OU=$S,OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false } }

After running the script, the following OU structure appears in Active Directory.

To move objects between AD containers, you can use the Move-ADObject cmdlet:

$TargetOU = "OU=Sales,OU=Computers,DC=woshub,DC=com" Get-ADComputer -Filter 'Name -like "SalesPC*"' | Move-ADObject -TargetPath $TargetOU

Get-ADReplicationFailure: Check AD Replication Failures

Using the Get-ADReplicationFailure cmdlet you can check the state of replication between AD domain controllers:

Get-ADReplicationFailure -Target NY-DC01,NY-DC02

To get information about all DCs in the domain, use the Get-AdDomainController cmdlet:

Get-ADDomainController –filter * | select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | format-table –auto

So, we have considered the basic features of the Active Directory PowerShell module to administer AD domain. I hope it will encourage you to further explore other features of the module and automate most of AD management task.