The Active Directory for Windows PowerShell module is one of the main tools to administer domain, manage objects in Active Directory and get different information about AD computers, users, groups, etc. Any Windows administrator must know how to use both the AD graphic snap-ins (usually it is ADUC – Active Directory Users & Computers) and the cmdlets of the
RSAT-AD-PowerShell module for performing daily Active Directory administration tasks. In this article we will look on how to install the PowerShell Active Directory module on Windows, discover its basic features and popular cmdlets that are useful to manage and interact with AD.
Installing the Powershell Active Directory Module on Windows Server
The Active Directory for Windows PowerShell is already built-in into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.
On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).
You can also install the module from the PowerShell console using the command:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature
You can install the RSAT-AD-PowerShell not only on the domain controllers. Any domain member server or even a workstation will do. The PowerShell Active Directory Module is installed automatically when you deploying the Active Directory Domain Services (AD DS) role (when promoting server to AD domain controller).
The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).
How to Install the PowerShell Active Directory Module on Windows 10?
You can install the RSAT-AD-PowerShell module not only on Windows Server, but also on your workstations. This module is a part of the RSAT (Remote Server Administration Tools) package you can download and install manually on Windows 7, Windows 8.1. After the installation of RSAT, you can install the Active Directory module for PowerShell from the Control Panel (Control Panel -> Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools-> Role Administration Tools -> AD DS and AD LDS Tools).
On Windows 10 build 1809 or newer the RSAT package is integrated into Windows image (as Features on Demand), so you can use this PowerShell command to install the Active Directory module:
Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”
Active Directory PowerShell Cmdlets
There are a lot of cmdlets to interact with AD in the Active Directory module for Windows PowerShell. Each new RSAT version contains more cmdlets than the previous one. In Windows Server 2016 there are 147 PowerShell cmdlets for Active Directory available.
Before using cmdlets of the Active Directory module, you need to import it to your PowerShell session (on Windows Server 2012 R2/ Windows 8.1 and newer the module is imported automatically).
$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPoSh_installed
Import-Module -PSsession $psSess -Name ActiveDirectory
You can display a complete list of available Active Directory cmdlets using the command:
Get-Command –module ActiveDirectory
The total number of cmdlets in the AD module:
Get-Command –module ActiveDirectory |measure-object|select count
Most RSAT-AD-PowerShell cmdlets start from
- Get– class cmdlets are used to get different information from Active Directory (Get-ADUser — user properties, Get-ADComputer – computer settings, Get-ADGroupMember — group membership, etc.). To run them, you do not need to be a domain admin. Any domain user can run PowerShell commands to get the values of the AD object attributes (except confidential ones, like in the example with LAPS);
- Set- class cmdlets are used to set (change) object settings in Active Directory. For example, you can change user properties (Set-ADUser), computer settings (Set-ADComputer), add a user to a group, etc. To do it, your account must have the permissions to modify the object properties (see the article How to Delegate Administrator Privileges in Active Directory);
- Commands that start with New- allow you to create AD objects (create a user — New-ADUser, create a group — New-ADGroup);
- Remove- cmdlets are used to delete AD objects.
Here is how you can get help on any cmdlet:
You can display the examples of using Active Directory cmdlets as follows:
It’s convenient to use the pop-up hints when typing cmdlet parameters in PowerShell ISE.
Active Directory Administration with RSAT-AD-PowerShell Module
Let’s look at some typical tasks of an administrator you can do using the Active Directory for PowerShell cmdlets.
New-ADUser: Creating AD Users
To create a new AD user, you can use the New-ADUser cmdlet. You can create a user with the following command:
New-ADUser -Name "Mila Beck" -GivenName "Mila" -Surname "Beck" -SamAccountName "mbeck" -UserPrincipalName "email@example.com" -Path "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input User Password") -Enabled $true
For a detailed info about New-ADUser cmdlet (including the example on how to create user domain accounts in bulk), see this article.
Get-ADComputer: Getting Computer Properties
To display the information about computer properties in the specific OU (the computer name and the last logon date), use the Get-ADComputer cmdlet:
Get-ADComputer -SearchBase ‘OU=CA,OU=USA,DC=woshub,DC=com’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Add-AdGroupMember: Add AD User to Groups
To add users to an existing security group in your AD domain, run this command:
Add-AdGroupMember -Identity LondonSales -Members e.braun, l.wolf
Display the list of users in the AD group and export it to a CSV file:
Get-ADGroupMember LondonSales -recursive| ft samaccountname| Out-File c:\ps\export_ad_users.csv
Learn more about managing AD groups from PowerShell.
Set-ADAccountPassword: Reset a User Password in AD
In order to reset an AD user password from PowerShell, run the following command:
Set-ADAccountPassword m.lorenz -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “Ne8Pa$$0rd1” -Force -Verbose) –PassThru
How to Unlock, Enable and Disable AD Account?
To disable AD user account:
To enable an account:
To unlock an account after it has been blocked by a domain password policy:
Search-ADAccount: How to Find Inactive and Disabled Objects?
To find and disable all computers in the AD domain that have not logged on for more than 90 days, use the Search-ADAccount cmdlet:
$timespan = New-Timespan –Days 90
Search-ADAccount -AccountInactive -ComputersOnly –TimeSpan $timespan | Disable-ADAccount
New-ADOrganizationalUnit: Create an Organizational Unit in AD
To quickly create a typical Organizational Unit structure in AD, you can use a PowerShell script. Suppose you want to create multiple OUs with states as their names and create typical object containers in them. It is quite time consuming to create this AD structure manually through the graphical ADUC snap-in. AD module for PowerShell allows to do it in seconds (except the time to write the script):
$fqdn = Get-ADDomain
$fulldomain = $fqdn.DNSRoot
$domain = $fulldomain.split(".")
$Dom = $domain
$Ext = $domain
$Sites = ("Nevada","Texas","California","Florida")
$Services = ("Users","Admins","Computers","Servers","Contacts","Service Accounts")
New-ADOrganizationalUnit -Name $FirstOU -Description $FirstOU -Path "DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($S in $Sites)
New-ADOrganizationalUnit -Name $S -Description "$S" -Path "OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
foreach ($Serv in $Services)
New-ADOrganizationalUnit -Name $Serv -Description "$S $Serv" -Path "OU=$S,OU=$FirstOU,DC=$Dom,DC=$EXT" -ProtectedFromAccidentalDeletion $false
After running the script, the following OU structure appears in Active Directory.
To move objects between AD containers, you can use the Move-ADObject cmdlet:
$TargetOU = "OU=Sales,OU=Computers,DC=woshub,DC=com"
Get-ADComputer -Filter 'Name -like "SalesPC*"' | Move-ADObject -TargetPath $TargetOU
Get-ADReplicationFailure: Check AD Replication Failures
Using the Get-ADReplicationFailure cmdlet you can check the state of replication between AD domain controllers:
Get-ADReplicationFailure -Target NY-DC01,NY-DC02
To get information about all DCs in the domain, use the Get-AdDomainController cmdlet:
Get-ADDomainController –filter * | select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | format-table –auto
So, we have considered the basic features of the Active Directory PowerShell module to administer AD domain. I hope it will encourage you to further explore other features of the module and automate most of AD management task.