How to Install and Use the PowerShell Active Directory Module?

The Active Directory module for Windows PowerShell is one of the main tools for administering a domain, managing objects in Active Directory and getting various information about AD computers, users, groups, etc. Any Windows administrator should know how to use both the AD graphical snap-ins (usually ADUC, Active Directory Users & Computers) and the cmdlets of the RSAT-AD-PowerShell module for daily Active Directory administration tasks. In this article we'll look at how to install the PowerShell Active Directory module on Windows, and go over its basic features and the popular cmdlets that are useful for managing and interacting with AD.

Installing the PowerShell Active Directory Module on Windows Server

The Active Directory module for Windows PowerShell is already built into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).


You can also install the module from the PowerShell console using the command:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature


You can install RSAT-AD-PowerShell not only on domain controllers. Any domain member server or even a workstation will do. The PowerShell Active Directory module is installed automatically when you deploy the Active Directory Domain Services (AD DS) role (when promoting a server to an AD domain controller).

The module interacts with AD through the Active Directory Web Services, which must be installed on your domain controller (communication is carried out over TCP port 9389).

How to Install the PowerShell Active Directory Module on Windows 10?

You can install the RSAT-AD-PowerShell module not only on Windows Server, but also on your workstations. This module is part of the RSAT (Remote Server Administration Tools) package, which you can download and install manually on Windows 7 and Windows 8.1. After installing RSAT, you can enable the Active Directory module for PowerShell from the Control Panel (Control Panel -> Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools).


is built into the Windows image (as Features on Demand), so you can use this PowerShell command to install the Active Directory module:

Add-WindowsCapability -Online -Name ""

Active Directory PowerShell Cmdlets

There are many cmdlets for interacting with AD in the Active Directory module for Windows PowerShell. Each new RSAT version contains more cmdlets than the previous one. In Windows Server 2016 there are 147 PowerShell cmdlets for Active Directory available.

Before using the cmdlets of the Active Directory module, you need to import it into your PowerShell session (on Windows Server 2012 R2/Windows 8.1 and newer the module is imported automatically).

Import-Module ActiveDirectory

If the Active Directory module is not installed on your computer, you can import it from your domain controller (you need domain administrator privileges to do it) or from another desktop computer:

$psSess = New-PSSession -ComputerName DC_or_Comp_with_ADPoSh_installed
Import-Module -PSsession $psSess -Name ActiveDirectory

You can display the complete list of available Active Directory cmdlets using the command:

Get-Command -Module ActiveDirectory

The total number of cmdlets in the AD module:

Get-Command -Module ActiveDirectory | Measure-Object | Select-Object Count


Most RSAT-AD-PowerShell cmdlets start with the Get-, Set- or New- prefixes.

  • Get- class cmdlets are used to get various information from Active Directory ( - user properties, Get-ADComputer - computer settings, Get-ADGroupMember - group membership, etc.). To run them, you don't need to be a domain admin. Any domain user can run PowerShell commands to get the values of AD object attributes (except confidential ones, like in the example with );
  • Set- class cmdlets are used to set (change) object settings in Active Directory. For example, you can change user properties (Set-ADUser), computer settings (Set-ADComputer), add a user to a group, etc. To do this, your account must have permissions to modify the object properties (see the article );
  • Commands that start with New- allow you to create AD objects (create a user with New-ADUser, create a group with New-ADGroup);
  • Remove- cmdlets are used to delete AD objects.

Here is how you can get help on any cmdlet:

get-help Set-ADUser

You can display examples of using Active Directory cmdlets as follows:

(get-help New-ADComputer).examples

It's convenient to use the pop-up hints when typing cmdlet parameters in PowerShell ISE.


Active Directory Administration with RSAT-AD-PowerShell Module

Let's look at some typical administrator tasks you can do using the Active Directory for PowerShell cmdlets.

You can find some useful examples of how to use AD for PowerShell cmdlets on the WOSHub website. Follow the links to get detailed instructions.

New-ADUser: Creating AD Users

To create a new AD user, you can use the New-ADUser cmdlet. You can create a user with the following command:

New-ADUser -Name "Mila Beck" -GivenName "Mila" -Surname "Beck" -SamAccountName "mbeck" -UserPrincipalName "[email protected]" -Path "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com" -AccountPassword(Read-Host -AsSecureString "Input User Password") -Enabled $true

For detailed information about the New-ADUser cmdlet (including an example of how to create domain user accounts in bulk), see this .

Get-ADComputer: Getting Computer Properties

To display information about computer properties in a specific OU (the computer name and the last logon date), use the cmdlet:

Get-ADComputer -SearchBase 'OU=CA,OU=USA,DC=woshub,DC=com' -Filter * -Properties * | FT Name, LastLogonDate -Autosize

Add-AdGroupMember: Add AD User to Groups

To add users to an existing security group in your AD domain, run this command:

Add-AdGroupMember -Identity LondonSales -Members e.braun, l.wolf

Display the list of users in the AD group and export it to a CSV file:

Get-ADGroupMember LondonSales -Recursive | ft samaccountname | Out-File c:\ps\export_ad_users.csv

Learn more about .

Set-ADAccountPassword: Reset a User Password in AD

In order to reset , run the following command:

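# Single quotes keep the $$ in the password literal; inside double quotes PowerShell would expand it.
Set-ADAccountPassword m.lorenz -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Ne8Pa$$0rd1' -Force -Verbose) -PassThru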
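
A safer variant of the reset above, as an added example that is not from the original article: the new password is read as a SecureString instead of being typed in clear text, and the user is made to change it at next logon. The function name Reset-AdUserPasswordInteractive is hypothetical; m.lorenz is the sample account used on this page.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# and delegated rights to reset passwords on the target account.
Import-Module ActiveDirectory

function Reset-AdUserPasswordInteractive {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # Resolve the account first so a typo fails before anything is changed.
    $user = Get-ADUser -Identity $Identity -Properties LockedOut, PasswordNeverExpires -ErrorAction Stop

    # Read-Host -AsSecureString masks the input and returns a SecureString, so the
    # password never lands in the command line, PSReadLine history or a transcript.
    $newPassword = Read-Host -AsSecureString "New password for $($user.SamAccountName)"
    if ($newPassword.Length -eq 0) { throw 'Empty password entered, nothing changed.' }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword -ErrorAction Stop

        # Treat the new value as temporary: force a change at next logon.
        # (Not possible while "password never expires" is set on the account.)
        if (-not $user.PasswordNeverExpires) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }

        # A reset does not clear a lockout, so unlock explicitly when needed.
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    }
}

# m.lorenz is the sample account used on this page; -WhatIf shows the actions only.
Reset-AdUserPasswordInteractive -Identity 'm.lorenz' -WhatIf
```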

How to Unlock, Enable and Disable AD Account?

To disable an AD user account:

Disable-ADAccount m.lorenz

To enable an account:

Enable-ADAccount m.lorenz

To unlock an account after it has been blocked by a :

Unlock-ADAccount m.lorenz

Search-ADAccount: How to Find Inactive and Disabled Objects?

To find and disable all computers in the AD domain that have not logged on for more than 90 days, use the cmdlet:

$timespan = New-TimeSpan -Days 90
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan $timespan | Disable-ADAccount
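
The one-liner above disables every match immediately. The staged variant below is an added example, not from the original article: it writes a report of the candidates, skips domain controllers and accounts that are already disabled, and changes nothing when run with -WhatIf. The function name Disable-StaleComputer and the report path C:\Temp\stale_computers.csv are assumptions.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

function Disable-StaleComputer {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$Days = 90,
        [string]$ReportPath = 'C:\Temp\stale_computers.csv'   # assumed path
    )

    # Domain controllers are computer objects too; never sweep them up.
    $dcNames = (Get-ADDomainController -Filter *).Name

    # Same search as the one-liner, limited to enabled non-DC accounts.
    $stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days $Days) |
        Where-Object { $_.Enabled -and ($dcNames -notcontains $_.Name) }

    # Keep a record for review and rollback. -WhatIf:$false makes sure the
    # report is written even during a dry run of the function.
    $stale | Select-Object Name, DistinguishedName, LastLogonDate |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($computer in $stale) {
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $computer.DistinguishedName
        }
    }

    # Return the candidates so the caller can inspect or count them.
    return $stale
}

# Dry run: writes the report and lists what would be disabled.
Disable-StaleComputer -Days 90 -WhatIf
```

After reviewing the CSV, run the function without -WhatIf; it then asks for confirmation on each account unless -Confirm:$false is passed.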

New-ADOrganizationalUnit: Create an Organizational Unit in AD

To quickly create a typical Organizational Unit structure in AD, you can use a PowerShell script. Suppose you want to create several OUs with states as their names and create typical object containers in them. It is quite time-consuming to create this AD structure manually through the graphical ADUC snap-in. The AD module for PowerShell lets you do it in seconds (not counting the time to write the script):

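$fqdn = Get-ADDomain
$fulldomain = $fqdn.DNSRoot
$domain = $fulldomain.Split(".")
$Dom = $domain[0]
$Ext = $domain[1]
$Sites = ("Nevada","Texas","California","Florida")
$Services = ("Users","Admins","Computers","Servers","Contacts","Service Accounts")
$FirstOU = "USA"
New-ADOrganizationalUnit -Name $FirstOU -Description $FirstOU -Path "DC=$Dom,DC=$Ext" -ProtectedFromAccidentalDeletion $false
# Per the description above: one OU per state under $FirstOU, then the typical containers in each
foreach ($S in $Sites) {
    New-ADOrganizationalUnit -Name $S -Description $S -Path "OU=$FirstOU,DC=$Dom,DC=$Ext" -ProtectedFromAccidentalDeletion $false
    foreach ($Serv in $Services) {
        New-ADOrganizationalUnit -Name $Serv -Description "$S $Serv" -Path "OU=$S,OU=$FirstOU,DC=$Dom,DC=$Ext" -ProtectedFromAccidentalDeletion $false
    }
}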

After running the script, the following OU structure appears in Active Directory.


To move objects between AD containers, you can use the Move-ADObject cmdlet:

$TargetOU = "OU=Sales,OU=Computers,DC=woshub,DC=com"
Get-ADComputer -Filter 'Name -like "SalesPC*"' | Move-ADObject -TargetPath $TargetOU

Get-ADReplicationFailure: Check AD Replication Failures

Using the cmdlet you can check the state of replication between AD domain controllers:

Get-ADReplicationFailure -Target NY-DC01,NY-DC02

To get information about all DCs in the domain, use the Get-ADDomainController cmdlet:

Get-ADDomainController -Filter * | Select-Object HostName,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | Format-Table -AutoSize


So, we have covered the basic features of the Active Directory PowerShell module for administering an AD domain. I hope it will encourage you to further explore other features of the module and automate most of your AD administration tasks.
