How to install the PowerShell Active Directory module

Home Wiki How to install the PowerShell Active Directory module

4sysops - The online community for SysAdmins and DevOps

PowerShell’s Docs PowerShell Modules How to install the PowerShell Active Directory module

This guide has been updated for the latest Windows versions Windows 11 and Windows Server 2022. You'll learn how to install the Active Directory (AD) module for PowerShell Core 6.0, PowerShell 7 and Windows PowerShell. For Windows PowerShell, the tutorial describes how to install the AD module for Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016, Windows Server 2010 and Windows Server 2022. You'll also learn how to work with the AD module on other systems such as macOS or Linux with the help of PowerShell remoting.
Contents
  1. Windows 7
  2. Windows Server 2008 R2
  3. Windows 8, Windows 8.1
  4. Windows 10
  5. Windows 11
  6. On Windows 11 with PowerShell
  7. Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
  8. Install the AD module on PowerShell Core 6.x on a Windows computer
  9. Use the Active Directory module on Linux and macOS
  10. All versions: Import the ActiveDirectory module remotely
  11. PowerShell Core and Windows PowerShell modules
  12. Conclusion
Latest posts by Michael Pietroforte (see all)

Also read: How to install the PowerShell 7 Active Directory module.

The installation of the AD module varies significantly for the different Windows and PowerShell versions. At the time of this writing, the AD module that comes with RAST does not work with PowerShell Core 6.0. However, this guide explains how you can manage Active Directory from PowerShell Core even on macOS and Linux.

Windows 7

On a Windows 7 computer, you can follow this procedure to install the Active Directory module:

  1. Download the Remote Server Administration Tools (RSAT) for Windows 7.
  2. Open the Control Panel, start typing features, and then click Turn Windows features on or off.
  3. Scroll down to Remote Server Administration Tools and enable the Active Directory Module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
  4. Run Import-Module ActiveDirectory on a PowerShell console.
Active Directory Module for Windows PowerShell on Windows 7

Active Directory Module for Windows PowerShell on Windows 7

If the Windows 7 machine only has PowerShell 2.0 installed, you have to add the Import-Module ActiveDirectory command to your profile because PowerShell doesn't load modules automatically. For instance, you can import the module in %UserProfile%\My Documents\WindowsPowerShell\profile.ps1. Makes sure you've set your execution policy to either RemoteSigned or Unrestricted: Set-ExecutionPolicy RemoteSigned.

Another option is to open the module from the Administrative Tools folder in the Control Panel.

Active Directory Module in Administrative Tools

Active Directory Module in Administrative Tools

Windows Server 2008 R2

If your Windows Server 2008 R2 machine is a domain controller, the PowerShell Active Directory Module is already installed. You only have to install the module on member servers. The procedure on Windows Server 2008 R2 is similar to that on Windows 7. (Note that the module is not available for Windows Server 2008.)

One difference is that you don't have to download RSAT because the tools are already available on Windows Server 2008 R2.

  1. In Server Manager, click Add features, and then:
  2. Select Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.

Alternatively, you can install the module from a PowerShell console:

Import-Module ServerManagerAdd-WindowsFeature RSAT-AD-PowerShell

After copying the module to your computer, you have to import it:

Import-Module ActiveDirectory

Or you can right-click the PowerShell icon on the taskbar and select Import system modules.

Import system modules

Import system modules

As on Windows 7, if you want to make the import permanent, you have to add the above import command to your PowerShell profile. Notice this description assumes you haven't updated PowerShell 2 on your Windows Server 2008 R2 machine (see the description about Windows 7).

Windows 8, Windows 8.1

Things are a lot easier in Windows 8, Windows 8.1, and Windows 10. All you have to do is download and install RSAT (Windows 8Windows 8.1Windows 10). The installation enables all tools by default, and you also don't have to import the module. You can use the AD module right away after you install RSAT.

Windows 10

Since Windows 10, the RSAT tools were shifted from being a standalone package to being a feature on demand in Windows 10. Click the menu and then search for "features" and then navigate to App and Features > Optional Features > Add a feature. Type RSAT in the search field and select the second option—RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.

Install the AD module in Windows 10

Install the AD module in Windows 10

Windows 11

In Windows 11, click the Start, type "Settings" in the Search field.

Apps in Windows 11

Apps in Windows 11

Now click Apps > Optional Features > View features.

Optinal Features in Windows 11

Optinal Features in Windows 11

Add an optional feature in Windows 11

Add an optional feature in Windows 11

Then type "RSAT" and select RSAT: Active Directory Domain Services and Lightweight Directory Services Tools and click Next and then Install.

Install RSAT on Windows 11

Install RSAT on Windows 11

To verify that RSAT has been installed launch a PowerShell console with Administrator privileges and then type this command:

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Verfiying that RSAT is installed with PowerShell

Verfiying that RSAT is installed with PowerShell

On Windows 11 with PowerShell

If you don't want to avoid all this clicking you can install all the RSAT tools in one go with this PowerShell command below. Make sure that you are working on an elevated PowerShell console.

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Intstall RSAT with PowerShell

Intstall RSAT with PowerShell

Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

As on Windows Server 2008 R2, the AD module is already installed on domain controllers on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. On member servers, you can add the module as a feature in Server Manager.

  1. Start Server Manager.
  2. Click Manage > Add Roles and Features.
  3. Click Next until you reach Features.
  4. Enable Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
Install the AD module on Windows Server 2016

Install the AD module on Windows Server 2016

Alternatively, you can install the module from a PowerShell console:

Install-WindowsFeature RSAT-AD-PowerShell
Installing the AD module on Windows Server 2012 with PowerShell

Installing the AD module on Windows Server 2012 with PowerShell

There's no need to import the Server Manager module first, as on Windows Server 2008 R2. You also don't have to import the AD module after the installation.

If you want to verify the successful installation of the module, you can just run the Get-ADuser cmdlet.

Install the AD module on PowerShell Core 6.x on a Windows computer

  1. Install RSAT with the method matching to your operating system (see sections above).
  2. Install the WindowsCompatibility module.
    Install-Module -Name WindowsCompatibility
  3. Load the WindowsCompatibility module like usual with the Import-Module cmdlet
    Import-Module -Name WindowsCompatibility
  4. Load the ActiveDirectory module with the Import-WinModule cmdlet
    Import-WinModule -Name ActiveDirectory

Use the Active Directory module on Linux and macOS

On Linux and macOS you can't install Active Directory module. However, you use PowerShell remoting to connect to a Windows server with Active Directory and then work with the AD module in remoting session. Read ahead to learn how to use remoting with the AD module.

All versions: Import the ActiveDirectory module remotely

Create an interactive remote session

The simplest option is to create an interactive remote session to your domain controller with the Enter-PSsession cmdlet:

Enter-PSsession MyDomainConroller

You can then work right away with the AD cmdlets. This option is good if you only occasionally manage AD on a PowerShell console and if you don't have to execute local scripts.

Managing Active Directory on PowerShell Core in an interactive remote session

Managing Active Directory on PowerShell Core in an interactive remote session

Import the AD module from a remote session

The second option uses implicit remoting and allows you to run the AD cmdlets from a local session. However, you execute the AD cmdlets remotely on a domain controller. In practice, you won't notice much of difference in locally installed cmdlets. To import the AD module on PowerShell Core 6.0, execute these commands:

$S = New-PSSession -ComputerName MyDomainConroller
Import-Module -PSsession $S -Name ActiveDirectory
Import the AD module on PowerShell Core 6.0

Import the AD module on PowerShell Core 6.0

The first command creates a PowerShell session (PSsession) on the domain controller (replace MyDomainController with the name of your DC) and establishes a persistent connection. Next, we import the ActiveDirectory module from this remote PSsession into our local session.

You can now use all AD module cmdlets on your local PowerShell Core console. Just keep in mind the commands always execute remotely.

If you often work with AD, you can add the above commands to your profile, for instance in Documents\PowerShell\Profile.ps1.

Export the remote AD module to a local module

Alternatively, you can export the AD cmdlets from a remote session to a local module:

$S = New-PSSession -ComputerName MyDomainController
Export-PSsession -Session $S -Module ActiveDirectory -OutputModule RemoteAD
Remove-PSSession -Session $S
Import-Module RemoteAD
Exporting the Active Directory module to a local module

Exporting the Active Directory module to a local module

These commands will create a local module in your Documents folder under PowerShell\Modules\RemoteAD. However, like with the above solution, you will be working with implicit remoting, and all cmdlets will execute remotely. The local RemoteAD module only links to the cmdlets on the domain controller. If you want to use the RemoteAD module on other machines with PowerShell Core, simply copy the RemoteAD folder to the PowerShell Core module folder on the second machine.

The difference with the "import solution" is that in the "export solution," PowerShell only establishes a connection to the domain controller when you use an AD cmdlet the first time. You also don't have to add the above commands to your profile because PowerShell will load the local RemoteAD module automatically. However, the downside to this option is you might have to repeat the procedure after updating the AD module on the domain controller.

PowerShell Core and Windows PowerShell modules

Note that you can use Windows PowerShell together with PowerShell Core on the same machine and work with the different AD modules in both shells. If you installed RSAT, the AD module for Windows PowerShell will reside in this folder:

$env:windir/System32/WindowsPowerShell/v1.0/Modules/ActiveDirectory

If you used the export solution, the RemoteAD module will be in this folder:

$env:userprofile/Documents/PowerShell/Modules/RemoteAD

PowerShell Core and Windows PowerShell use different folders

PowerShell Core and Windows PowerShell use different folders

PowerShell Core does not import modules in WindowsPowerShell folders, and Windows PowerShell does not load PowerShell Core modules, which are always in PowerShell folders. Thus, you don't have to worry about conflicts between the different AD modules in PowerShell Core and Windows PowerShell.

Conclusion

Using the Active Directory module has become simpler with each PowerShell version up to Microsoft's release of PowerShell Core 6.0. However, working with implicit remoting and remote sessions has various advantages. One advantage is that you can use disconnected remote sessions. This allows you to start a script, shut down your client computer, and retrieve the results from the remote machine later. If you often work with remote sessions, you should become familiar with the different ways you can use PowerShell remote sessions. Once you get used to working with remoting, you probably won't miss the local AD module for PowerShell Core.

avataravataravataravataravatar

Attachments

Tags: active directory, powershell, powershell module

PowerShell Modules

Discussion (36)

  1. When attempting to import AD module to %UserProfile%My Documents I receive the following error:

    powershell a positional parameter cannot be found that accepts argument ‘%UserProfile%My’.

    At line:1 char:1

    Any help would be very much appreciated.

    avatar
    Reply

      • PS C:> Import-Module ActiveDirectory %UserProfile%My DocumentsWindowsPowershe
        llprofile.ps1
        Import-Module : A positional parameter cannot be found that accepts argument
        ‘%UserProfile%My’.
        At line:1 char:1
        + Import-Module ActiveDirectory %UserProfile%My
        DocumentsWindowsPowershellprofi …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        ~~~
        + CategoryInfo          : InvalidArgument: (:) [Import-Module], ParameterB
        indingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell
        .Commands.ImportModuleCommand

        Reply

          • Forgive my ignorance, I’m assuming the command will create a .ps1, so that each time I run PowerShell from within my profile, it will execute the AD module import automatically.

            Anyways, it still throwing the same error, but this time it has recognised/picked up my profile name. I’ll go away and spend a bit of time researching t o resolve this and post any findings that may help anyone.

            Thank you for your time so far.

            Reply

  2. S C:> Import-Module ActiveDirectory %UserProfile%My DocumentsWindowsPowershe
    llprofile.ps1

    I have put also put it in quotation marks as there is a space in the name of the directory, but this also did not work.

    Reply

  4. Your issue is the space between My and Documents.  The line should read:

    Import-Module ActiveDirectory “$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”

    However, this is not what the article said do.  It said add:

    Import-Module ActiveDirectory

    To:

    “$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”

    So what you could do is the following to append the commend to the existing profile.ps1 or create it if missing.

    Import-Module ActiveDirectory >> “$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”

    Reply

  7. I have this type of error (PowerShell 2.0, Win7 64 bit SP1) after having done all manipulations.

    WARNING: Default drive initialization error: “Can not find a default server with Active Directory Web Services running

    Reply

  8. The answer

    “A key requirement to use the AD cmdlet’s to manage an Active Directory deployment is the following:

    A Windows Server 2008 R2 Active Directory Web Services (ADWS) service must be installed on at least one domain controller in the AD domain or on one server that hosts your AD LDS instance. For more information about ADWS, see AD DS: Active Directory Web Services (http://go.microsoft.com/fwlink/?LinkID=141393).

    If you receive this error:

    ‘Unable to find a default server with Active Directory Web Service running’”

    You do not have ADWS installed on at least one DC.

    Reply

  9. Michael,

    Thank you for giving so much to the community and for this article in particular.  I recall the euphony that the PS community had when Windows Server 2008 R2 came out.  My question is can AD Modules and functionality be done on a Windows Server 2008 R1 Server; and are there instructions on how to accomplish this?

    Dennis

    Reply

      • To be able to run AD powershell scripts against a Windows Server 2008 domain controller, it seems the install of the Active Directory Management Gateway Service is required.

        To install the Active Directory Management Gateway Service on Windows Server 2008 domain controller, it requires a hotfix that is mentioned in the link you provided:

          https://support.microsoft.com/en-us/kb/969166

        However, the download site seems to no longer be valid. Does you or anyone know how to obtain this hotfix? Or perhaps if there's another workaround to be able to run Active Directory powershell scripts against a Windows Server 2008 domain controller?

        Reply

  10. Installed AD module for powershell in windows 7 . AD-getcomputer command works but it doesnot recognizes “-properties *” . Any idea

    Reply

  12. Thank you for a detailed answer. I did search on internet and still wasn’t quite clear how to get this working on Windows 10. There are so many different variations between different version of windows. Your blog explained in clear terms what to do along with the links. Thank a lot.

    Reply

  13. hi

    Please help me here.when i am trying to install windows server 2016 AD via Power shell.

    I am getting below error.

    PS C:\Users\vijay> $ouNameSync = ‘AccountsToSync’
    $ouNameNoSync = ‘AccountsNotToSync’

    New-ADOrganizationalUnit -Name $ouNameSync -Path “DC=adatum,DC=com” -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name $ouNameNoSync -Path “DC=adatum,DC=com” -ProtectedFromAccidentalDeletion $false

    New-ADUser -Name ‘Beverly Beach’ -GivenName ‘Beverly’ -Surname ‘Beach’ -SamAccountName ‘bbeach’ -UserPrincipalName ‘bbeach@adatum.com’ -AccountPassword (ConvertTo-SecureString -AsPlainText ‘Pa55w.rd’ -Force) -Path “OU=$ouNameSync,DC=adatum,DC=com” -PassThru | Enable-ADAccount
    New-ADUser -Name ‘Darwin Shivers’ -GivenName ‘Darwin’ -Surname ‘Shivers’ -SamAccountName ‘dshivers’ -UserPrincipalName ‘dshivers@adatum.com’ -AccountPassword (ConvertTo-SecureString -AsPlainText ‘Pa55w.rd’ -Force) -Path “OU=$ouNameNoSync,DC=adatum,DC=com” -PassThru | Enable-ADAccount

    New-ADOrganizationalUnit : The server is unwilling to process the request
    At line:4 char:1
    + New-ADOrganizationalUnit -Name $ouNameSync -Path “DC=adatum,DC=com” – …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (OU=AccountsToSync,DC=adatum,DC=com:String) [New-ADOrganizationalUnit],
    ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizatio
    nalUnit

    New-ADOrganizationalUnit : The server is unwilling to process the request
    At line:5 char:1
    + New-ADOrganizationalUnit -Name $ouNameNoSync -Path “DC=adatum,DC=com” …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (OU=AccountsNotToSync,DC=adatum,DC=com:String) [New-ADOrganizationalUnit
    ], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizatio
    nalUnit

    New-ADUser : The server is unwilling to process the request
    At line:7 char:1
    + New-ADUser -Name ‘Beverly Beach’ -GivenName ‘Beverly’ -Surname ‘Beach …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (CN=Beverly Beac…C=adatum,DC=com:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

    New-ADUser : The server is unwilling to process the request
    At line:8 char:1
    + New-ADUser -Name ‘Darwin Shivers’ -GivenName ‘Darwin’ -Surname ‘Shive …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (CN=Darwin Shive…C=adatum,DC=com:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

    PS C:\Users\vijay>

     

    Reply

  14. What's the difference between Enable-WindowsOptionalFeature, Install-WindowsFeature, and Add-WindowsFeature? When I try to run either of these I get "The term 'Add-WindowsFeature' is not recognized as the name of a cmdlet, function, script file,
    or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
    try again."

    Reply

  16. That works brilliantly, but it just has not been that perfect because it won't work if I set it as a task scheduller.

     

    The import-module won't import the Active Directory if run from Task scheduler.

     

    Any ideas?

    Reply

  20. There’s a typo in the Windows 11 PowerShell command.
    Instead of :
    Get-WindowsCapability -Name RSAT* -Online | Add-Windows Capability -Online

    It should be:
    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

    Reply

  21. Hi Micheal, I am trying to update our ADFS environment with the new Cert, however on some of the DCs I am missing ADFS cmdlet, and when I look for it on these servers it’s missing and I am not able to install it. Without it I cannot run any of the cmdlet for ADFS such as: Set-AdfsCertificate and others..

    I tried everything possible I could find online, but no luck..I have latest powershell instaled on these servers. Can u please give me some ideas of what I can do? I was only able to have the ADFS cmdlet on the ADFS server (which has the Role for ADFS).
    Thanks in advance,

    Reply

  22. Hi Michael
    The PowerShell command that you have listed for installing the RSAT tools on Windows 11 appears to install a LOT more than what is required, –

    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

    looks like it gets every available option starting with RSAT and then pipes them all to be added. There are lots of them, and according to the more ‘clicky’ version above it, it could be modified to just install the required ‘lightweight’ option. Is this right, or am I missing something? Thanks!

    Reply

    • Well, doesn’t this apply to all Microsoft products? Windows installs a LOT more than required, say evil tongues. 😉

      But I think you can just install the RSAT tools that you need. For instance, to only install the AD management tools, you can run this command:

      Add-WindowsCapability –online –Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

      More info here

      avatar
      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account