- Windows 7
- Windows Server 2008 R2
- Windows 8, Windows 8.1
- Windows 10
- Windows 11
- On Windows 11 with PowerShell
- Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
- Install the AD module on PowerShell Core 6.x on a Windows computer
- Use the Active Directory module on Linux and macOS
- All versions: Import the ActiveDirectory module remotely
- PowerShell Core and Windows PowerShell modules
- Conclusion
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
Also read: How to install the PowerShell 7 Active Directory module.
The installation of the AD module varies significantly for the different Windows and PowerShell versions. At the time of this writing, the AD module that comes with RAST does not work with PowerShell Core 6.0. However, this guide explains how you can manage Active Directory from PowerShell Core even on macOS and Linux.
Windows 7
On a Windows 7 computer, you can follow this procedure to install the Active Directory module:
- Download the Remote Server Administration Tools (RSAT) for Windows 7.
- Open the Control Panel, start typing features, and then click Turn Windows features on or off.
- Scroll down to Remote Server Administration Tools and enable the Active Directory Module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
- Run Import-Module ActiveDirectory on a PowerShell console.
Active Directory Module for Windows PowerShell on Windows 7
If the Windows 7 machine only has PowerShell 2.0 installed, you have to add the Import-Module ActiveDirectory command to your profile because PowerShell doesn't load modules automatically. For instance, you can import the module in %UserProfile%\My Documents\WindowsPowerShell\profile.ps1. Makes sure you've set your execution policy to either RemoteSigned or Unrestricted: Set-ExecutionPolicy RemoteSigned.
Another option is to open the module from the Administrative Tools folder in the Control Panel.
Active Directory Module in Administrative Tools
Windows Server 2008 R2
If your Windows Server 2008 R2 machine is a domain controller, the PowerShell Active Directory Module is already installed. You only have to install the module on member servers. The procedure on Windows Server 2008 R2 is similar to that on Windows 7. (Note that the module is not available for Windows Server 2008.)
One difference is that you don't have to download RSAT because the tools are already available on Windows Server 2008 R2.
- In Server Manager, click Add features, and then:
- Select Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
Alternatively, you can install the module from a PowerShell console:
Import-Module ServerManagerAdd-WindowsFeature RSAT-AD-PowerShell
After copying the module to your computer, you have to import it:
Import-Module ActiveDirectory
Or you can right-click the PowerShell icon on the taskbar and select Import system modules.
Import system modules
As on Windows 7, if you want to make the import permanent, you have to add the above import command to your PowerShell profile. Notice this description assumes you haven't updated PowerShell 2 on your Windows Server 2008 R2 machine (see the description about Windows 7).
Windows 8, Windows 8.1
Things are a lot easier in Windows 8, Windows 8.1, and Windows 10. All you have to do is download and install RSAT (Windows 8, Windows 8.1, Windows 10). The installation enables all tools by default, and you also don't have to import the module. You can use the AD module right away after you install RSAT.
Windows 10
Since Windows 10, the RSAT tools were shifted from being a standalone package to being a feature on demand in Windows 10. Click the menu and then search for "features" and then navigate to App and Features > Optional Features > Add a feature. Type RSAT in the search field and select the second option—RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
Install the AD module in Windows 10
Windows 11
In Windows 11, click the Start, type "Settings" in the Search field.
Apps in Windows 11
Now click Apps > Optional Features > View features.
Optinal Features in Windows 11
Add an optional feature in Windows 11
Then type "RSAT" and select RSAT: Active Directory Domain Services and Lightweight Directory Services Tools and click Next and then Install.
Install RSAT on Windows 11
To verify that RSAT has been installed launch a PowerShell console with Administrator privileges and then type this command:
Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Verfiying that RSAT is installed with PowerShell
On Windows 11 with PowerShell
If you don't want to avoid all this clicking you can install all the RSAT tools in one go with this PowerShell command below. Make sure that you are working on an elevated PowerShell console.
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Intstall RSAT with PowerShell
Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
As on Windows Server 2008 R2, the AD module is already installed on domain controllers on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. On member servers, you can add the module as a feature in Server Manager.
- Start Server Manager.
- Click Manage > Add Roles and Features.
- Click Next until you reach Features.
- Enable Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
Install the AD module on Windows Server 2016
Alternatively, you can install the module from a PowerShell console:
Install-WindowsFeature RSAT-AD-PowerShell
Installing the AD module on Windows Server 2012 with PowerShell
There's no need to import the Server Manager module first, as on Windows Server 2008 R2. You also don't have to import the AD module after the installation.
If you want to verify the successful installation of the module, you can just run the Get-ADuser cmdlet.
Install the AD module on PowerShell Core 6.x on a Windows computer
- Install RSAT with the method matching to your operating system (see sections above).
- Install the WindowsCompatibility module.
Install-Module -Name WindowsCompatibility
- Load the WindowsCompatibility module like usual with the Import-Module cmdlet
Import-Module -Name WindowsCompatibility
- Load the ActiveDirectory module with the Import-WinModule cmdlet
Import-WinModule -Name ActiveDirectory
Use the Active Directory module on Linux and macOS
On Linux and macOS you can't install Active Directory module. However, you use PowerShell remoting to connect to a Windows server with Active Directory and then work with the AD module in remoting session. Read ahead to learn how to use remoting with the AD module.
All versions: Import the ActiveDirectory module remotely
Create an interactive remote session
The simplest option is to create an interactive remote session to your domain controller with the Enter-PSsession cmdlet:
Enter-PSsession MyDomainConroller
You can then work right away with the AD cmdlets. This option is good if you only occasionally manage AD on a PowerShell console and if you don't have to execute local scripts.
Managing Active Directory on PowerShell Core in an interactive remote session
Import the AD module from a remote session
The second option uses implicit remoting and allows you to run the AD cmdlets from a local session. However, you execute the AD cmdlets remotely on a domain controller. In practice, you won't notice much of difference in locally installed cmdlets. To import the AD module on PowerShell Core 6.0, execute these commands:
$S = New-PSSession -ComputerName MyDomainConroller Import-Module -PSsession $S -Name ActiveDirectory
Import the AD module on PowerShell Core 6.0
The first command creates a PowerShell session (PSsession) on the domain controller (replace MyDomainController with the name of your DC) and establishes a persistent connection. Next, we import the ActiveDirectory module from this remote PSsession into our local session.
You can now use all AD module cmdlets on your local PowerShell Core console. Just keep in mind the commands always execute remotely.
If you often work with AD, you can add the above commands to your profile, for instance in Documents\PowerShell\Profile.ps1.
Export the remote AD module to a local module
Alternatively, you can export the AD cmdlets from a remote session to a local module:
$S = New-PSSession -ComputerName MyDomainController Export-PSsession -Session $S -Module ActiveDirectory -OutputModule RemoteAD Remove-PSSession -Session $S Import-Module RemoteAD
Exporting the Active Directory module to a local module
These commands will create a local module in your Documents folder under PowerShell\Modules\RemoteAD. However, like with the above solution, you will be working with implicit remoting, and all cmdlets will execute remotely. The local RemoteAD module only links to the cmdlets on the domain controller. If you want to use the RemoteAD module on other machines with PowerShell Core, simply copy the RemoteAD folder to the PowerShell Core module folder on the second machine.
The difference with the "import solution" is that in the "export solution," PowerShell only establishes a connection to the domain controller when you use an AD cmdlet the first time. You also don't have to add the above commands to your profile because PowerShell will load the local RemoteAD module automatically. However, the downside to this option is you might have to repeat the procedure after updating the AD module on the domain controller.
PowerShell Core and Windows PowerShell modules
Note that you can use Windows PowerShell together with PowerShell Core on the same machine and work with the different AD modules in both shells. If you installed RSAT, the AD module for Windows PowerShell will reside in this folder:
$env:windir/System32/WindowsPowerShell/v1.0/Modules/ActiveDirectory
If you used the export solution, the RemoteAD module will be in this folder:
$env:userprofile/Documents/PowerShell/Modules/RemoteAD
PowerShell Core and Windows PowerShell use different folders
PowerShell Core does not import modules in WindowsPowerShell folders, and Windows PowerShell does not load PowerShell Core modules, which are always in PowerShell folders. Thus, you don't have to worry about conflicts between the different AD modules in PowerShell Core and Windows PowerShell.
Conclusion
Using the Active Directory module has become simpler with each PowerShell version up to Microsoft's release of PowerShell Core 6.0. However, working with implicit remoting and remote sessions has various advantages. One advantage is that you can use disconnected remote sessions. This allows you to start a script, shut down your client computer, and retrieve the results from the remote machine later. If you often work with remote sessions, you should become familiar with the different ways you can use PowerShell remote sessions. Once you get used to working with remoting, you probably won't miss the local AD module for PowerShell Core.
When attempting to import AD module to %UserProfile%My Documents I receive the following error:
powershell a positional parameter cannot be found that accepts argument ‘%UserProfile%My’.
At line:1 char:1
Any help would be very much appreciated.
Can you post the exact command you are using?
PS C:> Import-Module ActiveDirectory %UserProfile%My DocumentsWindowsPowershe
llprofile.ps1
Import-Module : A positional parameter cannot be found that accepts argument
‘%UserProfile%My’.
At line:1 char:1
+ Import-Module ActiveDirectory %UserProfile%My
DocumentsWindowsPowershellprofi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : InvalidArgument: (:) [Import-Module], ParameterB
indingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell
.Commands.ImportModuleCommand
You have to use $env:userprofile instead of %UserProfile% What is profile.ps1 for?
Forgive my ignorance, I’m assuming the command will create a .ps1, so that each time I run PowerShell from within my profile, it will execute the AD module import automatically.
Anyways, it still throwing the same error, but this time it has recognised/picked up my profile name. I’ll go away and spend a bit of time researching t o resolve this and post any findings that may help anyone.
Thank you for your time so far.
S C:> Import-Module ActiveDirectory %UserProfile%My DocumentsWindowsPowershe
llprofile.ps1
I have put also put it in quotation marks as there is a space in the name of the directory, but this also did not work.
If you want to load a module automatically, you have to copy it to a module folder. Run $env:PSModulePath to get a list of your module folders.
Your issue is the space between My and Documents. The line should read:
Import-Module ActiveDirectory “$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”
However, this is not what the article said do. It said add:
Import-Module ActiveDirectory
To:
“$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”
So what you could do is the following to append the commend to the existing profile.ps1 or create it if missing.
Import-Module ActiveDirectory >> “$env:userprofileMy DocumentsWindowsPowershellprofile.ps1”
i am using windows server r-2 but cannot fount AD-Lds tools
I am using PowerShell on my macOS. Can I import the AD module to manage my AD from macOS?
Last time I played with PowerShell on a Mac, most sophisticated modules didn’t work. My guess is that the Active Directory Module is also not supported on OS X.
I have this type of error (PowerShell 2.0, Win7 64 bit SP1) after having done all manipulations.
“WARNING: Default drive initialization error: “Can not find a default server with Active Directory Web Services running“
The answer
“A key requirement to use the AD cmdlet’s to manage an Active Directory deployment is the following:
If you receive this error:
You do not have ADWS installed on at least one DC.
Thanks for the tip!
Michael,
Thank you for giving so much to the community and for this article in particular. I recall the euphony that the PS community had when Windows Server 2008 R2 came out. My question is can AD Modules and functionality be done on a Windows Server 2008 R1 Server; and are there instructions on how to accomplish this?
Dennis
Dennis, thanks! Do you mean Windows Server 2008 R2 or Windows Server 2008? There is no R1. On R2, it should work (as discussed in the article). I am unsure if the AD module works on Windows Server 2008 because this Windows version only supports PowerShell 2. I think you will need this.
To be able to run AD powershell scripts against a Windows Server 2008 domain controller, it seems the install of the Active Directory Management Gateway Service is required.
To install the Active Directory Management Gateway Service on Windows Server 2008 domain controller, it requires a hotfix that is mentioned in the link you provided:
https://support.microsoft.com/en-us/kb/969166
However, the download site seems to no longer be valid. Does you or anyone know how to obtain this hotfix? Or perhaps if there's another workaround to be able to run Active Directory powershell scripts against a Windows Server 2008 domain controller?
Installed AD module for powershell in windows 7 . AD-getcomputer command works but it doesnot recognizes “-properties *” . Any idea
Do you mean Get-ADComputer? What command did you try to execute?
Very good man. Thanks a lot.
Thank you for a detailed answer. I did search on internet and still wasn’t quite clear how to get this working on Windows 10. There are so many different variations between different version of windows. Your blog explained in clear terms what to do along with the links. Thank a lot.
Thanks!
hi
Please help me here.when i am trying to install windows server 2016 AD via Power shell.
I am getting below error.
PS C:\Users\vijay> $ouNameSync = ‘AccountsToSync’
$ouNameNoSync = ‘AccountsNotToSync’
New-ADOrganizationalUnit -Name $ouNameSync -Path “DC=adatum,DC=com” -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name $ouNameNoSync -Path “DC=adatum,DC=com” -ProtectedFromAccidentalDeletion $false
New-ADUser -Name ‘Beverly Beach’ -GivenName ‘Beverly’ -Surname ‘Beach’ -SamAccountName ‘bbeach’ -UserPrincipalName ‘bbeach@adatum.com’ -AccountPassword (ConvertTo-SecureString -AsPlainText ‘Pa55w.rd’ -Force) -Path “OU=$ouNameSync,DC=adatum,DC=com” -PassThru | Enable-ADAccount
New-ADUser -Name ‘Darwin Shivers’ -GivenName ‘Darwin’ -Surname ‘Shivers’ -SamAccountName ‘dshivers’ -UserPrincipalName ‘dshivers@adatum.com’ -AccountPassword (ConvertTo-SecureString -AsPlainText ‘Pa55w.rd’ -Force) -Path “OU=$ouNameNoSync,DC=adatum,DC=com” -PassThru | Enable-ADAccount
New-ADOrganizationalUnit : The server is unwilling to process the request
At line:4 char:1
+ New-ADOrganizationalUnit -Name $ouNameSync -Path “DC=adatum,DC=com” – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (OU=AccountsToSync,DC=adatum,DC=com:String) [New-ADOrganizationalUnit],
ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizatio
nalUnit
New-ADOrganizationalUnit : The server is unwilling to process the request
At line:5 char:1
+ New-ADOrganizationalUnit -Name $ouNameNoSync -Path “DC=adatum,DC=com” …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (OU=AccountsNotToSync,DC=adatum,DC=com:String) [New-ADOrganizationalUnit
], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizatio
nalUnit
New-ADUser : The server is unwilling to process the request
At line:7 char:1
+ New-ADUser -Name ‘Beverly Beach’ -GivenName ‘Beverly’ -Surname ‘Beach …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Beverly Beac…C=adatum,DC=com:String) [New-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser
New-ADUser : The server is unwilling to process the request
At line:8 char:1
+ New-ADUser -Name ‘Darwin Shivers’ -GivenName ‘Darwin’ -Surname ‘Shive …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Darwin Shive…C=adatum,DC=com:String) [New-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser
PS C:\Users\vijay>
What's the difference between Enable-WindowsOptionalFeature, Install-WindowsFeature, and Add-WindowsFeature? When I try to run either of these I get "The term 'Add-WindowsFeature' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again."
Chris, I guess you tried the commands on a Windows client. As described in the article, Add-WindowsFeature only works on Windows Server. Install-WindowsFeature replaces Ad-WindowsFeature. But I guess Ad-WindowsFeature will still work for a while.
@luke thanks for adding a new section to the wiki doc:
Install the AD module on PowerShell Core 6.x on a Windows computer
You received 60 member points.
That works brilliantly, but it just has not been that perfect because it won't work if I set it as a task scheduller.
The import-module won't import the Active Directory if run from Task scheduler.
Any ideas?
Great Article after long searching on net i got the solution. Thanks
Thanks – this article really helps us ..
Yes powershell saves the day especially when I need to connect to office 365. Thank you for the helpful details!
This reminds me I need to get the new RSAT
Cheers
https://www.microsoft.com/en-us/download/confirmation.aspx?id=45520&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1
There’s a typo in the Windows 11 PowerShell command.
Instead of :
Get-WindowsCapability -Name RSAT* -Online | Add-Windows Capability -Online
It should be:
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Many thanks! I fixed the typo now.
Hi Micheal, I am trying to update our ADFS environment with the new Cert, however on some of the DCs I am missing ADFS cmdlet, and when I look for it on these servers it’s missing and I am not able to install it. Without it I cannot run any of the cmdlet for ADFS such as: Set-AdfsCertificate and others..
I tried everything possible I could find online, but no luck..I have latest powershell instaled on these servers. Can u please give me some ideas of what I can do? I was only able to have the ADFS cmdlet on the ADFS server (which has the Role for ADFS).
Thanks in advance,
The cmdlets are in in the AD FS module. Did you install AD FS on these servers?
Hi Michael
The PowerShell command that you have listed for installing the RSAT tools on Windows 11 appears to install a LOT more than what is required, –
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
looks like it gets every available option starting with RSAT and then pipes them all to be added. There are lots of them, and according to the more ‘clicky’ version above it, it could be modified to just install the required ‘lightweight’ option. Is this right, or am I missing something? Thanks!
Well, doesn’t this apply to all Microsoft products? Windows installs a LOT more than required, say evil tongues. 😉
But I think you can just install the RSAT tools that you need. For instance, to only install the AD management tools, you can run this command:
More info here