Powershell Active Directory Module


This guide explains how to install the Active Directory (AD) module for PowerShell Core 6.0 and Windows PowerShell. For Windows PowerShell, the document describes how to install the AD module for Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.


When Windows PowerShell first shipped, one of the most commonly asked questions was, 'Can I manage Active Directory (AD) using PowerShell?' At the time, Microsoft's answer wasn't what most administrators wanted to hear. PowerShell had a built-in Active Directory Service Interfaces (ADSI) 'type accelerator' ([ADSI]) that let you bind to AD objects, but you were pretty much on your own figuring out how to use it for AD administrative tasks. Shortly thereafter, Quest Software offered a free set of cmdlets for performing AD administration tasks, such as creating, modifying, and deleting AD objects and searching for objects in AD. For a long time, this was the state of PowerShell and AD management.

When Microsoft shipped Windows Server 2008 R2, everything changed, because it introduced the Active Directory Module for Windows PowerShell. The AD module includes a set of cmdlets for managing AD as well as an AD Provider that lets you navigate AD as if it were a drive letter.

I'll describe how to install the AD module and how it works in detail.

Installing the Active Directory Module

Unlike earlier tools, which use LDAP to communicate with AD, the AD module uses the Active Directory Web Services (ADWS) protocols to communicate with an AD domain controller (DC). An MSDN blog posting describes these protocols in detail, but suffice it to say that both the PowerShell cmdlets in the AD module and the Active Directory Administrative Center (ADAC) use ADWS to communicate with and get information from AD. In practice this means the management host must be able to reach TCP port 9389 (the ADWS port) on at least one DC; LDAP connectivity on 389/636 alone isn't enough, which matters when DCs sit behind a firewall. When you install Server 2012 or Server 2008 R2 DCs in your AD domain, ADWS is installed and running by default on each of them. If your domain is composed entirely of Windows Server 2008 or Windows Server 2003 DCs, you need to do a separate ADWS install. Microsoft provides a free package, the Active Directory Management Gateway Service, for this purpose.

If you install this package on at least one Server 2008 or Server 2003 DC in your domain, you can use the AD module for PowerShell as well as ADAC.

The AD module itself is installed by default on any DC running Server 2012 or Server 2008 R2. If you're running a client OS such as Windows 7 (or any non-DC running Server 2012 or Server 2008 R2), you need to install the Remote Server Administration Tools (RSAT) from Microsoft's download site. Whether RSAT was already on your system or you installed it separately, the next step is to open the Control Panel Programs and Features (Add/Remove Programs) applet and select Turn Windows features on or off from the menu on the left. In the Windows Features dialog box that appears, scroll down to the Remote Server Administration Tools section. Look for the Active Directory Module for Windows PowerShell check box, which is under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools, as shown in Figure 1. Select that check box and click OK to install the module.

Figure 1: Installing the AD Module for PowerShell

Afterward, you should see a shortcut labeled Active Directory Module for Windows PowerShell under Administrative Tools on the Start menu. Clicking that shortcut launches PowerShell with the AD module loaded.

If you're already working in PowerShell and simply want to load the module so it's available for use, you can type the following command to get access to the AD cmdlets and the AD Provider:

Import-Module ActiveDirectory

Now let's look at how you can navigate AD using the AD Provider.

Using the Active Directory Provider

PowerShell incorporates the concept of PowerShell drives, which I like to simply refer to as PS drives. In simple terms, a PS drive is a way of representing a resource as a navigable file system composed of folders and leaf items.
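The install-then-import procedure above, scripted as an added example (not code from the original article). It assumes a Windows Server 2012 or later member server, or a Windows 10 1809 or later client where RSAT ships as a Feature on Demand; the Windows 7/8 RSAT download package still has to be installed by hand as described above. Run it from an elevated prompt, because both the capability and feature cmdlets require it.

```powershell
# Added example: make sure the ActiveDirectory module is present, install the
# matching RSAT package if it isn't, then load it and confirm which DC's ADWS
# endpoint the module is using.

function Install-ADModuleIfMissing {
    [CmdletBinding()]
    param()

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Write-Verbose 'ActiveDirectory module already available.'
        return
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    if ($os.ProductType -eq 1) {
        # Windows 10 1809+ exposes RSAT as Features on Demand (assumption: this client is 1809+)
        $cap = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*'
        if (-not $cap) {
            throw 'RSAT AD DS/LDS capability not found; on older clients install the RSAT download package.'
        }
        if ($cap.State -ne 'Installed') {
            Add-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    } else {
        # Server 2012+: the module is the RSAT-AD-PowerShell sub-feature of RSAT-AD-Tools
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }
}

Install-ADModuleIfMissing -Verbose
Import-Module ActiveDirectory

# Confirm the module loaded and how many cmdlets it brought in
Get-Module -Name ActiveDirectory | Select-Object Name, Version
(Get-Command -Module ActiveDirectory).Count

# The module talks ADWS (TCP 9389); ask the locator for a DC that advertises it
Get-ADDomainController -Discover -Service ADWS | Select-Object HostName, Site
```

If the last command fails while LDAP tools still work, suspect port 9389 being blocked or ADWS not running on the reachable DCs rather than a problem with the module itself.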

Not every resource can be represented this way, but many, including AD and the registry, fit well into that model. The AD module contains the provider for an AD PS drive. What this means is that you can navigate and even modify AD as if it were a file system.

So, how do you navigate AD using the AD Provider? Assuming that you already have PowerShell open and the AD module loaded, the first step is to run the Set-Location cmdlet, which has several aliases, including sl and cd:

Set-Location AD:

This command changes the current working location to the AD PS drive. As a result, the PowerShell prompt will show AD:\ instead of C:\. Next, to see the items in the AD PS drive, you can use the Get-ChildItem cmdlet, which has an alias of dir:

Get-ChildItem

Figure 2 shows sample results from my machine. As you can see, this command returned a list of the available directory partitions (naming contexts). The most interesting one for me is the domain partition for cpandl, which contains users and computers.

To change to that domain, I simply type:

Set-Location 'DC=cpandl,DC=com'

Note that I'm using the Set-Location cmdlet with the distinguished name (DN) of my AD domain. That's required to properly navigate into it. Once I'm in the domain directory (as indicated by AD:\DC=cpandl,DC=com in the PowerShell prompt), I can use the Get-ChildItem cmdlet to see my top-level AD structure, which Figure 3 shows. Suppose I want to look at the users in the SDM organizational unit (OU). To get into that OU, I simply type:

Set-Location 'OU=SDM'

The PowerShell prompt will now show AD:\OU=SDM,DC=cpandl,DC=com.


At this point, I can use the Get-ChildItem cmdlet to see all the user objects in that OU. Let's say I want to change the Description property on the user object representing my user account Darren Mar-Elia. There's a cmdlet for that! The Set-ItemProperty cmdlet lets you change a property in an AD object.

If I want to change my user account's description to Chief Techie, I'd run the command:

Set-ItemProperty -Path '.\CN=Darren Mar-Elia' -Name 'Description' -Value 'Chief Techie'

As you can see from this command, I'm using the cmdlet's -Path parameter to point to my user account in the current directory (the .\ prefix means "relative to the current location"). I'm also using the -Name parameter to indicate that I want to modify the Description property and the -Value parameter to indicate that I want the description to be Chief Techie. Note that if you want to read the property values of an AD object, you can use the Get-ItemProperty cmdlet. If you just want to get a reference to the AD object itself, the Get-Item cmdlet will do the trick. As you can see, it's pretty straightforward to work with AD this way. Although it might not be a mechanism you'd use for doing mass changes, it's handy to be able to deal with AD as if it were a file system.
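The whole provider walk described in this section, from the AD: drive down to the Description change, as one added example (not code from the original article). The domain, OU, and user names are the article's (cpandl.com, OU=SDM, CN=Darren Mar-Elia) and are assumptions for your environment; the write is previewed with -WhatIf before it is made.

```powershell
# Added example: navigate the AD: drive, read an object's attributes, then
# change one attribute and verify the write.
Import-Module ActiveDirectory

Set-Location AD:
# Top level of the drive: the directory partitions (naming contexts)
Get-ChildItem | Format-Table Name, ObjectClass, DistinguishedName -AutoSize

# Relative paths work like a file system, but components are DN parts
Set-Location 'DC=cpandl,DC=com'
Get-ChildItem | Where-Object { $_.ObjectClass -eq 'organizationalUnit' } | Select-Object Name

Set-Location 'OU=SDM'
Get-ChildItem | Where-Object { $_.ObjectClass -eq 'user' } | Select-Object Name

# Get-Item returns the object; Get-ItemProperty returns its attribute values
$user = Get-Item -Path '.\CN=Darren Mar-Elia'
$user | Select-Object Name, ObjectClass, DistinguishedName
Get-ItemProperty -Path $user.PSPath -Name Description, whenChanged |
    Select-Object Description, whenChanged

# Dry run first: -WhatIf reports the change without touching the directory
Set-ItemProperty -Path '.\CN=Darren Mar-Elia' -Name Description -Value 'Chief Techie' -WhatIf

# Make the change and read it back
Set-ItemProperty -Path '.\CN=Darren Mar-Elia' -Name Description -Value 'Chief Techie'
Get-ItemProperty -Path '.\CN=Darren Mar-Elia' -Name Description | Select-Object Description

# Leave the AD: drive
Set-Location C:
```

The read-back matters more than it looks: the provider writes through ADWS to whichever DC the module is bound to, so a value read from a different DC before replication has converged can still show the old description.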

With that said, I find that most administrators use the AD cmdlets rather than the AD PS drive to manage AD. So, let's see how some of these cmdlets work.

Using the Active Directory Cmdlets

The AD module that comes with Windows 7 contains 76 cmdlets for managing AD. You can use them for doing pretty much everything, including searching AD objects, creating and deleting AD objects, and manipulating AD configuration information (e.g., forest mode, fine-grained password policy). The cmdlets are generally grouped by their verbs, such as Add-, Remove-, Get-, and Set-. Note that not every Get- cmdlet has a corresponding Set- cmdlet and vice versa, so you might have to do some digging to find the cmdlet that's right for a task. For example, you can set the AD forest functional level by using the Set-ADForestMode cmdlet, but if you want to find out the current forest functional level, you need to use the Get-ADForest cmdlet and view the ForestMode property on the returned object. Now let's take a look at some common tasks that you can perform using the AD cmdlets.
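A way to do the "digging" the paragraph above describes, as an added example (not code from the original article): enumerate the module's cmdlets by verb and noun, list the nouns where the Get-/Set- pairing is asymmetric, and show the forest-mode case. It assumes PowerShell 3.0 or later for the member enumeration on $_.Group.Verb.

```powershell
# Added example: discover the AD module's cmdlets and spot Get-/Set- asymmetries.
Import-Module ActiveDirectory

# The article counts 76 cmdlets on Windows 7; later RSAT releases ship more.
$cmds = Get-Command -Module ActiveDirectory -CommandType Cmdlet
$cmds.Count
$cmds | Group-Object Verb | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Nouns that have a Get- without a Set- (or a Set- without a Get-)
$cmds | Group-Object Noun |
    Where-Object { ($_.Group.Verb -contains 'Get') -xor ($_.Group.Verb -contains 'Set') } |
    Select-Object Name, @{ n = 'Verbs'; e = { ($_.Group.Verb | Sort-Object) -join ',' } } |
    Format-Table -AutoSize

# Forest functional level: read via Get-ADForest, change via Set-ADForestMode
(Get-ADForest).ForestMode
Get-Command -Module ActiveDirectory -Noun ADForestMode | Select-Object Name   # Set- only, no Get-

# Raising the level is irreversible; preview only (assumes the Windows2008R2Forest target)
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest -WhatIf
```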

Specifically, I'll show you how to add user accounts, manage group membership, reset user account passwords, and search for AD objects.

Adding User Accounts

The New-ADUser cmdlet provides an easy way to add user accounts to AD. Suppose I want to add a new user account named Bill Smith to my SDM OU. In the most basic form, I can create a new user using the command:

New-ADUser -Name 'Bill Smith' -SamAccountName 'bsmith' `
    -GivenName 'Bill' -Surname 'Smith' `
    -DisplayName 'Bill Smith' -Path 'OU=SDM,DC=cpandl,DC=com'

In this command, I'm filling in some basic information about the user account. Most notably, I'm using the -SamAccountName parameter to provide the SAM account name, which is required to create a user object. I'm also using the -Path parameter to tell the cmdlet where to put the object, in this case, in my SDM OU in the cpandl.com domain. In addition, I'm providing the user's first name (-GivenName parameter), last name (-Surname parameter), and display name (-DisplayName parameter). Although running this command would create the user account, there would be two caveats.

First, the account would be disabled. Second, the account wouldn't have a password associated with it, which is required in most domains.To avoid having to enable the account and add a password separately, you can modify the New-ADUser command I showed you. To have New-ADUser automatically enable the account, you need to specify the -Enabled $true parameter in the command.

An enabled account requires a password, so you also need to specify the password in the command. To provide a password, you can use the -AccountPassword parameter. However, you can't simply enter the password in plaintext on the command line. This parameter requires that the password be passed in as a secure string (i.e., have a data type of SecureString). There are two ways to convert the password into a secure string, both of which involve using a variable.

The first method uses the ConvertTo-SecureString cmdlet, which converts plaintext strings to secure strings. For example, if I want to convert the password into a secure string and assign it to the $pwd variable, I'd run the command:

$pwd = ConvertTo-SecureString -String '<plaintext password>' -AsPlainText -Force

This isn't the safest method for providing a password, because someone could be looking over my shoulder as I type this command. The plaintext also ends up in the console command history, and in any PowerShell transcript or script block log that captures the session, so it can be recovered long after the window is closed.

A safer way is to have the New-ADUser command prompt me for the password and mask the password as I type it. This can be done with the Read-Host cmdlet and its -AsSecureString parameter:

$pwd = Read-Host -AsSecureString

After this command runs, I'll see the familiar masking character (*) as I type my password.
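The complete New-ADUser call built up over this section (enabled account, prompted password) as an added example, not code from the original article. It uses the article's Bill Smith/bsmith account, OU=SDM and cpandl.com as assumptions for your environment, and adds the duplicate check and forced password change a practitioner would want around it.

```powershell
# Added example: create an enabled account whose initial password is never
# typed on the command line, then verify the result.
Import-Module ActiveDirectory

# Prompt with masking; unlike ConvertTo-SecureString -AsPlainText -Force, the
# plaintext never reaches the console, the command history, or a transcript.
# $securePassword rather than $pwd, so the automatic $PWD variable is not shadowed.
$securePassword = Read-Host -Prompt 'Initial password for bsmith' -AsSecureString

$params = @{
    Name                  = 'Bill Smith'
    SamAccountName        = 'bsmith'
    GivenName             = 'Bill'
    Surname               = 'Smith'
    DisplayName           = 'Bill Smith'
    UserPrincipalName     = 'bsmith@cpandl.com'          # assumption: UPN suffix matches the domain
    Path                  = 'OU=SDM,DC=cpandl,DC=com'
    AccountPassword       = $securePassword
    Enabled               = $true
    ChangePasswordAtLogon = $true   # the admin knows this password; make the user replace it
}

# SamAccountName must be unique in the domain; fail early instead of hitting the
# directory's own constraint violation part way through.
if (Get-ADUser -Filter "SamAccountName -eq 'bsmith'") {
    throw 'An account named bsmith already exists.'
}

# -PassThru returns the new object so we can read it back with the attributes we care about.
# If the password does not satisfy the domain password policy, New-ADUser reports an error.
New-ADUser @params -PassThru |
    Get-ADUser -Properties PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordExpired, PasswordLastSet
```

Splatting the parameters through a hash table keeps the long command readable and, more importantly here, keeps the SecureString in a variable rather than inline, so the only thing that appears on the command line is $securePassword.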

The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

If you don't have the Active Directory module installed on your machine, you need to download the correct Remote Server Administration Tools (RSAT) package for your OS. If you're running Windows 7, you will also need to run the Import-Module ActiveDirectory command from an elevated PowerShell prompt.
