Add Active Directory module in PowerShell in Windows 7/8



If you plan to run a PowerShell script that uses Active Directory cmdlets on a Windows 7 machine, or on any other machine that does NOT hold the AD DS role, you first need to complete the preliminary steps listed below.

By default, the Active Directory module cannot be imported in PowerShell on Windows 7. Two things are required, one on the domain side and one on the client:

  • A domain controller running Active Directory Web Services (ADWS). A Windows Server 2008 R2 DC has it built in; on 2003 or 2008 DCs install the "Active Directory Management Gateway Service" [LINK]
  • "Remote Server Administration Tools" on the Windows 7 client [KB958830: LINK]

NOTE: For KB958830 select either the x86 or x64 version, as appropriate for your Windows 7/8 workstation.

After this, the Active Directory module can be used in PowerShell scripts on that workstation.

After installing KB958830 on the Windows 7/8 client, go to Windows Features and enable the following item:

Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.

Open a PowerShell prompt and confirm that the module is listed:

Get-Module -ListAvailable

Then load it with Import-Module ActiveDirectory (on Windows 7 with PowerShell 2.0 the import is required; PowerShell 3.0 and later load the module automatically on first use).

Once you have Active Directory Web Services running on at least one domain controller and the AD PowerShell module is installed, you are ready to use it. You can do this in one of two ways. First, you can use the "Active Directory Module for Windows PowerShell" shortcut in Administrative Tools; second, you can open a normal PowerShell prompt and run Import-Module ActiveDirectory.

Right click the shortcut and select “Run as administrator” in order to start PowerShell with elevated permissions.
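As an added example (not part of the original article), the following script checks the client-side prerequisites from an elevated PowerShell prompt on a domain-joined Windows 7/8 workstation: that the module is installed, that a domain controller advertising ADWS can be located, that TCP port 9389 (the port ADWS listens on) is reachable on it, and that a query through ADWS succeeds. The domain is taken from the workstation's own membership; no names are assumed.

```powershell
# Added example: verify the Active Directory module and ADWS connectivity from a
# domain-joined Windows 7/8 workstation. Written for PowerShell 2.0, so it avoids
# newer helpers such as Test-NetConnection.

# 1. Is the module installed (RSAT feature enabled)?
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw "ActiveDirectory module not found. Install RSAT (KB958830) and enable 'Active Directory Module for Windows PowerShell' in Windows Features."
}
Import-Module ActiveDirectory -ErrorAction Stop

# 2. Find a DC that advertises ADWS. Without one (2008 R2 DC, or the AD Management
#    Gateway Service on 2003/2008 DCs) every AD cmdlet fails with
#    "Unable to find a default server with Active Directory Web Services running."
$dc = Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop
"ADWS-capable DC: $($dc.HostName)"

# 3. ADWS listens on TCP 9389. A firewall between client and DC that blocks it breaks
#    every cmdlet even though LDAP (389) and Kerberos (88) still work.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect([string]$dc.HostName, 9389)
    "TCP 9389 reachable on $($dc.HostName)"
} catch {
    throw "Cannot reach TCP 9389 on $($dc.HostName): $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 4. End-to-end check: a query that goes through ADWS, pinned to the DC found above
Get-ADDomain -Server $dc.HostName | Select-Object DNSRoot, DomainMode, PDCEmulator
```

Run it once after installing RSAT; if step 2 fails, the problem is on the domain controllers (no ADWS), if step 3 fails it is the network path to port 9389, and if step 4 fails it is the account's rights or Kerberos.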

Setting up your Domain Controllers

In order to use the Active Directory Module for Windows PowerShell on 2008 R2 and Windows 7, you first need to be running Active Directory Web Services (ADWS) on at least one Domain Controller. To install Active Directory Web Services (ADWS) you’ll need one of the following:

Windows Server 2008 R2 AD DS

You can load Active Directory Web Services (ADWS) on a Windows Server 2008 R2 Domain Controller when you install the AD DS role. The AD PowerShell module will also be installed during this process. Active Directory Web Services (ADWS) will be enabled when you promote the server to a DC using DCPromo.

Active Directory Management Gateway Service

If you cannot run Windows Server 2008 R2 Domain Controllers, you can install the Active Directory Management Gateway Service. Installing this provides the same Active Directory web service that runs on Windows Server 2008 R2 DCs.

You can install the Active Directory Management Gateway Service on DCs running the following operating systems:

  • Windows Server 2003 R2 with Service Pack 2
  • Windows Server 2003 SP2
  • Windows Server 2008
  • Windows Server 2008 SP2

NOTE: You can also use AD PowerShell to manage AD LDS instances on Windows Server 2008 R2. If you plan on using AD LDS, Active Directory Web Services and the AD PowerShell module are both installed with the AD LDS role, and the ADWS service is enabled when your LDS instance is created.

Once you have Active Directory Web Services up and running on your Domain Controller(s), you will see an "Active Directory Web Services" entry in the Services console (service name ADWS; it listens on TCP port 9389).

At this point, you should be ready to install the AD PowerShell module. You can run AD PowerShell on all versions of Windows Server 2008 R2 (except the Web Edition) and on Windows 7.

Installing the Active Directory Module for Windows PowerShell on 2008 R2 member servers

You can install the Active Directory Module on Windows 2008 R2 member servers (non-domain controllers) by adding the RSAT-AD-PowerShell feature in Server Manager. The ServerManager PowerShell module is the quickest way to do this. To install the feature using the ServerManager module, launch PowerShell and run the following commands:

Import-Module ServerManager

Add-WindowsFeature RSAT-AD-PowerShell

Remember, this only needs to be done on Windows Server 2008 R2 member servers. The RSAT-AD-PowerShell feature is added automatically to 2008 R2 DCs during the DCPromo process.
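As an added example (not from the original article), here is an idempotent version of the two commands above for a 2008 R2 member server: it installs the feature only if it is missing, checks the result object that Add-WindowsFeature returns, and reports whether ADWS is present on the host. On Windows Server 2012 the same script works because Add-WindowsFeature is kept as an alias of Install-WindowsFeature.

```powershell
# Added example: install RSAT-AD-PowerShell only when needed and verify the result.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name RSAT-AD-PowerShell
if ($feature.Installed) {
    "RSAT-AD-PowerShell is already installed"
} else {
    $result = Add-WindowsFeature -Name RSAT-AD-PowerShell
    if (-not $result.Success) {
        throw "Feature install failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "A restart is required before the module can be used"
    }
}

# Confirm the module is now visible to PowerShell on this host
Get-Module -ListAvailable -Name ActiveDirectory | Select-Object Name, Path

# The module alone is not enough: the cmdlets talk to ADWS on a domain controller.
# On a DC, confirm the service is running and starts automatically; on a member
# server the service is not expected and the cmdlets will locate a DC instead.
$adws = Get-Service -Name ADWS -ErrorAction SilentlyContinue
if ($adws) {
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='ADWS'").StartMode
    "ADWS status: $($adws.Status), start mode: $startMode"
} else {
    "ADWS service not present on this host (normal for a member server)"
}
```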

Windows 8 and Windows 8.1

Things are easier in Windows 8 and Windows 8.1. All you have to do is download and install RSAT (there are separate packages for Windows 8 and Windows 8.1). By default, all tools are enabled after the installation, and because PowerShell 3.0 and later load modules automatically on first use, you do not have to run Import-Module. You can use the Active Directory module right away after you install RSAT.

Windows Server 2012 and Windows Server 2012 R2

As on Windows Server 2008 R2, the Active Directory Module is already installed on domain controllers on Windows Server 2012 and Windows Server 2012 R2. On member servers, you can add the module as a feature in Server Manager.

Enable Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.

Active Directory PSDrive

If the machine is joined to a domain, the module creates a default drive named AD: when it loads. You can cd (change directory) into this drive and use the usual file-system commands to navigate the directory. Paths are X.500 distinguished names, e.g. DC=fabrikam,DC=com.

PS C:\> cd AD:

PS AD:\>
PS AD:\> dir
...
PS AD:\> cd "DC=fabrikam,DC=com"
PS AD:\DC=fabrikam,DC=com> md "OU=myNewOU"
...
PS AD:\DC=fabrikam,DC=com> del "OU=myNewOU"

If you want to create a new drive connected to another domain or forest, or to use the more readable canonical path format, type the following (you will be prompted for the password of the account given in -Credential):

PS C:\> New-PSDrive -PSProvider ActiveDirectory -Server "contoso.fabrikam.com" -Credential "Contoso\Administrator" -Root "" -Name Contoso -FormatType Canonical

...
PS C:\> cd Contoso:
PS Contoso:\> dir | ft CanonicalName
...
PS Contoso:\> cd "contoso.fabrikam.com/"
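As an added example (not from the original article), the following script uses the AD: drive the way the session above does, but with the provider cmdlets instead of the cd/md/del aliases, and shows why a delete through the provider can fail: accidental-deletion protection is an ACL on the object, so it blocks Remove-Item exactly as it blocks the GUI. The domain DN is read from the domain the machine is joined to; the OU name PSDriveDemo is an assumption for the test object.

```powershell
# Added example: navigate the AD: drive with provider cmdlets and show that
# accidental-deletion protection blocks Remove-Item.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=fabrikam,DC=com
$ouName   = 'PSDriveDemo'                      # assumed name of a throw-away test OU
$ouDN     = "OU=$ouName,$domainDN"
$ouPath   = "AD:\$ouDN"

# List the top-level OUs and containers of the domain (equivalent of "dir" above)
Get-ChildItem -Path "AD:\$domainDN" |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -or $_.ObjectClass -eq 'container' } |
    Select-Object Name, ObjectClass, DistinguishedName

# Create the OU only if it does not exist yet; Test-Path works against the provider
if (-not (Test-Path -Path $ouPath)) {
    New-Item -Path $ouPath -ItemType organizationalUnit | Out-Null
}

# Turn protection on explicitly so the rest of the demo does not depend on defaults
Set-ADObject -Identity $ouDN -ProtectedFromAccidentalDeletion $true

# Deleting a protected OU fails with an access-denied error...
try {
    Remove-Item -Path $ouPath -ErrorAction Stop
    Write-Warning "OU was deleted; protection was not in effect"
} catch {
    "Delete blocked as expected: $($_.Exception.Message)"
}

# ...until the protection is explicitly removed
Set-ADObject -Identity $ouDN -ProtectedFromAccidentalDeletion $false
Remove-Item -Path $ouPath
Test-Path -Path $ouPath   # re-check the path after the delete
```

The same protection applies to objects created with md/New-Item under a protected parent, so a script that "cleans up" OUs should expect the access-denied error rather than run with a highly privileged account to get around it.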

Managing Groups (some easy examples)

There are different commands available to manipulate AD objects (in this case, groups).

Get-ADGroup: Returns one or more Active Directory groups.
New-ADGroup: Creates an Active Directory group.
Remove-ADGroup: Removes an Active Directory group.
Set-ADGroup: Modifies an Active Directory group.

Below are the commands for the most common group management tasks.

How to get the list of security groups but not distribution groups:

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

How to get the list of distribution groups but not security groups:

Get-ADGroup -Filter 'GroupCategory -eq "Distribution"'

List all Domain Local groups in the domain:

Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"'

List all Global groups in the domain:

Get-ADGroup -Filter 'GroupScope -eq "Global"'

List all Universal groups:

Get-ADGroup -Filter 'GroupScope -eq "Universal"'

You can also use wildcards to search for groups. The following command lists all groups whose name contains the word "admin":

Get-ADGroup -Filter 'Name -like "*admin*"'

Conditions can be combined. For example, to list all Universal groups whose name contains the word "admin":

Get-ADGroup -Filter 'Name -like "*admin*" -and GroupScope -eq "Universal"'
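As an added example (not from the original article), the filters above are put to a practical use: auditing every security group whose name contains "admin", resolving nested membership so the effective set of users is visible, and exporting the result. It assumes only a domain-joined host with the module loaded; the output path under $env:TEMP is an assumption.

```powershell
# Added example: audit "*admin*" security groups, resolving nested membership,
# so over-populated or stale privileged groups stand out.
Import-Module ActiveDirectory

# Both conditions go into one -Filter; it is evaluated server-side, not in Where-Object
$groups = Get-ADGroup -Filter 'Name -like "*admin*" -and GroupCategory -eq "Security"' `
                      -Properties Description, whenChanged

$report = foreach ($g in $groups) {
    # -Recursive flattens nested groups into the final set of users and computers
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
    $users   = @($members | Where-Object { $_.objectClass -eq 'user' } |
                            ForEach-Object { $_.SamAccountName })
    New-Object PSObject -Property @{
        Name        = $g.Name
        Scope       = $g.GroupScope
        MemberCount = $members.Count
        Users       = ($users -join ';')
        Description = $g.Description
        LastChanged = $g.whenChanged
    }
}

# Largest groups first; empty admin groups are usually leftovers worth removing
$report | Sort-Object MemberCount -Descending |
    Format-Table Name, Scope, MemberCount, LastChanged, Users -AutoSize

$report | Export-Csv -Path "$env:TEMP\admin-groups.csv" -NoTypeInformation
```

Two caveats when running this at scale: Get-ADGroupMember returns an error instead of a partial list when a group exceeds the ADWS MaxGroupOrMemberEntries limit (5000 by default), and it cannot resolve members that are foreign security principals from a trusted forest; for those groups read the Members attribute directly with Get-ADGroup -Properties Members.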

The -Filter parameter of the Active Directory cmdlets accepts the following operators: -eq, -ne, -lt, -le, -gt, -ge, -like, -notlike, -approx, -band, -bor and -recursivematch, which can be combined with -and, -or and -not. The filter is translated to an LDAP query and evaluated on the domain controller, so it is much faster than retrieving every group and filtering with Where-Object.

Example of New-ADGroup:

The following command creates a Domain Local security group named "HelpDesk Admins" under the Users container. Replace DC=W2k8Microsoft,DC=local with your own domain's distinguished name.

New-ADGroup -Name "HelpDesk Admins" -SamAccountName HelpDeskAdmins -GroupCategory Security -GroupScope DomainLocal -DisplayName "HelpDesk Admins" -Path "CN=Users,DC=W2k8Microsoft,DC=local"

Example of Remove-ADGroup: the following command removes the group created above (the SamAccountName is used as the identity).

Remove-ADGroup HelpDeskAdmins

You can also remove groups that match a wildcard. For example, to delete all groups whose name ends with "admins":

Get-ADGroup -Filter 'Name -like "*admins"' | Remove-ADGroup

The "|" (pipe) sends the output of Get-ADGroup as input to Remove-ADGroup. Remove-ADGroup prompts for confirmation for each group, but a broad wildcard can still match groups you did not intend to delete, so run the Get-ADGroup half on its own first, or append -WhatIf to Remove-ADGroup, to see exactly which groups the filter matches.

Example of Set-ADGroup: the following command converts the HelpDeskAdmins Domain Local group to a Universal group (re-create the group with the New-ADGroup command above if you ran the Remove-ADGroup example).

Set-ADGroup HelpDeskAdmins -GroupScope Universal

The following command populates the Description field of the HelpDeskAdmins group.

Set-ADGroup HelpDeskAdmins -Description "This is Help Desk Administrator Group"

Commands can be combined with | here as well. For example, to convert every Domain Local group whose name ends with "admins" to a Universal group:

Get-ADGroup -Filter 'Name -like "*admins" -and GroupScope -eq "DomainLocal"' | Set-ADGroup -GroupScope Universal
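As an added example (not from the original article), here is the bulk scope change above done the way you would want it done against a production domain, and the same pattern applies to the Remove-ADGroup pipeline: snapshot the current state, preview with -WhatIf, check the one rule AD enforces for this conversion (a Domain Local group that contains another Domain Local group cannot become Universal), and only then apply. The snapshot path under $env:TEMP is an assumption.

```powershell
# Added example: convert Domain Local "*admins" groups to Universal safely.
Import-Module ActiveDirectory

$filter  = 'Name -like "*admins" -and GroupScope -eq "DomainLocal"'
$targets = @(Get-ADGroup -Filter $filter)
if ($targets.Count -eq 0) { "Nothing matched '$filter'"; return }

# 1. Snapshot the current state so the change can be reverted
$snapshot = "$env:TEMP\group-scope-before.csv"
$targets | Select-Object Name, SamAccountName, DistinguishedName, GroupScope, GroupCategory |
    Export-Csv -Path $snapshot -NoTypeInformation

# 2. Dry run: -WhatIf prints what would change without touching AD
$targets | Set-ADGroup -GroupScope Universal -WhatIf

foreach ($g in $targets) {
    # 3. AD refuses to convert a Domain Local group that has another Domain Local group
    #    as a member, so detect those first instead of failing halfway through the batch
    $nestedDomainLocal = @(
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
            Where-Object { $_.GroupScope -eq 'DomainLocal' }
    )
    if ($nestedDomainLocal.Count -gt 0) {
        $names = ($nestedDomainLocal | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "Skipping $($g.Name): contains Domain Local group(s) $names"
        continue
    }

    # 4. Apply; -PassThru returns the updated object so the new scope is visible in the log
    Set-ADGroup -Identity $g -GroupScope Universal -PassThru |
        Select-Object Name, GroupScope
}

# To revert, replay the snapshot:
# Import-Csv $snapshot | ForEach-Object { Set-ADGroup -Identity $_.DistinguishedName -GroupScope $_.GroupScope }
```

For Remove-ADGroup the equivalent snapshot is the group's members (Get-ADGroup -Properties Members) rather than its scope, since a deleted group's membership is the part that is painful to rebuild.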