A common misconception, especially with new Windows system administrators, is they should log in to the domain controller server to manage the Active Directory. I’ve seen organizations where even the frontline service desk is allowed to log in to the domain controller servers just to provision new user accounts or create groups.
Microsoft has introduced the Remote Server Administration Tools (RSAT), allowing other computers (server or workstation) to remotely manage the Active Directory and other services running on Windows Server 2008 R2 and above. Part of the RSAT is the Active Directory PowerShell module, which administrators can use to manage the Active Directory using PowerShell cmdlets.
Stick around, and we’ll show different ways to have the Active Directory module on Windows Server and client computers.
Note. Any installation method involving the DISM module or DISM.exe installs all RSAT tools, not just the ActiveDirectory PowerShell module.
Table of Contents
Install PowerShell Active Directory Module on Windows Server
While the Active Directory Module is automatically installed on servers with the Active Directory Domain Services (AD DS) role, it has to be installed on other servers that don’t hold the same role.
There are a few ways to install the Active Directory Module on Windows Servers, and we’ll tackle them next.
Using the Add Roles and Features Wizard (Server Manager Console)
The Server Manager console is a graphical user interface to manage the local and remote servers. It also allows administrators to install roles and features, including the Active Directory Module.
On your server, open the Server Manager.
On the Dashboard, click “Add roles and features.”
When the “Add Roles and Features Wizard” window shows up, click Next until you reach the “Features” page.
Expand “Remote Server Administration Tools” → “AD DS and AD LDS Tools” and check the “Active Directory module for Windows PowerShell” box, then click Next.
On the Confirmation page, review the selection and click Install.
Wait for the installation to finish and click Close.
Using Install-WindowsFeature Cmdlet (ServerManager Module)
Installing features in the Server Manager console has a cmdlet counterpart in PowerShell called Install-WindowsFeature. This cmdlet also has an alias called Add-WindowsFeature. These cmdlets are part of the ServerManager module that’s built-in to Windows servers.
But first, let’s find out the Active Directory Module for Windows PowerShell feature status. Open Windows PowerShell as admin and run this command.
Get-WindowsFeature -Name RSAT*
As you can see below, the RSAT-AD-PowerShell feature install state is available. This status means we can install it.
Run this command to install the RSAT-AD-PowerShell feature.
Install-WindowsFeature -Name RSAT-AD-PowerShell
The screenshot below shows the result of a successful installation.
Install PowerShell Active Directory Module on Windows 10 or 11
On modern Windows 10 builds (1809 and newer), the RSAT became a part of Features on Demand (FoD). You can install RSAT directly via the Optional Features in Windows Settings, DISM.exe, and Add-WindowsCapability.
Using the Optional Features in Windows Settings
On your Windows computer, press WIN+R and run this command to open the Optional Features settings.
ms-settings:optionalfeatures
Click the “View features” button.
In the “Add an optional feature” window, search RSAT, check the “RSAT: Active Directory Domain Services Tools” box, and click Next.
Click Install on the next page.
Wait for the feature to finish installing.
Using the Add-WindowsCapability Cmdlet (DISM Module)
Another method to install RSAT via Feature on Demand is the Add-WindowsCapability cmdlet. This cmdlet is part of the DISM module in Windows PowerShell.
Open Windows PowerShell as admin and run this command to find the RSAT feature to install.
Get-WindowsCapability -Online -Name RSAT* | Format-Table
As you can see, multiple features match. But in this instance, what we want is the Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0. Notice that the State is NotPresent, which means it is not yet installed.
To install, run this command:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Wait for the installation to finish.
Using DISM.exe
You can also install RSAT using the DISM.exe tool. To do so, open an elevated CMD or PowerShell and run this command.
DISM.exe /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Import PowerShell Active Directory Module after Installing
Now that you’ve installed the PowerShell Active Directory Module, you can import it into Windows PowerShell using this command.
Import-Module ActiveDirectory
If you’re using PowerShell 7+, use the Windows PowerShell compatibility switch (-UseWindowsPowerShell).
Import PowerShell Active Directory Module without Installing
You can also import the PowerShell Active Directory Module from a remote computer that has it. This way, you do not have to install it first.
First, create a session object to the remote command by running this command on your local PowerShell window. This method uses PowerShell remoting via WinRM.
$session = New-PSSession -ComputerName DC1
Next, export the ActiveDirectory module from the remote computer to the local computer. The module is saved to $env:HOMEPATH\Documents\WindowsPowerShell\Modules\<MODULE NAME> folder.
Export-PSsession -Session $session -Module ActiveDirectory -OutputModule RemoteADModule
Now that the ActiveDirectory module is exported as RemoteADModule to your local machine, you can import it like so:
Import-Module RemoteADModule
Using the Active Directory PowerShell Module
So you’ve installed the Active Directory PowerShell Module. What’s next? Well, it’s up to you. You can now manage the Active Directory using the various cmdlets at your disposal.
If you’re looking for ideas on where to start, here are some of our Active Directory PowerShell-related articles that you might enjoy.
- How to Change Username in Active Directory?
- How to Get User Attributes from Active Directory?
- How to Restore Deleted Active Directory User?
- How to Extract Group Members from Active Directory and Export It to CSV file?
- Import Users Into Active Directory From CSV
- How to Unlock User Account in Active Directory Domain?
- How to Check Active Directory Replication?
- How to Disable Active Directory Account Using PowerShell?
- How to Delete Protected OU in Active Directory?
- How to Find Bad Password Attempts in Active Directory?
- How to Find Nested Groups in Active Directory?
Conclusion
This post showed you different ways to install and import the PowerShell Active Directory module, such as using the Server Manager, PowerShell cmdlets, and the DISM.exe tool. The installation methods differ between Windows Servers and Desktop operating systems.
Whichever method you choose to install the Active Directory PowerShell module, you can be sure that the functionality and experience are consistent across.
1 comment
Any way to install RSAT on a Windows 10 machine, but hide all the AD “modules” like AD Users and Computers, but we want to leverage the AD Powershell module only. Installing RSAT AD Tools on a few thousands machines just for the AD PowerShell module, seems silly.
Ideally it would be nice to be able to ONLY install the AD Powershell module to leverage its capabilities, but now allowing users to SEE all the “other modules”