What's New in AD DS: Active Directory Module for Windows PowerShell
Applies To: Windows Server 2008 R2
What are the major changes?
The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services.
What does the Active Directory module do?
Windows PowerShell™ is a command-line shell and scripting language that can help information technology (IT) professionals control system administration more easily and achieve greater productivity.
The Active Directory module for Windows PowerShell consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
In Windows 2000 Server, Windows Server 2003, and Windows Server 2008, administrators used a variety of command-line tools and Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains and AD LDS configuration sets to monitor and manage them. The Active Directory module for Windows PowerShell now provides a centralized experience for administering your directory service.
Who will be interested in this feature?
The following groups might be interested in the Active Directory module:
Enterprise IT planners and designers
Active Directory Domain Services (AD DS) management teams
AD DS administrators
Are there any special considerations?
The Active Directory module can be installed only on computers that are running Windows Server 2008 R2 or Windows Server 2012. The Active Directory module cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008.
You can also install the Active Directory module on Windows 7 or Windows 8 Release Preview as part of Remote Server Administration Tools (RSAT). However, if you want to install the Active Directory module to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008 R2 or Windows Server 2012 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 or Windows Server 2012 server.
What new functionality does the Active Directory module provide?
The Active Directory module consists of the Active Directory module provider and the Active Directory module cmdlets.
Active Directory module provider
Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, Active Directory Database Mounting Tool instances, and AD LDS instances and configuration sets. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:
cd
dir
remove
.
..
You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, you can use the following cmdlet:
New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" -Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name>\<username>
| Parameter | Description |
|---|---|
| -Name <name of the drive> | Specifies the name of the drive that is being added. |
| -PSProvider ActiveDirectory | The name of the provider, in this case, ActiveDirectory. |
| -Root "<DN of the partition/NC>" | Specifies the internal root or path of the provider. |
| -Server <server or domain name (NetBIOS/FQDN)[:port number]> | Specifies the server that hosts your Active Directory domain or an AD LDS instance. |
| -Credential <domain name>\<username> | Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server. |
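The following is an added example, not part of the original page: it mounts two provider drives, one to a domain partition through a named domain controller and one to an AD LDS instance on a custom port, and then browses them with the same cd/dir verbs used for the file system. The host names, the port and the partition DNs are placeholders.

```powershell
# Added example (not from the original page). Placeholders to replace:
#   DC01.corp.example.com / DC=corp,DC=example,DC=com     (domain partition via one DC)
#   lds01.corp.example.com:50000 / CN=AppDir,DC=example,DC=com   (AD LDS instance)
Import-Module ActiveDirectory

# Domain partition, pinned to one DC so every query in this drive goes to that DC.
New-PSDrive -Name CORP -PSProvider ActiveDirectory `
    -Root 'DC=corp,DC=example,DC=com' `
    -Server 'DC01.corp.example.com' | Out-Null

# AD LDS application partition on a non-default LDAP port, with explicit credentials.
# Get-Credential prompts, so the password never lands in the script or the history.
New-PSDrive -Name LDS -PSProvider ActiveDirectory `
    -Root 'CN=AppDir,DC=example,DC=com' `
    -Server 'lds01.corp.example.com:50000' `
    -Credential (Get-Credential) | Out-Null

# Every provider drive in this session; AD: is the default drive the module mounts.
Get-PSDrive -PSProvider ActiveDirectory | Select-Object Name, Root, Server

# cd and dir are the usual aliases of Set-Location and Get-ChildItem here as well.
Set-Location CORP:\
Get-Item .  | Select-Object DistinguishedName, ObjectClass      # the partition head
Get-ChildItem | Select-Object Name, ObjectClass, DistinguishedName

Set-Location LDS:\
Get-ChildItem | Select-Object Name, ObjectClass

# Drop the drives again when the session no longer needs them.
Set-Location C:\
Remove-PSDrive -Name CORP, LDS
```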
Active Directory module cmdlets
You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. You can use the Active Directory module to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or to create new ones.
The following table lists all the cmdlets that are available in this release of the Active Directory module in Windows Server 2008 R2.
Note
For more information on Active Directory PowerShell features that are new to Windows Server 2012, please refer to the following topics:
- Active Directory Replication and Topology Management Using Windows PowerShell
- Installing AD DS Using Windows PowerShell
- Removing AD DS Using Windows PowerShell
- In the Dynamic Access Control deployment documentation, look for any sections that are labeled Windows PowerShell equivalent commands
- In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller.
| Cmdlet | Description |
|---|---|
| Disable-ADAccount | Disables an Active Directory account. |
| Enable-ADAccount | Enables an Active Directory account. |
| Search-ADAccount | Gets Active Directory user, computer, and service accounts. |
| Unlock-ADAccount | Unlocks an Active Directory account. |
| Get-ADAccountAuthorizationGroup | Gets the Active Directory security groups that contain an account. |
| Set-ADAccountControl | Modifies user account control (UAC) values for an Active Directory account. |
| Clear-ADAccountExpiration | Clears the expiration date for an Active Directory account. |
| Set-ADAccountExpiration | Sets the expiration date for an Active Directory account. |
| Set-ADAccountPassword | Modifies the password of an Active Directory account. |
| Get-ADAccountResultantPasswordReplicationPolicy | Gets the resultant password replication policy for an Active Directory account. |
| Get-ADComputer | Gets one or more Active Directory computers. |
| New-ADComputer | Creates a new Active Directory computer. |
| Remove-ADComputer | Removes an Active Directory computer. |
| Set-ADComputer | Modifies an Active Directory computer. |
| Add-ADComputerServiceAccount | Adds one or more service accounts to an Active Directory computer. |
| Get-ADComputerServiceAccount | Gets the service accounts that are hosted by an Active Directory computer. |
| Remove-ADComputerServiceAccount | Removes one or more service accounts from a computer. |
| Get-ADDefaultDomainPasswordPolicy | Gets the default password policy for an Active Directory domain. |
| Set-ADDefaultDomainPasswordPolicy | Modifies the default password policy for an Active Directory domain. |
| Move-ADDirectoryServer | Moves a domain controller in AD DS to a new site. |
| Move-ADDirectoryServerOperationMasterRole | Moves operation master (also known as flexible single master operations or FSMO) roles to an Active Directory domain controller. |
| Get-ADDomain | Gets an Active Directory domain. |
| Set-ADDomain | Modifies an Active Directory domain. |
| Get-ADDomainController | Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name. |
| Add-ADDomainControllerPasswordReplicationPolicy | Adds users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP). |
| Get-ADDomainControllerPasswordReplicationPolicy | Gets the members of the Allowed List or the Denied List of the RODC PRP. |
| Remove-ADDomainControllerPasswordReplicationPolicy | Removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP. |
| Get-ADDomainControllerPasswordReplicationPolicyUsage | Gets the resultant password policy of the specified ADAccount on the specified RODC. |
| Set-ADDomainMode | Sets the domain functional level for an Active Directory domain. |
| Get-ADFineGrainedPasswordPolicy | Gets one or more Active Directory fine-grained password policies. |
| New-ADFineGrainedPasswordPolicy | Creates a new Active Directory fine-grained password policy. |
| Remove-ADFineGrainedPasswordPolicy | Removes an Active Directory fine-grained password policy. |
| Set-ADFineGrainedPasswordPolicy | Modifies an Active Directory fine-grained password policy. |
| Add-ADFineGrainedPasswordPolicySubject | Applies a fine-grained password policy to one or more users and groups. |
| Get-ADFineGrainedPasswordPolicySubject | Gets the users and groups to which a fine-grained password policy is applied. |
| Remove-ADFineGrainedPasswordPolicySubject | Removes one or more users from a fine-grained password policy. |
| Get-ADForest | Gets an Active Directory forest. |
| Set-ADForest | Modifies an Active Directory forest. |
| Set-ADForestMode | Sets the forest mode for an Active Directory forest. |
| Get-ADGroup | Gets one or more Active Directory groups. |
| New-ADGroup | Creates an Active Directory group. |
| Remove-ADGroup | Removes an Active Directory group. |
| Set-ADGroup | Modifies an Active Directory group. |
| Add-ADGroupMember | Adds one or more members to an Active Directory group. |
| Get-ADGroupMember | Gets the members of an Active Directory group. |
| Remove-ADGroupMember | Removes one or more members from an Active Directory group. |
| Get-ADObject | Gets one or more Active Directory objects. |
| Move-ADObject | Moves an Active Directory object or a container of objects to a different container or domain. |
| New-ADObject | Creates an Active Directory object. |
| Remove-ADObject | Removes an Active Directory object. |
| Rename-ADObject | Changes the name of an Active Directory object. |
| Restore-ADObject | Restores an Active Directory object. |
| Set-ADObject | Modifies an Active Directory object. |
| Disable-ADOptionalFeature | Disables an Active Directory optional feature. |
| Enable-ADOptionalFeature | Enables an Active Directory optional feature. |
| Get-ADOptionalFeature | Gets one or more Active Directory optional features. |
| Get-ADOrganizationalUnit | Gets one or more Active Directory OUs. |
| New-ADOrganizationalUnit | Creates a new Active Directory OU. |
| Remove-ADOrganizationalUnit | Removes an Active Directory OU. |
| Set-ADOrganizationalUnit | Modifies an Active Directory OU. |
| Add-ADPrincipalGroupMembership | Adds a member to one or more Active Directory groups. |
| Get-ADPrincipalGroupMembership | Gets the Active Directory groups that have a specified user, computer, or group. |
| Remove-ADPrincipalGroupMembership | Removes a member from one or more Active Directory groups. |
| Get-ADRootDSE | Gets the root of a domain controller information tree. |
| Get-ADServiceAccount | Gets one or more Active Directory service accounts. |
| Install-ADServiceAccount | Installs an Active Directory service account on a computer. |
| New-ADServiceAccount | Creates a new Active Directory service account. |
| Remove-ADServiceAccount | Removes an Active Directory service account. |
| Set-ADServiceAccount | Modifies an Active Directory service account. |
| Uninstall-ADServiceAccount | Uninstalls an Active Directory service account from a computer. |
| Reset-ADServiceAccountPassword | Resets the service account password for a computer. |
| Get-ADUser | Gets one or more Active Directory users. |
| New-ADUser | Creates a new Active Directory user. |
| Remove-ADUser | Removes an Active Directory user. |
| Set-ADUser | Modifies an Active Directory user. |
| Get-ADUserResultantPasswordPolicy | Gets the resultant password policy for a user. |
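As an added example that is not part of the original page, the following read-only hygiene check strings several of the cmdlets in the table together: it finds enabled users that have not logged on within a window, lists enabled users whose password never expires together with the policy that actually governs each one (a fine-grained policy where one applies, otherwise the domain default), and previews the disable action with -WhatIf. The OU DN and the 90-day window are placeholders.

```powershell
# Added example (not from the original page). Placeholders: the OU DN and the window.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=corp,DC=example,DC=com'   # assumed OU to audit
$window     = New-TimeSpan -Days 90

# 1. Enabled users with no logon inside the window. Search-ADAccount evaluates
#    lastLogonTimestamp, which replicates with a delay of up to 14 days by design.
$stale = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly `
             -SearchBase $searchBase | Where-Object { $_.Enabled }

# 2. Enabled users whose password never expires, and the policy that really applies.
#    Get-ADUserResultantPasswordPolicy returns nothing when no fine-grained policy
#    covers the user, so fall back to Get-ADDefaultDomainPasswordPolicy.
$default = Get-ADDefaultDomainPasswordPolicy
$report  = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -SearchBase $searchBase -Properties PasswordNeverExpires, PasswordLastSet |
    ForEach-Object {
        $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $_
        $policy = if ($fgpp) { $fgpp } else { $default }
        New-Object PSObject -Property @{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            EffectivePolicy = $(if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' })
            MaxPasswordAge  = $policy.MaxPasswordAge
        }
    }

# 3. Findings. The only write operation is simulated with -WhatIf, so the run is
#    safe to review before anyone decides to act on it.
$stale  | Select-Object SamAccountName, LastLogonDate
$report | Sort-Object SamAccountName | Format-Table -AutoSize
$stale  | Disable-ADAccount -WhatIf
```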
Note
To list all the cmdlets that are available in the Active Directory module, run Get-Command -Module ActiveDirectory.
For more information about any of the Active Directory module cmdlets, or for its syntax, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:
Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Full
Get-Help <cmdlet name> -Examples
How should I prepare to deploy the Active Directory module?
You can install the Active Directory module by using any of the following methods:
By default, on a Windows Server 2008 R2 or Windows Server 2012 server when you install the AD DS or AD LDS server roles
By default, when you make a Windows Server 2008 R2 or Windows Server 2012 server a domain controller by running Dcpromo.exe
Note
In Windows Server 2012, Dcpromo.exe is deprecated, and AD DS is installed through Server Manager or by using Windows PowerShell commands. For more information, see Install Active Directory Domain Services.
As part of the RSAT feature on a Windows Server 2008 R2 or Windows Server 2012 server
As part of the RSAT feature on a Windows 7 or Windows 8 Release Preview computer
Important
If you want to use Active Directory module in Windows 7 or Windows 8 Release Preview to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008 R2 or Windows Server 2012 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 or Windows Server 2012 server.
By default, the Active Directory module is installed with the following features:
Windows PowerShell
The Microsoft .NET Framework 3.5.1 or 4.5
For the Active Directory module to function correctly, Windows PowerShell and the .NET Framework 3.5.1 or 4.5 must be installed.
If you want to use the Active Directory module to manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, the Active Directory Web Services (ADWS) service must be installed on at least one domain controller in this domain or on one server that hosts your AD LDS instance. For more information about ADWS, see What's New in AD DS: Active Directory Web Services.
Warning
To function correctly, the Active Directory module relies on ADWS service, which requires TCP port 9389 to be open on the domain controller where ADWS service is running. If you configure your firewall by using a Group Policy object (GPO), you must update the GPO to make sure that this port is open for ADWS.
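As an added example that is not part of the original page, the following script locates a domain controller that advertises ADWS and proves that TCP port 9389 on it is reachable from the management host before any module cmdlet is relied on. The domain name corp.example.com is a placeholder; Test-AdwsPort is a helper defined here, not a module cmdlet.

```powershell
# Added example (not from the original page). Placeholder: the domain name.
Import-Module ActiveDirectory
$domain = 'corp.example.com'

# -Discover goes through the DC locator (Netlogon), so it works even while ADWS is
# unreachable; -Service ADWS limits the answer to DCs that register the ADWS service,
# which only Windows Server 2008 R2 and later domain controllers do.
$dc     = Get-ADDomainController -Discover -DomainName $domain -Service ADWS
$dcHost = [string]$dc.HostName

function Test-AdwsPort {
    param([string]$ComputerName, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout. No dependency on Test-NetConnection, so it
    # also runs on Windows 7 / Windows Server 2008 R2 management hosts.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$open = Test-AdwsPort -ComputerName $dcHost
'ADWS on {0}: TCP 9389 {1}' -f $dcHost, $(if ($open) { 'reachable' } else { 'blocked' })

if ($open) {
    # Pin the session to that DC; the service state confirms ADWS itself is running.
    Get-Service -Name ADWS -ComputerName $dcHost | Select-Object MachineName, Status
    Get-ADDomain -Server $dcHost | Select-Object DNSRoot, DomainMode, PDCEmulator
} else {
    'Allow inbound TCP 9389 on the DC, in the local firewall or in the GPO that manages it.'
}
```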
Note
In Windows Server 2008 R2, after the Active Directory module is installed, start it by clicking Start, pointing to Administrative Tools, and then clicking Active Directory Module for Windows PowerShell. You can also load the Active Directory module manually by running the Import-Module ActiveDirectory command at the Windows PowerShell prompt. In Windows Server 2012, the Active Directory module for Windows PowerShell can be opened from its Start screen tile, and module autoloading lets you use Active Directory PowerShell commands without first importing the module into your Windows PowerShell session.
Which editions include the Active Directory module?
The Active Directory module is available in the following editions of Windows and Windows Server:
Windows Server 2012 Foundation
Windows Server 2012 Standard
Windows Server 2012 Datacenter
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows 7
The Active Directory module is not available in the following editions of Windows Server:
Windows Server 2008 R2 for Itanium-Based Systems
Windows Web Server 2008 R2
Additional references
For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).