ActiveDirectory

The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

If you don't have the Active Directory module installed on your machine, you need to download the correct Remote Server Administration Tools (RSAT) package for your OS. If you're running Windows 7, you will also need to run the Import-Module ActiveDirectory command from an elevated PowerShell prompt. For more detail, see RSAT for Windows operating systems. Starting with the Windows 10 October 2018 Update, RSAT is included in Windows 10 as a set of Features on Demand. Instead of downloading an RSAT package, go to Manage optional features in Settings and click Add a feature to see the list of available RSAT tools. Select and install the specific RSAT tools you need. To see installation progress, click the Back button to view status on the Manage optional features page.

If you want to use this module in PowerShell 7, see PowerShell 7 module compatibility.

Add-ADCentralAccessPolicyMember

Adds central access rules to a central access policy in Active Directory.

Add-ADComputerServiceAccount

Adds one or more service accounts to an Active Directory computer.

Add-ADDomainControllerPasswordReplicationPolicy

Adds users, computers, and groups to the allowed or denied list of a read-only domain controller password replication policy.

Add-ADFineGrainedPasswordPolicySubject

Applies a fine-grained password policy to one or more users and groups.

Add-ADGroupMember

Adds one or more members to an Active Directory group.

Add-ADPrincipalGroupMembership

Adds a member to one or more Active Directory groups.

Add-ADResourcePropertyListMember

Adds one or more resource properties to a resource property list in Active Directory.

Clear-ADAccountExpiration

Clears the expiration date for an Active Directory account.

Clear-ADClaimTransformLink

Removes a claims transformation from being applied to one or more cross-forest trust relationships in Active Directory.

Complete-ADServiceAccountMigration

Completes the migration process and supersedes a normal user account to a delegated managed service account.

Disable-ADAccount

Disables an Active Directory account.

Disable-ADOptionalFeature

Disables an Active Directory optional feature.

Enable-ADAccount

Enables an Active Directory account.

Enable-ADOptionalFeature

Enables an Active Directory optional feature.

Get-ADAccountAuthorizationGroup

Gets the account's token group information.

Get-ADAccountResultantPasswordReplicationPolicy

Gets the resultant password replication policy for an Active Directory account.

Get-ADAuthenticationPolicy

Gets one or more Active Directory Domain Services authentication policies.

Get-ADAuthenticationPolicySilo

Gets one or more Active Directory Domain Services authentication policy silos.

Get-ADCentralAccessPolicy

Retrieves central access policies from Active Directory.

Get-ADCentralAccessRule

Retrieves central access rules from Active Directory.

Get-ADClaimTransformPolicy

Returns one or more Active Directory claim transform objects based on a specified filter.

Get-ADClaimType

Returns a claim type from Active Directory.

Get-ADComputer

Gets one or more Active Directory computers.

Get-ADComputerServiceAccount

Gets the service accounts hosted by a computer.

Get-ADDCCloningExcludedApplicationList

Gets a list of installed programs and services present on this domain controller that are not in the default or user-defined inclusion list.

Get-ADDefaultDomainPasswordPolicy

Gets the default password policy for an Active Directory domain.

Get-ADDomain

Gets an Active Directory domain.

Get-ADDomainController

Gets one or more Active Directory domain controllers based on discoverable services criteria or search parameters, or by providing a domain controller identifier, such as the NetBIOS name.

Get-ADDomainControllerPasswordReplicationPolicy

Gets the members of the allowed list or denied list of a read-only domain controller's password replication policy.

Get-ADDomainControllerPasswordReplicationPolicyUsage

Gets the Active Directory accounts that are authenticated by a read-only domain controller or that are in the revealed list of the domain controller.

Get-ADFineGrainedPasswordPolicy

Gets one or more Active Directory fine-grained password policies.

Get-ADFineGrainedPasswordPolicySubject

Gets the users and groups to which a fine-grained password policy is applied.

Get-ADForest

Gets an Active Directory forest.

Get-ADGroup

Gets one or more Active Directory groups.

Get-ADGroupMember

Gets the members of an Active Directory group.

Get-ADObject

Gets one or more Active Directory objects.

Get-ADOptionalFeature

Gets one or more Active Directory optional features.

Get-ADOrganizationalUnit

Gets one or more Active Directory organizational units.

Get-ADPrincipalGroupMembership

Gets the Active Directory groups that have a specified user, computer, group, or service account as a member.

Get-ADReplicationAttributeMetadata

Gets the replication metadata for one or more Active Directory replication partners.

Get-ADReplicationConnection

Returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter.

Get-ADReplicationFailure

Returns a collection of data describing an Active Directory replication failure.

Get-ADReplicationPartnerMetadata

Returns the replication metadata for a set of one or more replication partners.

Get-ADReplicationQueueOperation

Returns the contents of the replication queue for a specified server.

Get-ADReplicationSite

Returns a specific Active Directory replication site or a set of replication site objects based on a specified filter.

Get-ADReplicationSiteLink

Returns a specific Active Directory site link or a set of site links based on a specified filter.

Get-ADReplicationSiteLinkBridge

Gets a specific Active Directory site link bridge or a set of site link bridge objects based on a specified filter.

Get-ADReplicationSubnet

Gets one or more Active Directory subnets.

Get-ADReplicationUpToDatenessVectorTable

Displays the highest Update Sequence Number (USN) for the specified domain controller.

Get-ADResourceProperty

Gets one or more resource properties.

Get-ADResourcePropertyList

Gets resource property lists from Active Directory.

Get-ADResourcePropertyValueType

Gets a resource property value type from Active Directory.

Get-ADRootDSE

Gets the root of a directory server information tree.

Get-ADServiceAccount

Gets one or more Active Directory managed service accounts or group managed service accounts.

Get-ADTrust

Gets all trusted domain objects in the directory.

Get-ADUser

Gets one or more Active Directory users.

Get-ADUserResultantPasswordPolicy

Gets the resultant password policy for a user.

Grant-ADAuthenticationPolicySiloAccess

Grants permission to join an authentication policy silo.

Install-ADServiceAccount

Installs an Active Directory managed service account on a computer or caches a group managed service account on a computer.

Move-ADDirectoryServer

Moves a directory server in Active Directory to a new site.

Move-ADDirectoryServerOperationMasterRole

Moves operation master roles to an Active Directory directory server.

Move-ADObject

Moves an Active Directory object or a container of objects to a different container or domain.

New-ADAuthenticationPolicy

Creates an Active Directory Domain Services authentication policy object.

New-ADAuthenticationPolicySilo

Creates an Active Directory Domain Services authentication policy silo object.

New-ADCentralAccessPolicy

Creates a new central access policy in Active Directory containing a set of central access rules.

New-ADCentralAccessRule

Creates a central access rule in Active Directory.

New-ADClaimTransformPolicy

Creates a new claim transformation policy object in Active Directory.

New-ADClaimType

Creates a new claim type in Active Directory.

New-ADComputer

Creates a new Active Directory computer object.

New-ADDCCloneConfigFile

Performs prerequisite checks for cloning a domain controller and generates a clone configuration file if all checks succeed.

New-ADFineGrainedPasswordPolicy

Creates a new Active Directory fine-grained password policy.

New-ADGroup

Creates an Active Directory group.

New-ADObject

Creates an Active Directory object.

New-ADOrganizationalUnit

Creates an Active Directory organizational unit.

New-ADReplicationSite

Creates an Active Directory replication site in the directory.

New-ADReplicationSiteLink

Creates a new Active Directory site link for managing replication.

New-ADReplicationSiteLinkBridge

Creates a site link bridge in Active Directory for replication.

New-ADReplicationSubnet

Creates an Active Directory replication subnet object.

New-ADResourceProperty

Creates a resource property in Active Directory.

New-ADResourcePropertyList

Creates a resource property list in Active Directory.

New-ADServiceAccount

Creates a new Active Directory managed service account or group managed service account object.

New-ADUser

Creates an Active Directory user.

Remove-ADAuthenticationPolicy

Removes an Active Directory Domain Services authentication policy object.

Remove-ADAuthenticationPolicySilo

Removes an Active Directory Domain Services authentication policy silo object.

Remove-ADCentralAccessPolicy

Removes a central access policy from Active Directory.

Remove-ADCentralAccessPolicyMember

Removes central access rules from a central access policy in Active Directory.

Remove-ADCentralAccessRule

Removes a central access rule from Active Directory.

Remove-ADClaimTransformPolicy

Removes a claim transformation policy object from Active Directory.

Remove-ADClaimType

Removes a claim type from Active Directory.

Remove-ADComputer

Removes an Active Directory computer.

Remove-ADComputerServiceAccount

Removes one or more service accounts from a computer.

Remove-ADDomainControllerPasswordReplicationPolicy

Removes users, computers, and groups from the allowed or denied list of a read-only domain controller password replication policy.

Remove-ADFineGrainedPasswordPolicy

Removes an Active Directory fine-grained password policy.

Remove-ADFineGrainedPasswordPolicySubject

Removes one or more users from a fine-grained password policy.

Remove-ADGroup

Removes an Active Directory group.

Remove-ADGroupMember

Removes one or more members from an Active Directory group.

Remove-ADObject

Removes an Active Directory object.

Remove-ADOrganizationalUnit

Removes an Active Directory organizational unit.

Remove-ADPrincipalGroupMembership

Removes a member from one or more Active Directory groups.

Remove-ADReplicationSite

Deletes the specified replication site object from Active Directory.

Remove-ADReplicationSiteLink

Deletes an Active Directory site link used to manage replication.

Remove-ADReplicationSiteLinkBridge

Deletes a replication site link bridge from Active Directory.

Remove-ADReplicationSubnet

Deletes the specified Active Directory replication subnet object from the directory.

Remove-ADResourceProperty

Removes a resource property from Active Directory.

Remove-ADResourcePropertyList

Removes one or more resource property lists from Active Directory.

Remove-ADResourcePropertyListMember

Removes one or more resource properties from a resource property list in Active Directory.

Remove-ADServiceAccount

Removes an Active Directory managed service account or group managed service account object.

Remove-ADUser

Removes an Active Directory user.

Rename-ADObject

Changes the name of an Active Directory object.

Reset-ADServiceAccountMigration

Resets the state of a migration to a delegated managed service account and unlinks the delegated managed service account from the user account.

Reset-ADServiceAccountPassword

Resets the password for a standalone managed service account.

Restore-ADObject

Restores an Active Directory object.

Revoke-ADAuthenticationPolicySiloAccess

Revokes membership in an authentication policy silo for the specified account.

Search-ADAccount

Gets Active Directory user, computer, or service accounts.

Set-ADAccountAuthenticationPolicySilo

Modifies the authentication policy or authentication policy silo of an account.

Set-ADAccountControl

Modifies user account control (UAC) values for an Active Directory account.

Set-ADAccountExpiration

Sets the expiration date for an Active Directory account.

Set-ADAccountPassword

Modifies the password of an Active Directory account.

Set-ADAuthenticationPolicy

Modifies an Active Directory Domain Services authentication policy object.

Set-ADAuthenticationPolicySilo

Modifies an Active Directory Domain Services authentication policy silo object.

Set-ADCentralAccessPolicy

Modifies a central access policy in Active Directory.

Set-ADCentralAccessRule

Modifies a central access rule in Active Directory.

Set-ADClaimTransformLink

Applies a claims transformation to one or more cross-forest trust relationships in Active Directory.

Set-ADClaimTransformPolicy

Sets the properties of a claims transformation policy in Active Directory.

Set-ADClaimType

Modifies a claim type in Active Directory.

Set-ADComputer

Modifies an Active Directory computer object.

Set-ADDefaultDomainPasswordPolicy

Modifies the default password policy for an Active Directory domain.

Set-ADDomain

Modifies an Active Directory domain.

Set-ADDomainMode

Sets the domain mode for an Active Directory domain.

Set-ADFineGrainedPasswordPolicy

Modifies an Active Directory fine-grained password policy.

Set-ADForest

Modifies an Active Directory forest.

Set-ADForestMode

Sets the forest mode for an Active Directory forest.

Set-ADGroup

Modifies an Active Directory group.

Set-ADObject

Modifies an Active Directory object.

Set-ADOrganizationalUnit

Modifies an Active Directory organizational unit.

Set-ADReplicationConnection

Sets properties on Active Directory replication connections.

Set-ADReplicationSite

Sets the replication properties for an Active Directory site.

Set-ADReplicationSiteLink

Sets the properties for an Active Directory site link.

Set-ADReplicationSiteLinkBridge

Sets the properties of a replication site link bridge in Active Directory.

Set-ADReplicationSubnet

Sets the properties of an Active Directory replication subnet object.

Set-ADResourceProperty

Modifies a resource property in Active Directory.

Set-ADResourcePropertyList

Modifies a resource property list in Active Directory.

Set-ADServiceAccount

Modifies an Active Directory managed service account or group managed service account object.

Set-ADUser

Modifies an Active Directory user.

Show-ADAuthenticationPolicyExpression

Displays the Edit Access Control Conditions window to update or create Security Descriptor Definition Language (SDDL) security descriptors.

Start-ADServiceAccountMigration

Starts the migration process by linking a normal user account to a delegated managed service account.

Sync-ADObject

Replicates a single object between any two domain controllers that have partitions in common.

Test-ADServiceAccount

Tests a managed service account from a computer.

Undo-ADServiceAccountMigration

Reverts the previous migration phase of a migration to a delegated managed service account. If the migration process is currently in the start phase, the accounts are unlinked from each other. If the migration is in the completed phase, it returns to the state in the start phase.

Uninstall-ADServiceAccount

Uninstalls an Active Directory managed service account from a computer or removes a cached group managed service account from a computer.

Unlock-ADAccount

Unlocks an Active Directory account.