What's New in Active Directory Domain Services (AD DS) in Windows Server 2008 R2: Active Directory PowerShell

What's New in Active Directory Doma...

What's New in AD DS: Active Directory Module for Windows PowerShell

Updated: January 9, 2009

Applies To: Windows Server 2008 R2

What are the major changes?

The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services.

What does the Active Directory module do?

Windows PowerShell™ is a command-line shell and scripting language that can help information technology (IT) professionals control system administration more easily and achieve greater productivity.

The Active Directory module in Windows Server 2008 R2 is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

In Windows Server 2000, Windows Server 2003, and Windows Server 2008, administrators used a variety of command-line tools and Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains and AD LDS configuration sets to monitor and manage them. The Active Directory module in Windows Server 2008 R2 now provides a centralized experience for administering your directory service.

Who will be interested in this feature?

The following groups might be interested in the Active Directory module:

Early adopters of Windows Server 2008 R2 and IT planners and analysts who are technically evaluating Windows Server 2008 R2
Enterprise IT planners and designers
Active Directory Domain Services (AD DS) management teams
AD DS administrators

Are there any special considerations?

The Active Directory module can be installed only on computers that are running Windows Server 2008 R2. The Active Directory module cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008.
You can also install the Active Directory module on Windows 7 as part of Windows Server 2008 R2 Remote Server Administration Tools (RSAT). However, if you want to install the Active Directory module on Windows 7 to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008 R2 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 server.

What new functionality does the Active Directory module provide?

The Active Directory module consists of the Active Directory module provider and the Active Directory module cmdlets.

Active Directory module provider

Administrators can use the Active Directory module provider to easily navigate and access data that is stored in Active Directory domains, Active Directory Database Mounting Tool instances, and AD LDS instances and configuration sets. The Active Directory module provider exposes the Active Directory database through a hierarchical navigation system, which is very similar to the file system. For example, while you are using the Active Directory module, you can use the following commands to navigate through your directory:

cd
dir
remove
.
..

You can use the Active Directory module provider to map Active Directory domains, AD LDS instances, and Active Directory Database Mounting Tool instances to specific provider drives. When the Active Directory module is first loaded, a default Active Directory drive (AD:) is mounted. To connect to that drive, run the cd AD: command. To connect a new provider drive to an Active Directory domain, an AD LDS server, or an Active Directory Database Mounting Tool instance, you can use the following cmdlet:

New-PSDrive -Name <name of the drive> -PSProvider ActiveDirectory -Root "<DN of the partition/NC>" –Server <server or domain name (NetBIOS/FQDN)[:port number]> -Credential <domain name>\<username>

Parameter	Description
-Name <name of the drive>	Specifies the name of the drive that is being added.
-PSProvider ActiveDirectory	The name of the provider, in this case, ActiveDirectory.
-Root "<DN of the partition/NC>"	Specifies the internal root or path of the provider.
–Server <server or domain name (NetBIOS/FQDN)[:port number]>	Specifies the server that hosts your Active Directory domain or an AD LDS instance.
-Credential <domain name>\<username>	Specifies the credentials that you must have to connect to the Active Directory domain or the AD LDS server.

Active Directory module cmdlets

You can use the Active Directory module cmdlets to perform various administrative, configuration, and diagnostic tasks in your AD DS and AD LDS environments. In this release of Windows Server 2008 R2, you can use the Active Directory module to manage existing Active Directory user and computer accounts, groups, organizational units (OUs), domains and forests, domain controllers, and password policies, or to create new ones.

The following table lists all the cmdlets that are available in this release of the Active Directory module in Windows Server 2008 R2.

Cmdlet	Description
Disable-ADAccount	Disables an Active Directory account.
Enable-ADAccount	Enables an Active Directory account.
Search-ADAccount	Gets Active Directory user, computer, and service accounts.
Unlock-ADAccount	Unlocks an Active Directory account.
Get-ADAccountAuthorizationGroup	Gets the Active Directory security groups that contain an account.
Set-ADAccountControl	Modifies user account control (UAC) values for an Active Directory account.
Clear-ADAccountExpiration	Clears the expiration date for an Active Directory account.
Set-ADAccountExpiration	Sets the expiration date for an Active Directory account.
Set-ADAccountPassword	Modifies the password of an Active Directory account.
Get-ADAccountResultantPasswordReplicationPolicy	Gets the resultant password replication policy for an Active Directory account.
Get-ADComputer	Gets one or more Active Directory computers.
New-ADComputer	Creates a new Active Directory computer.
Remove-ADComputer	Removes an Active Directory computer.
Set-ADComputer	Modifies an Active Directory computer.
Add-ADComputerServiceAccount	Adds one or more service accounts to an Active Directory computer.
Get-ADComputerServiceAccount	Gets the service accounts that are hosted by an Active Directory computer.
Remove-ADComputerServiceAccount	Removes one or more service accounts from a computer.
Get-ADDefaultDomainPasswordPolicy	Gets the default password policy for an Active Directory domain.
Set-ADDefaultDomainPasswordPolicy	Modifies the default password policy for an Active Directory domain.
Move-ADDirectoryServer	Moves a domain controller in AD DS to a new site.
Move-ADDirectoryServerOperationMasterRole	Moves operation master (also known as flexible single master operations or FSMO) roles to an Active Directory domain controller.
Get-ADDomain	Gets an Active Directory domain.
Set-ADDomain	Modifies an Active Directory domain.
Get-ADDomainController	Gets one or more Active Directory domain controllers, based on discoverable services criteria, search parameters, or by providing a domain controller identifier, such as the NetBIOS name.
Add-ADDomainControllerPasswordReplicationPolicy	Adds users, computers, and groups to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP).
Get-ADDomainControllerPasswordReplicationPolicy	Gets the members of the Allowed List or the Denied List of the RODC PRP.
Remove-ADDomainControllerPasswordReplicationPolicy	Removes users, computers, and groups from the Allowed List or the Denied List of the RODC PRP.
Get-ADDomainControllerPasswordReplicationPolicyUsage	Gets the resultant password policy of the specified ADAccount on the specified RODC.
Set-ADDomainMode	Sets the domain functional level for an Active Directory domain.
Get-ADFineGrainedPasswordPolicy	Gets one or more Active Directory fine-grained password policies.
New-ADFineGrainedPasswordPolicy	Creates a new Active Directory fine-grained password policy.
Remove-ADFineGrainedPasswordPolicy	Removes an Active Directory fine-grained password policy.
Set-ADFineGrainedPasswordPolicy	Modifies an Active Directory fine-grained password policy.
Add-ADFineGrainedPasswordPolicySubject	Applies a fine-grained password policy to one more users and groups.
Get-ADFineGrainedPasswordPolicySubject	Gets the users and groups to which a fine-grained password policy is applied.
Remove-ADFineGrainedPasswordPolicySubject	Removes one or more users from a fine-grained password policy.
Get-ADForest	Gets an Active Directory forest.
Set-ADForest	Modifies an Active Directory forest.
Set-ADForestMode	Sets the forest mode for an Active Directory forest.
Get-ADGroup	Gets one or more Active Directory groups.
New-ADGroup	Creates an Active Directory group.
Remove-ADGroup	Removes an Active Directory group.
Set-ADGroup	Modifies an Active Directory group.
Add-ADGroupMember	Adds one or more members to an Active Directory group.
Get-ADGroupMember	Gets the members of an Active Directory group.
Remove-ADGroupMember	Removes one or more members from an Active Directory group.
Get-ADObject	Gets one or more Active Directory objects.
Move-ADObject	Moves an Active Directory object or a container of objects to a different container or domain.
New-ADObject	Creates an Active Directory object.
Remove-ADObject	Removes an Active Directory object.
Rename-ADObject	Changes the name of an Active Directory object.
Restore-ADObject	Restores an Active Directory object.
Set-ADObject	Modifies an Active Directory object.
Disable-ADOptionalFeature	Disables an Active Directory optional feature.
Enable-ADOptionalFeature	Enables an Active Directory optional feature.
Get-ADOptionalFeature	Gets one or more Active Directory optional features.
Get-ADOrganizationalUnit	Gets one or more Active Directory OUs.
New-ADOrganizationalUnit	Creates a new Active Directory OU.
Remove-ADOrganizationalUnit	Removes an Active Directory OU.
Set-ADOrganizationalUnit	Modifies an Active Directory OU.
Add-ADPrincipalGroupMembership	Adds a member to one or more Active Directory groups.
Get-ADPrincipalGroupMembership	Gets the Active Directory groups that have a specified user, computer, or group.
Remove-ADPrincipalGroupMembership	Removes a member from one or more Active Directory groups.
Get-ADRootDSE	Gets the root of a domain controller information tree.
Get-ADServiceAccount	Gets one or more Active Directory service accounts.
Install-ADServiceAccount	Installs an Active Directory service account on a computer.
New-ADServiceAccount	Creates a new Active Directory service account.
Remove-ADServiceAccount	Remove an Active Directory service account.
Set-ADServiceAccount	Modifies an Active Directory service account.
Uninstall-ADServiceAccount	Uninstalls an Active Directory service account from a computer.
Reset-ADServiceAccountPassword	Resets the service account password for a computer.
Get-ADUser	Gets one or more Active Directory users.
New-ADUser	Creates a new Active Directory user.
Remove-ADUser	Removes an Active Directory user.
Set-ADUser	Modifies an Active Directory user.
Get-ADUserResultantPasswordPolicy	Gets the resultant password policy for a user.

Note
To list all the cmdlets that are available in the Active Directory module, use the Get-Command -AD cmdlet.

For more information about—or for the syntax for—any of the Active Directory module cmdlets, use the Get-Help <cmdlet name> cmdlet, where <cmdlet name> is the name of the cmdlet that you want to research. For more detailed information, you can run any of the following cmdlets:

Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Full
Get-Help <cmdlet name> -Detailed
Get-Help <cmdlet name> -Examples

How should I prepare to deploy the Active Directory module?

You can install the Active Directory module by using any of the following methods:

By default, on a Windows Server 2008 R2 server when you install the AD DS or AD LDS server roles
By default, when you make a Windows Server 2008 R2 server a domain controller by running Dcpromo.exe
As part of the RSAT feature on a Windows Server 2008 R2 server

As part of the RSAT feature on a Windows 7 computer

Important
If you want to use Active Directory module in Windows 7 to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008 R2 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 server.

By default, the Active Directory module is installed with the following features:
- Windows PowerShell
- The Microsoft .NET Framework 3.5.1
For the Active Directory module to function correctly, Windows PowerShell and the .NET Framework 3.5.1 must be installed on your Windows Server 2008 R2 or Windows 7 computer.

If you want to use the Active Directory module to manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, the Windows Server 2008 R2 Active Directory Web Services (ADWS) service must be installed on at least one domain controller in this domain or on one server that hosts your AD LDS instance. For more information about ADWS, see What's New in AD DS: Active Directory Web Services.

Warning
To function correctly, the Active Directory module relies on ADWS service, which requires TCP port 9389 to be open on the domain controller where ADWS service is running. If you configure your firewall by using a Group Policy object (GPO), you must update the GPO to make sure that this port is open for ADWS.

Note
When the Active Directory module is installed, to start it click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. You can also load the Active Directory module manually by running the Import-Module ActiveDirectory command at the Windows PowerShell prompt.

Which editions include the Active Directory module?

The Active Directory module is available in the following editions of Windows Server 2008 R2 and Windows 7:

Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows 7

The Active Directory module is not available in the following editions of Windows Server 2008 R2:

Windows Server 2008 R2 for Itanium-Based Systems
Windows Web Server 2008 R2

Additional references

For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).