A problem is just a solution waiting to be found

PowerShell Active Directory Module on Windows 10

Posted on by Remy Kuster

The PowerShell active directory module allows you to do the following things:

  • Manage and automate standard domain-related tasks
  • Check domain user Active Directory attributes and group memberships on the users workstation, if installed on users workstation (described in this post)

Requirements

The PowerShell Active Directory Module for Windows 10 is part of the Remote Server Administration Tools (RSAT) a feature on demand on Windows 10.
From Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients. Instead, you need to download them directly from Windows Update.

If you’re using SCCM or WSUS for your software updates, you need to set a few Group Policy settings that lets clients download these directly from Windows Update instead of your on-premise infrastructure. Without these group policy settings, all your installation tentative will fail with error 0x800f0954 or 0x8024002E. This is because your client will check on your on-premise servers instead of Microsoft Update and won’t be able to find the feature.

The windows version used for this post was Windows 10 1809 enterprise.

Lets put it in action

Set the following gpo setting: Enable the Specify settings for optional component installation and component repair policy

  • Open your group policy editor
  • Navigate to Configuration\Administrative Templates\System
  • Enable the Specify settings for optional component installation and component repair policy
  • Check Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

Check if the following gpo setting: Turn off access to all Windows Updates Feature policy is set to enabled.

If the gpo is set to enabled:

  • Open your group policy editor
  • Navigate to Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\
  • Disable the Turn off access to all Windows Updates Features policy
Turn off access to all Windows update features Group policy setting

If you set the gpo above to disabled it could be possible that the users will see the following option in Windows Update settings:

Check online for updates from Microsoft Update.

To prevent users checking for updates with Microsoft set the following gpo Remove access to use All Windows Updates features:

  • Open your group policy editor
  • Navigate to Configuration\Administrative Templates\Windows Components\Windows Update\
  • Enable the Remove access to use All Windows Updates features

Now you can enable the powershell active directory module by installing a feature on demand: RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.

You can do this with the Run Script feature in MECM (SCCM).

Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0”

Theme: Overlay by Kaira