Powershell AD module not installed but RSAT feature is installed

Question

Objective

• Local User Password change without admin rights -> Powershell AD Methods
• Logging on a distant PC using Remote Desktop Connection (RDP), on this PC the password shall be changed

Problem

• AD Module not recognized (cmdlet... error)
• Installed RSAT AD LDS via RDP and the windows "manage optional features" approach
• RSAT AD LDS is installed
• Powershell still does not know about AD module (get-aduser not working)
• Activated LDS in "turn on/off features" (https://i.ibb.co/WxF35VD/Capture.png)
• Powershell still does not find AD module (get-aduser not working)
• Listing "Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State" reveals that AD LDS tools are installed

Question

• Somehow, the tools are installed but there is no ActiveDirectory module in the powershell folder
• Am I missing a point somewhere?

Answer 1

• AFAIK, you won’t be able to make changes, i.e., add the RSAT roles required through ‘Programs and features’ section in Control Panel from Windows 8 and later versions. For this purpose and more clarity, kindly refer to the official documentation below for details: -

https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools

Thus, if your client Windows systems version is beyond Windows 8, then you would not be able to install the various roles and features as required under the ‘RSAT’ feature of optional feature in the Control Panel, rather you would need to install the RSAT’s various features regarding Windows Server roles through ‘Start --> Settings --> Apps --> Apps and Features --> Optional features’ section. Hence, from here, you can install any RSAT feature that you want to in your Windows 10 client system.

• Would suggest you to please execute the below cmdlet through an elevated console of Powershell on your Windows 10 client system and check again. It should be installed successfully. Also, do not forget to restart the system once the RSAT roles have been installed successfully, it would help to get the modified registry flags to get into effect: -

   Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

Once the above command has been executed successfully, please ensure that the below commands also get executed successfully. They will ensure that the ‘Active Directory’ module, if not present in the client system will be imported from the online Microsoft CDN library and installed.

Get-Module -Name ActiveDirectory -ListAvailable
Import-Module -Name ActiveDirectory

• You can also log into a distant PC using Remote Desktop Connection through your Windows 10 client system and change the password on that system by making a GPO (Group Policy Object) in your central policy server and set the policy as below to allow the users to access powershell without administrator privileges: -

 Default domain policy/New GPO --> Edit --> Computer Configuration --> 
 Policies --> Windows Settings --> Security settings --> Restricted groups --> Remote Management Users --> Click on ‘Add’ --> Select the users from Active Directory --> Ok

Once you do this, then ensure that this policy is pushed on all the systems where you want users to run powershell remotely with administrator privileges. You can also add those users in a group and then add that group as a member of the ‘Remote management users’ group through group policy.

• You can check the permissions of a powershell session through the below command which clearly states that ‘Remote Management users’ are allowed access to the powershell session remotely. Please note that Windows Remote Management service needs to be started and run for the below command to run successfully and provide you with results.

   (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission