Using the Active Directory module remotely

Once you begin using PowerShell to interact with different systems on the network, you will run into a situation where you want to gather information from Active Directory. Then you will have a choice to make about how you get this accomplished…

1) You might decide to logon to a domain controller each time you want to get things done. This is OK if you just are running stand-alone scripts and you like doing things that way.

2) You might consider installing the Remote Server Administration Tools on your workstation. This is good if you are going to run scripts frequently from a specific computer, and you don’t mind going through the hoops of installing a handful of components and possibly rebooting along the way. I don’t like doing this, so I never bother to install it. Also sometimes it isn’t even available for your operating system, such as when Windows 10 was very new or in preview mode.

3) You may not want to bother with installing RSAT on one or multiple computers, or you might have to share your scripts with many other people who also don’t want to bother preparing their workstations. In this case you want to make something that “just works”. I can think of two ways to do this, and both are shown below. Pick your poison and then drink it 😛

The first way, is to use Export-PSSession to copy the remote Active Directory module from one of your domain controllers to your local workstation. This will work without RSAT, and so saves you a lot of time. The downside is it takes quite a few seconds to initialize the module when you are going to load it.

The second way, is to use Invoke-Command to remotely run all your commands directly on the domain controller. This will work the same as the above option, but is much faster to use since you don’t have to export any commands. The downside is you have to manage your open sessions and also have a bit more lines each time you are going to send/receive information to the domain controller.


Below is a simple task of getting the results of Get-ADUser using both methods…

Option 1: using Export-PSSession:
First, create a function that you can use to import the AD module to your local workstation whenever you need it…

# loads AD module
function Get-ModuleAD() {
<# 
.SYNOPSIS 
 Imports the Active Directory PowerShell module for use on remote systems.
.DESCRIPTION 
 This function will create a copy of the Active Directory PowerShell module,
 renamed so any -AD commands are -RemAD on the remote system. The session 
 is created, the module loaded, and then the session is exported out. 
 Then that exported session is imported as a new module on the remote system. 
.EXAMPLE 
 Get-TremorModuleAD 
#>
    If ((Get-Module -Name RemAD | Measure-Object).Count -lt 1) {
        # Adding Active Directory connection...
        # https://technet.microsoft.com/en-us/magazine/ff720181.aspx
        If ((Get-Module -ListAvailable -Name RemAD | Measure-Object).Count -lt 1) {
            $sessionAD = New-PSSession -ComputerName 'YOUR-DC-NAME'
            Invoke-Command { Import-Module ActiveDirectory } -Session $sessionAD
            Export-PSSession -Session $sessionAD -CommandName *-AD* -OutputModule RemAD -AllowClobber -Force | Out-Null
            Remove-PSSession -Session $sessionAD
        } Else { Write-Output "Active Directory Module is already exported..." }

        #create copy of the module on the local computer...
        Import-Module RemAD -Prefix Rem -DisableNameChecking
    }
}


Then call that module and pull some AD user information using it, such as with your new Get-RemADUser function…

#call the function that checks for / imports the AD module...
Get-ModuleAD

# use your new AD module to get information about an AD user...
$getUserInfo = Get-RemADUser -Identity 'userNameHere'



Option 2: using Invoke-Command:
First, prepare the variable that holds the username and create a session which you’ll need to send the variable to…

# variable to store the identity of an AD user you want to get information about...
$var1 = 'userNameHere'

# make the session if you don't have it already...
If (!($sessionAD)) { $sessionAD = New-PSSession -ComputerName 'YOUR-DC-NAME'}


Then use that session to do something. Send the variable and run the commands you would as if you were on the domain controller locally…

# use the session you have setup...
Invoke-Command -Session $sessionAD -ScriptBlock {
    # accept incoming parameters on the remote session...
    Param ($var1)
    
    # import the AD module on the remote domain controller session...
    Import-Module ActiveDirectory

    # load the information you want into a variable...
    $thisUser = Get-ADUser -Identity $var1

# send the variable(s) you need to use in the remote session here...
} -ArgumentList $var1


The work is done, now you just need to extract your output and close the session…

# load the variable from the remote session into a local variable...
$getUserInfo2 = Invoke-Command -Session $sessionAD -ScriptBlock { $thisUser }

# for house cleaning purposes, close the session once you're done using it...
$sessionAD | Remove-PSSession



That was just one quick example, hope that it might be helpful for someone. 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s