help: Import-Module ActiveDirectory from remote server share

  • Question

  • So here's the rub: I don't want to enable constrained delegation on the target server (WS2012R2 with latest WMF/RSAT); I'm betting this is why I see errors about AD Web Services being unavailable when I actually import this module in a PSSession from client to this server.

    What I WANT to do is simply load the ActiveDirectory module onto the client from a UNC share e.g. Import-Module -Name \\server\share\ActiveDirectory

    Now...this will work on a client with RSAT tools installed, but on any client that does NOT have RSAT tools installed, I'm stuck with this error:

    import-module : Could not load file or assembly
    'file://\\server\share\ActiveDirectory\Microsoft.ActiveDirectory.Management' or one of its dependencies. The system
    cannot find the file specified.
    At line:1 char:1
    + import-module -Name \\server\share\ActiveDirectory\ActiveDirectory.psd ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Import-Module], FileNotFoundException
        + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

    I'm assuming I could use Add-Type to similarly add the necessary file/assembly from a share, but I've had no luck figuring out exactly how to do so.


    born to learn!

    Thursday, April 6, 2017 2:45 PM

All replies

  • Now it seems like I could use [System.Reflection.Assembly]::LoadFile(\\server\share\assembly) to load all required assemblies, but so far I've had no luck with this.

    You may find yourself asking "why not simply install RSAT?" and here's why: we're upgrading to w10 1607, which removes RSAT if it's installed. I don't want to deal with reinstalling so many RSAT instances on so many clients. So why not a "jump box"? Only 2 users per, I'd have to make a huge amount of these. If I can get this to work with PowerShell, basically infinity users can connect to ONE system that has RSAT installed using a script at a central location, and I just push a desktop shortcut to all my password resetters. This approach will scale MUCH better than the prior two and be easy to maintain since everything's on just one server that everything is run against remotely.

    If the remote server was a DC I could just import-module -PsSession like normal, but that would be a pretty huge security risk, so the target server is NOT a DC and cannot host ADWS. So I'm dealing with the 2-hop problem there, and I'd like to NOT enable CredSSP to allow a second hop to a DC that actually does have ADWS running (all DCs are 2008r2+ and all clients are > win 7 so I don't have to worry about the gateways service in my environment).


    born to learn!


    • Edited by AJM Admin Thursday, April 6, 2017 4:34 PM
    Thursday, April 6, 2017 4:32 PM
  • RSAT MUST be installed in order for the module to work.


    \_(ツ)_/

    Thursday, April 6, 2017 5:39 PM
    Moderator
  • right. it is. on the server.

    born to learn!

    Thursday, April 6, 2017 5:43 PM
  • It has to be installed where you want to use it not just on the server.


    \_(ツ)_/

    Thursday, April 6, 2017 5:59 PM
    Moderator
  • Old thread, but I figured I'll post the workaround for anyone searching. You do NOT need RSAT installed on a workstation, as long as you copied the needed files from a server that had RSAT installed.

    1) Copy the folder "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory" to your network share.
    2) Find and copy ActiveDirectory.Management.dll to your share as well. On my server 2012 R2, I had it under the folder C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management.

    3) Edit ActiveDirectory.psd1 from the PS modules folder you copied and change the line RequiredAssemblies= to point to the full path of the DLL you copied from RSAT above. For example: RequiredAssemblies="\\server\share\ActiveDirectory\Microsoft.ActiveDirectory.Management.dll"

    4) Import-Module to the full path of your ActiveDirectory.psd1

    Friday, September 28, 2018 11:38 AM
  • To expand a little further on dr0h's answer, I followed the advice and more specifically I...

    1. Copied the "$PSHome\Modules\ActiveDirectory" to a network share from a machine which has RSAT installed
    2. Copied the C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll file to the ~\ActiveDirectory folder I copied to the network share from that same machine with RSAT installed
    3. I edited the ActiveDirectory.psd1 file within the folder I copied to the network share and made the RequiredAssemblies="Microsoft.ActiveDirectory.Management.dll" line just like that basically just appending the .dll extension to the file
    4. I copy the ~\ActiveDirectory folder and all of its contents recursively to $PSHome\Modules on machines without RSAT installed/enabled and then I run Import-Module ActiveDirectory and now it works.

    I've put some PowerShell logic around scripts I need to run with these modules which does not have RSAT installed, etc. so it only copies the folder if needed onto the local machine

    PowerShell Script

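    # Copy the module from the share only if it is not already present locally
    if (-not (Test-Path "$PSHome\Modules\ActiveDirectory")) {
        Copy-Item "\\server\PSModules\ActiveDirectory" "$PSHome\Modules" -Recurse -Force
    }
    # Load the copied module and query group membership
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity "Group Name"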

    • Edited by PJ Mahoney Saturday, July 20, 2019 8:55 PM
    Saturday, July 20, 2019 8:42 PM
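
Added example, not part of any post in this thread: both workarounds above turn the contents of the share into code that runs in every password resetter's session, so this sketch records SHA-256 hashes of the prepared module folder on the trusted RSAT machine and checks the local copy against them before importing. The function names and the manifest location are hypothetical, and it assumes the manifest CSV is stored where only administrators can write.

```powershell
# Added example; function names and the manifest path are hypothetical, not from the thread.
function New-ModuleHashManifest {
    # Run once on the trusted machine, after editing ActiveDirectory.psd1 and adding the DLL.
    param([Parameter(Mandatory)][string]$ModulePath, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $ModulePath).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-ModuleHashManifest {
    # $true only if the folder holds exactly the files listed in the manifest, unmodified.
    param([Parameter(Mandatory)][string]$ModulePath, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $ModulePath).ProviderPath.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    $seen = 0
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) { Write-Warning "Unexpected file: $rel"; return $false }
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel]) { Write-Warning "Hash mismatch: $rel"; return $false }
        $seen++
    }
    return ($seen -eq $expected.Count)   # also fails if a listed file is missing
}

function Import-VerifiedADModule {
    # Copy from the share if needed, verify the local copy, and only then import it.
    param([Parameter(Mandatory)][string]$SharePath, [Parameter(Mandatory)][string]$ManifestPath)
    $local = Join-Path $PSHome 'Modules\ActiveDirectory'
    if (-not (Test-Path -LiteralPath $local)) {
        Copy-Item -LiteralPath $SharePath -Destination (Join-Path $PSHome 'Modules') -Recurse
    }
    if (-not (Test-ModuleHashManifest -ModulePath $local -ManifestPath $ManifestPath)) {
        throw 'Local ActiveDirectory module does not match the recorded hashes; not importing.'
    }
    Import-Module (Join-Path $local 'ActiveDirectory.psd1')
}
```

The check runs against the local copy rather than the share, so the files that were hashed are the same files that get loaded.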