
I need the ability to have users run a script that requires the ActiveDirectory module. I copied over the following:

"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory", "Microsoft.ActiveDirectory.Management.resources.dll", "Microsoft.ActiveDirectory.Management.dll".

The script runs two Get-ADUser commands, 1 without the -Server parameter and the other with. The issue is that the former is working but the latter is not.

Is there another module that I need to copy over?

A workaround is to rewrite your script using adsi and adsisearcher. - Santiago Squarzon
You do not need ADDS tools on any workstation to use ADDS cmdlets. This is what implicit PSRemoting is for. Just remote to a machine with ADDS/RSAT already installed and proxy the cmdlets to your workstation, or whatever workstation. The cmdlets via an implicit PSRemote session are only available during that session. Once the session is closed, they are no longer available until a new session is started and they are called again. Note this is not just a thing for ADDS cmdlets, as you can do the same for Exchange, SQL, etc. There is also WebJEA or PowerShell Web Access. - postanote
Install and Use Windows PowerShell Web Access. Have RSAT installed there, then the user just uses their browser to run commands, code, scripts, etc. - postanote

2 Answers

4
votes

I don't like the idea of installing administrative tools for non-admins, even if you could get away with copying files rather than doing the full-blown RSAT installation. Not the least of the reasons is that you are dramatically increasing the attack surface for malicious actors. The better solution is JEA (Just Enough Administration), or a philosophically similar approach.

JEA / Constrained endpoints can get complicated, but a summary of what you can do looks something like this:

New-PSSessionConfigurationFile -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ModulesToImport ActiveDirectory -VisibleCmdlets "Get-ADUser"
Register-PSSessionConfiguration -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ShowSecurityDescriptorUI -Name DemoPSEndPoint

Run these commands on a system that has the ActiveDirectory module (likely the whole RSAT component) installed; it doesn't need to be a Domain Controller. This will create a new PowerShell remoting endpoint configuration that exposes only the commands you wish. The Register-PSSessionConfiguration command will display a security dialog where you can set permissions for the users you want to allow to connect; grant them Read and Execute permission. Once that's done, you can get the results with an Invoke-Command like this:

Invoke-Command -ComputerName <ServerName> -ConfigurationName DemoPSEndPoint -ScriptBlock { Get-ADUser <UserName> }

You can add the -Server parameter to the command without issue. You can expand the cmdlets you are allowing in the New-PSSessionConfigurationFile command.

Again this is very much a summary of a more complex topic but should be enough to get what you want.

Personally, I don't use configuration files as much as I use startup scripts. I think the latter is more flexible. You can get some information about that here. If you really want to dig into this there are references at the end of the article including a link to the PowerShell JEA documentation. There's also a link to some of the MVP articles I used to develop my own endpoints.
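As an added illustration of the answer above (not the answerer's own code), here is the same JEA idea carried through with a role capability file, a virtual account and session transcripts, so that non-admin users can run Get-ADUser with -Server from a workstation that has no RSAT at all. The module path, the group CONTOSO\AD-Readers, the server names and the -Server pattern are assumptions for the example.

```powershell
# Added example (not from the answer above). Run elevated on a server that has the
# ActiveDirectory (RSAT) module. Names below are placeholders: 'CONTOSO\AD-Readers'
# is the AD group allowed to connect; the -Server pattern matches this lab's DCs.
$moduleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\DemoJEA"
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $moduleRoot 'DemoJEA.psm1') -ItemType File -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'DemoJEA.psd1') -RootModule 'DemoJEA.psm1'

# Role capability: only Get-ADUser, and only an allow-listed set of its parameters.
# -Server is permitted (the question's use case) but pinned to known domain controllers.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ADUserReader.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @{
        Name       = 'Get-ADUser'
        Parameters = @(
            @{ Name = 'Identity' },
            @{ Name = 'Filter' },
            @{ Name = 'Properties' },
            @{ Name = 'Server'; ValidatePattern = '^dc\d{2}\.contoso\.com$' }
        )
    }

# Session configuration: RestrictedRemoteServer removes everything except the role's
# cmdlets; the virtual account means connecting users need no AD rights of their own
# (the server's computer account performs the read), and every session is transcribed.
$pssc = 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc'
New-Item -Path (Split-Path $pssc) -ItemType Directory -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\AD-Readers' = @{ RoleCapabilities = 'ADUserReader' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid .pssc: $pssc" }
Register-PSSessionConfiguration -Name 'DemoPSEndPoint' -Path $pssc -Force   # restarts WinRM

# Audit what a given user will actually see in the endpoint before handing it out.
Get-PSSessionCapability -ConfigurationName 'DemoPSEndPoint' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType

# From a workstation with no RSAT: the -Server call now works, and anything outside
# the allow-list (e.g. Set-ADUser, or -Server pointed at a foreign host) is rejected.
Invoke-Command -ComputerName 'jea01.contoso.com' -ConfigurationName 'DemoPSEndPoint' `
    -ScriptBlock { Get-ADUser -Identity 'alice' -Server 'dc01.contoso.com' }
```

Because the endpoint runs under a virtual account, the users in CONTOSO\AD-Readers never hold AD read rights themselves; review the transcripts in C:\ProgramData\JEATranscripts to see exactly what was run.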

1
votes

The ActiveDirectory module depends on RSAT (Remote Server Administration Tools). This is available to install/activate through PowerShell: https://mikefrobbins.com/2018/10/03/use-powershell-to-install-the-remote-server-administration-tools-rsat-on-windows-10-version-1809/

With this installed you automatically get the ActiveDirectory module installed as well.