
PowerShell AD Module on Any Domain Host as Any User

Borrow a DLL

Normally, one must install RSAT (Remote Server Administration Tools) on a host to make remote calls to Active Directory from a client computer, and one must normally be an administrative user to import the PowerShell Active Directory module.

The trick here is borrowing the Microsoft.ActiveDirectory.Management.dll from a domain-joined host with RSAT installed.


Getting the DLL

The quickest and safest way to acquire the DLL is to set up a Windows 10 or Windows 11 VM, install RSAT, and copy the DLL from it.

Get-WindowsCapability -Name RSAT*ActiveDirectory* -Online | Add-WindowsCapability -Online


Path          :
Online        : True
RestartNeeded : False

I have seen it mentioned that the DLL is found in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management; however, when I installed RSAT on my Windows 11 VM, it was in a different directory.

Finding the DLL

Get-ChildItem -Path 'C:\Windows' -Recurse -Filter 'Microsoft.ActiveDirectory.Management.dll' -ErrorAction SilentlyContinue | Where-Object {$_.FullName -like '*GAC_64*' -or $_.FullName -like '*amd64*'} | Select-Object -ExpandProperty FullName


Import to PowerShell

Import-Module 'C:\Path\to\file.dll'


Using the Module

Check Available Commands

Get-Command -Module Microsoft.ActiveDirectory.Management
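The four steps above (find the DLL, import it, check the commands) combined into one script, as an added example that is not part of the original page or of the referenced write-up. Before loading a DLL that was copied from another host it checks the Authenticode signature, so a tampered or unsigned copy is refused; the function names Find-AdModuleDll and Import-AdModuleDll are this example's own, and the script assumes the DLL was copied from an RSAT host into a location under the search root.

```powershell
# Added example: locate the borrowed AD module DLL, verify its signature,
# import it, and report what was loaded. Not code from the original page.

function Find-AdModuleDll {
    param([string]$Root = 'C:\Windows')
    # Same search as the one-liner above, with the aliases expanded.
    Get-ChildItem -Path $Root -Recurse -Filter 'Microsoft.ActiveDirectory.Management.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*GAC_64*' -or $_.FullName -like '*amd64*' } |
        Select-Object -ExpandProperty FullName
}

function Import-AdModuleDll {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "DLL not found: $Path"
    }

    # A DLL copied between hosts still carries Microsoft's Authenticode signature;
    # refuse to load anything whose signature is missing, broken, or from another signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
        throw "Refusing to import '$Path': signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    Import-Module -Name $Path -ErrorAction Stop

    # A binary module imported from a .dll is named after the file, so this resolves
    # to Microsoft.ActiveDirectory.Management; report where it was actually loaded from.
    $module = Get-Module -Name 'Microsoft.ActiveDirectory.Management'
    [pscustomobject]@{
        Name         = $module.Name
        Version      = $module.Version
        Path         = $module.Path
        CommandCount = (Get-Command -Module $module.Name).Count
    }
}

# Usage: take the first hit, or pass the path of the copied DLL directly.
$dllPath = Find-AdModuleDll | Select-Object -First 1
if ($dllPath) {
    Import-AdModuleDll -Path $dllPath
    Get-Command -Module Microsoft.ActiveDirectory.Management | Sort-Object Name | Format-Table Name, CommandType
}
```

The Path field in the returned object is the detail worth keeping: an Active Directory module loaded from anywhere other than the RSAT install location is exactly what a defender looks for, and with PowerShell module logging enabled the Import-Module call and the subsequent AD cmdlets are recorded in the Microsoft-Windows-PowerShell/Operational log (event ID 4103).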


References

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges