07 March 2019

Active Directory PowerShell Module Configuration Baseline

With the recent 1809 release, RSAT is now integrated into Windows, which is a major plus for the admin side. In my environment, I have the Active Directory PowerShell module enabled on all machines for two reasons. The first is that I use it to move the machine in AD during the build process. The second is that I have an SCCM baseline that makes sure the BitLocker key matches the one stored in AD. For these, I need the module installed, and thankfully it is now just a simple Add-WindowsCapability cmdlet.

I implemented the following baseline that first checks to make sure the Rsat.ActiveDirectory.DS-LDS.Tools~~~~ feature is enabled. It returns a boolean value of $true if it is Installed and $false if it is Not Present. If $false is returned, then the remediation script will turn on the feature. 

I am going to assume you already know how to set up a configuration item, so I am not going to go through the screen-by-screen process. This is the main screen of the Item.

Here is the PowerShell query for checking if it is enabled and returning the $true or $false. 

 # Query the capability state once, then return $true (Installed) or $false (NotPresent)
 $State = (Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~').State
 If ($State -eq 'Installed') {Echo $true} elseif ($State -eq 'NotPresent') {Echo $false}

Here is the remediation script for enabling RSAT AD if it is not enabled.

 Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~'  

Finally, this is the compliance rule that enables the remediation if it is not enabled.

Now to deploy the Configuration Item, the Baseline needs to be created and deployed. This is a very simple procedure. Here are screenshots of my setup of the Baseline.
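A more defensive version of the discovery and remediation scripts above, as an added example that is not the author's code: discovery always returns a single boolean, including when the capability is in a state other than Installed or NotPresent or the query fails, and remediation verifies its own result. The function names are hypothetical; the capability name is copied as written in this post.

```powershell
# Added example, not the author's scripts. Function names are hypothetical.
# Capability name is copied exactly as written in the post.
$CapabilityName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~'

function Test-RsatAdInstalled {
    # Discovery: always emit exactly one boolean so the compliance rule
    # has a value to evaluate on every run.
    try {
        $cap = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop
        # Any state other than Installed (NotPresent, Staged, InstallPending, ...)
        # is reported as non-compliant.
        return [bool]($cap -and ($cap.State -eq 'Installed'))
    }
    catch {
        # Query failed (for example, the script is not running elevated).
        return $false
    }
}

function Install-RsatAdCapability {
    # Remediation: install only when needed, then confirm the outcome.
    if (Test-RsatAdInstalled) { return $true }
    try {
        $result = Add-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop
        if ($result.RestartNeeded) {
            Write-Warning 'RSAT AD tools were added; a restart is needed to finish.'
        }
    }
    catch {
        Write-Warning "Add-WindowsCapability failed: $($_.Exception.Message)"
        return $false
    }
    # Re-check the capability state and confirm that the module the build
    # process and the BitLocker baseline depend on can actually be found.
    $moduleFound = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    return ((Test-RsatAdInstalled) -and $moduleFound)
}

# Discovery script body: emit the boolean for the compliance rule.
Test-RsatAdInstalled
```

For the remediation script, replace the last line with a call to Install-RsatAdCapability.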


