ActiveDirectory module fails to update

I recently upgraded a Windows 2008 R2 server that had the PowerShell Active Directory module enabled to Windows Server 2012 R2.

When I invoked the Update-Help cmdlet on the newly upgraded server, I got the following message:

update-help : Failed to update Help for the module(s) ‘ActiveDirectory’ with UI culture(s) {en-US} : Access to the path ‘C:\windows\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\Microsoft.ActiveDirectory.Management.dll-help.xml’ is denied.

I first tried to remove the feature, but it didn’t help.

(NB: I haven’t tried the -Remove parameter to avoid a reboot, I guess… or worse)

As you can see below, there are actually multiple problems:

  1. the Builtin\Administrators group doesn’t have at least Write access to the file
  2. all the NTFS permissions aren’t inherited from the parent folder
  3. the owner of the file and parent folder is NT SERVICE\TrustedInstaller 😦

My fix consisted of giving ownership of the XML file back to the Builtin\Administrators group and granting it the missing Write access as well.

$File = "C:\windows\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\Microsoft.ActiveDirectory.Management.dll-help.xml"
# /A assigns ownership to the Administrators group instead of the current user
takeown /F $File /A
# --% stops PowerShell from parsing the parentheses; S-1-5-32-544 is the well-known SID of Builtin\Administrators
icacls $File --% /grant  *S-1-5-32-544:(W)

After that, the help for the ActiveDirectory module updated successfully 😎
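
To check the three findings listed above before changing anything, and to hand the file back to TrustedInstaller once Update-Help has succeeded, here is an added example that is not part of the original post. The function names are hypothetical, and the read/execute baseline restored for Administrators is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated session.
$File = "C:\windows\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\Microsoft.ActiveDirectory.Management.dll-help.xml"
$AdminsSid = 'S-1-5-32-544'   # Builtin\Administrators, the same SID the post passes to icacls

# Hypothetical helper: reports owner, inheritance state and Administrators' Write access
function Get-HelpFileAclReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    # Translate ACEs to SIDs so the check does not depend on localized group names
    $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
    $canWrite = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $AdminsSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $write) -eq $write) { $canWrite = $true }
    }
    [pscustomobject]@{
        Owner                  = $acl.Owner
        InheritanceDisabled    = $acl.AreAccessRulesProtected
        InheritedAceCount      = @($rules | Where-Object { $_.IsInherited }).Count
        AdministratorsCanWrite = $canWrite
    }
}

# Hypothetical helper: removes the temporary Write grant and returns ownership
function Restore-HelpFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: read/execute is the baseline wanted for Administrators on this file.
    # The DACL is changed first, while Administrators still own the file.
    icacls $Path /grant:r "*${AdminsSid}:(RX)" | Out-Null
    icacls $Path /setowner "NT SERVICE\TrustedInstaller" | Out-Null
    Get-HelpFileAclReport -Path $Path
}

Get-HelpFileAclReport -Path $File      # run before the fix, and again after it
# Restore-HelpFileAcl -Path $File      # run once Update-Help has succeeded
```

The report only looks at Allow entries, so an explicit Deny entry on the file would still need to be checked by hand.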


One thought on “ActiveDirectory module fails to update”

  1. Thank you, Thank you, Thank you!!! I’ve looked for weeks trying to resolve this apparent old issue and none of them show your script…and thereby do not work. Your script is obviously designed for the desktop…the others appear to work from the server itself–not always the way you want to work.

    Anyway, again…thanks for the answer I needed.

