Clone AD to a Sandbox: Part 1

On occasion, you might need to replicate your Active Directory to a sandbox to test various changes. This provides a PowerShell script that exports OUs, users, computers, groups, and group memberships to CSV files. You can use these CSV files with another script (coming in part 2) to replicate this structure in another domain.

Please do NOT use this to create a production replica, migrate from one domain to another, or any other production scenario. There’s a lot of data that is not exported that you need in a production environment.

This blog will focus on the first part of this process – the script and export of your domain. The entire script is available for download at the end of this blog. We’ll walk through some key pieces and possible suggested edits to enhance the basic functionality.

You must have the AD PowerShell module installed on the computer where you run both scripts. This script was developed using a Server 2016 domain controller with a domain functional level of 2016.


There are seven parameters at the top of the script that you need to fill out. These are on lines 1-12 when you open the script.

# path to export csv files
$export_path = “C:\AD_export”

# OU to export
$export_searchbase = “ou=Accounts,dc=redmond,dc=local”

# what to export. 1 for true, 0 for false
$export_ous = 1
$export_users = 1
$export_comps = 1
$export_groups = 1
$export_group_membership = 1

The first parameter ($export_path) is the location to store the CSV files that the script outputs. This should be a directory on your computer. It will build the directory if it doesn’t already exist.

The second parameter ($export_searchbase) is the distinguished name of the OU that you want to export. You could theoretically run this against the root of your domain, but it’s not recommended, as there’s no logic to exclude any of the built-in items. Running it against the root was also not tested.

The remaining parameters tells the script what to export, with “1” being export and “0” being don’t export. For example, if you only want the OU structure, set $export_ous equal to 1 and the remaining variables equal to 0:

$export_ous = 1
$export_users = 0
$export_comps = 0
$export_groups = 0
$export_group_membership = 0

Create Export Directory and Export OUs

The next two sections of the script are simple. The “create export directory” line creates the directory you set in the second parameter. The “ou” section exports all of the OUs in hierarchical order.

# create export directory
if ((test-path $export_path) -eq $false) { new-item -type directory $export_path}

# ous
if ($export_ous -eq 1) {
write-progress “Exporting OUs”
$ou_csv = “$export_path\$ou_export”
Get-ADOrganizationalUnit -Filter * -SearchBase $export_searchbase | Sort {-join ($_.distinguishedname[($_.distinguishedname.length-1)..0])} | export-csv $ou_csv


The users section as written is basic. It will export the username, distinguished name, and whether or not the account is enabled. The account’s password or any other attributes are not being exported. With some tweaking, you could export more attributes if you want – you would just need to add them to the “select” portion of the get-aduser line. You would also need to modify the build script to set that attribute when creating the account.

# users
if ($export_users -eq 1) {
write-progress “Exporting Users”
$user_csv = “$export_path\$user_export”
get-aduser -Filter * -SearchBase $export_searchbase -properties * | select Name,DistinguishedName,Enabled | export-csv $user_csv


The computers section is also basic. It grabs the same attributes as user – object name, distinguished name, and whether or not the object is enabled. Also along the lines of user, you can also expand what it exports by adding additional attributes – just don’t forget to add them to the build script.

# computers
if ($export_comps -eq 1) {
write-progress “Exporting Computers”
$comp_csv = “$export_path\$comp_export”
get-adcomputer -Filter * -SearchBase $export_searchbase | select Name,DistinguishedName,Enabled | export-csv $comp_csv


The groups section of the script just exports group name and distinguished name.

# groups
if ($export_groups -eq 1) {
write-progress “Exporting Groups”
$group_csv = “$export_path\$group_export”
get-adgroup -Filter * -SearchBase $export_searchbase -properties * | select Name,DistinguishedName | export-csv $group_csv

Group Memberships

This section exports all of the membership of the groups. It exports each group as its own CSV file, so the folder that holds these could get large if you have a lot of groups.

# group memberships
if ($export_group_membership -eq 1) {
$groups = (get-adgroup -Filter * -SearchBase $export_searchbase).Name

If ((test-path $group_mbr_export_path) -eq $false) {new-item -type directory $group_mbr_export_path}

ForEach ($group in $groups) {
write-progress “Exporting Group Membership – $group”
get-adgroup -identity $group | Get-ADGroupMember | export-csv $group_mbr_export_path\$group.csv
} # end foreach loop
} # end if statement

Once the script runs, you will have several CSV files and a folder containing your group memberships.

I hope this helps with replicating your domain to a sandbox. Come back in a few days for the second half on using this export to build your sandbox.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

NERC CIP Compliance with Microsoft 365 and Azure

NERC CIP Compliance with Microsoft 365 and Azure

As the landscape of cybersecurity evolves, regulations are also driving transformative shifts across utilities. The electrical sector is no exception. NERC’s Critical Infrastructure Protection (CIP) is one such sophisticated set of guidelines for safeguarding utility control

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.