Clone AD to a Sandbox: Part 2

Now that we’ve exported the OUs, user objects, computer objects, groups, and group memberships, we’re ready to import them into our new domain.

We’ll walk through the key pieces of the import script and suggest some edits to enhance its basic functionality.

You must have the AD PowerShell module installed on the computer where you run both scripts. This script was developed using a Server 2016 domain controller with a domain functional level of 2016.


Like the export script, this one has several parameters that you need to set before running it. These are on lines 1-21.

$prd_dom = "dc=redmond,DC=local"
$sandbox_dom = "dc=contoso,DC=local"

# what to build. 1 for true, 0 for false
$build_ous = 1
$build_users = 1
$build_comps = 1
$build_groups = 1
$build_group_membership = 1

# csv files
$export_path = "C:\AD_export\Desktop\AD_export-fs"

$ou_csv = "$export_path\export-ous.csv"
$user_csv = "$export_path\export-users.csv"
$computer_csv = "$export_path\export-computers.csv"
$group_csv = "$export_path\export-groups.csv"
$grp_mbr_folder_path = "$export_path\group_mbr"

# protect OUs from Accidental Deletion
$ou_protect_accdelete = 0

First, change $prd_dom to match your production domain. Then change $sandbox_dom to match your sandbox domain.

The next five variables tell the script which object types to build. They should match what you exported from your production domain: “1” tells the script to build that object type and “0” tells it to skip it. For example, if you only want the OU structure, set $build_ous equal to 1 and the remaining variables equal to 0:

$build_ous = 1
$build_users = 0
$build_comps = 0
$build_groups = 0
$build_group_membership = 0

Next, change the $export_path variable to the folder containing the export files. Don’t modify the next five variables.

Finally, set whether you want your OUs created with or without protection from accidental deletion by setting the $ou_protect_accdelete variable to “0” (do not protect) or “1” (protect from accidental deletion). By default, OUs are created with this turned on. If you think you’ll need to run this script multiple times, you might want the option to turn the protection off; it makes mass deleting the OU structure much easier.

Build OUs

This section of the script imports the OU csv and builds the OUs. It has to do some splitting of the distinguished name (a common theme of this script) to recover the parent path, then pass that to the New-ADOrganizationalUnit cmdlet.

# OUs
if ($build_ous -eq 1) {
    # success/failure counters and error list for the script's reporting
    $success = 0
    $failed = 0

    $errors = @()

    $ou_list = Import-Csv $ou_csv

    foreach ($build_ou in $ou_list) {
        Write-Progress "Building OU $($build_ou.Name)"

        # capture path from DN: swap the domain suffix, then split off the leaf RDN
        $ou_dn = $build_ou.DistinguishedName -replace $prd_dom,$sandbox_dom
        $ou_dn_split = $ou_dn -split ',',2

        # create OU (the parent path is everything after the first comma)
        $new_OU = New-ADOrganizationalUnit -Name $build_ou.Name -Path $ou_dn_split[1] -ProtectedFromAccidentalDeletion $ou_protect_accdelete
    }
}
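The DN handling above is repeated in every build section. As an added example (not part of the blog's scripts), here it is factored into a helper that also covers two cases the plain `-split ',',2` does not: an RDN containing an escaped comma (such as `CN=Smith\, John`) and an OU csv that lists a child OU before its parent, which makes New-ADOrganizationalUnit fail because the parent path does not exist yet. The function names and the sample DNs are constructed for illustration.

```powershell
# Added example: DN rewriting and parent-first OU ordering for the sandbox import.
# Function names and sample rows are constructed; they are not from the original scripts.
function Convert-DnToSandboxPath {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$ProductionDomain,   # e.g. 'dc=redmond,DC=local'
        [Parameter(Mandatory)][string]$SandboxDomain       # e.g. 'dc=contoso,DC=local'
    )
    # -replace treats its pattern as a regex, so escape the domain and anchor it to the
    # end of the DN; only the domain suffix is rewritten (-replace is case-insensitive).
    $dn = $DistinguishedName -replace ([regex]::Escape($ProductionDomain) + '$'), $SandboxDomain

    # Split on the first comma that is NOT preceded by a backslash. A plain
    # -split ',',2 mis-parses names such as "CN=Smith\, John" and yields a bogus -Path.
    $parts = $dn -split '(?<!\\),', 2
    [pscustomobject]@{
        Name  = ($parts[0] -replace '^[A-Za-z]+=', '') -replace '\\(.)', '$1'  # unescaped RDN value
        Path  = $(if ($parts.Count -gt 1) { $parts[1] } else { $null })         # parent container DN
        Depth = ([regex]::Matches($dn, '(?<!\\),')).Count                        # RDNs below the leaf
    }
}

function Get-OuBuildOrder {
    param(
        [Parameter(Mandatory)][object[]]$OuRows,        # rows from Import-Csv $ou_csv
        [Parameter(Mandatory)][string]$ProductionDomain,
        [Parameter(Mandatory)][string]$SandboxDomain
    )
    # New-ADOrganizationalUnit fails when -Path does not exist yet, so build shallow
    # OUs before deep ones regardless of the row order in export-ous.csv.
    $domains = @{ ProductionDomain = $ProductionDomain; SandboxDomain = $SandboxDomain }
    $OuRows |
        ForEach-Object { Convert-DnToSandboxPath -DistinguishedName $_.DistinguishedName @domains } |
        Sort-Object Depth
}

# Constructed sample rows standing in for export-ous.csv (note the child OU is listed first)
$prd_dom     = 'dc=redmond,DC=local'
$sandbox_dom = 'dc=contoso,DC=local'
$sample_ous  = @(
    [pscustomobject]@{ Name = 'Sales';       DistinguishedName = 'OU=Sales,OU=Departments,dc=redmond,DC=local' }
    [pscustomobject]@{ Name = 'Departments'; DistinguishedName = 'OU=Departments,dc=redmond,DC=local' }
)
Get-OuBuildOrder -OuRows $sample_ous -ProductionDomain $prd_dom -SandboxDomain $sandbox_dom |
    Format-Table Name, Path, Depth

# A user whose CN contains an escaped comma, which the plain split would mishandle
Convert-DnToSandboxPath -DistinguishedName 'CN=Smith\, John,OU=Sales,OU=Departments,dc=redmond,DC=local' -ProductionDomain $prd_dom -SandboxDomain $sandbox_dom
```

The build sections can call Convert-DnToSandboxPath in place of the inline `-replace`/`-split` pair and feed `Name` and `Path` to the respective New-AD* cmdlet.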

Build Users

This section of the script builds the user objects. It follows a similar process as the OU section, but sets one additional parameter based on whether or not the user was enabled in the production domain.

Another important note about this section is that all user accounts are created without a password and with the PasswordNotRequired flag. As I stated in the export blog, you would not want to use this to create a production domain. This is one of the primary reasons why.

if ($build_users -eq 1) {
    # success/failure counters and error list for the script's reporting
    $success = 0
    $failed = 0

    $errors = @()

    $user_list = Import-Csv $user_csv

    foreach ($build_user in $user_list) {
        Write-Progress "Building User $($build_user.Name)"

        # capture path from DN: swap the domain suffix, then split off the leaf RDN
        $user_dn = $build_user.DistinguishedName -replace $prd_dom,$sandbox_dom
        $user_dn_split = $user_dn -split ',',2

        # create user, mirroring the enabled/disabled state exported from production
        # (Import-Csv yields the string "True"/"False", hence the explicit comparison)
        if ($build_user.Enabled -eq $true) {$enabled = 1} else {$enabled = 0}
        $new_user = New-ADUser -Name $build_user.Name -Path $user_dn_split[1] -Enabled $enabled -PasswordNotRequired $true
    }
}

This is one section of the export script that could be enhanced to move additional attributes. If you add attributes to the export, be sure to update this section to include them in the creation process.

Build Computers and Build Groups

These two sections of the script are exactly like the build OU section. The only difference is the PowerShell cmdlet that is called to build the respective objects.

if ($build_comps -eq 1) {
    # success/failure counters and error list for the script's reporting
    $success = 0
    $failed = 0

    $errors = @()

    $computer_list = Import-Csv $computer_csv

    foreach ($build_computer in $computer_list) {
        Write-Progress "Building Computer $($build_computer.Name)"

        # capture path from DN: swap the domain suffix, then split off the leaf RDN
        $computer_dn = $build_computer.DistinguishedName -replace $prd_dom,$sandbox_dom
        $computer_dn_split = $computer_dn -split ',',2

        # create computer
        $new_computer = New-ADComputer -Name $build_computer.Name -Path $computer_dn_split[1]
    }
}

if ($build_groups -eq 1) {
    # success/failure counters and error list for the script's reporting
    $success = 0
    $failed = 0

    $errors = @()

    $group_list = Import-Csv $group_csv

    foreach ($build_group in $group_list) {
        Write-Progress "Building Group $($build_group.Name)"

        # capture path from DN: swap the domain suffix, then split off the leaf RDN
        $group_dn = $build_group.DistinguishedName -replace $prd_dom,$sandbox_dom
        $group_dn_split = $group_dn -split ',',2

        # create group (GroupScope 1 = Global)
        $new_group = New-ADGroup -Name $build_group.Name -Path $group_dn_split[1] -GroupScope 1
    }
}

That’s it. After using both of these scripts, you’ll be able to replicate the structure and objects from one domain to another.

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
