Clone AD to a Sandbox: Part 2

Now that we’ve exported the OUs, user objects, computer objects, groups, and group memberships, we’re ready to import them into our new domain.

We’ll walk through the key pieces of the import script and some suggested edits that extend its basic functionality.

You must have the AD PowerShell module installed on the computer where you run both scripts. This script was developed using a Server 2016 domain controller with a domain functional level of 2016.


Like the export script, there are several parameters that you need to specify before running the script. These are on lines 1-21.

$prd_dom = "dc=redmond,DC=local"
$sandbox_dom = "dc=contoso,DC=local"

# what to build. 1 for true, 0 for false
$build_ous = 1
$build_users = 1
$build_comps = 1
$build_groups = 1
$build_group_membership = 1

# csv files
$export_path = "C:\AD_export\Desktop\AD_export-fs"

$ou_csv = "$export_path\export-ous.csv"
$user_csv = "$export_path\export-users.csv"
$computer_csv = "$export_path\export-computers.csv"
$group_csv = "$export_path\export-groups.csv"
$grp_mbr_folder_path = "$export_path\group_mbr"

# protect OUs from Accidental Deletion
$ou_protect_accdelete = 0

First, change $prd_dom to match your production domain. Then change $sandbox_dom to match your sandbox domain.

The next five variables tell the script which objects to build. This should match what you exported from your production domain, with “1” telling it to build the objects and “0” being don’t build. For example, if you only want the OU structure, set $build_ous equal to 1 and the remaining variables equal to 0:

$build_ous = 1
$build_users = 0
$build_comps = 0
$build_groups = 0
$build_group_membership = 0

Next, change the $export_path variable to the folder containing the export files. Don’t modify the next 5 variables.

Finally, set whether you want your OUs created with or without protection from accidental deletion by setting the $ou_protect_accdelete variable to “0” (do not protect) or “1” (enable protect from accidental deletion). By default, OUs are created with this turned on. If you think you’ll need to run this script multiple times, you might want the option to turn off protect from accidental deletion. It makes mass deleting the OU structure much easier.

Build OUs

This section of the script imports the OU csv and builds each OU. It has to do some splitting of the distinguished name (a common theme of this script) to separate the OU's own name from its parent path, then passes that path to the New-ADOrganizationalUnit cmdlet.

# OUs
if ($build_ous -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $ou_list = Import-Csv $ou_csv

    foreach ($build_ou in $ou_list) {
        write-progress "Building OU $($build_ou.Name)"

        # capture path from DN: rewrite the production domain suffix, then drop the leading "OU=name," component
        $ou_dn = $build_ou.Distinguishedname -replace $prd_dom,$sandbox_dom
        $ou_dn_split = $ou_dn -split ',',2

        # create OU under the parent path ($ou_dn_split[1])
        $new_OU = New-ADOrganizationalUnit -name $build_ou.Name -path $ou_dn_split[1] -ProtectedFromAccidentalDeletion $ou_protect_accdelete
    }
}
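Two details in the OU section deserve a closer look, so here is an added example (not the author's script) of the same step written defensively. `-replace` treats its first operand as a regular expression, so the production DN is escaped before matching; `-split ','` breaks on commas that are escaped inside an RDN, so the split uses a lookbehind instead; and the rows are sorted by DN depth so a parent OU always exists before its children are created. It reuses the script's `$prd_dom`, `$sandbox_dom`, `$ou_csv` and `$ou_protect_accdelete` variables and fills the `$success`, `$failed` and `$errors` counters the script declares.

```powershell
# Added example, not the original script. Assumes the same $prd_dom, $sandbox_dom,
# $ou_csv and $ou_protect_accdelete variables and the same CSV columns (Name, DistinguishedName).

# -replace takes a regex, so escape the production DN before using it as a pattern.
$prd_pattern = [regex]::Escape($prd_dom)

function Convert-DnToSandbox {
    param([string]$Dn)
    # -replace is case-insensitive, so "dc=" versus "DC=" differences do not matter.
    return ($Dn -replace $prd_pattern, $sandbox_dom)
}

function Split-Dn {
    # Returns the leaf RDN and the parent path. The lookbehind skips commas escaped with a
    # backslash (e.g. "OU=Sales\, EMEA,OU=Corp,DC=contoso,DC=local") that -split ',' would cut on.
    param([string]$Dn)
    $parts = $Dn -split '(?<!\\),', 2
    return [pscustomobject]@{ Rdn = $parts[0]; Parent = $parts[1] }
}

function Get-DnDepth {
    # Number of unescaped DN components; a parent always has a smaller depth than its children.
    param([string]$Dn)
    return ($Dn -split '(?<!\\),').Count
}

$success = 0
$failed  = 0
$errors  = @()

# Sorting by depth guarantees a parent OU exists before anything beneath it is created,
# whatever order the rows were exported in.
$ou_list = Import-Csv $ou_csv | Sort-Object { Get-DnDepth $_.DistinguishedName }

foreach ($build_ou in $ou_list) {
    $ou_dn = Convert-DnToSandbox $build_ou.DistinguishedName
    $dn    = Split-Dn $ou_dn
    Write-Progress -Activity 'Building OUs' -Status $ou_dn

    try {
        # Skip OUs that already exist so the script can be re-run without a pile of errors.
        if (Get-ADOrganizationalUnit -Filter { DistinguishedName -eq $ou_dn } -ErrorAction Stop) {
            continue
        }
        # [int] first: [bool]"0" would be $true if the variable were ever set as a string.
        New-ADOrganizationalUnit -Name $build_ou.Name -Path $dn.Parent `
            -ProtectedFromAccidentalDeletion ([bool][int]$ou_protect_accdelete) -ErrorAction Stop
        $success++
    }
    catch {
        $failed++
        $errors += "$ou_dn : $($_.Exception.Message)"
    }
}

Write-Host "OUs created: $success, failed: $failed"
$errors | ForEach-Object { Write-Warning $_ }
```

The existence check makes the section idempotent, which matters most when `$ou_protect_accdelete` is 1 and a failed run would otherwise leave half a tree that cannot simply be deleted and rebuilt.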

Build Users

This section of the script builds the user objects. It follows a similar process as the OU section, but sets one additional parameter based on whether or not the user was enabled in the production domain.

Another important note about this section is that all user accounts are created without a password and with the PasswordNotRequired flag. As I stated in the export blog, you would not want to use this to create a production domain. This is one of the primary reasons why.

if ($build_users -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $user_list = Import-Csv $user_csv

    foreach ($build_user in $user_list) {
        write-progress "Building User $($build_user.Name)"

        # capture path from DN
        $user_dn = $build_user.Distinguishedname -replace $prd_dom,$sandbox_dom
        $user_dn_split = $user_dn -split ',',2

        # create user; Enabled comes from the CSV as the string "True" or "False"
        if ($build_user.Enabled -eq $true) {$enabled = 1} else {$enabled = 0}
        $new_user = New-ADUser -name $build_user.Name -path $user_dn_split[1] -Enabled $enabled -passwordnotrequired $true
    }
}

The corresponding section of the export script could be enhanced to export additional user attributes. If you add attributes there, be sure to update this section so that they are included in the creation process.
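The following is an added example of that enhancement, not the author's code. It assumes the user CSV carries the extra columns SamAccountName, UserPrincipalName, GivenName, Surname and Description alongside Name, DistinguishedName and Enabled (any column that is missing or empty is skipped), and it assumes the UPN suffixes shown for the two domains. Rather than the PasswordNotRequired flag, every account receives a random password that is never recorded, so the sandbox does not fill up with accounts anyone can log on to as; the last function lists any account that still has the flag set.

```powershell
# Added example, not the original script. Assumed extra CSV columns: SamAccountName,
# UserPrincipalName, GivenName, Surname, Description. Assumed UPN suffixes below.
$upn_suffix_prd = 'redmond.local'
$upn_suffix_sbx = 'contoso.local'
$prd_pattern    = [regex]::Escape($prd_dom)

function New-RandomPassword {
    # Random password from a CSPRNG; rejection sampling avoids the modulo bias a plain
    # "byte % length" would introduce. The value is returned only as a SecureString.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return (ConvertTo-SecureString $sb.ToString() -AsPlainText -Force)
}

$success = 0; $failed = 0; $errors = @()
$user_list = Import-Csv $user_csv

foreach ($build_user in $user_list) {
    $user_dn = $build_user.DistinguishedName -replace $prd_pattern, $sandbox_dom
    $parent  = ($user_dn -split '(?<!\\),', 2)[1]
    Write-Progress -Activity 'Building users' -Status $user_dn

    $params = @{
        Name            = $build_user.Name
        Path            = $parent
        Enabled         = ($build_user.Enabled -eq 'True')   # CSV stores the bool as text
        AccountPassword = New-RandomPassword
        ErrorAction     = 'Stop'
    }
    # Copy optional attributes only when the column exists and is non-empty.
    foreach ($attr in 'SamAccountName', 'GivenName', 'Surname', 'Description') {
        $value = $build_user.$attr
        if ($value) { $params[$attr] = $value }
    }
    # Rewrite the UPN suffix to the sandbox domain so logons work there.
    if ($build_user.UserPrincipalName) {
        $params['UserPrincipalName'] = $build_user.UserPrincipalName -replace `
            "@$([regex]::Escape($upn_suffix_prd))$", "@$upn_suffix_sbx"
    }

    try   { New-ADUser @params; $success++ }
    catch { $failed++; $errors += "$user_dn : $($_.Exception.Message)" }
}

function Get-PasswordNotRequiredUsers {
    # Post-import check: accounts in the sandbox still carrying the PasswordNotRequired flag.
    Get-ADUser -Filter { PasswordNotRequired -eq $true } -SearchBase $sandbox_dom |
        Select-Object SamAccountName, DistinguishedName
}

Write-Host "Users created: $success, failed: $failed"
Get-PasswordNotRequiredUsers
```

A 24-character password from this set will satisfy the default domain complexity policy in practice; if the sandbox enforces a stricter policy, a creation failure shows up in `$errors` with the policy message rather than silently producing an account with no password.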

Build Computers and Build Groups

These two sections of the script are exactly like the build OU section. The only difference is the PowerShell cmdlet that is called to build the respective objects.

if ($build_comps -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $computer_list = Import-Csv $computer_csv

    foreach ($build_computer in $computer_list) {
        write-progress "Building Computer $($build_computer.Name)"

        # capture path from DN
        $computer_dn = $build_computer.Distinguishedname -replace $prd_dom,$sandbox_dom
        $computer_dn_split = $computer_dn -split ',',2

        # create computer
        $new_computer = New-ADComputer -name $build_computer.Name -path $computer_dn_split[1]
    }
}

if ($build_groups -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $group_list = Import-Csv $group_csv

    foreach ($build_group in $group_list) {
        write-progress "Building Group $($build_group.Name)"

        # capture path from DN
        $group_dn = $build_group.Distinguishedname -replace $prd_dom,$sandbox_dom
        $group_dn_split = $group_dn -split ',',2

        # create group; GroupScope 1 = Global (0 = DomainLocal, 2 = Universal)
        $new_group = New-ADGroup -name $build_group.Name -path $group_dn_split[1] -groupscope 1
    }
}
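The group section hardcodes `-groupscope 1`, which is Global, so Domain Local and Universal groups come across with the wrong scope, and because a Global group cannot contain Domain Local groups, some nested memberships exported from production will then fail to import. The added example below (not the author's script) keeps the production scope and category and shows how the membership import that the `$build_group_membership` and `$grp_mbr_folder_path` variables refer to could be done. It assumes the group CSV has the GroupScope, GroupCategory and SamAccountName columns that Get-ADGroup returns, and it assumes a hypothetical membership layout of one CSV per group named after the group's SamAccountName with a distinguishedName column, as Get-ADGroupMember would export.

```powershell
# Added example, not the original script. Assumes the script's $prd_dom, $sandbox_dom,
# $group_csv and $grp_mbr_folder_path variables, GroupScope/GroupCategory/SamAccountName
# columns in the group CSV, and (hypothetical layout) "$grp_mbr_folder_path\<SamAccountName>.csv"
# per group with a distinguishedName column listing its members.
$prd_pattern = [regex]::Escape($prd_dom)
$success = 0; $failed = 0; $errors = @()
$group_list = Import-Csv $group_csv

# Pass 1: create every group so that nested group members resolve in pass 2.
foreach ($build_group in $group_list) {
    $group_dn = $build_group.DistinguishedName -replace $prd_pattern, $sandbox_dom
    $parent   = ($group_dn -split '(?<!\\),', 2)[1]
    Write-Progress -Activity 'Building groups' -Status $group_dn

    $params = @{
        Name          = $build_group.Name
        Path          = $parent
        # Keep the production scope and category; fall back to Global/Security if not exported.
        GroupScope    = if ($build_group.GroupScope)    { $build_group.GroupScope }    else { 'Global' }
        GroupCategory = if ($build_group.GroupCategory) { $build_group.GroupCategory } else { 'Security' }
        ErrorAction   = 'Stop'
    }
    if ($build_group.SamAccountName) { $params['SamAccountName'] = $build_group.SamAccountName }

    try   { New-ADGroup @params; $success++ }
    catch { $failed++; $errors += "$group_dn : $($_.Exception.Message)" }
}
Write-Host "Groups created: $success, failed: $failed"

# Pass 2: memberships. Each member is added in its own call so one member that does not
# exist in the sandbox (e.g. a computer when $build_comps was 0) does not abort the group.
if ($build_group_membership -eq 1) {
    foreach ($build_group in $group_list) {
        $mbr_csv = Join-Path $grp_mbr_folder_path "$($build_group.SamAccountName).csv"
        if (-not (Test-Path $mbr_csv)) { continue }

        $group_dn = $build_group.DistinguishedName -replace $prd_pattern, $sandbox_dom
        foreach ($member in @(Import-Csv $mbr_csv)) {
            $member_dn = $member.distinguishedName -replace $prd_pattern, $sandbox_dom
            try {
                Add-ADGroupMember -Identity $group_dn -Members $member_dn -ErrorAction Stop
            }
            catch {
                # Typical causes: member was never built, or the group's scope does not permit it.
                $errors += "$group_dn <- $member_dn : $($_.Exception.Message)"
            }
        }
    }
}

$errors | ForEach-Object { Write-Warning $_ }
```

Built-in groups such as Domain Users already exist in the sandbox under the rewritten DN, so nested references to them resolve without being exported; anything that does not resolve ends up in `$errors`, which is the list to review before treating the sandbox as a faithful copy.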

That’s it. After using both of these scripts, you’ll be able to replicate the structure and objects from one domain to another.

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
