Clone AD to a Sandbox: Part 2

Now that we’ve exported the OUs, user objects, computer objects, groups, and group memberships, we’re ready to import them into our new domain.

We’ll walk through some key pieces and possible suggested edits to enhance the basic functionality.

You must have the AD PowerShell module installed on the computer where you run both scripts. This script was developed using a Server 2016 domain controller with a domain functional level of 2016.

Parameters

Like the export script, there are several parameters that you need to specify before running the script. These are on lines 1-21.

$prd_dom = "dc=redmond,DC=local"
$sandbox_dom = "dc=contoso,DC=local"

# what to build. 1 for true, 0 for false
$build_ous = 1
$build_users = 1
$build_comps = 1
$build_groups = 1
$build_group_membership = 1

# csv files
$export_path = "C:\AD_export\Desktop\AD_export-fs"

$ou_csv = "$export_path\export-ous.csv"
$user_csv = "$export_path\export-users.csv"
$computer_csv = "$export_path\export-computers.csv"
$group_csv = "$export_path\export-groups.csv"
$grp_mbr_folder_path = "$export_path\group_mbr"

# protect OUs from Accidental Deletion
$ou_protect_accdelete = 0

First, change $prd_dom to match your production domain. Then change $sandbox_dom to match your sandbox domain.

The next five variables tell the script which objects to build. This should match what you exported from your production domain, with “1” telling it to build the objects and “0” being don’t build. For example, if you only want the OU structure, set $build_ous equal to 1 and the remaining variables equal to 0:

$build_ous = 1
$build_users = 0
$build_comps = 0
$build_groups = 0
$build_group_membership = 0

Next, change the $export_path variable to the folder containing the export files. Don’t modify the next 5 variables.

Finally, set whether you want your OUs created with or without protection from accidental deletion by setting the $ou_protect_accdelete variable to “0” (do not protect) or “1” (enable protect from accidental deletion). By default, OUs are created with this turned on. If you think you’ll need to run this script multiple times, you might want the option to turn off protect from accidental deletion. It makes mass deleting the OU structure much easier.

Build OUs

This section of the script imports the OU csv and builds each OU. It has to do some splitting of the distinguished name (a common theme of this script) to separate the OU's own name from its parent path, then passes that path to the New-ADOrganizationalUnit cmdlet.

# OUs
if ($build_ous -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $ou_list = Import-Csv $ou_csv

    foreach ($build_ou in $ou_list) {
        # $(...) is required to expand a property inside a double-quoted string
        Write-Progress "Building OU $($build_ou.Name)"

        # capture path from DN: swap the domain suffix, then split off the leading RDN
        $ou_dn = $build_ou.DistinguishedName -replace $prd_dom,$sandbox_dom
        $ou_dn_split = $ou_dn -split ',',2

        # create OU (the parent OU must already exist, so the CSV order matters)
        $new_OU = New-ADOrganizationalUnit -Name $build_ou.Name -Path $ou_dn_split[1] -ProtectedFromAccidentalDeletion $ou_protect_accdelete
    }
}
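The DN handling above breaks on two realistic inputs: an OU name containing an escaped comma (splitting on the first comma cuts the RDN in half) and a child OU that appears in the CSV before its parent. The following is an added example, not the blog's script, that rewrites and splits the DN safely, creates OUs shallowest-first, and actually uses the $success/$failed/$errors counters the script declares; it assumes the same $prd_dom, $sandbox_dom, $ou_csv and $ou_protect_accdelete variables as the parameters section.

```powershell
Import-Module ActiveDirectory

function Convert-DnToSandbox {
    param([string]$Dn, [string]$ProdDomain, [string]$SandboxDomain)
    # Escape the production suffix so -replace treats it literally, not as a regex.
    $Dn -replace [regex]::Escape($ProdDomain), $SandboxDomain
}

function Split-Dn {
    param([string]$Dn)
    # Split on the first comma NOT preceded by a backslash, so an RDN such as
    # 'OU=Sales\, EMEA' keeps its escaped comma and the parent path stays intact.
    $parts = $Dn -split '(?<!\\),', 2
    [pscustomobject]@{ Rdn = $parts[0]; Parent = $parts[1] }
}

function Get-DnDepth {
    param([string]$Dn)
    # Number of unescaped commas equals nesting depth; parents have fewer than children.
    ([regex]::Matches($Dn, '(?<!\\),')).Count
}

$success = 0; $failed = 0; $errors = @()

# Sort shallowest-first so every parent OU exists before its children are created.
$ou_list = Import-Csv $ou_csv | Sort-Object { Get-DnDepth $_.DistinguishedName }

foreach ($build_ou in $ou_list) {
    $ou_dn = Convert-DnToSandbox -Dn $build_ou.DistinguishedName -ProdDomain $prd_dom -SandboxDomain $sandbox_dom
    $split = Split-Dn -Dn $ou_dn
    Write-Progress -Activity "Building OU $($build_ou.Name)"
    try {
        # -ErrorAction Stop turns a non-terminating AD error into a catchable exception.
        New-ADOrganizationalUnit -Name $build_ou.Name -Path $split.Parent `
            -ProtectedFromAccidentalDeletion ([bool]$ou_protect_accdelete) -ErrorAction Stop
        $success++
    } catch {
        $failed++
        $errors += "$ou_dn : $($_.Exception.Message)"
    }
}

Write-Host "OUs created: $success, failed: $failed"
$errors | ForEach-Object { Write-Warning $_ }
```

Running it a second time reports every existing OU as a failure rather than aborting the loop, which is the behaviour you want when re-building a sandbox.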

Build Users

This section of the script builds the user objects. It follows a similar process as the OU section, but sets one additional parameter based on whether or not the user was enabled in the production domain.

Another important note about this section is that all user accounts are created without a password and with the PasswordNotRequired flag. As I stated in the export blog, you would not want to use this to create a production domain. This is one of the primary reasons why.

# USERS
if ($build_users -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $user_list = Import-Csv $user_csv

    foreach ($build_user in $user_list) {
        Write-Progress "Building User $($build_user.Name)"

        # capture path from DN
        $user_dn = $build_user.DistinguishedName -replace $prd_dom,$sandbox_dom
        $user_dn_split = $user_dn -split ',',2

        # create user; Import-Csv returns Enabled as the string "True"/"False"
        if ($build_user.Enabled -eq $true) {$enabled = 1} else {$enabled = 0}
        # no password is set, so PasswordNotRequired must be true or an enabled user cannot be created
        $new_user = New-ADUser -Name $build_user.Name -Path $user_dn_split[1] -Enabled $enabled -PasswordNotRequired $true
    }
}

This is one section where the export script could be enhanced to move additional attributes. If you added additional attributes to the export, be sure to update this section to include them in the creation process.
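One way to carry extra exported attributes through to New-ADUser without editing the cmdlet call each time is to build the parameters as a hashtable and splat it. This is an added example, not the blog's script; it assumes the export was extended with SamAccountName, GivenName, Surname, DisplayName and Description columns (an assumption, since Part 1 is not on this page) and reuses the same $prd_dom, $sandbox_dom and $user_csv variables.

```powershell
Import-Module ActiveDirectory

function ConvertTo-AdBool {
    param([string]$Value)
    # Import-Csv yields the strings 'True'/'False', never real booleans.
    return ($Value -eq 'True')
}

function New-SandboxUserParams {
    param([pscustomobject]$Row, [string]$ProdDomain, [string]$SandboxDomain)
    # Same DN rewrite and split as the script's own user section.
    $dn   = $Row.DistinguishedName -replace $ProdDomain, $SandboxDomain
    $path = ($dn -split ',', 2)[1]
    $p = @{
        Name                = $Row.Name
        Path                = $path
        Enabled             = ConvertTo-AdBool $Row.Enabled
        # No password is set, so the account can only be created with this flag.
        PasswordNotRequired = $true
    }
    # Optional columns (assumed to exist in an extended export): copy only those that
    # are present and non-empty, so a blank cell never becomes an empty attribute value.
    foreach ($col in 'SamAccountName', 'GivenName', 'Surname', 'DisplayName', 'Description') {
        $prop = $Row.PSObject.Properties[$col]
        if ($prop -and -not [string]::IsNullOrWhiteSpace($prop.Value)) { $p[$col] = $prop.Value }
    }
    return $p
}

$user_list = Import-Csv $user_csv
foreach ($build_user in $user_list) {
    $params = New-SandboxUserParams -Row $build_user -ProdDomain $prd_dom -SandboxDomain $sandbox_dom
    Write-Progress -Activity "Building User $($params.Name)"
    try {
        # Splatting passes every key in the hashtable as a named parameter.
        New-ADUser @params -ErrorAction Stop
    } catch {
        Write-Warning "$($params.Name): $($_.Exception.Message)"
    }
}
```

Adding another attribute then means adding its column name to the list, provided it matches a New-ADUser parameter name.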

Build Computers and Build Groups

These two sections of the script are exactly like the build OU section. The only difference is the PowerShell cmdlet that is called to build the respective objects.

# COMPUTERS
if ($build_comps -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $computer_list = Import-Csv $computer_csv

    foreach ($build_computer in $computer_list) {
        Write-Progress "Building Computer $($build_computer.Name)"

        # capture path from DN
        $computer_dn = $build_computer.DistinguishedName -replace $prd_dom,$sandbox_dom
        $computer_dn_split = $computer_dn -split ',',2

        # create computer
        $new_computer = New-ADComputer -Name $build_computer.Name -Path $computer_dn_split[1]
    }
}

# GROUPS
if ($build_groups -eq 1) {
    $success = 0
    $failed = 0

    $errors = @()

    $group_list = Import-Csv $group_csv

    foreach ($build_group in $group_list) {
        Write-Progress "Building Group $($build_group.Name)"

        # capture path from DN
        $group_dn = $build_group.DistinguishedName -replace $prd_dom,$sandbox_dom
        $group_dn_split = $group_dn -split ',',2

        # create group; GroupScope 1 = Global, so every group is created as Global regardless of its scope in production
        $new_group = New-ADGroup -Name $build_group.Name -Path $group_dn_split[1] -GroupScope 1
    }
}

That’s it. After using both of these scripts, you’ll be able to replicate the structure and objects from one domain to another.

Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
