Forum Discussion

IT-Engineer's avatar
IT-Engineer
Copper Contributor
Jul 18, 2023
Solved

Copy Groups between forests

Hi I am trying to copy the groups from an OU in one domain to another domain. It looks like it does like the name pipe. Is there a better way to do this? Also, would it be possible to copy the group ...
azure active directory
Windows PowerShell
  • LainRobertson's avatar
    LainRobertson
    Jul 19, 2023

    IT-Engineer 

     

    It's not enough to just set the name. The group's scope and category should also be preserved.

     

    You also do not need to store the groups from the first forest in a variable. This design doesn't scale well in larger environments.

     

    Rather, you can pipe the results of the Get-ADGroup straight into the New-ADGroup commandlet which is targeting the destination forest. This approach allows .NET to reclaim system resources earlier - even during the execution of the command if your environment's large enough.

     

    Get-ADObject -Filter * -SearchBase "OU=Groups,DC=DomainA,DC=local" |
    New-ADGroup -Path "OU=Groups,DC=DomainB,DC=local" -Server "DomainControllerB.DomainB.local" -Credential $DomainBCred;

     

     

    It's worth noting that this process will not copy across the group memberships.

     

    Cheers,

    Lain

LainRobertson's avatar
LainRobertson
Silver Contributor
Jul 19, 2023

IT-Engineer 

 

It's not enough to just set the name. The group's scope and category should also be preserved.

 

You also do not need to store the groups from the first forest in a variable. This design doesn't scale well in larger environments.

 

Rather, you can pipe the results of the Get-ADGroup straight into the New-ADGroup commandlet which is targeting the destination forest. This approach allows .NET to reclaim system resources earlier - even during the execution of the command if your environment's large enough.

 

Get-ADObject -Filter * -SearchBase "OU=Groups,DC=DomainA,DC=local" |
    New-ADGroup -Path "OU=Groups,DC=DomainB,DC=local" -Server "DomainControllerB.DomainB.local" -Credential $DomainBCred;

 

 

It's worth noting that this process will not copy across the group memberships.

 

Cheers,

Lain

  • IT-Engineer's avatar
    IT-Engineer
    Copper Contributor
    Jul 19, 2023
    Thanks Lain! It looks like it is trying to pass the DN though:

    InvalidArgument: (CN=somegroup,OU,DomainA,DC=local:PSObject) [New-ADGroup], ParameterBindingException
    • LainRobertson's avatar
      LainRobertson
      Silver Contributor
      Jul 20, 2023

      IT-Engineer 

       

      It's complaining that it cannot bind a parameter, which is a PowerShell error, not a directory service error.

       

      What is the precise command you are running? (Obviously, obscure the real domain names, etc. but the format is important)

       

      Cheers,

      Lain

      • IT-Engineer's avatar
        IT-Engineer
        Copper Contributor
        Jul 20, 2023

        I actually just got it to work by exporting to a CSV in the source domain and importing that CSV in the target. Thanks for your help Lain!

Resources