Forum Discussion

Thedarkpools's avatar
Thedarkpools
Copper Contributor
May 07, 2021

Export/Import Users/Groups from AD to Test AD

I'm trying to compile a script that will help in my project. Project scope:  Mirror Prod to Dev AD.  Export all users and security group membership (including nested groups) to a csv.  Users live in...
PowerShell - AD
farismalaeb's avatar
farismalaeb
Steel Contributor
May 08, 2021
Hi,
I dont think you need PowerShell more than restore a backup of your AD.
I would recommend to create a mother ISOLATED environment and restore your Active Directory to this environment and do your test in the way you want.
  • Thedarkpools's avatar
    Thedarkpools
    Copper Contributor
    May 10, 2021
    That sounds like an idea however, this AD needs to reach the internet, communicate with SSO and Office365. I feel that would create a conflict if so. I worked a bit with PS but just unable to come up with a script that will complete this task.
    • SteveMacNZ's avatar
      SteveMacNZ
      Iron Contributor
      May 11, 2021

      Thedarkpools 

       

      restoring domain controllers and other critical servers into a segregated environment is normally the best method - as recreating the server / users is not a true representation of the production domain, and would potentially lead to non predictable results - things like SIDs etc will be different and the potential for configuring differences between Prod and Test is greater.

       

      As for requiring access to SSO and Office365 if you are using the same namespace/forest/domain/upn trying to connect to the same tenant you will run into issues regardless of the approach (PowerShell verses cloned/restored). Typically we would have the test domain going into a test tenant...

      if forest/domain namespaces are different then you could connect both domains into the same tenant - with AD Connect in Production network connecting to the test network (Two different domains in one Office 365 tenant - Microsoft Tech Community) for more information. But again if your user details UPNs etc are the same you will run into issues and potentially have your production users soft-matched to the test domain user account 

      • Thedarkpools's avatar
        Thedarkpools
        Copper Contributor
        May 12, 2021
        That makes sense and I hear what you are saying. This is a test Office tenant, and test AD, the only thing that is the same is the username, and security groups, albeit going from john.doe@mycompany.com to john.doe@testcompany.com I just simply want to match the user and security groups. So far, what I have tested does work but this is only a few OU's and a few Users. I didn't think this would be that difficult to obtain as seems there are tons of PS commands to make this happen, but I just am stuck on OU specific and not the full AD structure.
        Would it make it easier to paste what script I have and then try to see if someone can modify?

Resources