Forum Discussion

Thedarkpools
Copper Contributor
May 07, 2021

Export/Import Users/Groups from AD to Test AD

I'm trying to compile a script that will help in my project.

Project scope:  Mirror Prod to Dev AD.  Export all users and security group membership (including nested groups) to a CSV.  Users live in sub-OUs, and in sub-OUs of those OUs, so the export would need to capture all of them.  With my current script you have to manually change each OU when running it, and this is not doable long term.

I need to incorporate the correct attributes needed to build a new AD account on import (FirstName, email address, UPN, etc.)

After the export, I can massage the CSV to use the new test domain information so the import process will work correctly.  The import process should build new users, assign a temp password and also overlook any users that are already built in the new test AD.  I did get some users there and need the script to overlook ones that may already exist but still add them to the right group memberships.

AD server is 2016 Datacenter

 

Any help is truly appreciated!  
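The procedure asked for above (recursive export of users plus security-group membership across all sub-OUs, then an idempotent import that creates missing users with a temporary password and reconciles group membership for users that already exist) as an added example written for this page; it is not a script from the thread or from any poster. It assumes the RSAT ActiveDirectory module, a domain-admin session in each forest, and placeholder OU/domain names as marked in the comments. Nested membership is kept as group-to-group links (groups.csv) rather than flattened, and groups that already exist in the test domain (built-ins such as Domain Admins) are reused rather than recreated. The UPN suffix is rewritten on import; if both domains ever sync to one tenant, pick a suffix that differs from production so the test accounts cannot be soft-matched to production users. Every account is created with the same temporary password, which is acceptable only because ChangePasswordAtLogon is forced and the target is an isolated test forest.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module, a domain-admin
# session in each forest, and the placeholder OU/domain names shown in the comments below.
Import-Module ActiveDirectory

# Parent container of a DN, splitting only on commas that are not escaped (e.g. CN=Smith\, John,OU=...).
function Get-ParentDn([string]$Dn) { ($Dn -split '(?<!\\),', 2)[1] }

# ---------- EXPORT: run in the PROD forest ----------
function Export-AdMirror {
    param([Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Corp,DC=prod,DC=example,DC=com' (placeholder)
          [Parameter(Mandatory)][string]$OutDir)
    # Subtree scope walks every nested OU, so the script never has to be edited per OU.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                -Properties GivenName, Surname, DisplayName, mail, MemberOf
    $queue = [System.Collections.Generic.Queue[string]]::new()   # security groups still to be exported
    $seen  = @{}
    $users | ForEach-Object {
        $u = $_
        $direct = foreach ($dn in $u.MemberOf) {
            $g = Get-ADGroup -Identity $dn
            if ($g.GroupCategory -eq 'Security') {
                if (-not $seen.ContainsKey($g.SamAccountName)) { $seen[$g.SamAccountName] = $true; $queue.Enqueue($g.SamAccountName) }
                $g.SamAccountName
            }
        }
        # OU path relative to $SearchBase ('' when the user sits directly in it) so it can be re-rooted later.
        $relOu = (Get-ParentDn $u.DistinguishedName) -replace ('(?i),?' + [regex]::Escape($SearchBase) + '$'), ''
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName; GivenName = $u.GivenName; Surname = $u.Surname
            DisplayName = $u.DisplayName; Mail = $u.mail; UserPrincipalName = $u.UserPrincipalName
            Enabled = $u.Enabled; OUPath = $relOu; Groups = ($direct -join ';')
        }
    } | Export-Csv (Join-Path $OutDir 'users.csv') -NoTypeInformation

    # Groups: follow each group's own MemberOf upward so nested (group-in-group) links are preserved.
    $rows = [System.Collections.Generic.List[object]]::new()
    while ($queue.Count) {
        $g = Get-ADGroup -Identity $queue.Dequeue() -Properties MemberOf
        $parents = foreach ($dn in $g.MemberOf) {
            $p = Get-ADGroup -Identity $dn
            if ($p.GroupCategory -eq 'Security') {
                if (-not $seen.ContainsKey($p.SamAccountName)) { $seen[$p.SamAccountName] = $true; $queue.Enqueue($p.SamAccountName) }
                $p.SamAccountName
            }
        }
        $rows.Add([pscustomobject]@{ Name = $g.SamAccountName; Scope = $g.GroupScope; ParentGroups = ($parents -join ';') })
    }
    $rows | Export-Csv (Join-Path $OutDir 'groups.csv') -NoTypeInformation
}

# ---------- IMPORT: run in the TEST forest ----------
function Add-MemberIfMissing([string]$Group, [string]$MemberDn) {
    # Add-ADGroupMember errors on an existing member, so check the Member attribute first (idempotent re-runs).
    $g = Get-ADGroup -Identity $Group -Properties Member
    if ($g.Member -notcontains $MemberDn) { Add-ADGroupMember -Identity $g -Members $MemberDn }
}

function Initialize-MirrorOu([string]$RelPath, [string]$Base) {
    # Recreate e.g. 'OU=Sales,OU=Corp' beneath $Base, outermost OU first; returns the final DN.
    $dn = $Base
    if ($RelPath) {
        [array]$parts = $RelPath -split '(?<!\\),'
        [array]::Reverse($parts)
        foreach ($p in $parts) {
            $name = $p -replace '^OU=', ''
            if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $dn -SearchScope OneLevel)) {
                New-ADOrganizationalUnit -Name $name -Path $dn -ProtectedFromAccidentalDeletion $false
            }
            $dn = "$p,$dn"
        }
    }
    $dn
}

function Import-AdMirror {
    param([Parameter(Mandatory)][string]$InDir,
          [Parameter(Mandatory)][string]$TargetBase,   # e.g. 'OU=Corp,DC=test,DC=example,DC=com' (placeholder)
          [Parameter(Mandatory)][string]$UpnSuffix,    # e.g. 'test.example.com'; keep it different from prod
          [Parameter(Mandatory)][string]$TempPassword)
    $secure  = ConvertTo-SecureString $TempPassword -AsPlainText -Force
    $groups  = Import-Csv (Join-Path $InDir 'groups.csv')
    $groupOu = Initialize-MirrorOu 'OU=MirroredGroups' $TargetBase   # assumed landing OU for groups that do not exist yet
    foreach ($g in $groups) {                                         # pass 1: create missing groups
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($g.Name)'")) {
            New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $groupOu
        }
    }
    foreach ($g in $groups) {                                         # pass 2: nesting, now that every group exists
        $dn = (Get-ADGroup -Identity $g.Name).DistinguishedName
        foreach ($parent in ($g.ParentGroups -split ';' | Where-Object { $_ })) { Add-MemberIfMissing $parent $dn }
    }
    foreach ($u in Import-Csv (Join-Path $InDir 'users.csv')) {
        $existing = Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'"
        if (-not $existing) {
            $upn = "$($u.SamAccountName)@$UpnSuffix"
            $cn  = if ($u.DisplayName) { $u.DisplayName } else { $u.SamAccountName }
            $new = @{ Name = $cn; SamAccountName = $u.SamAccountName; UserPrincipalName = $upn; EmailAddress = $upn
                      Path = (Initialize-MirrorOu $u.OUPath $TargetBase); AccountPassword = $secure
                      ChangePasswordAtLogon = $true; Enabled = [bool]::Parse($u.Enabled); PassThru = $true }
            foreach ($attr in 'GivenName', 'Surname', 'DisplayName') { if ($u.$attr) { $new[$attr] = $u.$attr } }  # skip blanks
            $existing = New-ADUser @new
        }
        # Users that already exist are not recreated, but are still reconciled into their groups.
        foreach ($grp in ($u.Groups -split ';' | Where-Object { $_ })) { Add-MemberIfMissing $grp $existing.DistinguishedName }
    }
}

# Usage (placeholder names):
# Export-AdMirror -SearchBase 'OU=Corp,DC=prod,DC=example,DC=com' -OutDir C:\Mirror
# Import-AdMirror -InDir C:\Mirror -TargetBase 'OU=Corp,DC=test,DC=example,DC=com' -UpnSuffix test.example.com -TempPassword 'Temp!Pass-2021'
```

Between the two steps you can still edit users.csv by hand (the OUPath and Groups columns are plain text), but the only field that has to change for the new domain is the UPN, and the import rewrites that from -UpnSuffix. Because the import checks existence before every New-ADUser, New-ADGroup, New-ADOrganizationalUnit and Add-ADGroupMember, it can be re-run after a partial failure without duplicating anything. Groups with the same SamAccountName as a built-in group in the test domain are left as they are, so their scope and container come from the test domain, not the CSV.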

 

  • farismalaeb
    Steel Contributor
    Hi,
    I don't think you need PowerShell; just restore a backup of your AD.
    I would recommend creating another ISOLATED environment, restoring your Active Directory into that environment, and doing your tests in the way you want.
    • Thedarkpools
      Copper Contributor
      That sounds like an idea; however, this AD needs to reach the internet and communicate with SSO and Office 365. I feel that would create a conflict. I have worked a bit with PS but am just unable to come up with a script that will complete this task.
      • SteveMacNZ
        Iron Contributor

        Thedarkpools 

         

        Restoring domain controllers and other critical servers into a segregated environment is normally the best method, as recreating the servers/users is not a true representation of the production domain and could lead to unpredictable results: things like SIDs will be different, and the potential for configuration differences between Prod and Test is greater.

         

        As for requiring access to SSO and Office 365: if you are using the same namespace/forest/domain/UPN and trying to connect to the same tenant, you will run into issues regardless of the approach (PowerShell versus cloned/restored). Typically we would have the test domain going into a test tenant...

        If the forest/domain namespaces are different then you could connect both domains to the same tenant, with AD Connect in the production network connecting to the test network (see Two different domains in one Office 365 tenant - Microsoft Tech Community for more information). But again, if your user details, UPNs etc. are the same you will run into issues and could potentially have your production users soft-matched to the test domain user accounts.
