none
Using PowerShell, export & import users in Active Directory? RRS feed

  • Question

  • Using PowerShell, can I export users from one domains active director, and then import them to another?  

    I'm looking to see if there are any shortcuts I can take on domain migrations, something like this would skip entering users manually.  

    Tuesday, September 11, 2012 5:17 PM

Answers

  • You definitely can do this, using Get-ADUser (for example) to export users in the old domain to a csv file, then using Set-ADUser to import into the new domain. Do not export/import attributes assigned by AD, such as objectClass, objectCategory, objectGUID, objectSID. Also do not export canonicalName. You must export/import distinguishedName and sAMAccountName. The only attribute in the resulting text file that needs to be modified is distinguishedName, where you need to do a global replace of the dc components (for example, change "dc=OldDomain,dc=com" to "dc=NewDomain,dc=com"). You can export attributes that correspond to the fields on most of the tabs in ADUC.

    Before importing the users in the new domain, you must create the containers and OU's to match the old domain. If you intend to copy group memberships, you need to plan carefully. Either export/import all groups first (without the member attribute but with the memberOf attribute to account for group nesting), then export/import all users with their memberOf attributes. Or do the reverse, export/import all users first without their memberOf attributes, then export/import all groups with both the member and memberOf attributes. The other group attributes you should copy are distinguishedName (with the same modification of the dc components), sAMAccountName, description, and groupType.

    Attributes of AD objects (corresponding to fields in ADUC) are documented in this Wiki article:

    http://social.technet.microsoft.com/wiki/contents/articles/6822.active-directory-attributes-in-the-aduc-gui-tool-en-us.aspx

    Besides the built help for the AD modules, the following Wiki article documents the default and extended parameters supported by the AD cmdlets (like Get-ADUser) and which AD attribute the correspond to:

    http://social.technet.microsoft.com/wiki/contents/articles/12031.active-directory-powershell-ad-module-properties-en-us.aspx

    Also, there may be examples in the Script Gallery where someone has done this before.


    Richard Mueller - MVP Directory Services

    • Marked as answer by TheSuperman76 Wednesday, September 12, 2012 12:04 AM
    Tuesday, September 11, 2012 6:11 PM
    Moderator
  • Using PowerShell, can I export users from one domains active director, and then import them to another?  

    I'm looking to see if there are any shortcuts I can take on domain migrations, something like this would skip entering users manually.  

    Microsoft publishes many domain migration tool sets.  Look into UMT and the deployment technologies.  All can migrate users, groups and permisisons as well as profiles.

    http://www.microsoft.com/en-us/download/details.aspx?id=8377

    Here is the latest migration guide:

    http://www.microsoft.com/en-us/download/details.aspx?id=19188


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, September 11, 2012 9:27 PM
    • Marked as answer by TheSuperman76 Wednesday, September 12, 2012 12:04 AM
    Tuesday, September 11, 2012 9:26 PM

All replies

  • It would require that both AD structures are identical.  Otherwise, where will you put your new users?

    Grant Ward, a.k.a. Bigteddy

    Tuesday, September 11, 2012 5:58 PM
  • You definitely can do this, using Get-ADUser (for example) to export users in the old domain to a csv file, then using Set-ADUser to import into the new domain. Do not export/import attributes assigned by AD, such as objectClass, objectCategory, objectGUID, objectSID. Also do not export canonicalName. You must export/import distinguishedName and sAMAccountName. The only attribute in the resulting text file that needs to be modified is distinguishedName, where you need to do a global replace of the dc components (for example, change "dc=OldDomain,dc=com" to "dc=NewDomain,dc=com"). You can export attributes that correspond to the fields on most of the tabs in ADUC.

    Before importing the users in the new domain, you must create the containers and OU's to match the old domain. If you intend to copy group memberships, you need to plan carefully. Either export/import all groups first (without the member attribute but with the memberOf attribute to account for group nesting), then export/import all users with their memberOf attributes. Or do the reverse, export/import all users first without their memberOf attributes, then export/import all groups with both the member and memberOf attributes. The other group attributes you should copy are distinguishedName (with the same modification of the dc components), sAMAccountName, description, and groupType.

    Attributes of AD objects (corresponding to fields in ADUC) are documented in this Wiki article:

    http://social.technet.microsoft.com/wiki/contents/articles/6822.active-directory-attributes-in-the-aduc-gui-tool-en-us.aspx

    Besides the built help for the AD modules, the following Wiki article documents the default and extended parameters supported by the AD cmdlets (like Get-ADUser) and which AD attribute the correspond to:

    http://social.technet.microsoft.com/wiki/contents/articles/12031.active-directory-powershell-ad-module-properties-en-us.aspx

    Also, there may be examples in the Script Gallery where someone has done this before.


    Richard Mueller - MVP Directory Services

    • Marked as answer by TheSuperman76 Wednesday, September 12, 2012 12:04 AM
    Tuesday, September 11, 2012 6:11 PM
    Moderator
  • Using PowerShell, can I export users from one domains active director, and then import them to another?  

    I'm looking to see if there are any shortcuts I can take on domain migrations, something like this would skip entering users manually.  

    Microsoft publishes many domain migration tool sets.  Look into UMT and the deployment technologies.  All can migrate users, groups and permisisons as well as profiles.

    http://www.microsoft.com/en-us/download/details.aspx?id=8377

    Here is the latest migration guide:

    http://www.microsoft.com/en-us/download/details.aspx?id=19188


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, September 11, 2012 9:27 PM
    • Marked as answer by TheSuperman76 Wednesday, September 12, 2012 12:04 AM
    Tuesday, September 11, 2012 9:26 PM
  • Thanks guys, you've given me a lot to look into, test an research.  Thanks again.  
    Wednesday, September 12, 2012 12:05 AM