PowerShell Script – Active Directory Export and Import Tip

AD_IMP_EXP_Logo

 

Hello World,

As you have noticed, I’m not posting as regularly as I would lately.  Sorry about that but I’m really busy with some difficult projects lately. So, I do not have much time for me.  But, today, hey….I’ve managed to get some free time and I will use this time to quickly post a some tip about PowerShell script and Active Directory.  We will briefly show how you can export AD information in a smarter way in order to be able to reuse your exported data in an easy way while performing an import action.  Let’s see what does that means !

Background

Time to time some customers ask me to perform an export of the Active Directory infrastructure.  Using Powershell Script and the Active Directory module, we can export the OU Structure, the Groups, the group membership and the user information from the Active Directory.

Why would you import-export your OU structure ?

A first reason would be for documentation purposes. Another reason might be for Disaster Recovery purposes (I think more of the Group membership information).  If you do not have the AD Recycle Bin enabled in your Active Directory and you need to re-animate an object, you will only get the basic information.  Group membership information are lost.  Such export import operation can help you retrieving the group membership information.  Another option would be that you need to replicate the OU structure to another Active Directory domain for test and validation purposes. You need to validate a change in your Active Directory but you do not want to do that in your production infrastructure.  You can replicate the AD infrastructure using PowerShell scripting. If you have multiple Active Directory Forests/domain, you might want to standardize the OU structure and the GPO associated to it.

Whatever your reasons are, we will show how we can perform this operation.

How to Export the AD OU Structure

In this post, we will focus mainly on exporting the OU structure but you can apply the technique while exporting Groups or users objects.  If you google a bit, you will see that in order to export the OU Active Directory structure using PowerShell, you can issue the following command :

If you are using Windows 2008 R2, you will issue the following 

Import-module ActiveDirectory

Get-ADOrganizationalUnit -filter {name -like “*”} | Select Name, DistinguishedName | export-csv AD_OU_Tree.csv -NoTypeInformation

If you are running Windows 2012 or later,  you do not need to import the Active Directory module and you can simply issue the following command

Get-ADOrganizationalUnit -filter {name -like “*”} | Select Name, DistinguishedName | export-csv AD_OU_Tree.csv -NoTypeInformation

So far, nothing really complex.  You have achieved your target i.e. epxorting your OU structure.

Importing your Active Directory OU structure

Now, you will need to perform an import operation (let say that you need to replicate the OU structure in new Active Directory Forest), you will need to issue again a PowerShell command and you will use the export file as the input source for the operation.   To import the OU structure, we will basically need to create new OU in your target forest.  To recreate the OU structure, you will need to use the New-ADOrganizationalUnit.  You will issue something like this

New-ADOrganizationalUnit –Name <%Name%> -Path <%OU Path %>

Now, given the structure of the exported file, you will have a small issue to perform the import operation.  Indeed, in our export file, we do not have the information about the OU Path (at least not out of the box). We have the distinguishedName and the Name information but no OU Path information.

We have 2 ways to fix this issue.

Solution 1 – Create an Import function to obtain the OU Path

In this solution, we perform a standard export operation (as described above) but we need to write additional code in our import operation in order to obtain the OU Path information.  The script could be something like this below 

Note : This code has not been tested.  It’s just to give you an idea of what could be done…. 

import_ad_1

Click on picture for Better Resolution

Solution 2 – Change the way you perform the Export operation (smarter way)

 The other option is to modify the code that we use during the export operation.  By modifying the export code, we want to store in the input file the information about the OU Parent Path.  This export operation can be performed in a one-line command which might be simpler to do that creating a custom import function.

To dump the OU Parent Path information during the export operation, you will issue the following command,

$StrOU=Get-ADOrganizationalUnit -Filter {Name -like ‘*’} | select name,DistinguishedName,@{n=’OUPath’;e={$_.distinguishedName -replace ‘^.+?,(CN|OU.+)’,’$1′}}

$strOU | export-csv OUTree.csv -NoTypeInformation

Because you have the OU Path information already in your input file, your import function will look like the code below (not tested but should be working) 

 

import_ad_2a

Click on Picture for Better Resolution 

Final Notes

As you can see, performing export/import active directory operations are becoming easier with PowerShell scripting capabilities.  In this post, we have shown how you could perform a smarter export operation in order to get the needed information to be provided while performing the import operation.  Either way, you will achieve your goal.  So, you can choose your way but for me the second option seems simply more efficient and it’s easier to implement.

Now, you should be ready to customize your own scripts and perform good Import export AD operation.

 Till Next Time

See ya

 

 

10 thoughts on “PowerShell Script – Active Directory Export and Import Tip

  1. Thanks for the great piece of code. I’ve tested it and it works great (with some modifications, which I will explain later).

    The only issue I can see here is that the import function will not work as-is with the existing exported data. The reason that it will not work is in the way the export function exports the OU structure- it’s not in any particular order, so you end up with, as an example, something like this:

    OU=Service Accounts,OU=Melbourne,OU=Australia,DC=MyDomain,DC=com
    OU=Resources,OU=Service Accounts,OU=Melbourne,OU=Australia,DC=MyDomain,DC=com
    OU=Database Security,OU=Security Groups,OU=Melbourne,OU=Australia,DC=MyDomain,DC=com
    OU=Security Groups,OU=Melbourne,OU=Australia,DC=MyDomain,DC=com

    Using the above example, the “Resources” OU will be created OK, because the “Service Accounts” OU has already been created in the first row.

    However, the “Database Security” OU will not be created because the parent OU, “Security Groups”, has not yet been created- it’s on the next line!

    So I had to re-arrange the exported OUs so that the parent OUs came before the child OUs and this is how it worked OK.

    I would like to ask if there is a method to change the Export function so that it exports the OU using the tree structure and not any other method? So it should work like this:

    Parent
    Parent\Child001
    Parent\Child001\Child011
    Parent\Child002
    Parent\Child002\Child021
    etc

  2. Hello Julian,

    Yes, you are right. if you simply use the export script provided, you can end up with OU set in different orders. to overcome this situation, you would need to perform a recursive export function. We had noticed this situation because we have encountered the same issue. If we have some time within the next 10 days, we will post a new article that would update the information originally found in the article

    Till next
    See ya

  3. Here’s the way I get the file ordered so that when you import you create the hierarchy properly.
    Add a new parameter that counts the number of OUs:
    @{n=’OUNum’;e={([regex]::Matches($_.distinguishedName, “OU=” )).count}}
    and then pipe the whole thing into “sort OUNum” before exporting it.

  4. Is there people that could have a script that export in a file the security on 2 Domain Controller.
    And also a script to import theses securities from that same file.

    example : on 2 Domain controller, on the security i have a user that have security settings, I want to export that in a file.
    The objective is to delete theses securities for these 2 domain controllers.
    But I want a method to rollback.

    Thank you in advance,

Leave a Reply