0 votes

I have been tasked with copying users and groups from one domain to another.

These are two 2012 domains, without a trust. (Prod → model → dev domains). Passwords are not a concern (all will be reset). This will be written in PowerShell running on a member server of the source domain (if that matters).

My question is, should I

  • copy all of the groups, then copy the users adding them to the newly created groups as each one is copied, or
  • copy the users, then create the groups adding the memberships as each group is created, or
  • copy all the users, then all the groups, then go back thru the users (or groups) to confirm memberships are processed?

My gut leans toward #1, but would #2 be a better option (and is #3 really even a consideration)?

Note: This is not a directory migration. I understand users will have new SIDs and profiles. Rather, this is to set up a lab environment that is as identical as I can make it.

That is an infrastructure management question, not a programming question. ServerFault would be the right place for it. - Ansgar Wiechers

I am writing a script to do the copy. The question I am asking is for advice on the best way to write the code (that is, which is the most ideal). I am not asking for help in managing the infrastructure, as the net result is the same in all cases. That is, I am seeking advice on the WAY to do something, not asking WHAT needs to be done. That makes it a programming question. - user2883951

I would recommend your first bullet point. If you've got groups nested into groups in your domains, you'll be better off just creating groups in one pass, then users, then adding users to groups. You may want to check for circular memberships for nested groups. - trebleCode

I would go with #1 as well. I've done something similar and had the best results when all the groups existed first. - Shamus Berube

Have you given thought to the profiles on the users' machines? When they log in with their new accounts, Windows will create a whole new profile and they won't have access to their old one (My Documents, Desktop, etc.). - Gabriel Luci

1 Answer

0 votes

Create your users first, as there are no nesting membership concerns. Create your groups and add membership; you can be sure your user membership is correct on this first pass, but not nested group membership. Rescan groups for missing (group) membership and record how many groups were modified; repeat until no further modifications are required. Done. This is basically the strategy you use with the Microsoft Active Directory Migration Tool (ADMT).

You could create groups first, but your code would start with groups, then users, and then go back to groups again. Not that this is necessarily a problem.

We did this approach in our test and dev for a while but eventually moved to Veeam Virtual Labs (Isolated Sandbox).
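The "rescan until no further modifications" pass described in the answer, written out as an added PowerShell example (not code from the asker or the answerer). It assumes the RSAT ActiveDirectory module on a source-domain member server; `$SrcDC`, `$DstDC` and `$DstCred` are placeholders, and only SamAccountName is carried across because SIDs differ between the two domains.

```powershell
# Added example: fixed-point pass over group membership, run after users and
# groups already exist in the target domain. Placeholders: $SrcDC, $DstDC, $DstCred.
Import-Module ActiveDirectory
$SrcDC   = 'dc01.source.example'   # placeholder: a DC in the source domain
$DstDC   = 'dc01.target.example'   # placeholder: a DC in the target domain (no trust, so explicit creds)
$DstCred = Get-Credential -Message 'Target-domain account allowed to modify group membership'

# Desired state: each source group's direct members (users and nested groups), by SamAccountName.
$srcGroups = Get-ADGroup -Filter * -Server $SrcDC
$wanted = @{}
foreach ($g in $srcGroups) {
    $wanted[$g.SamAccountName] = @(Get-ADGroupMember -Identity $g -Server $SrcDC |
        Where-Object { $_.objectClass -in 'user','group' } |
        Select-Object -ExpandProperty SamAccountName)
}

# One pass: add every wanted member that resolves in the target and is still missing.
# A member that does not exist in the target yet is skipped and retried on the next pass.
function Sync-GroupMembershipPass {
    $changes = 0
    foreach ($name in $wanted.Keys) {
        $dstGroup = Get-ADGroup -Filter "SamAccountName -eq '$name'" -Server $DstDC -Credential $DstCred
        if (-not $dstGroup) { Write-Warning "Group '$name' not found in target; skipped"; continue }
        $have = @(Get-ADGroupMember -Identity $dstGroup -Server $DstDC -Credential $DstCred |
            Select-Object -ExpandProperty SamAccountName)
        foreach ($m in ($wanted[$name] | Where-Object { $_ -notin $have })) {
            $dstMember = Get-ADObject -Filter "SamAccountName -eq '$m'" -Server $DstDC -Credential $DstCred
            if (-not $dstMember) { continue }     # not created yet; picked up on a later pass
            Add-ADGroupMember -Identity $dstGroup -Members $dstMember.DistinguishedName `
                -Server $DstDC -Credential $DstCred
            $changes++
        }
    }
    return $changes
}

# Repeat until a pass makes no changes; the cap stops a loop that never converges
# (for example, members that were never created in the target).
$pass = 0
do {
    $pass++
    $n = Sync-GroupMembershipPass
    Write-Host "Pass $pass : $n membership additions"
} while ($n -gt 0 -and $pass -lt 20)
```

The per-pass count is the "record how many groups were modified" step; anything still reported as missing after the final pass is a group or user that was not created in the target and needs a look before the lab is trusted as identical.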