Migrate your Active Directory Groups across tenants

Many organisations run hybrid environments. With the help of Azure AD Sync (also known as Azure AD Connect), they synchronize their user accounts, groups, and credentials from an on-premises Active Directory (AD) instance to Azure AD.

With mergers and acquisitions increasingly common, it is vital to have a mechanism for provisioning these on-premises Active Directory entities in the target environment.

Apps4.Pro Migration Manager, a key player in the migration of Microsoft workloads, provides a way to get the key Active Directory entities (users, groups and organizational units) provisioned via PowerShell scripts, without the need for a trust relationship between the two environments.

In this blog we show how to migrate Active Directory groups from one on-premises environment to another in two simple steps.

Step 1: Export the Active Directory groups from your source tenant

Step 2: Import them into the target tenant

The script exports the following group details:

   🠊   Group Name
   🠊   Description
   🠊   Mail
   🠊   Display Name
   🠊   Distinguished Name
   🠊   Domain Name
   🠊   Managed By
   🠊   Group Scope
   🠊   Group Category
   🠊   Member
   🠊   Property : ProtectedFromAccidentalDeletion

Let's get started!

Prerequisites: please install the Microsoft Graph PowerShell and the required modules before running this script.

All you need to do is:

  1. Run the scripts below, supplying
    • the path to the CSV used to export / import the groups
    • the fully qualified domain name
  2. Sign in as a Domain Admin / Enterprise Admin

Script to Export Active Directory Groups

You can download the PowerShell script from: https://cdn.apps4.pro/scripts/export-active-directory-groups.ps1


```powershell
function Export-ADGroups {
    param (
        [Parameter(Mandatory)]
        [string]$OutputPath
    )

    # Get-Module alone only lists modules already loaded in this session;
    # -ListAvailable checks whether the RSAT module is installed at all
    if (-not (Get-Module -Name ActiveDirectory -ListAvailable)) {
        # Install the module
        Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
    }

    # Import the Active Directory module
    Import-Module ActiveDirectory

    $domainDN = (Get-ADDomain).DistinguishedName

    # Create an array to store group information
    $groupData = @()

    # Get all groups along with all their properties
    $groups = Get-ADGroup -Filter * -Properties *

    foreach ($group in $groups) {
        # Display progress
        Write-Progress -Activity "Exporting $($group.Name) Group"

        # Get all AD group members. The group is identified by its DN (Name is not a
        # valid -Identity value) and a failure is reported instead of silently
        # exporting the group with no members (e.g. very large groups or members
        # from another forest).
        try {
            $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -ErrorAction Stop)
        } catch {
            Write-Warning "Could not enumerate members of $($group.Name): $_"
            $members = @()
        }
        # Store the member DNs as a ";"-separated list
        $memberslist = ($members | ForEach-Object { $_.DistinguishedName }) -join ";"

        # Create a custom object to store group and member properties
        $groupObject = New-Object PSObject -Property @{
            domainName                      = $domainDN
            cn                              = $group.CN
            description                     = $group.Description
            distinguishedName               = $group.DistinguishedName
            groupType                       = $group.groupType
            GroupCategory                   = $group.GroupCategory
            GroupScope                      = $group.GroupScope
            info                            = $group.info
            instanceType                    = $group.instanceType
            mail                            = $group.mail
            managedBy                       = $group.ManagedBy
            member                          = $memberslist
            name                            = $group.Name
            objectCategory                  = $group.ObjectCategory
            sAMAccountName                  = $group.SamAccountName
            DisplayName                     = $group.DisplayName
            ProtectedFromAccidentalDeletion = $group.ProtectedFromAccidentalDeletion
        }

        # Add the object to the groupData array
        $groupData += $groupObject
    }

    # Export the data to a CSV file
    $groupData | Export-Csv -Path $OutputPath -NoTypeInformation
}

Export-ADGroups -OutputPath "Path of the CSV to Export Groups"
# For example
# Export-ADGroups -OutputPath "C:\Users\admin\groups_exported.csv"
```

Snippet of the exported data

Script to Import Active Directory Groups

You can download the PowerShell script from: https://cdn.apps4.pro/scripts/import-active-directory-groups.ps1


```powershell
function Import-ADGroups {
    param (
        [Parameter(Mandatory)]
        [string]$csvFilePath
    )
    process {
        # Import the Active Directory module
        Import-Module ActiveDirectory

        # Import the group data from the CSV file
        $groups = Import-Csv $csvFilePath
        $targetDN = (Get-ADDomain).DistinguishedName

        # Create a new AD group with the specified properties
        foreach ($group in $groups) {
            # -replace is a regex operator, so escape the source domain DN before
            # rewriting it to the target domain DN
            $sourcePattern = [regex]::Escape($group.domainName)

            # Look the group up by sAMAccountName; -Filter returns nothing instead of
            # throwing when the group does not exist
            $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$($group.sAMAccountName)'"

            if ($adGroup) {
                Write-Host $group.sAMAccountName "Group already exists"
                $targetGrp = $adGroup
            } else {
                # Parent OU: drop the leading RDN (a comma escaped with "\" is part of the
                # CN, not a separator) and rebase the rest onto the target domain
                $split = $group.distinguishedName -split '(?<!\\),'
                $parentDN = (($split | Select-Object -Skip 1) -join ",") -replace $sourcePattern, $targetDN

                $groupParams = @{
                    Name           = $group.name
                    SamAccountName = $group.sAMAccountName
                    GroupCategory  = $group.GroupCategory # "Security" or "Distribution"
                    GroupScope     = $group.GroupScope    # "Global", "DomainLocal" or "Universal"
                    Path           = $parentDN            # OU in which the group is created
                }
                # Import-Csv yields "" (never $null) for empty cells, so test for content
                if ($group.description) { $groupParams.Description = $group.description }
                if ($group.DisplayName) { $groupParams.DisplayName = $group.DisplayName }

                # Display progress
                Write-Progress -Activity "Creating $($group.name) Group"
                try {
                    # -PassThru returns the new object (Name is not a valid -Identity value)
                    $targetGrp = New-ADGroup @groupParams -PassThru -ErrorAction Stop
                } catch {
                    # Usually the parent OU does not exist yet: migrate the OUs first
                    Write-Warning "Could not create $($group.name): $_"
                    continue
                }
                Write-Host "Group $($group.name) created successfully."

                # Update the AD group properties New-ADGroup did not set
                # managedBy is single-valued, so it is set rather than added to
                if ($group.managedBy) {
                    $managedGrp = $group.managedBy -replace $sourcePattern, $targetDN
                    Set-ADGroup -Identity $targetGrp -ManagedBy $managedGrp -ErrorAction SilentlyContinue
                }
                # Update the info attribute
                if ($group.info) {
                    Set-ADObject -Identity $targetGrp -Replace @{info = $group.info} -ErrorAction SilentlyContinue
                }
                # Update the mail attribute
                if ($group.mail) {
                    Set-ADGroup -Identity $targetGrp -Replace @{mail = $group.mail} -ErrorAction SilentlyContinue
                }
                if ($group.ProtectedFromAccidentalDeletion -eq "TRUE") {
                    Set-ADObject -Identity $targetGrp -ProtectedFromAccidentalDeletion $true -ErrorAction SilentlyContinue
                }
            }

            # Add the AD group members: the export stores member DNs separated by ";"
            $membersplits = $group.member -split ";" | Where-Object { $_ }
            foreach ($membersplit in $membersplits) {
                $TargetMember = $membersplit -replace $sourcePattern, $targetDN
                try {
                    Add-ADGroupMember -Identity $targetGrp -Members $TargetMember -ErrorAction Stop
                } catch {
                    # Usually the member has not been migrated yet (run the user and OU
                    # scripts first; nested groups may need a second pass), so report
                    # the member rather than dropping it silently
                    Write-Warning "Could not add $TargetMember to $($group.name): $_"
                }
            }
            Write-Host "$($group.name) Group updated successfully."
        }
    }
}

Import-ADGroups -csvFilePath "Path of the exported CSV"
# For example
# Import-ADGroups -csvFilePath "C:\Users\admin\groups_exported.csv"
```
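A post-import check, added here as an example and not part of the Apps4.Pro scripts: it reads the CSV produced by the export script, rebases the exported member DNs onto the target domain exactly as the import does, and reports for each group whether it exists in the target, whether scope and category match, and which members are missing or extra. The CSV path is assumed to be the one used in the scripts above.

```powershell
function Test-ADGroupMigration {
    param (
        [Parameter(Mandatory)]
        [string]$CsvFilePath
    )
    Import-Module ActiveDirectory
    $targetDN = (Get-ADDomain).DistinguishedName

    foreach ($group in Import-Csv $CsvFilePath) {
        $result = [pscustomobject]@{
            Group          = $group.sAMAccountName
            Exists         = $false
            ScopeMatch     = $false
            CategoryMatch  = $false
            MissingMembers = @()
            ExtraMembers   = @()
        }
        # -Filter returns nothing (instead of throwing) when the group is absent
        $target = Get-ADGroup -Filter "sAMAccountName -eq '$($group.sAMAccountName)'" -Properties member
        if ($target) {
            $result.Exists        = $true
            $result.ScopeMatch    = ("$($target.GroupScope)" -eq $group.GroupScope)
            $result.CategoryMatch = ("$($target.GroupCategory)" -eq $group.GroupCategory)

            # Expected members: the exported DNs rebased onto the target domain,
            # the same rewrite the import script applies
            $expected = @($group.member -split ';' | Where-Object { $_ } |
                ForEach-Object { $_ -replace [regex]::Escape($group.domainName), $targetDN })
            $actual = @($target.member)

            # DN comparison is case-insensitive (-notcontains uses -eq on strings)
            $result.MissingMembers = @($expected | Where-Object { $actual -notcontains $_ })
            $result.ExtraMembers   = @($actual   | Where-Object { $expected -notcontains $_ })
        }
        $result
    }
}

# Show only the groups that need attention: absent, wrong scope/category, or with
# membership that differs from the source (missing members mean lost access,
# extra members mean access the source never granted)
Test-ADGroupMigration -CsvFilePath "C:\Users\admin\groups_exported.csv" |
    Where-Object { -not $_.Exists -or -not $_.ScopeMatch -or -not $_.CategoryMatch -or
                   $_.MissingMembers.Count -gt 0 -or $_.ExtraMembers.Count -gt 0 } |
    Format-List
```

Members whose source DN did not sit under the exported domain DN (for example foreign security principals) are reported as missing, which is the case the import scripts cannot handle on their own.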

Please refer to our other blogs for the scripts to migrate Active Directory users and organizational units (OUs):

https://blog.apps4.pro/migrate-your-active-directory-users-across-tenants
https://blog.apps4.pro/migrate-your-active-directory-ous-across-tenants

Migrate Microsoft 365

Perform Microsoft 365 tenant-to-tenant migration. Apps4.Pro provides top-tier tech support for a seamless migration experience.

Start your free 15-day trial today!
