How to use
==========

A script collection to export OUs, users, and groups (including group members) from one domain and to import them into another domain. It is mainly meant to facilitate the creation of test lab environments. Do not use it as a production migration tool; it is not one.
Written by Nils Kaczenski, faq-o-matic.net
Version 1.0 of 2016-03-04

NO WARRANTY.
USE AT YOUR OWN RISK ONLY.

Overview
========
The process consists of two or three steps:

1. Export objects from the source domain
2. Import the objects to the target domain
3. (optional) Set passwords for the user objects and activate them

Exporting objects from the source domain
========================================
This step is harmless regarding domain security. It only reads objects from AD and writes some of their data to text files. It does not include passwords. It does not change anything in the domain.

Copy the script Export-ADObjectsForLab.ps1 to a folder of your choice. Open the script with a text editor.
The script exports all OUs, users, and groups starting from an OU of your choice. Enter the LDAP path (or Distinguished Name) in the script area that says "CUSTOMIZE HERE" as the value for $OUtoStart. Example:
	$OUtoStart = 'OU=Firma,DC=lab,DC=faq-o-matic,DC=net'
Save the modified script.

Note: If necessary you can adjust the three "Attribs" variables that you find in the CUSTOMIZE section as well. Make sure not to remove any critical attribute names. Add only attributes that are single-valued. Usually, you will leave the attribute selection as it is.

Launch PowerShell or PowerShell ISE with a user account that can read all objects to export. Change to the folder where the script is stored.
Make sure to allow script execution:
	Set-ExecutionPolicy RemoteSigned
Run the script like this:
	.\Export-ADObjectsForLab.ps1

Now you should find four text files in your script folder:
	OUs.txt
	Users.txt
	Groups.txt
	Members.txt

Remember to set your PowerShell execution policy back if needed:
	Set-ExecutionPolicy Restricted

Importing objects into the target domain
========================================
Caution: This step adds objects to your target domain. Depending on the number of exported objects it may import a large number of objects. This may affect your domain's security. Use at your own risk only!

Copy the script Import-ADObjectsForLab.ps1 to a folder of your choice. Open the script with a text editor.
The script imports OUs, users, and groups into your domain. If the target domain name is different from the source domain name, you need to adjust the values in the script. Enter the LDAP path (or Distinguished Name) for each domain in the script area that says "CUSTOMIZE HERE" as the values for $FromDN (source domain) and $ToDN (target domain). Example:
	$FromDN = 'DC=lab,DC=faq-o-matic,DC=net'
	$ToDN = 'DC=MSC,DC=demo'
If both domains use the same name, or if you're re-importing to the source domain, set both values to empty strings. Example:
	$FromDN = ''
	$ToDN = ''

Save the modified script.
Copy the following files from the source system into the script folder on the target system:
	OUs.txt
	Users.txt
	Groups.txt
	Members.txt

Launch PowerShell or PowerShell ISE with a Domain Admin account. Change to the folder where the script is stored.
Make sure to allow script execution:
	Set-ExecutionPolicy RemoteSigned
Run the script like this:
	.\Import-ADObjectsForLab.ps1

The script will use csvde.exe to import OUs, users, and groups. It then uses PowerShell to import group members. A status bar gives you an overview of the group member import as this may take a while.

Remember to set your PowerShell execution policy back if needed:
	Set-ExecutionPolicy Restricted

Activating imported user objects
================================
Caution: This last step activates all imported users with a default password. This will definitely affect your target domain's security!

The import script has created all user objects as deactivated users with a blank password. To activate them, you need to set a password for each. The third script helps you do so in a lab environment.

Copy the script Set-PasswordForAllLabUsers.ps1 to a folder of your choice. Open the script with a text editor.
Set the OU path where your imported users are stored in the CUSTOMIZE section. Example:
	$OUtoStart = 'OU=Firma,DC=lab,DC=faq-o-matic,DC=net'
Enter your lab user default password as the value for $LabPassword. Example:
	$LabPassword = 'abc123!'

Save the modified script.

Launch PowerShell or PowerShell ISE with a Domain Admin account. Change to the folder where the script is stored.
Make sure to allow script execution:
	Set-ExecutionPolicy RemoteSigned
Run the script like this:
	.\Set-PasswordForAllLabUsers.ps1

You need to confirm your action once the script has evaluated the number of objects to modify. The process will take a while; a progress bar shows its status.
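
To see exactly which accounts the activation step touches, a read-only check like the following can be run before and after Set-PasswordForAllLabUsers.ps1. It is an added example and not part of the script collection; it assumes the ActiveDirectory PowerShell module is installed, and the function name Get-LabUserReport and the file name LabUserState.csv are hypothetical.

```powershell
# Added example: read-only audit of the user objects below the lab OU.
# Assumption: the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Same OU as in the CUSTOMIZE section of Set-PasswordForAllLabUsers.ps1.
$OUtoStart = 'OU=Firma,DC=lab,DC=faq-o-matic,DC=net'
# Hypothetical output file for keeping a record of the state.
$ReportFile = '.\LabUserState.csv'

function Get-LabUserReport {
    param([Parameter(Mandatory = $true)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
               -Properties PasswordLastSet, PasswordNeverExpires, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                # adminCount = 1 marks accounts AD treats as protected (privileged).
                Protected            = ($_.adminCount -eq 1)
                DistinguishedName    = $_.DistinguishedName
            }
        }
}

$report    = @(Get-LabUserReport -SearchBase $OUtoStart)
$enabled   = @($report | Where-Object { $_.Enabled })
$protected = @($enabled | Where-Object { $_.Protected })

'{0} user objects below {1}' -f $report.Count, $OUtoStart
'{0} enabled, {1} disabled' -f $enabled.Count, ($report.Count - $enabled.Count)

# Enabled accounts grouped by the hour their password was set: after step 3,
# everything that shares $LabPassword shows up in one group.
$enabled | Where-Object { $_.PasswordLastSet } |
    Group-Object { $_.PasswordLastSet.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

if ($protected.Count -gt 0) {
    Write-Warning "$($protected.Count) enabled account(s) are flagged as protected:"
    $protected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

$report | Export-Csv -Path $ReportFile -NoTypeInformation -Encoding UTF8
```

Before the activation step, every imported account should be reported as disabled; afterwards, the enabled count is the number of accounts that share the default password.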
