In this tutorial, I will demonstrate moving Active Directory users from one domain to another. I’ll also include steps to move organizational units, groups, and group membership.
I’m going to move 2747 users from one domain (running Windows Server 2019) to a new domain running Windows Server 2022. You can move accounts to an existing domain or a new one.
The tools used in this guide will work with domain controllers running Windows Server 2008 and later. You can also move accounts between domains in the same forest or in different forests, with or without a trust between them.
In this article:
- Step 1. Migrate Organizational Units to another domain (optional)
- Step 2. Migrate Groups to another domain
- Step 3. Migrate users to another domain
Reasons for moving users:
- Creating a test environment
- Merging with another company
- Moving or upgrading to a new server
- No trust between domains
- Moving users to a single domain (consolidating domains)
Note: This method does not migrate computer user profiles or SID history. It will move user data from Active Directory such as OUs, group membership, and user fields (address, manager, phone number, state, etc.) from one domain and import it into another domain.
Step 1. Migrate Organizational Units to another domain (optional)
This first step is optional.
If you want to move your organizational units from the source domain to the new domain then follow these steps.
1. Export OUs from the source domain
Click on OU Reports -> All organizational units.
Select the entire domain to export all OUs or select the OUs you want to export.
Click run and then export the list of OUs to a CSV file.
If your destination domain has a different name you will need to modify the CSV before running the import.
In this example, my source domain is ad.activedirectorypro.com, and my destination domain is ad.adpro.com.
I will need to open the CSV and replace dc=ad.activedirectorypro.com with dc=ad.adpro.com.
Use find and replace to easily update the CSV file.
2. Import OUs into the Destination Domain
Open the toolkit on the destination domain and run the Import OUs tool.
Select your CSV and click run.
You can see in the screenshot below on the right all the OUs that were created in the destination domain. The left screenshot is before the import.
Step 2. Migrate Groups to another domain
Follow these steps to migrate groups from one domain to another. This step must be completed first if you want to migrate users’ group membership.
1. Export groups from the source domain
Click on Group Reports -> All Groups
Click run and then export to CSV.
2. Import groups to the destination domain
Next, open the toolkit on the destination domain and click on “Create Groups”.
Select your CSV file and click run.
You should now see the groups in the destination domain.
Next, move to step 3 to import user accounts.
Step 3. Migrate Users to Another Domain
If you need to move users to another domain and keep their group membership and OU settings, then you must complete steps 1 and 2 first.
1. Export users from the source domain
On the source domain open the export users tool. Review the list of default columns and add or remove any user settings you want to migrate. By default, there are many attributes included, including group membership.
You can also change the columns to preserve user settings when moving to the new domain.
Below is a screenshot of the CSV file exported from my source domain. I exported 2747 users and it includes 31 columns of user properties. Again, you can use the attribute selector to add or remove columns. These user properties will be preserved and imported into the other domain.
2. Modify CSV File for the new domain
To import these accounts into the new domain you will need to add a password column. If it is a different domain you will also need to modify the OU path. I’m going from ad.activedirectorypro.com to ad2.activedirectorypro.com so I’ll need to update the OU path. You can easily do this in Excel with a search and replace.
You can change additional details in the CSV to reflect the new domain. For example, you can change proxyAddresses to the new domain name or change the userPrincipalName.
Now I’m ready to import all 2747 accounts into the new domain. This will import them into the new domain, add them to the OUs, add them to groups, and keep their user settings from the old domain.
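The CSV changes from this step can also be scripted instead of edited by hand in Excel. The following is an added example, not part of the original guide or the AD Pro Toolkit: it rewrites only the trailing domain components of each path, updates the userPrincipalName, and gives every account its own random initial password rather than one shared value. The column names (sAMAccountName, userPrincipalName, distinguishedName, password), the sample rows and the output file name are assumptions; match them to the headers in your own export and to what the import tool expects.

```powershell
# Added example: constructed sample rows; column names are assumptions, match them to your export.
$sourceSuffix = 'DC=ad,DC=activedirectorypro,DC=com'
$destSuffix   = 'DC=ad2,DC=activedirectorypro,DC=com'
$sourceUpn    = '@ad.activedirectorypro.com'
$destUpn      = '@ad2.activedirectorypro.com'

$export = @'
sAMAccountName,userPrincipalName,distinguishedName
jsmith,jsmith@ad.activedirectorypro.com,"CN=John Smith,OU=Sales,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com"
pjones,pjones@ad.activedirectorypro.com,"CN=Pat Jones,OU=IT,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com"
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet, so (byte % 64) picks every character with equal probability
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[[int]$_ % 64] })
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        return $pw
    } finally { $rng.Dispose() }
}

$import = foreach ($row in $export) {
    $dn = $row.distinguishedName
    # Rewrite only the trailing domain components; skip rows that do not end in the source suffix
    if (-not $dn.EndsWith($sourceSuffix, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Skipping $($row.sAMAccountName): unexpected DN suffix"
        continue
    }
    $row.distinguishedName = $dn.Substring(0, $dn.Length - $sourceSuffix.Length) + $destSuffix
    $row.userPrincipalName = $row.userPrincipalName -replace ([regex]::Escape($sourceUpn) + '$'), $destUpn
    $row | Add-Member -NotePropertyName password -NotePropertyValue (New-RandomPassword) -PassThru
}
$import | Export-Csv -Path .\users-import.csv -NoTypeInformation
```

The resulting file contains every account's initial password in clear text, so keep it readable only by the operator running the import and delete it once the import has been verified.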
3. Import Users Into the New Domain (or existing domain)
On the destination domain open the import users tool.
Select your CSV file, import options, and click run.
When the import is complete you can check the logs and Active Directory to verify the import.
Above you can see a screenshot of the source and the new domain. All of the accounts are imported into the same OUs and groups.
Using the export and import tool makes it really easy to move users to a new domain while keeping their group membership and user properties from Active Directory. It is also very flexible, as you can move users from an old domain such as 2008 to a newer server like 2019 or later.
You also don’t have to worry about trust relationships or connections between the two domains.
Below are some PowerShell commands to help you verify the numbers in Active Directory.
Count the Number of Active Directory Objects using PowerShell
Here are some PowerShell commands I used to count the number of objects in the source domain.
Get the number of AD users
(Get-ADUser -filter *).count
The above command gets the count for all users in the domain. To get the count for just an OU use this command. Change the SearchBase to the path of your root OU.
(Get-ADUser -filter * -SearchBase "OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com").count
2747 is the number of users in my source domain so this means all the users imported into the new domain successfully.
Get the number of AD Computers
(Get-ADComputer -Filter *).count
Get the number of Organizational Units
(Get-ADOrganizationalUnit -filter *).count
Get the number of AD Security groups
(Get-ADGroup -Filter *).Count
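Matching totals confirm that the same number of objects exists on both sides, but not that they are the same accounts with the same group membership. The following added example (not part of the original guide) compares two per-user exports and reports accounts that are missing, unexpected, or have lost or gained groups. The sample rows are constructed and the SamAccountName/Groups column layout is an assumption; the comment at the top shows one way to produce such an export on each domain.

```powershell
# Added example. Constructed rows stand in for exports taken on each domain, for instance with:
#   Get-ADUser -Filter * -Properties MemberOf | Select-Object SamAccountName,
#     @{n='Groups';e={($_.MemberOf -replace '^CN=([^,]+),.*$','$1' | Sort-Object) -join ';'}}
$source = @'
SamAccountName,Groups
jsmith,Sales;VPN Users
pjones,IT
akhan,HR
'@ | ConvertFrom-Csv
$dest = @'
SamAccountName,Groups
jsmith,Sales
pjones,IT
svc-test,
'@ | ConvertFrom-Csv

function Compare-Migration {
    param($Source, $Destination)
    $destIndex = @{}   # PowerShell hashtable keys compare case-insensitively
    foreach ($u in $Destination) { $destIndex[$u.SamAccountName] = $u }
    $srcNames = @{}
    foreach ($u in $Source) {
        $srcNames[$u.SamAccountName] = $true
        if (-not $destIndex.ContainsKey($u.SamAccountName)) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Missing in destination'; Detail = '' }
            continue
        }
        $want  = @($u.Groups -split ';' | Where-Object { $_ })
        $have  = @($destIndex[$u.SamAccountName].Groups -split ';' | Where-Object { $_ })
        $lost  = @($want | Where-Object { $_ -notin $have })
        $extra = @($have | Where-Object { $_ -notin $want })
        if ($lost)  { [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Group membership lost'; Detail = $lost -join ';' } }
        if ($extra) { [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Unexpected group membership'; Detail = $extra -join ';' } }
    }
    foreach ($u in $Destination) {
        if (-not $srcNames.ContainsKey($u.SamAccountName)) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Not in source'; Detail = '' }
        }
    }
}

# Both sample exports contain three users, yet three differences are reported
Compare-Migration -Source $source -Destination $dest | Format-Table -AutoSize
```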
Conclusion
In this tutorial, I walked through moving users, groups, and OUs from one domain to another using the AD Pro Toolkit. An alternative for moving users to another domain is the Microsoft Active Directory Migration Tool (ADMT). ADMT will migrate SID and computer profiles. The only problem with this tool is that it is not updated, has no support, and often fails. It is also not as flexible as the method I demonstrated in this guide.
If you need support or have questions using the tools from this guide let me know in the comments section below.
Hi,
In our context, we use Exchange on-premise. I want to use the tool to migrate users from domain A to domain B.
Does the tool move Exchange attributes?
Hi,
There are a few Exchange attributes included. You can add any additional attribute to the tool by clicking on settings -> Custom Attributes.
Will this tool work with Hybrid Azure AD environments where the mailbox is located in the cloud?
Yes. If you are moving accounts that exist in Azure you need to make sure the required attributes are configured so it will sync up and match the existing accounts.
Here is a detailed guide on this.
How to Sync On-Prem AD With Existing Azure AD Users
Hi, I need to migrate users’ SID and computer profiles. Is this possible using this tool?
Thank you!
Paula
No, this tool does not migrate SID or computer profiles.
Hi,
How are you?
What about users’ passwords that will not migrate using this tool?
Thank you.
Robert,
I came across your info. What I need to do is migrate all users from one domain to another but we need to change the format of a username, e.g. smithj@domain1.com to jsmith@domain2.com. This new name format will align with their Azure tenant and their assigned O365 accounts. Can we do this with your tool?
Yes. After exporting you can modify the CSV to include details for the new domain. For example, change the userPrincipalName and proxyaddress from robert@activedirectorypro.com to robert@new-domain.com.