In this tutorial, I will demonstrate moving Active Directory users from one domain to another.
I’m going to move 2747 users from one domain (running server 2019) to a new domain running server 2022. You can move accounts to an existing domain or a new one.
The tools used in this guide will work with domain controllers running 2008 and later operating systems. You can also move accounts within the same forest, to a different forest, and with or without a trust between the domains.
Reasons for moving users:
- Creating a test environment
- Merging with another company
- Moving or upgrading to a new server
- No trust between domains
- Moving users to a single domain (consolidating domains)
Steps for Moving Users From One Domain To Another Domain
To complete the move I will use some PowerShell scripts to re-create the OUs and groups. I’ll then use the export and import tool from the AD Pro Toolkit to move the accounts.
This method does not migrate computer user profiles or SID history. It will move user data from Active Directory such as OUs, group membership, and user fields (address, manager, phone number, state, etc).
If you don’t like video tutorials or want more details, then continue reading the instructions below.
1. Export users from the source domain
First, you need to export a list of users to a CSV file. This can be done with PowerShell or the User Export Tool.
With the export tool, you can select to export from the entire domain, an OU or group.
You can also change the columns to preserve user settings when moving to the new domain.
Below is a screenshot of the CSV file exported from my source domain. I exported 2747 users and it includes 31 columns of user properties. Again, you can use the attribute selector to add or remove columns. These user properties will be preserved and imported into the other domain.
2. Modify CSV File for the new domain
To import these accounts into the new domain you will need to add a password column. If it is a different domain you will also need to modify the OU path. I’m going from ad.activedirectorypro.com to ad2.activedirectorypro.com so I’ll need to update the OU path. You can easily do this in Excel with a search and replace.
You can change additional details in the CSV to reflect the new domain. For example, you can change proxyAddresses to the new domain name or change the userPrincipalName.
Now I’m ready to import all 2747 accounts into the new domain. This will import them into the new domain, add them into the OUs, add to groups and keep their user settings from the old domain.
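One way to script the step 2 edits instead of an Excel search and replace, shown as an added example that is not part of the original tutorial or the AD Pro Toolkit. The column names (ou, userPrincipalName, proxyAddresses, password), the file names and the sample rows are assumptions; the script also gives every account its own random initial password rather than one shared value.

```powershell
# Added example, not from the tutorial or the AD Pro Toolkit. Column names (ou,
# userPrincipalName, proxyAddresses, password) are assumptions; match your export's headers.
$oldDn  = 'DC=ad,DC=activedirectorypro,DC=com'
$newDn  = 'DC=ad2,DC=activedirectorypro,DC=com'
$oldDns = 'ad.activedirectorypro.com'
$newDns = 'ad2.activedirectorypro.com'

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols, so (byte % 64) is unbiased. Leaves out 0/O/1/l/I and = + - @,
    # which Excel treats as the start of a formula.
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
            # Retry until lower, upper and digit are all present (AD complexity).
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    $pw
}

# Constructed sample rows. For a real run: $rows = Import-Csv .\source-users.csv
$rows = @'
sAMAccountName,userPrincipalName,ou,proxyAddresses
j.doe,j.doe@ad.activedirectorypro.com,"OU=Sales,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com",SMTP:j.doe@ad.activedirectorypro.com
a.lee,a.lee@ad.activedirectorypro.com,"OU=IT,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com",SMTP:a.lee@ad.activedirectorypro.com
'@ | ConvertFrom-Csv

# Fail early if the export does not have the columns this script rewrites.
$missing = 'ou', 'userPrincipalName', 'proxyAddresses' |
    Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing expected columns: $($missing -join ', ')" }

$dnRx  = [regex]::Escape($oldDn) + '$'                  # domain suffix at the end of the DN only
$dnsRx = '@' + [regex]::Escape($oldDns) + '(?![\w.-])'  # the whole domain, not a longer name
$out = foreach ($u in $rows) {
    $u.ou                = $u.ou -replace $dnRx, $newDn
    $u.userPrincipalName = $u.userPrincipalName -replace $dnsRx, "@$newDns"
    $u.proxyAddresses    = $u.proxyAddresses -replace $dnsRx, "@$newDns"
    $u | Add-Member -NotePropertyName password -NotePropertyValue (New-RandomPassword) -PassThru
}
$out | Export-Csv -Path .\import-users.csv -NoTypeInformation -Encoding UTF8
$out | Format-Table sAMAccountName, userPrincipalName, ou
```

The output file holds every initial password in clear text, so keep it on an access-restricted path, delete it once the import is verified, and have the accounts change password at first logon.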
3. Import Users Into the New Domain (or existing domain)
If you are moving the users to an existing domain you probably don’t need to create OUs or groups. If it’s a new domain and you want to replicate the AD structure of the source domain then you can use some PowerShell scripts. See the links below for step-by-step instructions.
Next, open the bulk import tool.
Select the CSV file, your import options, and click run.
When the import is complete you can check the logs and Active Directory to verify the import.
Above you can see a screenshot of the source and the new domain. All of the accounts are imported into the same OUs and groups.
Using the export and import tool makes it really easy to move users to a new domain while keeping their group membership and user properties from Active Directory. It also is very flexible as you can move users from an old domain such as 2008 to a newer server like 2019 or later.
You also don’t have to worry about trust relationships or connections between the two domains.
Below are some PowerShell commands to help you verify the numbers in Active Directory.
Count the Number of Active Directory Objects using PowerShell
Here are some PowerShell commands I used to count the number of objects in the source domain.
Get the number of AD users
(Get-ADUser -filter *).count
The above command gets the count for all users in the domain. To get the count for just an OU use this command. Change the SearchBase to the path of your root OU.
(Get-ADUser -filter * -SearchBase "OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com").count
2747 is the number of users in my source domain so this means all the users imported into the new domain successfully.
Get the number of AD Computers
(Get-ADComputer -Filter *).count
Get the number of Organizational Units
(Get-ADOrganizationalUnit -filter *).count
Get the number of AD Security groups
(Get-ADGroup -Filter 'GroupCategory -eq "Security"').Count
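Matching counts do not show that the same accounts arrived with the same group membership. The following added example (not part of the original tutorial or the AD Pro Toolkit) compares the two domains account by account; the function name, the property names (sAMAccountName, groups), the ";" separator and the sample data are assumptions.

```powershell
# Added example, not from the tutorial. Property names and the ';' separator are assumptions.
function Compare-MigratedUsers {
    param([object[]]$Source, [object[]]$Target)
    $tgt = @{}   # PowerShell hashtable keys are case-insensitive, like sAMAccountName
    foreach ($t in $Target) { $tgt[$t.sAMAccountName] = $t }
    foreach ($s in $Source) {
        $name = $s.sAMAccountName
        if (-not $tgt.ContainsKey($name)) {
            [pscustomobject]@{ User = $name; Issue = 'MissingInTarget'; Group = '' }
            continue
        }
        $want = @("$($s.groups)" -split ';' | Where-Object { $_ })
        $have = @("$($tgt[$name].groups)" -split ';' | Where-Object { $_ })
        foreach ($g in $want) { if ($have -notcontains $g) {
            [pscustomobject]@{ User = $name; Issue = 'GroupLost'; Group = $g } } }
        foreach ($g in $have) { if ($want -notcontains $g) {
            [pscustomobject]@{ User = $name; Issue = 'GroupAdded'; Group = $g } } }
        $tgt.Remove($name)
    }
    foreach ($name in $tgt.Keys) {   # accounts that were never in the source export
        [pscustomobject]@{ User = $name; Issue = 'NotInSource'; Group = '' }
    }
}

# Constructed sample data: both sides hold three users, so the counts agree.
# For real data, run this in each domain and pass the two results in:
#   Get-ADUser -Filter * -Properties MemberOf | Select-Object sAMAccountName,
#     @{ n = 'groups'; e = { ($_.MemberOf | Get-ADGroup).SamAccountName -join ';' } }
$source = @(
    [pscustomobject]@{ sAMAccountName = 'j.doe'; groups = 'Sales;VPN Users' }
    [pscustomobject]@{ sAMAccountName = 'a.lee'; groups = 'IT;Helpdesk' }
    [pscustomobject]@{ sAMAccountName = 'm.roy'; groups = 'Sales' }
)
$target = @(
    [pscustomobject]@{ sAMAccountName = 'J.Doe';    groups = 'Sales' }
    [pscustomobject]@{ sAMAccountName = 'a.lee';    groups = 'IT;Helpdesk;Domain Admins' }
    [pscustomobject]@{ sAMAccountName = 'svc.test'; groups = '' }
)

Compare-MigratedUsers -Source $source -Target $target | Format-Table -AutoSize
```

An empty result means every source account exists in the target with identical membership; GroupAdded rows deserve the closest look, since they are access the source domain never granted.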
That’s how you move users from one domain to another using tools from the AD Pro Toolkit and PowerShell. An alternative for moving users to another domain is the Microsoft Active Directory Migration Tool (ADMT). ADMT will migrate SID and computer profiles. The only problem with this tool is that it is not updated, has no support, and often fails. It is also not as flexible as the method I demonstrated in this guide.
Have you ever moved users to a new domain?
If so, how did it go?
Let me know in the comments section below.