Windows/Powershell: Migrating Users in Windows Server 2008 R2 Active Directory to Server 2016 Active Directory

Created: 1/2/20

Updated: 1/8/20

Below is a script that allows you to export the First Name, Last Name and Login Username of users in Active Directory (Server 2008 R2) from a single OU into a .csv spreadsheet that can then be imported into Active Directory (Server 2019) on a newer server.

I put this together piece by piece from many different TechNet snippets all over the internet, working through the syntax errors.

I hope this helps someone. 🙂

# Export AD users from Active Directory 2008 R2 to Active Directory Server 2019 in a .csv format of GivenName (First Name), Surname (Last Name), and SamAccountName (Login Username)
# Create a folder on D:\ or whatever drive you have
# Create an 'ADExport' folder

# Note: the -SearchBase value takes the form OU=ChildOU,OU=ParentOU,DC=Domain,DC=com

# Load the AD cmdlets (PowerShell 2.0 on Server 2008 R2 does not load modules automatically)
Import-Module ActiveDirectory

# -NoTypeInformation keeps the "#TYPE" header line out of the .csv
Get-ADUser -Filter * -SearchBase 'OU=Users,OU=G15IT,DC=G15,DC=lab' -Properties GivenName, Surname, SamAccountName | Select-Object GivenName, Surname, SamAccountName | Export-Csv -Path "C:\ADExport\ADUsers5-1.csv" -NoTypeInformation

# Import Users into New AD

# Import active directory module
Import-Module activedirectory

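# Placeholder for the Server 2008 AD records that this script will pull from for each user
# The path must point at the .csv produced by the export step (named ADUsers5-1.csv above), copied to the new server
$ADUsers = Import-Csv -Path C:\ADExport\ADUsers5.csv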

# This 'foreach' will loop the script for each user's AD settings in the .csv file
# Note: I just wanted to mass import them, but you could add another field to the .csv called OU and reference it below like $OU = $User.OU if you want to place them in specific OUs
# Take note that the LDAP settings for each OU are under Advanced Features for each OU in AD when you right-click on them, then go to Attribute Editor and scroll down to distinguishedName
foreach ($User in $ADUsers)
{
    $UsernamefromoldAD = $User.SamAccountName
    # Every imported account gets this same temporary password; ChangePasswordAtLogon below forces a change at first logon
    $Password = "PasswordReset1"
    $Firstname = $User.GivenName
    $Lastname = $User.Surname
    $OU = "OU=Users,OU=G15IT,DC=G15IT,DC=lab"

    # This checks to see if the user is in AD
    if (Get-ADUser -F {SamAccountName -eq $UsernamefromoldAD})
    {
        # The user already exists, so give a warning and skip the account
        Write-Warning "$UsernamefromoldAD already exists in AD."
    }
    else
    {
        # The user does not exist yet, so create the account
        # UserPrincipalName has to be unique per user (logon name @ your UPN suffix); replace the value below
        New-ADUser `
        -SamAccountName $UsernamefromoldAD `
        -UserPrincipalName "[email protected]" `
        -Name "$Firstname $Lastname" `
        -GivenName $Firstname `
        -Surname $Lastname `
        -Enabled $True `
        -DisplayName "$Lastname, $Firstname" `
        -Path $OU `
        -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -ChangePasswordAtLogon $True
    }
}



Take note of the image below as a reference to how the script refers to the AD data:

GivenName = First Name

Surname = Last Name

SamAccountName = username (the one users use to log into the AD)
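
The import script above gives every account the same temporary password. As an added example (not the original author's code), this variant of the import loop issues a different random temporary password to each account; the helper New-TempPassword and the $issued list are hypothetical names, and UserPrincipalName is left out because the page does not show the UPN suffix.

```powershell
# Added example (not the original script): unique temporary password per user.
Import-Module ActiveDirectory
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Hypothetical helper: random password from a CSPRNG, look-alike characters omitted.
function New-TempPassword {
    param([int]$Length = 16)
    $sets = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@'
    $all  = -join $sets
    $buf  = New-Object byte[] 4
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $rng.GetBytes($buf)
            # 32 random bits modulo 65 symbols: the bias is negligible
            $all[[int]([BitConverter]::ToUInt32($buf, 0) % $all.Length)]
        }
        $pw = -join $chars
        # Retry until every character class is present, so complexity rules are met
        $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
    } while ($missing)
    $pw
}

$OU      = 'OU=Users,OU=G15IT,DC=G15IT,DC=lab'          # target OU used on this page
$ADUsers = Import-Csv -Path 'C:\ADExport\ADUsers5.csv'   # file read by the import script

$issued = foreach ($User in $ADUsers) {
    $sam = $User.SamAccountName
    if (Get-ADUser -Filter {SamAccountName -eq $sam}) {
        Write-Warning "$sam already exists in AD."
        continue
    }
    $plain  = New-TempPassword
    $params = @{
        SamAccountName        = $sam
        Name                  = "$($User.GivenName) $($User.Surname)"
        GivenName             = $User.GivenName
        Surname               = $User.Surname
        DisplayName           = "$($User.Surname), $($User.GivenName)"
        Path                  = $OU
        Enabled               = $true
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        ChangePasswordAtLogon = $true
    }
    New-ADUser @params
    [pscustomobject]@{ SamAccountName = $sam; TempPassword = $plain }
}
$rng.Dispose()
$issued | Format-Table -AutoSize   # held in memory only; hand each pair over out of band
```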