Cloning Parallel OU Hierarchy

Earlier we looked at how to create an organizational unit and delegate management control over it. A related but different question also arose recently in class. A somewhat succinct summary is “How would you copy an OU hierarchy without its contents?”

In other words, what if you have an OU called Miami with a number of subordinate OUs, which happen to be full of users, computers, groups, and other such objects. These sub-OUs could represent departments, projects, and other such divisions within the Miami operations of the organization. How would you create a copy of this OU structure, the departments, for a new branch office in Vancouver? Let’s take a look at how we could do this in Windows PowerShell. The technique here doesn’t assume PowerShell 2.0 nor the use of Active Directory cmdlets – just plain old ds* commands.*

To understand a possible solution, first let’s see how we could enumerate the OUs in the Miami OU.

dsquery ou | select-string “Miami”

While “dsquery ou” could be given a DN such as “ou=Miami,dc=woodgrovebank,dc=com” as the search base for the query, simply using select-string, although less precise, doesn’t require knowing or typing the DN. Furthermore, dsquery’s “-o rdn” option could be used to simply display just the relative distinguished name of the matching OUs, and the -scope option could be used with one of the keywords: subtree, base, or onelevel to yield the whole hierarchy beneath the Miami base OU (subtree), just Miami (base), or just the immediate sub-OUs (onelevel). Again, here none of those options were used – we’re just selecting any OUs whose DN includes the string Miami.

Let’s assume that the sub-OUs are BranchManagers, CustomerService, Investments, and Marketing, then this would result in the list:

ou=Miami,dc=woodgrovebank,dc=com

ou=BranchManagers,ou=Miami,dc=woodgrovebank,dc=com

ou=CustomerService,ou=Miami,dc=woodgrovebank,dc=com

ou=Investments,ou=Miami,dc=woodgrovebank,dc=com

ou=Marketing,ou=Miami,dc=woodgrovebank,dc=com

To create a Vancouver OU with BranchManagers, CustomerService, Investments, and Marketing sub-OUs in it, merely do the following:

dsquery ou | select-string “Miami” | foreach-object { dsadd ou “$($_ -replace ‘Miami’,’Vancouver’)” }

Note that we used apostrophes in the -replace operator rather than quotations marks because the strings ‘Miami’ and ‘Vancouver’ are already within a pair of quotation marks around the whole expression “$($_ -replace ‘Miami’,’Vancouver’)”. As an alternative, escaping the inner quotation marks with a grave accent could have been used instead of the apostrophes. Also, the ForEach-Object cmdlet could have been invoked using its alias % or the alias foreach.

In summary, creating an OU with the same sub-OUs as another can be done rather easily, without even knowing or typing the full name of the original OU. In this case, we described confirming the list of original OUs first before diving into the attempt to create the new ones. Remember that just using the up-arrow key recalls the previous command, so the sanity check isn’t really much extra typing.

There are many operations which can be done in PowerShell rather simply, without getting into complicated APIs, cmdlets, or variables.

*Note, if you are managing from a Windows Server 2008 machine which is not a domain controller, you can install the AD DS remote management tools for domain controllers including the ds* commands (e.g. dsquery) by running:

servermanagercmd -install RSAT-ADDC

Good luck!

-Brad

In this article

Join the Conversation

1 comment

  1. CMRamos Reply

    Great tip, but I’d like to add something and followup with a question…

    1) DSQUERY has a default limit of 100, so if the Hierarchy being cloned has more than 100 OU’s, you’ll need to add the -limit 0 for Unlimited.
    2) If your Source OU happens to have the same as your Domain, it will fail because the -REPLACE will also replace the DC of the domain with the name of the Target OU. The Source OU name MUST be different from your Domain name.
    Example: Source MIAMI.NET/MIAMI will fail because the Replace will attempt to DSADD VANCOUVER.NET/VANCOUVER.

    dsquery ou -LIMIT 0 | select-string “Miami” | foreach-object { dsadd ou “$($_ –replace ‘Miami’,‘Vancouver’)” }

    Now, for my follow up Question… Is there a followup to this that will mirror the GPO’s Linked, Enforcement, Inheritance, Permissions and Delegation applied on the Source OU’s in the new parallel OU? Example: So Users and Workstations has the same Desktop GPO’s applied in the New OU as there was in the Source OU, rather than having to go painstakingly through each individual new OU.