I'm trying to learn some sys-admin type stuff on the side, and am very new at this. My question seems simple, but I can't seem to find a way to do this. Here's the scenario:

  • I have set up 2 Windows Server 2012 machines under Hyper-V on my laptop
  • I set up new forests on both and promoted each one to a DC. Let's say one domain is called mydomain.com, and the other is called yourdomain.com. There is a 2-way trust between both domains, and I have validated that trust.
  • I have added some dummy users in mydomain.com and yourdomain.com, some with the same names and some with different ones

Now, what I want to do is to check which users in mydomain.com exist in yourdomain.com as well. For instance, I have a user called "fred.flintstone" in mydomain.com, and I want to check if he exists in yourdomain.com as well.

I am limited to using VBScript/Perl/Python/Batchfile and/or the DS tools (like dsquery, dsget etc.); unfortunately PowerShell is out (for now).

Any pointers on how to script this would be welcome.

Thanks in advance

PS: The goal of this exercise is eventually to check all the groups in mydomain.com, and check to see if those groups exist in yourdomain.com as well. If they exist, then move the users from mydomain.com into yourdomain.com in the corresponding groups, and if they don't exist, then create the group in yourdomain.com and create the corresponding user.


Solution 3

I managed to write the VBScript which does what I wanted, so I will share it here. The script probably needs a very good cleanup, but for now it does the job so I'm hoping it can help other people too.

' For every user under strOU1 (source domain), look up the same
' sAMAccountName under strOU2 (target domain, reached over the trust).
Option Explicit

Dim strOU1, strOU2, samid, ldap_command
Dim objConnection, objCommand1, objCommand2, objRecordSet, objRecordSet2

' Search bases: source OU and target OU
'
strOU1 = "OU=here,DC=mydomain,DC=com"
strOU2 = "OU=there,DC=yourdomain,DC=com"

' Create connection to AD (ADSI OLE DB provider)
'
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

' Create command for the source OU; paging gets past the server's
' default limit of 1000 objects per result set
'
Set objCommand1 = CreateObject("ADODB.Command")
objCommand1.ActiveConnection = objConnection
objCommand1.Properties("Page Size") = 1000

' Execute command to get all users in the source OU
'
objCommand1.CommandText = _
  "<LDAP://" & strOU1 & ">;" & _
  "(&(objectclass=user)(objectcategory=person));" & _
  "adspath,distinguishedname,sAMAccountName;subtree"

Set objRecordSet = objCommand1.Execute

' For each source user, query the target OU for the same sAMAccountName
'
Do Until objRecordSet.EOF

   samid = objRecordSet.Fields("sAMAccountName").Value
   WScript.Echo "Processing " & samid

   Set objCommand2 = CreateObject("ADODB.Command")
   objCommand2.ActiveConnection = objConnection
   ' &H40 = chase external referrals, so the query follows the trust to yourdomain.com
   objCommand2.Properties("Chase referrals") = &H40

   ldap_command = _
     "<LDAP://" & strOU2 & ">;" & _
     "(&(objectclass=user)(objectcategory=person)" & _
     "(sAMAccountName=" & samid & "));" & _
     "adspath,distinguishedname,sAMAccountName;subtree"
   objCommand2.CommandText = ldap_command

   Set objRecordSet2 = objCommand2.Execute

   If objRecordSet2.RecordCount = 0 Then
      WScript.Echo "  " & samid & ": sAMAccountName is not in use in " & strOU2
   Else
      WScript.Echo "  " & samid & ": this ID is in use in " & strOU2
   End If
   objRecordSet2.Close

   ' Move to the next user
   '
   objRecordSet.MoveNext

Loop

objRecordSet.Close
objConnection.Close

Other tips

If your ultimate goal is to migrate the users from mydomain.com to yourdomain.com, you should seriously stop now and consider a different path.

Creating users and groups with the same name will not allow those users and groups to access resources in mydomain.com. This is because the name is not actually used, but a security identifier called a SID. This will be totally different in yourdomain.com.

If you must access resources in mydomain.com you will need to modify the Access Control Lists (ACLs). This is a huge task even if there are few users, groups and servers.

This is why Microsoft offers a free tool called ADMT (Active Directory Migration Tool). It can be downloaded here. Unfortunately it does not yet support Server 2012, so you need a 2008 R2 server in the target domain as well. Look here. ADMT will allow you to add the user's SID to an attribute called SIDHistory. The SIDHistory attribute is checked by the resource owner when deciding whether to give access or not. SIDHistory cannot be modified manually.

Active Directory is first of all a directory, and when you think directory, you think LDAP.

You first have to think about what two identical users are. I mean, you have to create the list of the attributes that have to be identical to make a decision.

Second, you can use the LDIFDE.EXE (or perhaps here CSVDE.EXE) tool to export all the users, but just with the interesting attributes: the DN and the significant attributes. Be careful with the extraction: consider the starting point in your LDAP tree (in order to avoid common system users), and consider also that there are two classes for users: 'user' and 'inetOrgPerson'.

Then you can use conventional scripting tools and algorithms to compare the two lists, and why not use LDIFDE.EXE again to create the missing users.
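The export-compare-import procedure in the answer above, written out as an added example in Python (one of the languages the question allows); this is not code from any of the answers. It assumes two LDIFDE exports (for instance `ldifde -f src.ldf -d "OU=here,DC=mydomain,DC=com" -r "(objectCategory=person)" -l objectClass,sAMAccountName,givenName,sn`, and the same against yourdomain.com), takes sn and givenName as the attributes that must agree before two accounts count as the same person (an assumption; pick your own list), treats both 'user' and 'inetOrgPerson' as user classes and drops everything else, and writes an LDIF for `ldifde -i` that creates the users missing from the target. The sample exports embedded below are constructed, not real directory data.

```python
import base64, re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]              # lower-cased attribute name -> values ("dn" holds the DN)
USER_CLASSES = {"user", "inetorgperson"}  # the two user classes the answer mentions
IDENTITY_ATTRS = ("sn", "givenname")      # attributes that must agree for "the same person" (assumption)

# Constructed sample exports in LDIFDE's shape (objectClass lists abbreviated); not real data.
SOURCE_LDIF = r"""
dn: CN=Fred Flintstone,OU=here,DC=mydomain,DC=com
objectClass: user
sAMAccountName: fred.flintstone
givenName: Fred
sn: Flintstone

dn: CN=Rubble\, Barney,OU=here,DC=mydomain,DC=com
objectClass: inetOrgPerson
sAMAccountName: barney.rubble
givenName: Barney
sn: Rubble

dn: CN=Wilma Flintstone,OU=here,DC=mydomain,DC=com
objectClass: user
sAMAccountName: wilma.flintstone
givenName:: V2lsbWE=
sn: Flintstone
"""
TARGET_LDIF = r"""
dn: CN=Fred Flintstone,OU=there,DC=yourdomain,DC=com
objectClass: user
sAMAccountName: Fred.Flintstone
givenName: Frederick
sn: Flintstone

dn: CN=Wilma Flintstone,OU=there,DC=yourdomain,DC=com
objectClass: user
sAMAccountName: Wilma.Flintstone
givenName: Wilma
sn: Flintstone
"""

def parse_ldif(text: str) -> List[Entry]:
    """LDIF as LDIFDE writes it: blank-line separated entries, continuation lines
    start with a space, 'attr:: value' is base64 (used for any non-ASCII value)."""
    text = re.sub(r"\n ", "", text)                    # unfold continuation lines
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.lstrip(" ")
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def index_by_sam(entries: List[Entry]) -> Dict[str, Entry]:
    """Users only (groups, computers, contacts dropped), keyed by lower-cased sAMAccountName."""
    index: Dict[str, Entry] = {}
    for e in entries:
        if {c.lower() for c in e.get("objectclass", [])} & USER_CLASSES and "samaccountname" in e:
            index[e["samaccountname"][0].lower()] = e  # sAMAccountName is case-insensitive in AD
    return index

def compare_exports(source_text: str, target_text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (missing, matching, conflicting) names; 'conflicting' = same sAMAccountName in
    both domains but different identity attributes, so probably not the same person."""
    source, target = index_by_sam(parse_ldif(source_text)), index_by_sam(parse_ldif(target_text))
    norm = lambda e, a: sorted(v.lower() for v in e.get(a, []))
    missing, matching, conflicting = [], [], []
    for key, src in sorted(source.items()):
        if key not in target:
            missing.append(key)
        elif all(norm(src, a) == norm(target[key], a) for a in IDENTITY_ATTRS):
            matching.append(key)
        else:
            conflicting.append(key)
    return missing, matching, conflicting

def ldif_line(name: str, value: str) -> str:
    """'name: value', or the base64 form where RFC 2849 forbids the plain one."""
    if value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\r\n\0" for c in value):
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"

def missing_users_ldif(source_text: str, missing: List[str], target_ou: str, target_dns: str) -> str:
    """LDIF for `ldifde -i -f file.ldf` that creates the missing users under target_ou."""
    source, blocks = index_by_sam(parse_ldif(source_text)), []
    for key in missing:
        src = source[key]
        rdn = re.match(r"(?:\\.|[^,])+", src["dn"][0]).group(0)   # leading RDN, escaped commas kept
        lines = [ldif_line("dn", f"{rdn},{target_ou}"), "changetype: add"]
        lines += [ldif_line("objectClass", c) for c in src.get("objectclass", [])]
        lines += [ldif_line(a, v) for a in ("sAMAccountName", "givenName", "sn") for v in src.get(a.lower(), [])]
        lines.append(ldif_line("userPrincipalName", f"{src['samaccountname'][0]}@{target_dns}"))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Calling `compare_exports(SOURCE_LDIF, TARGET_LDIF)` on the constructed data returns `(['barney.rubble'], ['wilma.flintstone'], ['fred.flintstone'])`: Barney is missing from yourdomain.com, Wilma matches (her base64-encoded givenName and the differently-cased sAMAccountName compare equal), and Fred exists in both domains but with a different givenName, which is exactly the case the answer warns about when it says to decide first which attributes make two users "identical". `missing_users_ldif(SOURCE_LDIF, ['barney.rubble'], "OU=there,DC=yourdomain,DC=com", "yourdomain.com")` then produces the `changetype: add` record for Barney; the accounts such an import creates are disabled and have no password, so enabling them is a separate step, and, as the ADMT answer above points out, they get new SIDs either way.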

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow