Powershell–Get my users from NT 4.0 to Windows Server 2012

Now before I go anywhere with this I have to take off my Tilley and bow to my co-worker Kevin McKeown.   I looked over at him the other day and said “Hey, any chance you have NT4 server anywhere in the archives?”

Kevin ran off into his private dungeon somewhere in Northern Canada, dug through piles of Commodore cables, various bits and pieces of SCSI1 drives and a small toad (don’t ask) and bounced into the office Monday.

“You mean these?” He laid out before me not ONLY the original NT4 Server media, the Option Pack but EVEN NT4 workstation.

“I’m pretty certain these disks won’t work.  They’ve been buried in the basement for YEARS.”

I shrugged and started down the path to my Doom on my Windows 7 workstation, only armed with Windows Virtual PC, a pre-installed Windows XP Mode, some ancient media and a cross of the fingers.

The first part was installing NT4 into Windows Virtual PC.  Very interesting that it DID pick up the Native Network card and Windows Virtual PC provided a Video card NT4 liked.   I actually had COLORS and NETWORKING.

Spinning up the old Wizard, I chose to enable it as a Primary Domain Controller for the CONTOSO domain with a Static IP Address of 192.168.45.10

Then it was time to get a workstation on this puppy that could use Powershell.  I initially tried Windows 7, it looked up at me and said “NT4, are you KIDDING?!” so I dropped to a machine I knew WOULD work with NT4 in the past, Windows XP, which could also use a currently supported version of Powershell.

We start off with an ordinary Windows XP workstation.  Nothing up this sleeve, nothing up here (tapping head) and

Join Windows XP to NT 4 Domain

We follow the following two articles first BEFORE joining Windows XP to the NT4 domain

Ensure NetBIOS over TCP/IP is Enabled under the WINS tab in TCP/IP and pointing to the NT 4.0 WINS Server

As per Knowledge Base 318266 – A Windows XP Client Cannot Log On to a Windows NT 4.0 Domain: set the option in the Windows XP workstation for “Domain Member: Digitally encrypt or sign secure channel data (always)” to Disabled

…and then join a computer to the Domain in whatever manner you deem normal (Yes, even if that means you’re juggling Eggs and singing the latest pop hits while wearing a beanie)


Now that you’ve dropped your Security pants, you can manage this sucker

Install .NET Framework 2.0 SP1 and Windows Management Framework 2.0 (Powershell 2.0) on that computer to make this all happen.  Without this, I wouldn’t be able to use the word “Powershell” in the title of the article.

Now the first trick is to Bind to the CONTOSO Domain with Windows Powershell.  We’re going to be using the older WinNT provider here (Yes, Powershell was designed to talk to an NT4 Domain, how cool is that?)

$NTDomain=[ADSI]"WinNT://CONTOSO"

Once you have bound yourself to the Albatross (er… security hol…. NT4 Domain!) you can at least start doing some queries.  

PHASE 1 – COLLECT UNDERPANTS!

No, wait.  Obtain DATA from old Domain CONTOSO

Get your list of User accounts

$userlist=$NTDomain.psbase.children | Where { $_.SchemaClassName -eq "user" } | Select-Object Description,Name,Fullname,HomeDirDrive,HomeDirectory,LoginScript,objectSID,PrimaryGroupID,UserFlags


Get a list of your Domain Groups

$grouplist=$NTDomain.psbase.children | Where { $_.SchemaClassName -eq "group" } | Select-Object Description,Name,GroupType,objectSID

And perhaps your computers?

$computerlist=$NTDomain.psbase.children | Where { $_.SchemaClassName -eq "computer" } | Select-Object Division,Name,OperatingSystem,OperatingSystemVersion,Owner,Processor,ProcessorCount

Now suddenly with this information in our hands, doesn’t it all seem possible?  We can store away the data as CSV files for our new Server 2012 domain in the following manner.

$userlist | Export-Csv C:\Powershell\userlist.csv

$grouplist | Export-Csv C:\Powershell\grouplist.csv

$computerlist | Export-Csv C:\Powershell\computerlist.csv

Now that the data you want is in something clean like a CSV file, you can bring that over to your DC on the new Windows Server 2012 domain, or nearest handy workstation enabled with RSAT and the Active Directory Module.

PHASE 2 – ??? –

Oh right, Import Accounts, Computers and Groups into NEW Domain Fabrikam.local

Once you are on the new machine you can use the following script to rebuild the Groups in Active Directory

$grouplist=Import-Csv C:\Powershell\grouplist.csv

# WinNT GroupType 2 = global, 4 = local, which lands on index 0 and 1 of $groups below
[array]$groups="Global"
[array]$groups+="DomainLocal"

$grouplist | foreach { New-ADGroup -GroupScope ($groups[(([int]$_.GroupType)/2)-1]) -DisplayName $_.Name -Name $_.Name -Description $_.Description }

Smiling now?  A LITTLE BIT LESS TYPING?

It gets better.   Now we can pre-populate all of your computers in Active Directory.

$computerlist=Import-Csv C:\Powershell\computerlist.csv

$computerlist | foreach { New-ADComputer -Name $_.Name -DisplayName $_.Name -Description $_.Division }

Now importing staff is a little different.  We’re playing a very basic scenario in which we don’t have Exchange 5.5 (although if you are creative, Powershell I believe can query IT via LDAP) but we’ll have a simple scenario with the following details.  One of the things we WILL have to do since Windows NT has a VERY basic UserID setup is Split the FullName into some useful details before creating it.

$userlist=Import-Csv C:\Powershell\userlist.csv

$UPN='@fabrikam.local'
$Path='OU=Users,OU=Offices,DC=Fabrikam,DC=local'
$DOMAIN='FABRIKAM'

$userlist | foreach {

# Every migrated account gets the same temporary password and must change it at first logon
$Password=(ConvertTo-SecureString 'BadPassword1' -AsPlainText -Force)

$LoginID=$_.Name+$UPN

# NT4 stores only a single FullName, so split it on the space into given name and surname
$GivenName=($_.FullName.split(" "))[0]

$Surname=($_.FullName.split(" "))[1]

New-ADUser -Path $Path -Name $_.FullName -DisplayName $_.FullName -Description $_.Description -AccountPassword $Password -ChangePasswordAtLogon $TRUE -Enabled $TRUE -GivenName $GivenName -HomeDirectory $_.HomeDirectory -HomeDrive $_.HomeDirDrive -UserPrincipalName $LoginID -SamAccountName $_.Name -ScriptPath $_.LoginScript -Surname $Surname

}
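The import loop above gives every account one shared password and enables all of them, including accounts that were disabled in NT4. As an added example (not the author's script), this variant builds the New-ADUser parameters per row with a random password, keeps the disabled bit from UserFlags, skips the built-in accounts, and copes with an empty or multi-word FullName. The function names and sample rows are constructed for illustration, and it assumes the CSV columns hold plain text values.

```powershell
# Added example, not the author's script; function names are hypothetical.
$ADS_UF_ACCOUNTDISABLE = 0x2               # WinNT UserFlags bit: account disabled
$SkipAccounts = 'Administrator', 'Guest'   # built-ins the new domain already has
function New-RandomPassword([int]$Length = 20) {
    # Upper, lower, digit, symbol pools; the first four positions take one from each.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+-=?@'
    $all  = -join $sets                    # 64 characters, so byte % 64 is unbiased
    $buf  = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buf)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $pool = if ($i -lt $sets.Count) { $sets[$i] } else { $all }
        $pool[$buf[$i] % $pool.Length]
    }
    -join $chars
}

function ConvertTo-AdUserParams($Row, [string]$UpnSuffix, [string]$Path) {
    if ($SkipAccounts -contains $Row.Name) { return $null }
    # FullName can be empty, one word or several: first token = given name, rest = surname.
    $parts   = @(([string]$Row.FullName) -split '\s+' | Where-Object { $_ })
    $display = if ($parts.Count) { $parts -join ' ' } else { $Row.Name }
    $p = @{
        Path = $Path; Name = $display; DisplayName = $display
        SamAccountName = $Row.Name; UserPrincipalName = $Row.Name + $UpnSuffix
        ChangePasswordAtLogon = $true
        Enabled = -not ([int]$Row.UserFlags -band $ADS_UF_ACCOUNTDISABLE)  # stay disabled
    }
    if ($parts.Count -ge 1) { $p.GivenName = $parts[0] }
    if ($parts.Count -ge 2) { $p.Surname = $parts[1..($parts.Count - 1)] -join ' ' }
    $map = @{ Description = 'Description'; HomeDirectory = 'HomeDirectory'; HomeDrive = 'HomeDirDrive'; ScriptPath = 'LoginScript' }
    foreach ($k in $map.Keys) { if ($Row.($map[$k])) { $p[$k] = $Row.($map[$k]) } }
    $p
}

# Constructed sample rows in the shape of userlist.csv (515 = 513 plus the disabled bit).
$rows = ConvertFrom-Csv @'
Name,FullName,Description,HomeDirDrive,HomeDirectory,LoginScript,UserFlags
jsmith,John Smith,Accounting,H:,\\NT4PDC\home\jsmith,logon.bat,513
mvdberg,Maria van den Berg,Sales,,,,513
oldtemp,,Left in 1999,,,,515
Guest,,Built-in guest,,,,547
'@
foreach ($row in $rows) {
    $p = ConvertTo-AdUserParams $row '@fabrikam.local' 'OU=Users,OU=Offices,DC=Fabrikam,DC=local'
    if (-not $p) { continue }
    $p.AccountPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    "{0,-8} enabled={1} given='{2}' surname='{3}'" -f $p.SamAccountName, $p.Enabled, $p.GivenName, $p.Surname
    # New-ADUser @p      # uncomment on a machine with the ActiveDirectory module
}
```

Each generated password exists only inside the SecureString, so first logon needs a helpdesk reset or another out-of-band handover.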

PHASE 3 – PROFIT! (Yes sit back and let the computer do the work!)

The Scripts may take some time to populate your Active Directory depending on the size of your old Domain but imagine how you could just sit back and bill for what everyone else says “Whoa! dude! Migrate NT4 to Windows Server 2012? Not gonna happen”

Well we might not get a direct migration, but we can sure get our data out of the old Domain

Stick around, I’m going to try and create a user in this beast and see if I can pull some Group Memberships.

Remember, it’s all thanks to the POWER of Powershell!

Sean
The Energized Tech
