
Occasionally, I need to merge the attributes of one AD user into another. This requirement is typically the result of a migration where some users have had accounts informally created in the target environment in advance of the formal migration process. In other words, a user ends up with two accounts, and the authoritative attribute values need to be merged from one user object into the other. The PowerShell script below shows an example of how selected attributes on one object can be replaced with those from another object.

#########################################################
#
# Name: Merge-UserAttributes.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 12/06/2013
# Comment: PowerShell 2.0 script to copy a fixed set of
# attributes from one user object to another
#
#########################################################

# Import the AD module
Import-Module ActiveDirectory

#### Function to test the existence of an AD user
function Test-ADUser() {
   [CmdletBinding(ConfirmImpact="Low")]
   Param (
      [Parameter(Mandatory=$true,
                 Position=0,
                 ValueFromPipeline=$true,
                 HelpMessage="Identity of the AD object to verify if exists or not."
                )]
      [Object] $Identity
   )
   trap [Exception] {
      return $false
   }
   $auxObject = Get-ADUser -Identity $Identity -Server $dc
   return $true
}
####

#### Global variables
$dc = (Get-ADDomainController).hostname

# Create an array of the attributes we want to copy
$atts2copy = @("ipphone","mobile","facsimileTelephoneNumber",
"telephonenumber","streetAddress","st","l","c","physicalDeliveryOfficeName",
"description","department","postofficebox","thumbnailPhoto","manager")

# Users to merge 
$source = "User1"
$target = "User2"

write-host "Working on source target pair: $source --> $target"
if ( (Test-ADUser $source) -and (Test-ADUser $target) ) { $greenlight = $true }
if ($greenlight) {
    $srcatts = Get-ADUser -Identity $source -pr * -Server $dc
    # Create a hashtable to store the attributes
    $replaceHashTable = New-Object HashTable
    # Add the attributes one-by-one to the hashtable
    foreach ($att2copy in $atts2copy){
        $attvalue = $srcatts.$att2copy
        if ($attvalue) {
            if ( ($attvalue.gettype()).name -eq "ADPropertyValueCollection") {
                # We have a collection, which we need to convert to an array,
                # otherwise the Set-ADUser cmdlet doesn't set the value
                $attarray = @($attvalue)
                $replaceHashTable.Add($att2copy,$attarray)
            } # end if
            else {
                $replaceHashTable.Add($att2copy,$attvalue)
            } # end else
        } # end if
        Remove-Variable -ErrorAction SilentlyContinue -Name att2copy
        Remove-Variable -ErrorAction SilentlyContinue -Name attvalue
        Remove-Variable -ErrorAction SilentlyContinue -Name attarray
    } #end foreach
    # Set the attributes on the target user
    write-host "Setting attributes on target"
    $replaceHashTable
    Set-ADUser -Identity $target -Replace $replaceHashTable -Server $dc
    } # end if
Else {
    Write-Host "No match found for either $source or $target - please check the account names"
} # end else
Remove-Variable -ErrorAction SilentlyContinue -Name source
Remove-Variable -ErrorAction SilentlyContinue -Name target
Remove-Variable -ErrorAction SilentlyContinue -Name greenlight
Remove-Variable -ErrorAction SilentlyContinue -Name srcatts
$replaceHashTable = @{}

Another scenario where this script might be useful is merging attributes from an AD Snapshot (taken with NTDSUtil) into a “live” object, e.g. following the corruption of attribute values in the production environment.  In this case you would need to modify or remove the test for the existence of the user objects.

You can download a copy of the script here: Merge-UserAttributes
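Set-ADUser -Replace overwrites the target's values, `manager` included, and keeps no record of what was there before. The following is an added example, not part of Merge-UserAttributes.ps1: it saves the target's current values, lists only the attributes that would change, and runs the update with -WhatIf. The `$backupPath` location and the `ConvertTo-CompareString` helper are assumptions made for this example.

```powershell
# Added example: back up and preview before merging (not the author's script)
Import-Module ActiveDirectory

$source     = "User1"                        # placeholder names, as in the script above
$target     = "User2"
$backupPath = ".\$target-before-merge.xml"   # assumed location for the rollback file
$dc         = (Get-ADDomainController).HostName
$atts2copy  = @("ipphone","mobile","facsimileTelephoneNumber",
"telephonenumber","streetAddress","st","l","c","physicalDeliveryOfficeName",
"description","department","postofficebox","thumbnailPhoto","manager")

# Hypothetical helper: render any attribute value as one comparable string
function ConvertTo-CompareString($value) {
    if ($null -eq $value) { return "" }
    if ($value -is [byte[]]) {
        # Binary values (thumbnailPhoto) are compared and displayed by hash
        $hash = [Security.Cryptography.SHA256]::Create().ComputeHash($value)
        return "sha256:" + [BitConverter]::ToString($hash)
    }
    return (@($value) | ForEach-Object { "$_" } | Sort-Object) -join ";"
}

$src = Get-ADUser -Identity $source -Properties $atts2copy -Server $dc
$tgt = Get-ADUser -Identity $target -Properties $atts2copy -Server $dc

# Keep the target's current values so the merge can be reviewed or reversed
$tgt | Select-Object -Property (@("DistinguishedName") + $atts2copy) |
    Export-Clixml -Path $backupPath

$replace = @{}
$report = foreach ($att in $atts2copy) {
    $old = ConvertTo-CompareString ($tgt.$att)
    $new = ConvertTo-CompareString ($src.$att)
    if ($new -ne "" -and $new -ne $old) {
        # Same conversion as the original script: collections become arrays
        $value = $src.$att
        if ($value.GetType().Name -eq "ADPropertyValueCollection") { $value = @($value) }
        $replace[$att] = $value
        New-Object PSObject -Property @{ Attribute = $att; Old = $old; New = $new }
    }
}
$report | Format-Table Attribute, Old, New -AutoSize

if ($replace.Count -gt 0) {
    # -WhatIf reports the operation without writing; remove it to apply the change
    Set-ADUser -Identity $target -Replace $replace -Server $dc -WhatIf
}
```

The saved file can be read back with Import-Clixml to check or restore the earlier values.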

One Comment

  1. Carsten Ringgaard says:

    Hi.
    Thanks, a very handy script.

    I need to merge AD attributes from one domain to another within the same forest. I can look up users in PowerShell in both domains with “-Server”….

    Is it possible to modify the script to look for user attributes in source domain and copy them to user in destination domain?

    I have tried, but with no luck.

    Can you help me modify the script?

    Regards Carsten
