
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524

Good way for non-technical HR person to create new user accounts?

We use Windows Server 2012 R2, and Microsoft Exchange 2010 in our organization.

Our user accounts are set up so that they are placed in a specific OU in active directory, and they are made a member of one or more "departmental" groups (and all of the departmental groups are located in a specific OU in active directory). The group membership dictates the rights that the user has and which computers they are allowed to login to.

Our HR person has to constantly deal with setting up new employees who enter the company, and disabling ones who leave. We recently migrated away from SBS 2003, and back then they actually RDP'd into the SBS 2003 server as the administrator user, and went through the "Create User wizard" in the Dashboard. This is very scary, as you could imagine, and I've put a stop to it since we migrated away from it to Server 2012 R2.

My proposed solution was for them to simply open a ticket with IT (e.g. me) every time an employee enters or leaves the company or needs a change in security group membership, since this is an IT issue... but they don't like that. They want to be able to do it themselves because that's what they were doing in the past. Also they have a habit of telling me about new hires literally the evening before or sometimes the day that they start, turning it into a big emergency every time somebody new is hired.

So... now I need a way for the HR person to be able to manage the users of the company in a fairly idiot-proof manner so they can't break anything.

Basically they need to:

   - create users, assign them to the relevant security groups, and create an Exchange mailbox for them with an appropriately named email address, and fill in all their contact details (telephone number, title, etc.)
   - later, they need to be able to re-assign the user to a new department (e.g. remove or add departmental security groups).
   - And finally, they need to be able to disable the user, grant full access delegation privileges for their mailbox to another user, and/or forward their mail somewhere, when the employee leaves
   - Being able to automatically generate a little "welcome to xyz company! here's what you need to know..." document that they can print out and give to the employee as part of their welcome package would be awfully nice, too

Does anyone know an easy way to accomplish this?

I was thinking of writing a whole Powershell script thing to do it but it's looking like a lot of work... a web interface would be pretty nice but again, creating it will be a lot of work. Anything out there that already does this?
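The onboarding, department-change and offboarding steps listed in the question, written out as an added PowerShell example; this is not code from the thread or from any of the posters. It assumes a domain corp.example (NetBIOS name CORP), a user OU "OU=Staff,DC=corp,DC=example", departmental groups named "Dept-<Name>" living directly under "OU=Departments,DC=corp,DC=example", an Exchange 2010 server EXCH01 reachable over remote PowerShell, and that the account running it holds only delegated rights on those two OUs plus the Recipient Management role group; every one of those names is an assumption. The detail worth copying is the group lookup: it is scoped to the departmental OU, so the tool cannot add anyone to a group outside it no matter what HR types, and a leaver's departmental groups are stripped at disable time instead of lingering on the disabled account.

```powershell
# Added example (not from the thread). Assumed names: domain corp.example / CORP,
# user OU, departmental group OU, Exchange 2010 server EXCH01.
Import-Module ActiveDirectory

$StaffOU     = 'OU=Staff,DC=corp,DC=example'              # assumed
$DeptOU      = 'OU=Departments,DC=corp,DC=example'        # assumed
$MailDomain  = 'corp.example'                             # assumed
$ExchangeUri = 'http://EXCH01.corp.example/PowerShell/'   # assumed

# Exchange 2010 cmdlets arrive over remote PowerShell; the session exposes only the
# cmdlets the caller's RBAC role group (here Recipient Management) permits.
function Connect-Exchange {
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri -Authentication Kerberos
    Import-PSSession $s -DisableNameChecking | Out-Null
}

# Allow-list: only groups directly under the departmental OU can ever be assigned.
# Typing "Domain Admins" here fails because that group does not live under $DeptOU.
function Resolve-DeptGroup([string]$Dept) {
    $g = Get-ADGroup -Filter "Name -eq 'Dept-$Dept'" -SearchBase $DeptOU -SearchScope OneLevel
    if (-not $g) { throw "No departmental group 'Dept-$Dept' under $DeptOU" }
    $g
}

function New-Hire {
    param([Parameter(Mandatory)][string]$GivenName, [Parameter(Mandatory)][string]$Surname,
          [Parameter(Mandatory)][string[]]$Departments,
          [Parameter(Mandatory)][string]$Title, [Parameter(Mandatory)][string]$Phone)

    $sam = ($GivenName.Substring(0,1) + $Surname).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0,20) }          # sAMAccountName limit
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "$sam already exists; choose the name manually" }
    $upn  = "$sam@$MailDomain"
    $mail = "$($GivenName.ToLower()).$($Surname.ToLower())@$MailDomain"

    # Random one-time password; ChangePasswordAtLogon forces a new one at first logon.
    Add-Type -AssemblyName System.Web
    $pw = [System.Web.Security.Membership]::GeneratePassword(16, 3)

    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName $upn -Path $StaffOU `
        -Title $Title -OfficePhone $Phone -Department ($Departments -join ', ') `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    foreach ($d in $Departments) { Add-ADGroupMember -Identity (Resolve-DeptGroup $d) -Members $sam }

    Enable-Mailbox -Identity $upn | Out-Null
    Set-Mailbox -Identity $upn -EmailAddressPolicyEnabled $false -PrimarySmtpAddress $mail

    # Welcome sheet for the printed welcome package (written to the HR user's own Documents).
    @"
Welcome to XYZ Company, $GivenName!
  Username:         CORP\$sam
  E-mail:           $mail
  Initial password: $pw  (you must change it the first time you log on)
"@ | Out-File -FilePath "$env:USERPROFILE\Documents\Welcome-$sam.txt"
    $sam
}

# Department change: drop only the groups under $DeptOU, keep everything else as is.
function Move-Department([string]$Sam, [string[]]$Departments) {
    Get-ADPrincipalGroupMembership -Identity $Sam |
        Where-Object { $_.DistinguishedName -like "*,$DeptOU" } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Sam -Confirm:$false }
    foreach ($d in $Departments) { Add-ADGroupMember -Identity (Resolve-DeptGroup $d) -Members $Sam }
}

# Leaver: disable, strip departmental groups, give a colleague full access, forward mail
# (DeliverToMailboxAndForward $true keeps a copy in the leaver's mailbox as well).
function Disable-Leaver([string]$Sam, [string]$DelegateSam) {
    Disable-ADAccount -Identity $Sam
    Move-Department -Sam $Sam -Departments @()
    Add-MailboxPermission -Identity "$Sam@$MailDomain" -User "$DelegateSam@$MailDomain" `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    Set-Mailbox -Identity "$Sam@$MailDomain" -ForwardingAddress "$DelegateSam@$MailDomain" -DeliverToMailboxAndForward $true
}

# Usage (names are made up):
# Connect-Exchange
# New-Hire -GivenName Ada -Surname Lovelace -Departments Finance,Audit -Title Analyst -Phone 555-0100
# Move-Department -Sam alovelace -Departments Sales
# Disable-Leaver -Sam alovelace -DelegateSam bbabbage
```

Wrapping these functions in a GUI or a web form is optional; the safety comes from two places, the Resolve-DeptGroup allow-list and the delegated rights of the account the script runs under, so whatever front end is put in front of them, the HR account itself should never have rights outside the two OUs.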
2 Solutions
Gabriel CliftonCommented:
One thing I did was to create an HTA script for creating users and being able to manage them. You can see the script here http://www.experts-exchange.com/Networking/Misc/Q_28079223.html, you would need to adjust it for your organization. Just give the users that are using it the rights to create, delete, and modify user accounts.
Dale HarrisProfessional Services EngineerCommented:
I would use Powershell Studio 2014 (Free trial, costs $ though), to create a customized GUI for them.

Or if they are comfortable with Active Directory, turn it on for Windows 7 on their computer, install the Exchange add-on to allow you to deal with exchange stuff, and you'll have their workstation be a fully functional entity with rights that you give them.  Active Directory should be locked down to certain OUs for them to mess with, but they can create users within their specific OUs, assign membership, mess with Exchange type stuff, all on their own computer without messing with your production environment outside of their OUs they have access to.  This would also work great with auditing so you could see the changes happen.

Lastly, if you aren't entirely familiar with PowerShell, check out this article I wrote: http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/A_4327-PowerShell-Where-do-I-start.html
MaheshCommented:
Add your HR users to the Account Operators built-in group in Active Directory

Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

If you want more restricted permissions, you can right-click the domain and provide them custom delegated control with the Delegate Control wizard

Also you can add them to the Recipient Management Exchange role group to manage mailboxes
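The narrower route mentioned above, delegating control over specific OUs rather than using Account Operators, expressed as the commands an admin would run once; this is an added example and not part of the thread. It assumes the same corp.example domain, a staff OU and a departmental-group OU, an HR group named HR-UserAdmins kept in an assumed "OU=Admin Groups", and an Exchange 2010 server EXCH01; all names are assumptions. The ACEs land on the two OUs only, which is what stops the HR account from touching accounts anywhere else in the domain, and unlike Account Operators it grants no right to log on to domain controllers. The last function is the check to run afterwards.

```powershell
# Added example (not from the thread). Run once as a Domain Admin. All names assumed.
Import-Module ActiveDirectory

$Domain  = 'CORP'                                  # assumed NetBIOS domain name
$StaffOU = 'OU=Staff,DC=corp,DC=example'           # where HR creates users
$DeptOU  = 'OU=Departments,DC=corp,DC=example'     # where the departmental groups live
$AdminOU = 'OU=Admin Groups,DC=corp,DC=example'    # where the HR delegation group itself lives
$HrGroup = 'HR-UserAdmins'
$hr      = "$Domain\$HrGroup"

# Universal security group: Exchange 2010 role groups accept USGs as members.
if (-not (Get-ADGroup -Filter "Name -eq '$HrGroup'")) {
    New-ADGroup -Name $HrGroup -GroupScope Universal -GroupCategory Security -Path $AdminOU
}

# Staff OU itself: create and delete child objects, limited to the 'user' class.
dsacls $StaffOU /G "${hr}:CCDC;user"
# User objects inside it (/I:S = sub-objects only): read/write all properties, which covers
# title, phone and userAccountControl (enable/disable) ...
dsacls $StaffOU /I:S /G "${hr}:RPWP;;user"
# ... plus the Reset Password extended right for first-day password problems.
dsacls $StaffOU /I:S /G "${hr}:CA;Reset Password;user"
# Departmental OU: write only the 'member' attribute of group objects, nothing else.
dsacls $DeptOU /I:S /G "${hr}:WP;member;group"

# Exchange side: Recipient Management covers Enable-Mailbox, Set-Mailbox (forwarding) and
# Add-MailboxPermission (full access) but nothing at server or database level.
$s = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://EXCH01.corp.example/PowerShell/' -Authentication Kerberos
Import-PSSession $s -DisableNameChecking | Out-Null
Add-RoleGroupMember -Identity 'Recipient Management' -Member $HrGroup

# Check: list the ACEs granted to the HR group on an object. Expect entries on the two OUs
# and none on the domain root; anything on the root means the delegation was applied too high.
function Get-HrAces([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $hr } |
        Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}
Get-HrAces $StaffOU
Get-HrAces $DeptOU
Get-HrAces (Get-ADDomain).DistinguishedName
```

With these ACEs in place the HR user can run the RSAT Active Directory Users and Computers console and the Exchange Management Console from their own workstation, as suggested earlier in the thread, and every change is attributable to their own account in the security log rather than to a shared administrator logon.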

Dale HarrisProfessional Services EngineerCommented:
Mahesh, great tip!  I never realized that.
Frosty555Author Commented:
I think making a GUI for them as Gabriel suggested is probably the correct answer here, but man that is a lot of code to sift through and alter to my needs. I think I might go with Mahesh's idea of just delegating access to the OU and putting RSAT on the user's machine.
Gabriel CliftonCommented:
There is a lot of code there because I work for a school district and I have a tab for create staff, a tab for create students, and a tab to modify user records. The tabs are labeled for vbs and html if you want to try to separate it.
