Frosty555 asked:

Good way for non-technical HR person to create new user accounts?

We use Windows Server 2012 R2, and Microsoft Exchange 2010 in our organization.

Our user accounts are set up so that they are placed in a specific OU in Active Directory, and they are made a member of one or more "departmental" groups (and all of the departmental groups are located in a specific OU in Active Directory). The group membership dictates the rights that the user has and which computers they are allowed to log in to.

Our HR person has to constantly deal with setting up new employees who enter the company, and disabling ones who leave. We recently migrated away from SBS 2003, and back then they actually RDP'd into the SBS 2003 server as the administrator user, and went through the "Create User wizard" in the Dashboard. This is very scary, as you could imagine, and I've put a stop to it since we migrated away from it to Server 2012 R2.

My proposed solution is for them to simply open a ticket with IT (e.g. me) every time an employee enters or leaves the company or needs a change in security group membership, since this is an IT issue... but they don't like that. They want to be able to do it themselves because that's what they were doing in the past. Also they have a habit of telling me about new hires literally the evening before or sometimes the day that they start, turning it into a big emergency every time somebody new is hired.

So... now I need a way for the HR person to be able to manage the users of the company in a fairly idiot-proof manner so they can't break anything.

Basically they need to:

   - create users, assign them to the relevant security groups, and create an Exchange mailbox for them with an appropriately named email address, and fill in all their contact details (telephone number, title, etc.)
   - later, they need to be able to re-assign the user to a new department (e.g. remove or add departmental security groups).
   - And finally, they need to be able to disable the user, grant full access delegation privileges for their mailbox to another user, and/or forward their mail somewhere, when the employee leaves
   - Being able to automatically generate a little "welcome to xyz company! here's what you need to know..." document that they can print out and give to the employee as part of their welcome package would be awfully nice, too

Does anyone know an easy way to accomplish this?

I was thinking of writing a whole PowerShell script thing to do it but it's looking like a lot of work... a web interface would be pretty nice but again, creating it will be a lot of work. Anything out there that already does this?
ASKER CERTIFIED SOLUTION
Gabriel Clifton
This solution is only available to members.
I would use PowerShell Studio 2014 (free trial, costs $ though) to create a customized GUI for them.

Or if they are comfortable with Active Directory, turn it on for Windows 7 on their computer, install the Exchange add-on to allow you to deal with Exchange stuff, and you'll have their workstation be a fully functional entity with rights that you give them. Active Directory should be locked down to certain OUs for them to mess with, but they can create users within their specific OUs, assign membership, mess with Exchange type stuff, all on their own computer without messing with your production environment outside of their OUs they have access to. This would also work great with auditing so you could see the changes happen.

Lastly, if you aren't entirely familiar with PowerShell, check out this article I wrote: https://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/A_4327-PowerShell-Where-do-I-start.html
SOLUTION
Mahesh
This solution is only available to members.
Mahesh, great tip! I never realized that.
Frosty555

ASKER

I think making a GUI for them as Gabriel suggested is probably the correct answer here, but man that is a lot of code to sift through and alter to my needs. I think I might go with Mahesh's idea of just delegating access to the OU and putting RSAT on the user's machine.
There is a lot of code there because I work for a school district and I have a tab for create staff, a tab for create students, and a tab to modify user records. The tabs are labeled for vbs and html if you want to try to separate it.
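
An added example, not code from this thread: a PowerShell function that HR could run under an account delegated only to the user OU. It creates the account, accepts group names only from the departmental-groups OU, and mailbox-enables the user. The OU distinguished names and the function name `New-DelegatedHire` are assumptions; the OU delegation itself remains the actual access control, and the checks here only stop mistakes early.

```powershell
#Requires -Version 3
Import-Module ActiveDirectory

# Placeholder distinguished names (assumptions): substitute the real OUs.
$UserOU  = 'OU=Staff,DC=example,DC=com'
$GroupOU = 'OU=Departmental Groups,DC=example,DC=com'

function New-DelegatedHire {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Conservative logon-name pattern, so the value is safe inside a filter.
        [Parameter(Mandatory = $true)][ValidatePattern('^[a-z][a-z0-9.]{2,19}$')]
        [string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$GivenName,
        [Parameter(Mandatory = $true)][string]$Surname,
        [Parameter(Mandatory = $true)][string]$Title,
        [Parameter(Mandatory = $true)][string]$OfficePhone,
        [Parameter(Mandatory = $true)][string[]]$Department,
        [Parameter(Mandatory = $true)][securestring]$InitialPassword
    )
    $ErrorActionPreference = 'Stop'

    # Resolve groups by exact name against the departmental OU only, before
    # anything is created; a name outside that OU aborts the whole request.
    $allowed = Get-ADGroup -Filter * -SearchBase $GroupOU -SearchScope OneLevel
    $groups = foreach ($name in $Department) {
        $match = $allowed | Where-Object { $_.Name -eq $name }
        if (-not $match) { throw "'$name' is not a departmental group in $GroupOU" }
        $match
    }
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)") {
        throw "Account '$SamAccountName' already exists"
    }
    if (-not $PSCmdlet.ShouldProcess($SamAccountName, 'Create user, add groups, enable mailbox')) { return }

    $user = New-ADUser -Name "$GivenName $Surname" -DisplayName "$GivenName $Surname" `
        -SamAccountName $SamAccountName -GivenName $GivenName -Surname $Surname `
        -Title $Title -OfficePhone $OfficePhone -Path $UserOU `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -Enabled $true -PassThru
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $user }

    # Enable-Mailbox needs an Exchange 2010 management shell or remote session.
    Enable-Mailbox -Identity $user.DistinguishedName -Alias $SamAccountName | Out-Null
    $user
}
```

Running it with `-WhatIf` performs the group and duplicate-name checks and reports the intended action without creating anything.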