Good way for non-technical HR person to create new user accounts?

Posted on 2014-08-19
Last Modified: 2014-08-26
We use Windows Server 2012 R2, and Microsoft Exchange 2010 in our organization.

Our user accounts are set up so that they are placed in a specific OU in active directory, and they are made a member of one or more "departmental" groups (and all of the departmental groups are located in a specific OU in active directory). The group membership dictates the rights that the user has and which computers they are allowed to login to.

Our HR person has to constantly deal with setting up new employees who enter the company, and disabling ones who leave. We recently migrated away from SBS 2003, and back then they actually RDP'd into the SBS 2003 server as the administrator user, and went through the "Create User wizard" in the Dashboard. This is very scary, as you could imagine, and I've put a stop to it since we migrated away from it to Server 2012 R2.

My proposed solution was for them to simply open a ticket with IT (e.g. me) every time an employee enters or leaves the company or needs a change in security group membership, since this is an IT issue... but they don't like that. They want to be able to do it themselves because that's what they were doing in the past. Also they have a habit of telling me about new hires literally the evening before or sometimes the day that they start, turning it into a big emergency every time somebody new is hired.

So... now I need a way for the HR person to be able to manage the users of the company in a fairly idiot-proof manner so they can't break anything.

Basically they need to:

   - create users, assign them to the relevant security groups, and create an Exchange mailbox for them with an appropriately named email address, and fill in all their contact details (telephone number, title, etc.)
   - later, they need to be able to re-assign the user to a new department (e.g. remove or add departmental security groups).
   - And finally, they need to be able to disable the user, grant full access delegation privileges for their mailbox to another user, and/or forward their mail somewhere, when the employee leaves
   - Being able to automatically generate a little "welcome to xyz company! here's what you need to know..." document that they can print out and give to the employee as part of their welcome package would be awfully nice, too

Does anyone know an easy way to accomplish this?

I was thinking of writing a whole PowerShell script thing to do it but it's looking like a lot of work... a web interface would be pretty nice but again, creating it will be a lot of work. Anything out there that already does this?
Question by:Frosty555
    LVL 13
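
As an added example (not code from the question or from any of the answers), here is a PowerShell sketch of the onboarding and offboarding steps listed above, written so that the HR workflow runs with fixed naming conventions rather than free-form choices. It assumes the ActiveDirectory RSAT module and the Exchange 2010 management snap-in are available on the machine it runs on; the OU, mailbox database, domain, output folder and the 'Dept-*' group prefix are placeholders.

```powershell
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
$UserOU = 'OU=Staff,DC=example,DC=local'   # placeholder OU that holds user accounts
$MailDb = 'MailboxDB01'                     # placeholder Exchange 2010 mailbox database
$Domain = 'example.local'                   # placeholder UPN and e-mail domain
function New-HrUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Phone,
        [Parameter(Mandatory)][string[]]$DepartmentGroups   # e.g. 'Dept-Sales' (placeholder names)
    )
    # Account name and address follow one fixed convention: first initial + surname
    $sam = ('{0}{1}' -f $GivenName.Substring(0, 1), $Surname).ToLower()
    $upn = "$sam@$Domain"
    # Random initial password; ChangePasswordAtLogon forces a reset at first sign-in
    $plain = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 14 | ForEach-Object { [char]$_ })
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName $upn -Path $UserOU `
        -Title $Title -OfficePhone $Phone -EmailAddress $upn `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Rights come only from the departmental groups, so those are the only ones added
    foreach ($g in $DepartmentGroups) { Add-ADGroupMember -Identity $g -Members $sam }
    Enable-Mailbox -Identity $upn -Database $MailDb -PrimarySmtpAddress $upn | Out-Null
    # Printable welcome sheet for the new hire's package (placeholder output folder)
    New-Item -ItemType Directory -Path 'C:\HR\Welcome' -Force | Out-Null
    @"
Welcome to the company, $GivenName!
Username: $sam    E-mail: $upn
Initial password: $plain (you must change it at first logon)
Departments: $($DepartmentGroups -join ', ')
"@ | Set-Content -Path "C:\HR\Welcome\$sam.txt"
    return $sam
}

function Disable-HrUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DelegateFullAccessTo,   # gets Full Access to the leaver's mailbox
        [string]$ForwardMailTo           # internal recipient that receives new mail
    )
    Disable-ADAccount -Identity $SamAccountName
    # Drop departmental groups so a disabled account carries no rights if it is ever re-enabled
    Get-ADPrincipalGroupMembership $SamAccountName | Where-Object { $_.Name -like 'Dept-*' } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $SamAccountName -Confirm:$false }
    if ($DelegateFullAccessTo) { Add-MailboxPermission -Identity $SamAccountName -User $DelegateFullAccessTo -AccessRights FullAccess -InheritanceType All | Out-Null }
    if ($ForwardMailTo) { Set-Mailbox -Identity $SamAccountName -ForwardingAddress $ForwardMailTo -DeliverToMailboxAndForward $false }
}
```

Whatever account runs this only needs the rights those cmdlets use (create and modify users in that OU, change membership of the departmental groups, and the Exchange recipient role), not Domain Admin; `Get-ADPrincipalGroupMembership` and `Get-MailboxPermission` afterwards let you check that a run did exactly what was expected.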

    Accepted Solution

One thing I did was to create an HTA script for creating users and being able to manage them. You can see the script here, you would need to adjust it for your organization. Just give the users that are using it the rights to create, delete, and modify user accounts.
    LVL 16

    Expert Comment

    by:Dale Harris
    I would use Powershell Studio 2014 (Free trial, costs $ though), to create a customized GUI for them.

    Or if they are comfortable with Active Directory, turn it on for Windows 7 on their computer, install the Exchange add-on to allow you to deal with exchange stuff, and you'll have their workstation be a fully functional entity with rights that you give them.  Active Directory should be locked down to certain OUs for them to mess with, but they can create users within their specific OUs, assign membership, mess with Exchange type stuff, all on their own computer without messing with your production environment outside of their OUs they have access to.  This would also work great with auditing so you could see the changes happen.

    Lastly, if you aren't entirely familiar with PowerShell, check out this article I wrote:
    LVL 34

    Assisted Solution

Add your HR users to the Account Operators built-in group in Active Directory

    Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

If you want more restricted permissions, you can right-click the domain and provide them custom delegated control with the Delegate Control wizard

Also, you can add them to the Recipient Management Exchange role group to manage mailboxes
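
As an added example (not part of this answer), the "more restricted permissions" route can be scripted instead of clicked through the wizard, which makes the grant reviewable and repeatable. It uses dsacls for the AD side and the Exchange 2010 role group for the mailbox side; CORP\HR-Admins, the two OUs and the hr.person account are placeholders.

```powershell
# Group that holds the HR accounts, and the OUs described in the question (placeholders)
$HrGroup  = 'CORP\HR-Admins'
$StaffOU  = 'OU=Staff,DC=example,DC=local'
$GroupsOU = 'OU=Departments,DC=example,DC=local'

# Staff OU: create and delete user objects (this OU and any sub-OUs)
dsacls $StaffOU /I:T /G "${HrGroup}:CCDC;user"
# Read and write all properties of the user objects inside it (title, phone, userAccountControl
# for disabling); /I:S limits the grant to child objects so the OU itself stays untouched
dsacls $StaffOU /I:S /G "${HrGroup}:RPWP;;user"
# Password resets are a control-access right, not a property, so they are granted separately
dsacls $StaffOU /I:S /G "${HrGroup}:CA;Reset Password;user"

# Departmental groups: only the member attribute of groups in that OU, nothing else on them
dsacls $GroupsOU /I:S /G "${HrGroup}:WP;member;group"

# Exchange 2010: Recipient Management covers Enable-Mailbox, Add-MailboxPermission and forwarding
Add-RoleGroupMember -Identity 'Recipient Management' -Member 'hr.person'

# Review what was granted; the HR group should appear only on these two OUs
dsacls $StaffOU  | Select-String 'HR-Admins'
dsacls $GroupsOU | Select-String 'HR-Admins'
```

Compared with Account Operators, this grants nothing on the Users or Computers containers, on any other OU, or on domain controllers; the Exchange role group is organization-wide by default, so a custom management scope is the place to narrow it if that matters.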
    LVL 16

    Expert Comment

    by:Dale Harris
Mahesh, great tip! I never realized that.
    LVL 31

    Author Closing Comment

    I think making a GUI for them as Gabriel suggested is probably the correct answer here, but man that is a lot of code to sift through and alter to my needs. I think I might go with Mahesh's idea of just delegating access to the OU and putting RSAT on the user's machine.
    LVL 13

    Expert Comment

    by:Gabriel Clifton
    There is a lot of code there because I work for a school district and I have a tab for create staff, a tab for create students, and a tab to modify user records. The tabs are labeled for vbs and html if you want to try to separate it.
