Good way for non-technical HR person to create new user accounts?

We use Windows Server 2012 R2, and Microsoft Exchange 2010 in our organization.

Our user accounts are set up so that they are placed in a specific OU in active directory, and they are made a member of one or more "departmental" groups (and all of the departmental groups are located in a specific OU in active directory). The group membership dictates the rights that the user has and which computers they are allowed to login to.

Our HR person has to constantly deal with setting up new employees who enter the company, and disabling ones who leave. We recently migrated away from SBS 2003, and back then they actually RDP'd into the SBS 2003 server as the administrator user, and went through the "Create User wizard" in the Dashboard. This is very scary, as you could imagine, and I've put a stop to it since we migrated away from it to Server 2012 R2.

My proposed solution was for them to simply open a ticket with IT (e.g. me) every time an employee enters or leaves the company or needs a change in security group membership, since this is an IT issue... but they don't like that. They want to be able to do it themselves because that's what they were doing in the past. Also they have a habit of telling me about new hires literally the evening before or sometimes the day that they start, turning it into a big emergency every time somebody new is hired.

So... now I need a way for the HR person to be able to manage the users of the company in a fairly idiot-proof manner so they can't break anything.

Basically they need to:

   - create users, assign them to the relevant security groups, and create an Exchange mailbox for them with an appropriately named email address, and fill in all their contact details (telephone number, title, etc.)
   - later, they need to be able to re-assign the user to a new department (e.g. remove or add departmental security groups).
   - And finally, they need to be able to disable the user, grant full access delegation privileges for their mailbox to another user, and/or forward their mail somewhere, when the employee leaves
   - Being able to automatically generate a little "welcome to xyz company! here's what you need to know..." document that they can print out and give to the employee as part of their welcome package would be awfully nice, too

Does anyone know an easy way to accomplish this?

I was thinking of writing a whole PowerShell script thing to do it but it's looking like a lot of work... a web interface would be pretty nice but again, creating it will be a lot of work. Anything out there that already does this?
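As an added illustration of the three tasks listed in the question (not code from the question or from any of the answers), the following PowerShell functions cover create / re-department / disable-with-delegation-and-forwarding plus the welcome sheet. Every OU, group, database, server and domain name is an assumption for the example; the Exchange cmdlets come from a remote Exchange 2010 session and the AD cmdlets from the RSAT ActiveDirectory module. The safety property is that the script only ever offers groups IT placed in the departmental OU, so it cannot be used to add someone to a privileged group.

```powershell
# Added example, not from the question or any answer. All names below are assumed.
Import-Module ActiveDirectory
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://exch01.corp.example/PowerShell/' -Authentication Kerberos   # assumed CAS
Import-PSSession $ExSession -DisableNameChecking | Out-Null

$UserOU     = 'OU=Staff,DC=corp,DC=example'        # assumed: OU where HR may create accounts
$GroupOU    = 'OU=Departments,DC=corp,DC=example'  # assumed: OU holding the departmental groups
$MailDomain = 'corp.example'                       # assumed SMTP/UPN domain
$MailboxDB  = 'MailboxDB01'                        # assumed Exchange 2010 mailbox database

# Only groups that live directly in the departmental OU are ever offered or touched.
function Get-DepartmentGroup {
    (Get-ADGroup -SearchBase $GroupOU -SearchScope OneLevel -Filter *).Name
}
function Assert-DepartmentGroup([string[]]$Names) {
    $allowed = Get-DepartmentGroup
    foreach ($n in $Names) { if ($allowed -notcontains $n) { throw "Not a departmental group: $n" } }
}

function New-StaffAccount {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string[]]$Department,
        [string]$Title, [string]$Phone
    )
    Assert-DepartmentGroup $Department
    # Assumed naming convention: first initial + surname, e.g. jsmith
    $sam = (($GivenName.Substring(0,1) + $Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "Account $sam already exists" }
    # Random one-time password; the user is forced to change it at first logon.
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+'
    $tmp   = -join (1..14 | ForEach-Object { $chars | Get-Random })

    $props = @{
        Name = "$GivenName $Surname"; GivenName = $GivenName; Surname = $Surname
        SamAccountName = $sam; UserPrincipalName = "$sam@$MailDomain"; Path = $UserOU
        AccountPassword = (ConvertTo-SecureString $tmp -AsPlainText -Force)
        ChangePasswordAtLogon = $true; Enabled = $true
    }
    if ($Title) { $props.Title = $Title }
    if ($Phone) { $props.OfficePhone = $Phone }
    New-ADUser @props
    foreach ($d in $Department) { Add-ADGroupMember -Identity $d -Members $sam }
    # The Exchange e-mail address policy derives the SMTP address from the alias.
    $mbx = Enable-Mailbox -Identity "$sam@$MailDomain" -Database $MailboxDB -Alias $sam

    # Printable welcome sheet (assumed wording and output folder).
    @"
Welcome to XYZ Company, $GivenName!
Username:           CORP\$sam
Temporary password: $tmp   (you must change it at first logon)
E-mail:             $($mbx.PrimarySmtpAddress)
Department groups:  $($Department -join ', ')
"@ | Out-File -FilePath "C:\HR\Welcome-$sam.txt" -Encoding UTF8
    return $sam
}

function Set-StaffDepartment {
    param([Parameter(Mandatory)][string]$Sam, [Parameter(Mandatory)][string[]]$Department)
    Assert-DepartmentGroup $Department
    $allowed = Get-DepartmentGroup
    # Only departmental memberships are changed; any other group membership is left alone.
    $current = (Get-ADPrincipalGroupMembership -Identity $Sam).Name | Where-Object { $allowed -contains $_ }
    foreach ($g in $current)    { if ($Department -notcontains $g) { Remove-ADGroupMember -Identity $g -Members $Sam -Confirm:$false } }
    foreach ($g in $Department) { if ($current -notcontains $g)    { Add-ADGroupMember    -Identity $g -Members $Sam } }
}

function Disable-StaffAccount {
    param([Parameter(Mandatory)][string]$Sam, [string]$DelegateTo, [string]$ForwardTo)
    Disable-ADAccount -Identity $Sam
    Set-ADUser -Identity $Sam -Description ("Left company " + (Get-Date -Format 'yyyy-MM-dd'))
    if ($DelegateTo) {   # full-access delegation of the leaver's mailbox
        Add-MailboxPermission -Identity $Sam -User $DelegateTo -AccessRights FullAccess -InheritanceType All | Out-Null
    }
    if ($ForwardTo) {    # keep a copy in the mailbox and forward new mail
        Set-Mailbox -Identity $Sam -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
    }
}

# Usage (assumed sample values):
# New-StaffAccount -GivenName John -Surname Smith -Department 'Sales' -Title 'Account Manager' -Phone '555-0100'
# Set-StaffDepartment -Sam jsmith -Department 'Marketing'
# Disable-StaffAccount -Sam jsmith -DelegateTo mjones -ForwardTo mjones
```

Because the functions take only names and never an arbitrary group or OU, this is the shape that can later be wrapped in a GUI or given to HR as a shortcut: the delegated account it runs under should itself be limited to the staff OU, the departmental groups and Exchange's Recipient Management role, so that the script's own checks are not the only control.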
Gabriel Clifton (Net Admin) commented:
One thing I did, was to create an HTA script for creating users and being able to manage them. You can see the script here, you would need to adjust it for your organization. Just give the users that are using it the rights to create, delete, and modify user accounts.

Dale Harris (Professional Services Engineer) commented:
I would use PowerShell Studio 2014 (free trial, costs $ though), to create a customized GUI for them.

Or if they are comfortable with Active Directory, turn it on for Windows 7 on their computer, install the Exchange add-on to allow you to deal with Exchange stuff, and you'll have their workstation be a fully functional entity with rights that you give them. Active Directory should be locked down to certain OUs for them to mess with, but they can create users within their specific OUs, assign membership, mess with Exchange-type stuff, all on their own computer without messing with your production environment outside of the OUs they have access to. This would also work great with auditing so you could see the changes happen.

Lastly, if you aren't entirely familiar with PowerShell, check out this article I wrote:
Add your HR users to the Account Operators built-in group in Active Directory.

Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

If you want more restricted permissions, you can right-click the domain and provide them custom delegated control with the Delegate Control wizard.

Also you can add them to the Recipient Management Exchange group to manage mailboxes.
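The more restricted delegation this answer points at (OU-scoped rights instead of Account Operators, plus the Exchange role group) can be scripted rather than clicked through the wizard. The following is an added example, not part of the answer; the HR group name and OU paths are assumptions. It uses dsacls, which ships with Windows Server, the ActiveDirectory module's AD: drive to read back the result, and the Exchange 2010 Add-RoleGroupMember cmdlet from a remote Exchange session.

```powershell
# Added example (not from the answer above); group and OU names are assumed.
Import-Module ActiveDirectory
$HrGroup = 'CORP\HR-Provisioning'                  # assumed security group holding the HR staff
$UserOU  = 'OU=Staff,DC=corp,DC=example'           # assumed OU in which HR may manage accounts
$GroupOU = 'OU=Departments,DC=corp,DC=example'     # assumed OU holding only departmental groups

# 1. Create and delete user objects in the staff OU (and sub-OUs), nothing else.
dsacls $UserOU /I:T /G "${HrGroup}:CCDC;user"
# 2. Full control of user objects that already sit under that OU: attributes,
#    enable/disable, password reset. Inherit-only, so the OU itself is untouched.
dsacls $UserOU /I:S /G "${HrGroup}:GA;;user"
# 3. Write the 'member' attribute of groups in the departmental OU only, so HR can
#    move people between departments but cannot touch Domain Admins or any other group.
dsacls $GroupOU /I:S /G "${HrGroup}:WP;member;group"

# 4. Mailbox tasks through Exchange 2010 RBAC instead of direct AD rights.
#    Assumes an Exchange remote session is already imported (see New-PSSession -ConfigurationName Microsoft.Exchange).
Add-RoleGroupMember -Identity 'Recipient Management' -Member 'HR-Provisioning'

# 5. Make the delegated changes visible: audit account and group management on the DCs
#    (the answer's point about auditing). Normally set via a DC GPO; shown here with auditpol.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Read back what was granted, to confirm nothing leaked beyond the two OUs.
function Get-HrDelegation {
    foreach ($ou in $UserOU, $GroupOU) {
        (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { $_.IdentityReference -eq $HrGroup } |
            Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
    }
}
Get-HrDelegation | Format-Table -AutoSize
```

Compared with Account Operators, this grant does not reach the Users container, computer objects, or the ability to log on to and shut down domain controllers, and the ACEs are listed on exactly two OUs where they are easy to review and to remove again.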
Dale Harris (Professional Services Engineer) commented:
Mahesh, great tip!  I never realized that.
Frosty555 (Author) commented:
I think making a GUI for them as Gabriel suggested is probably the correct answer here, but man that is a lot of code to sift through and alter to my needs. I think I might go with Mahesh's idea of just delegating access to the OU and putting RSAT on the user's machine.
Gabriel Clifton (Net Admin) commented:
There is a lot of code there because I work for a school district and I have a tab for create staff, a tab for create students, and a tab to modify user records. The tabs are labeled for vbs and html if you want to try to separate it.