Adding AD users from workstation to specific groups

**Edit** I just wanted to clarify here: I am not specifically looking for someone to write this for me. If they had it, that would be nice :) I was just looking to be pointed in the right direction.

(Server 2012 R2)

I need information on whether this is possible or not - I assume it is, with some work.
A change in procedure has led to a need to allow specific non-admin users the ability to create users in AD.
We have a SharePoint site for clients (a hundred or so new clients a month on average). The way we do it now is: an admin logs in, goes to the OU "SharepointClients" and looks for "Client X"; if "Client X" exists, creates a new user in that OU; if there is no "Client X", creates it and then adds the user. All these users are added to one security group, "SharepointClients".
Is it possible to have a script\winApp that asks these simple questions:

New user
  or
Existing user (so we can just change the password if the client forgot it)

If new user:
  Drop-down menu displaying all OUs within "SharepointClients"
  or else "Create New OU" called xxx
  Add User to OU
  First Name
  Last Name
  User Login Name
  Password Never Expires
  Member of "SharepointClients"

If existing user:
  would just allow them to reset the password.


Does this make sense?
Error checking on user names should not be an issue (the users are created as their specific client ID number).
This does not need to have any bulk import or creation features.
These accounts also do not need any Exchange mailboxes or external email addresses at all, just a user within a specific OU.

I have looked at and have been playing with

https://gallery.technet.microsoft.com/scriptcenter/New-User-Creation-tool-14fa73cd

though I have not gotten it to work yet.
Asked by RichardPhippen

Adam Brown, Sr Solutions Architect, commented:
You can script the whole thing, but it would be a good bit of code. Not necessarily difficult, though. I don't have enough time to write the whole thing, but here are some PowerShell cmdlets that will come in handy for you.

Use PowerShell's switch command to do the work of deciding between whether it's a new user or an existing user. https://technet.microsoft.com/en-us/library/Ff730937.aspx has info. Basically you'd have the creation script in one part of the switch and the existing-user stuff in the other part. This method is cleaner and easier to work with than nested if statements.

You'll want to use the AD PowerShell interface for this, assuming you have Windows 2008 R2 or higher (or if you have the 2008 R2 RSAT installed on a Windows 7 machine). You can either launch that directly or run import-module activedirectory from a PowerShell console on a computer that has it.

get-adorganizationalunit will help you determine if an OU for the customer exists. https://technet.microsoft.com/en-us/library/Ee617236.aspx

new-adorganizationalunit will create a new OU for you
https://technet.microsoft.com/en-us/library/Ee617237.aspx

new-aduser will let you create a new user in that OU.
https://technet.microsoft.com/en-us/library/Ee617253.aspx

add-adgroupmember will let you add the new user to the group you want
https://technet.microsoft.com/en-us/library/Ee617210.aspx
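The cmdlets listed in the answer above, wired together into the two-branch workflow from the question, as an added example (not code from the original thread or from the linked gallery tool). It assumes a domain DC=corp,DC=example with the "SharepointClients" OU directly under the domain root and a group of the same name; the whitelist patterns for client and login names are an assumption too, added so a stray quote in a client name cannot break the LDAP filter or land the user in the wrong OU. It is meant to be run by an account that has been delegated rights on that OU, not by a domain admin.

```powershell
<#
  Added example (not from the original thread or the gallery tool): the
  question's workflow built from Get-/New-ADOrganizationalUnit, New-ADUser,
  Add-ADGroupMember and Set-ADAccountPassword.
  Assumptions: domain DC=corp,DC=example; OU "SharepointClients" directly under
  the domain root; group "SharepointClients"; logins are client ID numbers.
#>
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # any failing cmdlet aborts the branch instead of half-finishing it

$ClientRoot  = 'OU=SharepointClients,DC=corp,DC=example'   # assumption: where client OUs live
$ClientGroup = 'SharepointClients'                         # group name from the question

# Whitelist input before it is spliced into an LDAP filter or a DN (assumed patterns).
$NamePattern  = '^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$'   # client / OU name
$LoginPattern = '^[A-Za-z0-9._-]{1,20}$'               # sAMAccountName is limited to 20 characters

function Get-ClientOu {
    # Returns the DN of the client's OU under $ClientRoot; creates it when -CreateIfMissing is set.
    param([Parameter(Mandatory)][string]$ClientName, [switch]$CreateIfMissing)
    if ($ClientName -notmatch $NamePattern) { throw "Invalid client name: '$ClientName'" }
    $ou = Get-ADOrganizationalUnit -SearchBase $ClientRoot -SearchScope OneLevel `
            -Filter "Name -eq '$ClientName'"
    if (-not $ou -and $CreateIfMissing) {
        $ou = New-ADOrganizationalUnit -Name $ClientName -Path $ClientRoot -PassThru
    }
    if (-not $ou) { throw "No OU for client '$ClientName' under $ClientRoot" }
    return $ou.DistinguishedName
}

function New-ClientUser {
    # New-user branch: create the account in the client's OU with a non-expiring
    # password, enable it and add it to the SharepointClients group.
    param(
        [Parameter(Mandatory)][string]$ClientName,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Login,
        [Parameter(Mandatory)][securestring]$Password
    )
    if ($Login -notmatch $LoginPattern) { throw "Invalid login name: '$Login'" }
    if (Get-ADUser -Filter "SamAccountName -eq '$Login'") { throw "Login '$Login' already exists" }
    $ouDn = Get-ClientOu -ClientName $ClientName -CreateIfMissing
    $user = New-ADUser -Name $Login -SamAccountName $Login -GivenName $FirstName -Surname $LastName `
              -DisplayName "$FirstName $LastName" -Path $ouDn -AccountPassword $Password `
              -PasswordNeverExpires $true -Enabled $true -PassThru
    Add-ADGroupMember -Identity $ClientGroup -Members $user
    return $user
}

function Reset-ClientUserPassword {
    # Existing-user branch: reset and unlock, but only accounts that live under $ClientRoot,
    # so the helper cannot be pointed at accounts outside the delegated OU.
    param([Parameter(Mandatory)][string]$Login, [Parameter(Mandatory)][securestring]$Password)
    if ($Login -notmatch $LoginPattern) { throw "Invalid login name: '$Login'" }
    $user = Get-ADUser -Filter "SamAccountName -eq '$Login'" -SearchBase $ClientRoot
    if (-not $user) { throw "No SharePoint client account named '$Login' under $ClientRoot" }
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $Password
    Unlock-ADAccount -Identity $user
    return $user
}

# Interactive front end: the two questions from the original post, decided with switch.
switch ((Read-Host 'New user or Existing user? [N/E]').ToUpper()) {
    'N' {
        Write-Host 'Existing client OUs:'
        Get-ADOrganizationalUnit -SearchBase $ClientRoot -SearchScope OneLevel -Filter * |
            Sort-Object Name | ForEach-Object { "  $($_.Name)" }
        $client = Read-Host 'Client name (pick one above, or type a new one to create its OU)'
        $first  = Read-Host 'First name'
        $last   = Read-Host 'Last name'
        $login  = Read-Host 'User login name (client ID number)'
        $pwd    = Read-Host 'Initial password' -AsSecureString
        $u = New-ClientUser -ClientName $client -FirstName $first -LastName $last -Login $login -Password $pwd
        Write-Host "Created $($u.DistinguishedName) and added it to $ClientGroup"
    }
    'E' {
        $login = Read-Host 'User login name'
        $pwd   = Read-Host 'New password' -AsSecureString
        $u = Reset-ClientUserPassword -Login $login -Password $pwd
        Write-Host "Password reset and account unlocked for $($u.DistinguishedName)"
    }
    default { Write-Warning 'Answer N or E.' }
}
```

Two things worth knowing when running it: if the initial password fails the domain password policy, New-ADUser throws and the account is left behind disabled, so clean it up or re-run with a compliant password rather than assuming nothing was created; and the -SearchBase on the existing-user lookup is a convenience, not the control. What the operator can actually touch is decided by the ACL on the OU (see the delegation answer below), not by anything in the script.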

Will Szymkowski, Senior Solution Architect, commented:
For something like this to work you need to delegate control first to the users that do not have admin access. You delegate control to a specific OU where the users can then create/modify current users within this specific OU.

From there the app you have listed in the link will work for these users. Delegation needs to be in place first.

Delegate Control of an OU
https://technet.microsoft.com/en-us/library/cc775585%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Will.
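What that delegation looks like when scripted instead of clicked through the wizard, as an added example (not from the original thread). It grants a helpdesk group only the rights the question's workflow needs, scoped to the SharepointClients OU and the SharepointClients group, using dsacls.exe from the AD DS tools. The domain CORP / DC=corp,DC=example and the delegated group CORP\SP-ClientAdmins are assumptions; the OU and group names come from the question.

```powershell
<#
  Added example (not from the original thread): least-privilege delegation on the
  SharepointClients OU so non-admin staff can run the creation tool.
  Assumptions: domain CORP (DC=corp,DC=example), delegated group CORP\SP-ClientAdmins,
  OU and group both named SharepointClients.
#>
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$Delegate = 'CORP\SP-ClientAdmins'                                        # assumption: the non-admin staff group
$ClientOu = 'OU=SharepointClients,DC=corp,DC=example'                     # assumption
$GroupDn  = (Get-ADGroup -Identity 'SharepointClients').DistinguishedName # group from the question

# dsacls grant string: "trustee:rights;objectType;inheritedObjectType"
#   rights: CC create child, DC delete child, RP/WP read/write property, CA control access right
#   /I:T = this object and everything below it, /I:S = objects below only, none = this object only
# ${Delegate} (braces) is required: "$Delegate:CC" would parse as a drive-qualified variable.
$grants = @(
    @{ Object = $ClientOu; Inherit = '/I:T'; Ace = "${Delegate}:CCDC;user" }                    # create/delete users in the OU and client sub-OUs
    @{ Object = $ClientOu; Inherit = $null;  Ace = "${Delegate}:CC;organizationalUnit" }        # create a new client OU directly under SharepointClients
    @{ Object = $ClientOu; Inherit = '/I:S'; Ace = "${Delegate}:CA;Reset Password;user" }       # Set-ADAccountPassword -Reset on users below
    @{ Object = $ClientOu; Inherit = '/I:S'; Ace = "${Delegate}:RPWP;pwdLastSet;user" }          # goes with a reset (must-change / never-expires handling)
    @{ Object = $ClientOu; Inherit = '/I:S'; Ace = "${Delegate}:RPWP;userAccountControl;user" }  # -Enabled and -PasswordNeverExpires flags
    @{ Object = $ClientOu; Inherit = '/I:S'; Ace = "${Delegate}:RPWP;lockoutTime;user" }         # Unlock-ADAccount
    @{ Object = $GroupDn;  Inherit = $null;  Ace = "${Delegate}:WP;member" }                      # Add-ADGroupMember on the one group only
)

foreach ($g in $grants) {
    $cmdArgs = @($g.Object)
    if ($g.Inherit) { $cmdArgs += $g.Inherit }
    $cmdArgs += '/G', $g.Ace
    & dsacls.exe @cmdArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $($g.Object) with '$($g.Ace)'" }
}

# Verify: show only the ACEs the delegate now holds on the OU, so a stray
# GenericAll or an ACE on the wrong object stands out.
Get-Acl -Path "AD:\$ClientOu" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The point of listing the rights one attribute at a time instead of ticking "Full Control" on the OU is that the helpdesk group ends up able to do exactly the four things in the question (create a client OU, create a user, reset a password, add to one group) and nothing else, and nothing at all outside OU=SharepointClients. Two caveats follow from the last grant: anyone in SP-ClientAdmins can add any account, including their own, to SharepointClients, so that group must carry no rights beyond SharePoint access; and the `dsacls $ClientOu` listing (or the Get-Acl check above) is what to review after running this, because the creation tool will happily appear to work for an admin even when the delegation is wrong.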
RichardPhippen (author) commented:
most excellent information. Thank you both.
Question has a verified solution.