Загрузка данных


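function New-UserFromRecord {
    <#
    .SYNOPSIS
        Creates an enabled AD account from one input record, adds it to a
        group and provisions a private home folder under \\fs\home.
    .DESCRIPTION
        Skips the record when an account with the same logon already exists.
        The account gets a generated password and must change it at first
        logon. Group membership and the home folder are best-effort steps:
        a failure there is logged but does not undo the account.
    .PARAMETER UserRecord
        Object exposing the properties Logon, FirstName, LastName, OU, Group
        and Title.
    .OUTPUTS
        System.Boolean. $false when the account already exists or could not
        be created, $true once the account has been created.
    #>
    param([PSCustomObject]$UserRecord)

    $logon = $UserRecord.Logon
    $firstName = $UserRecord.FirstName
    $lastName = $UserRecord.LastName
    $ou = $UserRecord.OU
    $group = $UserRecord.Group
    $title = $UserRecord.Title

    try {
        $exists = Get-ADUser -Identity $logon -ErrorAction SilentlyContinue
        if ($exists) {
            Write-Log "$logon уже существует"
            return $false
        }
    }
    catch {
        # Get-ADUser -Identity raises a terminating error for an unknown
        # identity, so this branch is the normal "not found" path. Any other
        # lookup failure is not distinguished here; it surfaces at New-ADUser
        # below, which now stops on error.
    }

    $password = New-RandomPassword
    $securePass = ConvertTo-SecureString $password -AsPlainText -Force

    $newUserArgs = @{
        Name                  = "$firstName $lastName"
        GivenName             = $firstName
        Surname               = $lastName
        SamAccountName        = $logon
        UserPrincipalName     = "$logon@contoso.local"
        Path                  = $ou
        AccountPassword       = $securePass
        Enabled               = $true
        ChangePasswordAtLogon = $true
        Title                 = $title
    }

    try {
        # Fail closed: without -ErrorAction Stop a rejected account would
        # still get a home folder, a "created" log entry and a $true result.
        New-ADUser @newUserArgs -ErrorAction Stop
    }
    catch {
        Write-Log "ОШИБКА: не удалось создать $logon - $($_.Exception.Message)"
        return $false
    }

    if ($group) {
        try {
            $groupExists = Get-ADGroup -Identity $group -ErrorAction SilentlyContinue
            if ($groupExists) {
                Add-ADGroupMember -Identity $group -Members $logon -ErrorAction Stop
            }
        }
        catch {
            # Best-effort step: keep the account, but leave a trace so a
            # missing or mistyped group does not go unnoticed.
            Write-Log "ПРЕДУПРЕЖДЕНИЕ: $logon не добавлен в группу ${group}: $($_.Exception.Message)"
        }
    }

    # $logon is only used in a path after New-ADUser accepted it as a
    # SamAccountName. NOTE(review): presumably AD rejects path separators
    # there - confirm, or validate the logon explicitly.
    $homePath = "\\fs\home\$logon"

    if (Test-Path "\\fs\home") {
        # Discard the DirectoryInfo that New-Item emits; otherwise it lands in
        # the function's output and the caller gets an array, not a Boolean.
        $null = New-Item -Path $homePath -ItemType Directory -Force

        $acl = Get-Acl $homePath
        # Block inheritance and drop the inherited entries: the only explicit
        # rule added below is the user's own FullControl.
        # NOTE(review): no administrators/backup entry is added - confirm
        # that is intended.
        $acl.SetAccessRuleProtection($true, $false)
        # NOTE(review): the identity is an unqualified name; consider a
        # domain-qualified name so it cannot resolve to another account.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$logon", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $homePath -AclObject $acl

        Set-ADUser -Identity $logon -HomeDrive "H:" -HomeDirectory $homePath
    }

    # NOTE(review): the initial password is written to the log in clear text.
    # Anyone who can read the log can sign in as the new user until the forced
    # change at first logon. Kept because this function has no other channel
    # for handing over the password; restrict the log's ACL or deliver the
    # password out of band and drop it from this message.
    Write-Log "СОЗДАН: $logon (пароль: $password)"
    return $true
}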