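function New-UserFromRecord {
    <#
    .SYNOPSIS
    Creates an Active Directory user from one input record, adds it to a group
    and provisions a private home directory.

    .PARAMETER UserRecord
    Object exposing the Logon, FirstName, LastName, OU, Group and Title
    properties read below.

    .OUTPUTS
    System.Boolean. $true when the account was created; $false when the logon
    was rejected or an account with that logon already exists.
    #>
    param([PSCustomObject]$UserRecord)

    $logon     = $UserRecord.Logon
    $firstName = $UserRecord.FirstName
    $lastName  = $UserRecord.LastName
    $ou        = $UserRecord.OU
    $group     = $UserRecord.Group
    $title     = $UserRecord.Title

    # The logon is interpolated into an AD filter string and into a UNC path
    # below, so refuse values that could change either one: an empty name, a
    # single quote (terminates the filter literal), path separators, and the
    # other characters AD does not accept in sAMAccountName.
    if ([string]::IsNullOrWhiteSpace($logon) -or $logon -match '[''"/\\\[\]:;|=,+*?<>]') {
        Write-Log "ОТКЛОНЕНО: недопустимый логин '$logon'"
        return $false
    }

    $exists = Get-ADUser -Filter "SamAccountName -eq '$logon'"
    if ($exists) { Write-Log "$logon уже существует"; return $false }

    $password = New-RandomPassword
    $securePass = ConvertTo-SecureString $password -AsPlainText -Force

    $newUserParams = @{
        Name                  = "$firstName $lastName"
        GivenName             = $firstName
        Surname               = $lastName
        SamAccountName        = $logon
        UserPrincipalName     = "$logon@contoso.local"
        Path                  = $ou
        AccountPassword       = $securePass
        Enabled               = $true
        ChangePasswordAtLogon = $true
        Title                 = $title
    }
    New-ADUser @newUserParams

    # NOTE(review): a missing group is skipped without any log entry, and a
    # lookup by -Identity may raise a terminating error that SilentlyContinue
    # does not suppress - confirm the intended behaviour.
    $groupExists = Get-ADGroup -Identity $group -ErrorAction SilentlyContinue
    if ($groupExists) { Add-ADGroupMember -Identity $group -Members $logon }

    $homePath = "\\fs\home\$logon"
    # New-Item emits the created directory object; discard it so the function
    # returns only the boolean instead of an array of (DirectoryInfo, $true).
    New-Item -Path $homePath -ItemType Directory -Force | Out-Null

    $acl = Get-Acl $homePath
    # Turn inheritance off and drop the inherited entries: only explicit rules
    # remain on the folder after Set-Acl.
    # NOTE(review): unless explicit entries already exist, administrators and
    # backup accounts may lose access; FullControl also lets the user change
    # the folder's permissions - consider Modify. Confirm with the file-server owner.
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$logon", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $homePath -AclObject $acl

    Set-ADUser -Identity $logon -HomeDrive "H:" -HomeDirectory $homePath

    # NOTE(review): the initial password is written to the log in clear text.
    # Anyone who can read the log can sign in as this user until the first
    # password change. Left unchanged because the log is the only place this
    # function exposes the password; restrict the log's ACL and retention, or
    # hand the password over through a separate protected channel and drop it
    # from this message.
    Write-Log "СОЗДАН: $logon (пароль: $password)"
    return $true
}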