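<#
.SYNOPSIS
    Creates an Active Directory user, adds it to one existing group and reports the
    outcome as a single JSON object on stdout (exit 0 on success, exit 1 on any error).

.DESCRIPTION
    Flow: module import -> "user already exists?" check -> "group exists?" check ->
    create the account (disabled) -> add it to the group -> enable the account.
    The account is enabled only after the group membership succeeded, so a failure in
    the middle leaves a disabled account rather than an enabled, logon-capable account
    that sits outside its intended group. The success end state (enabled user, member
    of the group) is unchanged from the previous version of this script.

.PARAMETER Username
    SamAccountName of the new user. The pattern is deliberately narrow; see the note
    at the LDAP filter below before relaxing it.
.PARAMETER Vorname
    Given name (1-64 chars).
.PARAMETER Nachname
    Surname (1-64 chars).
.PARAMETER Passwort
    Initial password in plain text (8-128 chars). The user must change it at first logon.
.PARAMETER Benutzergruppe
    Target group as name / DN / SamAccountName - anything Get-ADGroup -Identity resolves.

.OUTPUTS
    JSON: { ok, username, displayName, group } on success,
          { ok: false, error } on failure (error = the exception message).
#>
param(
    [Parameter(Mandatory=$true)]
    [ValidatePattern('^[a-zA-Z0-9._-]{1,32}$')]
    [string]$Username,

    [Parameter(Mandatory=$true)]
    [ValidateLength(1, 64)]
    [string]$Vorname,

    [Parameter(Mandatory=$true)]
    [ValidateLength(1, 64)]
    [string]$Nachname,

    # NOTE(review): a plain-text password taken as a command-line argument is visible to
    # process-creation auditing (e.g. 4688 with command-line logging), PowerShell transcripts
    # and anyone who can read the caller's process list. Kept as [string] for compatibility
    # with existing callers; prefer passing it via stdin or a SecureString if callers can be changed.
    [Parameter(Mandatory=$true)]
    [ValidateLength(8, 128)]
    [string]$Passwort,

    # Group as name / DN / SamAccountName of the group
    [Parameter(Mandatory=$true)]
    [ValidateLength(1, 128)]
    [string]$Benutzergruppe
)

# Every unhandled error becomes terminating so it lands in the catch block below.
$ErrorActionPreference = "Stop"

try {
    Import-Module ActiveDirectory

    # Does the user already exist?
    # $Username is interpolated into the filter string; this is only safe because the
    # ValidatePattern above restricts it to [a-zA-Z0-9._-] (no quotes, no wildcards, no
    # LDAP metacharacters). Do not loosen that pattern without also dropping the interpolation.
    $existing = Get-ADUser -Filter "SamAccountName -eq '$Username'" -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        throw "Benutzer existiert bereits: $Username"
    }

    # Resolve the group once and reuse the resolved object for the write below, so the
    # object that was validated is the one the member is added to (no second name lookup).
    # If the not-found error is not suppressed by -ErrorAction for an -Identity lookup, it is
    # still caught by the catch block and reported, just with the AD module's own message.
    $grp = Get-ADGroup -Identity $Benutzergruppe -ErrorAction SilentlyContinue
    if ($null -eq $grp) {
        throw "Gruppe nicht gefunden: $Benutzergruppe"
    }

    $displayName = "$Vorname $Nachname"
    $securePw = ConvertTo-SecureString -AsPlainText $Passwort -Force

    # Create the account disabled and keep the returned object (-PassThru) for the
    # follow-up operations instead of re-resolving it by name.
    $newUser = New-ADUser `
        -SamAccountName $Username `
        -Name $displayName `
        -GivenName $Vorname `
        -Surname $Nachname `
        -DisplayName $displayName `
        -AccountPassword $securePw `
        -Enabled $false `
        -ChangePasswordAtLogon $true `
        -PassThru

    Add-ADGroupMember -Identity $grp -Members $newUser

    # Membership is in place; only now make the account usable for logon.
    Enable-ADAccount -Identity $newUser

    [pscustomobject]@{
        ok          = $true
        username    = $Username
        displayName = $displayName
        group       = $Benutzergruppe
    } | ConvertTo-Json -Depth 4
    exit 0
}
catch {
    # The exception message is passed through to the caller; AD error texts do not echo
    # the supplied password, but they may name the object/OU involved.
    [pscustomobject]@{
        ok    = $false
        error = $_.Exception.Message
    } | ConvertTo-Json -Depth 4
    exit 1
}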