• Approach is fine. The other way to do it if possible would be to give role membership(s) to AD group(s), and control user membership in AD.

    That way you won't need to create a new user everywhere all the time.

    Or look into using PowerShell - might give you a slightly tidier script that can easily be pointed at multiple servers.
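As an added illustration of the group-based approach above (this is example code, not part of the original post, and it assumes the roles in question are SQL Server database roles with the directory being Active Directory; the domain, group and database names are placeholders), the pattern is one Windows login for the AD group, one database user mapped to it, and role membership granted to that user. Day-to-day access changes then happen only in AD, and the final query lets you audit which groups sit in which roles:

```sql
-- Added example: grant a SQL Server database role to an AD group.
-- Assumed/placeholder names: domain CONTOSO, group SQL-Reporting-Readers,
-- database ReportingDB. Adjust to your environment.
USE [master];
GO

-- One server login for the whole AD group. Individual users are added to
-- or removed from the group in AD, so no per-user login is ever created here.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQL-Reporting-Readers')
    CREATE LOGIN [CONTOSO\SQL-Reporting-Readers] FROM WINDOWS;
GO

USE [ReportingDB];
GO

-- Map the group login to a database user in the target database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\SQL-Reporting-Readers')
    CREATE USER [CONTOSO\SQL-Reporting-Readers]
        FOR LOGIN [CONTOSO\SQL-Reporting-Readers];
GO

-- Grant least privilege via a fixed (or custom) database role, not to the
-- group directly.
ALTER ROLE [db_datareader] ADD MEMBER [CONTOSO\SQL-Reporting-Readers];
GO

-- Audit check: which Windows groups are members of which database roles.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.type_desc = 'WINDOWS_GROUP'
ORDER BY role_name, member_name;
GO
```

The same script can be run unchanged against each server, which is also what makes it a natural fit for the PowerShell loop the comment mentions; the `IF NOT EXISTS` guards keep it safe to re-run.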