import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
266
clients/cascades-tucson/docs/migration/phase2-server-prep.md
Normal file
266
clients/cascades-tucson/docs/migration/phase2-server-prep.md
Normal file
@@ -0,0 +1,266 @@
|
||||
# Step 4: Server Preparation — AD & Shares (~4-6 hours, remote via ScreenConnect)
|
||||
|
||||
**No user impact — server-side work only.**
|
||||
|
||||
---
|
||||
|
||||
## 4a — DNS cleanup
|
||||
|
||||
Run `scripts/phase2-dns-cleanup.ps1` on CS-SERVER.
|
||||
|
||||
Actions:
|
||||
- Remove stale A records pointing to old IPs (192.168.0.5, 192.168.2.59, etc.)
|
||||
- Fix DomainDnsZones/ForestDnsZones records to point to 192.168.2.254
|
||||
- Enable DNS scavenging (7-day interval)
|
||||
- Enable aging on cascades.local zone
|
||||
- Create reverse lookup zones for 192.168.0.0/22 and 10.0.20.0/24
|
||||
|
||||
**Verify after:** `nslookup cs-server.cascades.local` should return only 192.168.2.254.
|
||||
|
||||
---
|
||||
|
||||
## 4b — AD cleanup
|
||||
|
||||
Run `scripts/phase2-ad-setup.ps1` on CS-SERVER.
|
||||
|
||||
### Security fixes (immediate)
|
||||
- Remove disabled Monica.Ramirez from **Domain Admins** group
|
||||
- Disable Haris.Durut (still enabled, no longer employed)
|
||||
- Rename "Quickboosk acccess" group → "QuickBooks Access"
|
||||
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)
|
||||
|
||||
### OU cleanup
|
||||
- Fix misspelled OU: "Managment" → "Management"
|
||||
- Create OU structure: `Workstations\Staff PCs`
|
||||
|
||||
### Security groups (created and populated with members)
|
||||
|
||||
| Group | Members |
|
||||
|-------|---------|
|
||||
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
|
||||
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
|
||||
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
|
||||
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
|
||||
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
|
||||
| SG-IT-RW | howard, sysadmin |
|
||||
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
|
||||
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
|
||||
| SG-AllShares-RO | (populated as needed) |
|
||||
|
||||
### Account removals (client confirmed)
|
||||
|
||||
**Already disabled — delete:**
|
||||
- Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol
|
||||
|
||||
**Still enabled — disable + delete (not in HR list, former employees):**
|
||||
- Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery
|
||||
|
||||
**Keep:** lauren.hasselman (took over Bristol's role as Business Office Director)
|
||||
|
||||
### Move computers to Workstations OU
|
||||
- CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081
|
||||
|
||||
---
|
||||
|
||||
## 4c — Sync data from Synology NAS — DONE 2026-03-07
|
||||
|
||||
~~Run `scripts/phase2-sync-synology.ps1` on CS-SERVER.~~
|
||||
|
||||
**Synology Drive Client** reinstalled on CS-SERVER and configured for live sync to `D:\Shares\Main`. All Synology shares sync continuously to this location.
|
||||
|
||||
**Sync method:** Synology Drive Client (live, ongoing sync)
|
||||
**Sync destination:** `D:\Shares\Main` on CS-SERVER
|
||||
**Direction:** Synology → CS-SERVER (one-way)
|
||||
|
||||
### Synology shares visible via SMB (2026-03-07 audit)
|
||||
|
||||
| Synology Share | Size | Syncing to `D:\Shares\Main` |
|
||||
|---|---|---|
|
||||
| `homes` | 228.14 GB | Yes |
|
||||
| `Public` | 50.15 GB | Yes |
|
||||
| `SalesDept` | 12.61 GB | Yes |
|
||||
| `Server` | 1.84 GB | Yes |
|
||||
| `Management` | 1.4 GB | Yes |
|
||||
| `chat` | 0 GB (empty) | Yes |
|
||||
| `home` | 0 GB (empty) | Yes |
|
||||
|
||||
**Total:** ~294 GB syncing. D: had 635 GB free — sufficient.
|
||||
|
||||
### Shares NOT visible via SMB
|
||||
|
||||
| Synology Share | Notes |
|
||||
|---|---|
|
||||
| `Activities` | Not shared via SMB — may be internal Synology folder or removed |
|
||||
| `pacs` | Not shared via SMB — verify on Synology DSM |
|
||||
| `Sandra Fish` | Not shared via SMB — verify on Synology DSM |
|
||||
| `web` | Not shared via SMB — verify on Synology DSM |
|
||||
|
||||
**Note:** Synology uses local accounts (not AD-joined). Authenticated from CS-SERVER via `net use \\192.168.0.120 /user:admin`.
|
||||
|
||||
Already on CS-SERVER (no sync needed): Culinary, IT, Receptionist, directoryshare
|
||||
|
||||
`SaleShare` is the old/duplicate folder — ignore it. `SalesDept` is the real one.
|
||||
|
||||
---
|
||||
|
||||
## 4d — Set up file share permissions (HIPAA: access control + audit)
|
||||
|
||||
Run `scripts/phase2-file-shares.ps1` on CS-SERVER (AFTER sync completes).
|
||||
|
||||
Creates SMB shares for synced folders and sets NTFS permissions matching Synology access. **HIPAA §164.312(b):** After shares are created, enable Advanced Audit Logging on all PHI-containing shares (Management, Server, homes) to track read/write/delete operations.
|
||||
|
||||
| Share | NTFS Access | SMB Share |
|
||||
|---|---|---|
|
||||
| Management | SG-Management-RW = Modify | `\\CS-SERVER\Management` |
|
||||
| SalesDept | SG-Sales-RW = Modify | `\\CS-SERVER\SalesDept` |
|
||||
| Server | SG-Server-RW = Modify | `\\CS-SERVER\Server` |
|
||||
| chat | SG-Chat-RW = Modify | `\\CS-SERVER\chat` |
|
||||
| Public | Authenticated Users = Modify | `\\CS-SERVER\Public` |
|
||||
| Culinary | SG-Culinary-RW = Modify | `\\CS-SERVER\Culinary` (exists) |
|
||||
| IT | SG-IT-RW = Modify | `\\CS-SERVER\IT` (exists) |
|
||||
| Receptionist | SG-Receptionist-RW = Modify | `\\CS-SERVER\Receptionist` (exists) |
|
||||
| directoryshare | SG-Directory-RW = Modify | `\\CS-SERVER\directoryshare` (exists) |
|
||||
| homes | CREATOR OWNER = Full (subfolder) | `\\CS-SERVER\homes` (ABE enabled) |
|
||||
|
||||
All shares also get: Domain Admins = Full Control, SYSTEM = Full Control.
|
||||
|
||||
---
|
||||
|
||||
## 4e — Set up print server
|
||||
|
||||
Run `scripts/phase2-print-server.ps1` on CS-SERVER.
|
||||
|
||||
Creates TCP/IP printer ports for each printer. Drivers must be downloaded separately from manufacturer websites and installed manually, then the script can create the shared printers.
|
||||
|
||||
| Printer | IP | Driver Source |
|
||||
|---------|-----|---------------|
|
||||
| Front Desk - Epson ET-5800 | 192.168.2.147 | epson.com |
|
||||
| Business Office - Canon MF455DW | 192.168.3.227 | canon.com |
|
||||
| Marketing - Brother MFC-L8900CDW | 192.168.2.21 | brother.com |
|
||||
| 206 Health - Brother MFC-L8900CDW | 192.168.1.138 | brother.com |
|
||||
| MemCare MedTech - Brother MFC-L8900CDW | 192.168.2.53 | brother.com |
|
||||
| MemCare Director - Canon MF451CDW | 192.168.3.52 | canon.com |
|
||||
| Kitchen Printer | 192.168.0.121 | _TBD_ |
|
||||
|
||||
**Test:** Print a test page from CS-SERVER to each shared printer before deploying via GPO.
|
||||
|
||||
---
|
||||
|
||||
## 4f — Create GPOs (DO NOT link yet)
|
||||
|
||||
### GPO 1: "CSC - Drive Mappings"
|
||||
User Configuration → Preferences → Drive Maps
|
||||
|
||||
| Drive | Path | Targeting |
|
||||
|-------|------|-----------|
|
||||
| S: | `\\CS-SERVER\Shares` | All domain users |
|
||||
| M: | `\\CS-SERVER\Management` | SG-Management-RW members |
|
||||
| T: | `\\CS-SERVER\SalesDept` | SG-Sales-RW members |
|
||||
| K: | `\\CS-SERVER\Culinary` | SG-Culinary-RW members |
|
||||
| I: | `\\CS-SERVER\IT` | SG-IT-RW members |
|
||||
| R: | `\\CS-SERVER\Receptionist` | SG-Receptionist-RW members |
|
||||
| P: | `\\CS-SERVER\Public` | All domain users |
|
||||
|
||||
Use Item-Level Targeting → Security Group for department-specific drives.
|
||||
|
||||
### GPO 2: "CSC - Printer Deployment"
|
||||
Computer Configuration → Preferences → Printers
|
||||
|
||||
Deploy shared printers with Item-Level Targeting by computer name or security group:
|
||||
- `\\CS-SERVER\FrontDesk-Epson` → Front desk PCs
|
||||
- `\\CS-SERVER\BizOffice-Canon` → Accounting PCs
|
||||
- `\\CS-SERVER\Marketing-Brother` → Marketing group
|
||||
- (etc.)
|
||||
|
||||
### GPO 3: "CSC - Security Baseline"
|
||||
Computer Configuration → Security Settings
|
||||
|
||||
| Setting | Value |
|
||||
|---------|-------|
|
||||
| Min password length | 12 characters |
|
||||
| Password complexity | Enabled |
|
||||
| Max password age | 90 days |
|
||||
| Password history | 10 |
|
||||
| Account lockout threshold | 5 attempts |
|
||||
| Account lockout duration | 30 minutes |
|
||||
| Lockout counter reset | 30 minutes |
|
||||
| Screen lock timeout | 15 minutes |
|
||||
| Windows Firewall | All profiles ON |
|
||||
|
||||
### GPO 4: "CSC - Windows Update"
|
||||
Computer Configuration → Admin Templates → Windows Update
|
||||
|
||||
- Auto download + scheduled install
|
||||
- Schedule: Sundays at 3:00 AM
|
||||
- No auto-restart with logged-on users
|
||||
|
||||
### GPO 6: "CSC - Shared Workstation"
|
||||
Linked to: `OU=Shared PCs,OU=Workstations,DC=cascades,DC=local`
|
||||
|
||||
Applies only to machines in the Shared PCs OU. Uses Item-Level Targeting by computer name so different shared PCs get different printers/drives/mailboxes.
|
||||
|
||||
**User Configuration → Preferences → Drive Maps**
|
||||
|
||||
| Drive | Path | ILT |
|
||||
|-------|------|-----|
|
||||
| R: | `\\CS-SERVER\Receptionist` | Computer Name = [TBD — front desk PC] |
|
||||
|
||||
**User Configuration → Preferences → Printers**
|
||||
|
||||
| Printer | Set Default | ILT |
|
||||
|---------|-------------|-----|
|
||||
| `\\CS-SERVER\FrontDesk-Epson` | Yes | Computer Name = [TBD — front desk PC] |
|
||||
|
||||
**User Configuration → Admin Templates → Microsoft Outlook 2016 → Account Settings → Exchange**
|
||||
|
||||
| Setting | Value |
|
||||
|---------|-------|
|
||||
| Cached Exchange Mode | Disabled (forces Online Mode) |
|
||||
|
||||
Online mode prevents shared mailbox data from caching on every shared PC — important when multiple users rotate through the same machine.
|
||||
|
||||
**User Configuration → Preferences → Registry**
|
||||
|
||||
Auto-mount shared mailbox via registry (only on targeted shared PCs):
|
||||
|
||||
| Key Path | Value | Data | ILT |
|
||||
|----------|-------|------|-----|
|
||||
| `HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002` | `001f6610` | `reception@[tenant-domain]` | Computer Name = [TBD] |
|
||||
|
||||
> **Note:** The registry path above is a placeholder — the exact profile key varies per installation. The shared mailbox SMTP address depends on the M365 tenant domain (Step 3 blocker). Computer names will be filled in after the onsite visit identifies which PCs are shared.
|
||||
|
||||
**Onsite TODO (before this GPO is functional):**
|
||||
- [ ] Identify shared workstation computer names and roles
|
||||
- [ ] Move shared PCs into `OU=Shared PCs,OU=Workstations`
|
||||
- [ ] Fill in ILT computer names above
|
||||
- [ ] Create shared mailbox in M365 (see Step 4 in shared workstation plan)
|
||||
- [ ] Document user-to-shared-PC rotation matrix
|
||||
- [ ] Test: log into shared PC → verify R: drive, default printer, and shared mailbox appear
|
||||
- [ ] Test: log into normal PC → verify reception drive/printer/mailbox do NOT appear
|
||||
|
||||
---
|
||||
|
||||
### GPO 5: "CSC - Folder Redirection"
|
||||
User Configuration → Policies → Windows Settings → Folder Redirection
|
||||
|
||||
| Folder | Redirect to | Setting |
|
||||
|--------|------------|---------|
|
||||
| Desktop | `\\CS-SERVER\homes\%username%\Desktop` | Basic, create folder |
|
||||
| Documents | `\\CS-SERVER\homes\%username%\Documents` | Basic, create folder |
|
||||
| Downloads | `\\CS-SERVER\homes\%username%\Downloads` | Basic, create folder |
|
||||
|
||||
Settings:
|
||||
- Grant user exclusive rights: **Yes**
|
||||
- Move contents to new location: **Yes** (first time only)
|
||||
- Policy removal: Leave contents
|
||||
- Also applies to Windows 10/11
|
||||
|
||||
This replaces roaming profiles — user data lives on the server but profiles stay local (fast logon, no corruption issues).
|
||||
|
||||
---
|
||||
|
||||
## Rollback
|
||||
|
||||
- Unlink any GPO from GPMC — takes effect at next `gpupdate`
|
||||
- DNS records were exported in Step 1
|
||||
- AD changes can be reverted from Step 1 exports
|
||||
Reference in New Issue
Block a user