sync: auto-sync from HOWARD-HOME at 2026-05-29 12:39:04
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-05-29 12:39:04
126
clients/cascades-tucson/session-logs/2026-05-29-session.md
Normal file
@@ -0,0 +1,126 @@
|
||||
# Session Log — 2026-05-29
|
||||
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
---
|
||||
|
||||
## Session Summary
|
||||
|
||||
This session focused on preparing Lois Lane's domain account and setting up her new workstation (Health-Services-Director) for domain migration as part of the ongoing Cascades of Tucson department-by-department migration (Syncro #110680053).
|
||||
|
||||
First, the AD account for Lois Lane was verified via GuruRMM remote PowerShell on CS-SERVER. The account existed (SAM=Lois.Lane, UPN=Lois.Lane@cascadestucson.com, OU=Care-Assisted Living, enabled) but had no home folder and was not in SG-FolderRedirect. The home folder D:\Homes\Lois.Lane was created with all five subfolders (Desktop/Documents/Downloads/Music/Pictures) and correct CASCADES\Lois.Lane ACL. Lois.Lane was added to SG-FolderRedirect. The domain password was set to Imbirowicz1$ and vaulted at clients/cascades-tucson/lois-lane.sops.yaml.
|
||||
|
||||
Howard used Fab's Auto Backup to restore Lois Lane's profile from the old machine (DESKTOP-KQSL232) to Health-Services-Director, then ran ProfWiz to domain-join the machine and migrate her local account (Lois Lane) to CASCADES\Lois.Lane. Lois accidentally logged in before the prep-profile-for-redirection.ps1 script could be run, which caused the GPO folder redirection CSE to fire under SYSTEM context and poison the User Shell Folders registry values with C:\Windows\system32\config\systemprofile\* paths. Desktop was redirected correctly to \\CS-SERVER\homes\lois.lane\Desktop; all other folders were poisoned.
|
||||
|
||||
The hive cleanup script (hive-cleanup-shellfolders.ps1) was run against the offline NTUSER.DAT, fixing Personal/My Music/My Pictures/My Video/Favorites/{FDD39AD0}/\{374DE290\} back to %USERPROFILE%\ defaults. However, after Lois logged in, the folders remained local rather than redirecting to the server. An attempt to move data and fix registry via SYSTEM context failed because SYSTEM on Health-Services-Director does not have NTFS access to \\CS-SERVER\homes\Lois.Lane\* — the machine account is not in the ACL. This caused a stray C:\CS-SERVER\ folder to be created locally and the quick access links were broken. Howard manually removed the broken links and moved the data to the correct server locations.
|
||||
|
||||
Finally, the shell folder registry values were corrected using user_session context (running as Lois Lane) with UNC paths constructed via [char]92 to work around a confirmed encoding issue: double backslashes in PowerShell scripts dispatched via RMM user_session context are consistently halved to single backslashes when using string literals. The [char]92 workaround produced correct \\CS-SERVER paths. Explorer was restarted and the shell folders now point correctly to the server. Lois needs to re-pin the sidebar shortcuts manually (right-click folder → Pin to Quick Access) since the broken ones were removed.
|
||||
|
||||
---
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Used [char]92 to build UNC paths in RMM user_session scripts rather than string literals — confirmed that "\\CS-SERVER" literals are halved to "\CS-SERVER" in user_session context, producing local paths instead of UNC. System context does not exhibit this behavior.
|
||||
- Ran hive cleanup (offline NTUSER.DAT) after accidental first login poisoned shell folder paths — this was the correct recovery path per the established Cascades folder redirection runbook.
|
||||
- Data movement from local to server must run as the domain user (user_session context), not as SYSTEM — SYSTEM on a domain-joined workstation authenticates as the machine account to the network, which has no NTFS rights on user home folders.
|
||||
- The new machine name Health-Services-Director reflects Lois Lane's actual role; the old blocked machine DESKTOP-KQSL232 is now superseded for her migration entry.
|
||||
- Domain join credential: sysadmin / r3tr0gradE99# (same as local Localadmin account on the new machine).
|
||||
|
||||
---
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **Accidental first login before prep script**: Lois logged in as domain user before prep-profile-for-redirection.ps1 could run. GPO CSE fired under SYSTEM, poisoned shell folder paths. Fixed via hive-cleanup-shellfolders.ps1 on offline NTUSER.DAT.
|
||||
- **SYSTEM context cannot access UNC home folders**: Move-Item and Test-Path against \\CS-SERVER\homes\Lois.Lane\* silently routed to a local C:\CS-SERVER\ path when run as SYSTEM. Files appeared to move but went to a stray local folder. Root cause: machine account not in home folder NTFS ACL. Fixed by using user_session context for all file operations touching the Homes share.
|
||||
- **UNC path encoding in user_session scripts**: `$base = "\\CS-SERVER\..."` produced `\CS-SERVER` (single backslash) in user_session context. Workaround: `$bs = [char]92; $base = "${bs}${bs}CS-SERVER\homes\Lois.Lane"`. Saved as feedback memory feedback-rmm-unc-path-encoding.md.
|
||||
- **RMM server offline at session start**: GuruRMM server had been rebuilt (Mike deployed 0.3.36 at 18:51 UTC). Re-authenticated after server came back up.
|
||||
- **jq escaping failure on inline SCRIPT variable**: Multi-line PowerShell scripts with backslashes failed when passed through jq --arg. Resolved by writing scripts to temp files and using jq -Rs to encode.
|
||||
|
||||
---
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- `clients/cascades-tucson/session-logs/2026-05-29-session.md` — created (this file)
|
||||
- `.claude/memory/feedback-rmm-unc-path-encoding.md` — created (RMM user_session UNC path encoding rule)
|
||||
- `.claude/memory/MEMORY.md` — updated (added new feedback memory entry)
|
||||
- `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` — updated CURRENT SAVE POINT, added Lois Lane completed entry, updated next actions to include Health-Services-Director domain join
|
||||
|
||||
---
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- **Lois Lane domain account**
|
||||
- SAMAccountName: Lois.Lane
|
||||
- UPN: Lois.Lane@cascadestucson.com
|
||||
- Domain password: Imbirowicz1$
|
||||
- Local account on Health-Services-Director: Lois Lane (no password)
|
||||
- Vault: clients/cascades-tucson/lois-lane.sops.yaml
|
||||
- **Health-Services-Director local admin**: Localadmin / r3tr0gradE99#
|
||||
- **Domain join credential**: sysadmin / r3tr0gradE99#
|
||||
|
||||
---
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- CS-SERVER: Dell R610, Windows Server 2019, DC for cascades.local, GuruRMM agent c39f1de7-d5b6-45ae-b132-e06977ab1713
|
||||
- Health-Services-Director: new workstation for Lois Lane, GuruRMM agent 3d6a6fed-500b-41d4-a785-6032e3d5297f, Windows 11, domain-joined cascades.local, OU=Staff PCs,OU=Workstations
|
||||
- Homes share: \\CS-SERVER\homes → D:\Homes on CS-SERVER
|
||||
- Lois Lane home folder: D:\Homes\Lois.Lane (Desktop/Documents/Downloads/Music/Pictures created, CASCADES\Lois.Lane FullControl)
|
||||
|
||||
---
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
**Verify AD account (CS-SERVER):**
|
||||
```
|
||||
Name: Lois Lane | SAM: Lois.Lane | UPN: Lois.Lane@cascadestucson.com
|
||||
OU: CN=Lois Lane,OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local
|
||||
Enabled: True | HomeDirectory: (none) | MemberOf: (none)
|
||||
```
|
||||
|
||||
**New-HomeFolder result:**
|
||||
```
|
||||
D:\Homes\Lois.Lane created with clean ACL
|
||||
Created: Desktop, Documents, Downloads, Music, Pictures
|
||||
```
|
||||
|
||||
**Hive cleanup result:**
|
||||
```
|
||||
[FIXED] Personal, My Music, My Pictures, My Video, Favorites, {374DE290} — all poisoned -> %USERPROFILE%\*
|
||||
[KEEP] Desktop = \\CS-SERVER\homes\lois.lane\Desktop (already correct)
|
||||
```
|
||||
|
||||
**Shell folder fix (user_session, [char]92 workaround):**
|
||||
```
|
||||
Documents : \\CS-SERVER\homes\Lois.Lane\Documents
|
||||
Music : \\CS-SERVER\homes\Lois.Lane\Music
|
||||
Pictures : \\CS-SERVER\homes\Lois.Lane\Pictures
|
||||
Downloads : \\CS-SERVER\homes\Lois.Lane\Downloads
|
||||
Explorer restarted.
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- Lois Lane needs to re-pin Quick Access sidebar links (Documents, Music, Pictures, Downloads) — removed when broken, now point correctly to server
|
||||
- Verify folder redirection is fully working after next login (gpresult /r on Health-Services-Director, or have Lois confirm folders open correctly)
|
||||
- Check for stray C:\CS-SERVER\ folder on Health-Services-Director — should be cleaned up
|
||||
- Migration plan next actions: Ashley Jensen verification, RECEPTIONIST-PC verification, NURSESTATION-PC auto-lock GPO, Phase 3 remaining joins (CHEF-PC, SALES4-PC, MDIRECTOR-PC)
|
||||
- M365 relicensing: 31 users still on suspended Business Standard → Business Premium (31 SPB seats free, time-sensitive)
|
||||
- Vault nurses credential: clients/cascades-tucson/nurses-shared.sops.yaml
|
||||
|
||||
---
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Syncro ticket: #110680053 (department migration)
|
||||
- Migration plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md
|
||||
- GuruRMM server: http://172.16.3.30:3001 (rebuilt to v0.3.36 / commit 9b34393 at 18:51 UTC today)
|
||||
- Lois Lane domain SID: S-1-5-21-388235164-2207693853-3666415804-1113
|
||||
- prep-profile-for-redirection.ps1: clients/cascades-tucson/scripts/prep-profile-for-redirection.ps1
|
||||
- hive-cleanup-shellfolders.ps1: clients/cascades-tucson/scripts/hive-cleanup-shellfolders.ps1
|
||||
- fix-live-shellfolders.ps1: clients/cascades-tucson/scripts/fix-live-shellfolders.ps1
|
||||
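Review bot: Live passwords are committed in cleartext in three places in this file: the last sentence of the first Session Summary paragraph, the "Domain join credential" bullet under Key Decisions, and the whole Credentials & Secrets section. The same file already records a vault entry at clients/cascades-tucson/lois-lane.sops.yaml, so each password should be replaced with a pointer to its SOPS file. Treat the values as exposed and rotate the Lois.Lane domain password, the Localadmin password and the sysadmin domain-join password, because removing them in a later commit still leaves them in history. The log also states that sysadmin and Localadmin share one password, which means anyone who recovers the local admin secret on Health-Services-Director also holds the domain-join account; give the two accounts distinct secrets. The "Local account on Health-Services-Director: Lois Lane (no password)" line has no matching item under Pending / Incomplete Tasks; add one to disable or remove that local account now that the profile has been migrated to CASCADES\Lois.Lane.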