sync: auto-sync from HOWARD-HOME at 2026-06-09 10:33:12

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-09 10:33:12
2026-06-09 10:33:22 -07:00
parent 95b89c56a8
commit 2029fa5429
7 changed files with 199 additions and 15 deletions


@@ -83,6 +83,7 @@
### Cascades
- [Cascades operational rules](feedback_cascades.md) — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU.
- [Cascades FR GPO fix](reference_cascades_fr_gpo_fix.md) — Native Folder Redirection was DOA on every machine: redirect targets were in a misnamed `fdeploy1.ini` (Windows reads `fdeploy.ini`) → empty target path → silent no-op → per-user registry workaround every time. Fixed 2026-06-08 (correct fdeploy.ini + version bump). Also: CS-SERVER live RMM agent is `c39f1de7...` (old `6766e973` stale).
## Machine
- [GURU-5070 Workstation Setup](reference_workstation_setup.md) — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
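Review bot: the Cascades FR GPO fix entry hardcodes the CS-SERVER agent ids (`c39f1de7...` and the stale `6766e973`) into the index, while the reference page added in this same commit says to always resolve the agent live by hostname and never hardcode it. Suggest dropping the UUIDs from the index line and keeping only the pointer to the reference page, so the index cannot go stale on the next re-enrolment.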


@@ -10,6 +10,8 @@ Current-state context: [[project_cascades]]. Root cause / incident detail: [[pro
## 1. Folder redirection — pre-create subfolders BEFORE first logon
**UPDATE 2026-06-08:** the real reason every machine needed the manual workaround was a **misnamed GPO config file** (`fdeploy1.ini` instead of `fdeploy.ini`) — native FR was DOA tenant-wide. Now fixed; native FR redirects all 5 folders on first logon. Full detail: [[reference_cascades_fr_gpo_fix]]. Still pre-create the home folder before first logon (below). The `fix-shell-redirect.ps1` workaround should no longer be needed for new users — if it ever is again, check that the GPO still has a valid `fdeploy.ini` first.
fdeploy caches failures and never retries if subfolders don't exist at first logon. "No changes detected" = stuck forever without manual intervention.
**Mandatory order for every new user:**
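Review bot: the UPDATE paragraph says native FR now redirects on first logon, but the all-staff GPO is security-filtered to `SG-FolderRedirect` (per the wiki hunk in this commit), so a new user who is not in that group still gets no redirection and will look exactly like the old failure. Suggest adding the group-membership check to the "Mandatory order for every new user" list next to the home-folder pre-create, and putting it ahead of "check that the GPO still has a valid `fdeploy.ini`" in the troubleshooting order.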


@@ -0,0 +1,18 @@
---
name: Cascades Folder Redirection GPO — DOA root cause + fix (misnamed fdeploy)
description: Why native Folder Redirection failed on EVERY Cascades machine (LE + staff) and forced the per-user registry workaround — the GPO's redirect targets were saved in a misnamed fdeploy1.ini; Windows only reads fdeploy.ini. Fixed 2026-06-08. Read when touching Cascades folder redirection or onboarding a new Cascades user.
metadata:
type: reference
---
**Root cause (found 2026-06-08):** Native Folder Redirection never worked at Cascades — every machine needed `fix-shell-redirect.ps1`. The FR GPO `CSC - Folder Redirection` (`{512B43A4-F049-4CE5-BFAC-860AD13E92BE}`) had its redirect targets in a file named **`fdeploy1.ini`**, but the Windows FR client-side extension reads **`fdeploy.ini`** only. No `fdeploy.ini` existed → the client knew which 5 folders to redirect but got an **empty target path** (FR Operational log event 1006 shows `Path = ""`, and there is NO event 1008 "successfully redirected"). It silently no-op'd. The GPO had been hand-built by editing the wrong filename.
**Fix:** wrote a correct `fdeploy.ini` (5 folders, `Flags=187`, `FullPath=\\CS-SERVER\Homes\%USERNAME%\<Folder>`) into `{512B43A4-...}\User\Documents & Settings\`, then bumped the GPO version 917506→983042 keeping **GPT.INI Version AND the AD `versionNumber` attribute in sync** (FR is a foreground/logon CSE; it only re-applies when the version changes). Canonical artifact: `clients/cascades-tucson/gpo/fdeploy.ini`. Backup of original `\User` tree + GPT.INI: `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER.
**How to apply / diagnose elsewhere:**
- Diagnose: on the client, `Get-WinEvent -LogName 'Microsoft-Windows-Folder Redirection/Operational'``Path = ""` in event 1006 + no 1008 = the GPO is delivering no target path (missing/empty/misnamed `fdeploy.ini`).
- The dead `fdeploy1.ini` was LEFT in place (Windows ignores it) — do NOT edit it. Edit redirection via GPMC, or replace `fdeploy.ini` from the repo artifact.
- The **LE GPO** `CSC - Folder Redirection (LE)` (`{889BE7BE-...}`) is also broken — `\User` tree completely empty. Retire it / move LE users into SG-FolderRedirect, or apply the same fix.
- After the fix, the per-user registry workaround should no longer be needed; native FR redirects all 5 folders on first logon. Still pre-create the home folder (`New-HomeFolder`) before first logon. See [[feedback_cascades]].
**Also (2026-06-08):** CS-SERVER live GuruRMM agent re-enrolled to `c39f1de7-d5b6-45ae-b132-e06977ab1713` (old `6766e973` is stale) — always resolve the agent live by hostname, never hardcode. Related: [[project_cascades]].
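Review bot: the Diagnose bullet has lost the separator between the `Get-WinEvent -LogName 'Microsoft-Windows-Folder Redirection/Operational'` command and the `Path = ""` check, so the two code spans run together as one; add a connecting word between them (e.g. "then look for `Path = ""` in event 1006"). Also, the only backup of the original `\User` tree and GPT.INI is `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER, which the server table in this same commit flags as a single DC with no backup, and Temp is routinely cleaned. Suggest copying that backup next to the canonical artifact under `clients/cascades-tucson/gpo/` so the rollback survives.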


@@ -322,8 +322,8 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al
| Default Domain Controllers Policy | OU=Domain Controllers | IIS app pool audit rights, print operator driver loading. | OK |
| Power Options | — | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| CSC - Always Wait For Network | — | AlwaysWaitForNetwork + synchronous logon | Pre-existing |
| CSC - Folder Redirection (LE) | OU=Life Enrichment | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. | LIVE — Sharon Edwards + Susan Hicks |
| CSC - Folder Redirection | — | Same as LE GPO but for all staff OUs. UNLINKED. | Blocked on Phase 3 |
| CSC - Folder Redirection (LE) | OU=Life Enrichment | **BROKEN — `\User` tree is completely empty (no fdeploy at all).** Sharon/Susan only ever worked via the manual registry workaround. Retire it (move LE users into SG-FolderRedirect) or apply the `fdeploy.ini` fix. | `{889BE7BE-202E-4153-89AD-B5DB62A52D25}` |
| CSC - Folder Redirection | OU=Departments (filtered to SG-FolderRedirect) | 5 folders (Desktop/Documents/Downloads/Music/Pictures) → `\\CS-SERVER\Homes\%USERNAME%\`, Flags=187. **FIXED 2026-06-08:** redirect targets were in a misnamed `fdeploy1.ini` (Windows reads `fdeploy.ini`, which was absent) → native FR was DOA, hence the per-machine registry workaround. Wrote correct `fdeploy.ini` (`clients/cascades-tucson/gpo/fdeploy.ini`) + version bump 917506→983042 (GPT.INI + AD versionNumber). Native FR now works on first logon. | `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}`. Backup: `C:\Windows\Temp\frfix-20260608-161144` |
| CSC - Life Enrichment Printers | OU=Life Enrichment | Printer preferences for LE staff | LIVE |
| CSC - Security Baseline | UNLINKED | Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. | Created 2026-05-20. Link at domain root at Phase 3. |
| CSC - Windows Update | UNLINKED | AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. | Created 2026-05-20. Link at domain root at Phase 3. |
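Review bot: the last column of the GPO table is a status column ("OK", "Keep", "LIVE", "Pre-existing"), but the two rewritten Folder Redirection rows put a GPO GUID and a backup path there instead, so the table no longer says whether either GPO is linked or live. Suggest keeping a status value in that column (e.g. "BROKEN, unlinked pending retire" and "FIXED 2026-06-08, LIVE") and moving the GUID and backup path into the notes column.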


@@ -0,0 +1,23 @@
[version]
version=100
[Folder_Redirection]
{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}=s-1-1-0;
{FDD39AD0-238F-46AF-ADB4-6C85480369C7}=s-1-1-0;
{33E28130-4E1E-4676-835A-98395C3BC3BB}=s-1-1-0;
{374DE290-123F-4565-9164-39C4925E467B}=s-1-1-0;
{4BD8D571-6D19-48D3-BE97-422220080E43}=s-1-1-0;
[{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}_s-1-1-0]
Flags=187
FullPath=\\CS-SERVER\Homes\%USERNAME%\Desktop
[{FDD39AD0-238F-46AF-ADB4-6C85480369C7}_s-1-1-0]
Flags=187
FullPath=\\CS-SERVER\Homes\%USERNAME%\Documents
[{33E28130-4E1E-4676-835A-98395C3BC3BB}_s-1-1-0]
Flags=187
FullPath=\\CS-SERVER\Homes\%USERNAME%\Pictures
[{374DE290-123F-4565-9164-39C4925E467B}_s-1-1-0]
Flags=187
FullPath=\\CS-SERVER\Homes\%USERNAME%\Downloads
[{4BD8D571-6D19-48D3-BE97-422220080E43}_s-1-1-0]
Flags=187
FullPath=\\CS-SERVER\Homes\%USERNAME%\Music
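Review bot: all five `[Folder_Redirection]` entries are keyed to `s-1-1-0` (Everyone), so nothing in this file limits who is redirected; the scoping comes entirely from the GPO's security filter to `SG-FolderRedirect`. A short note in the repo beside the artifact (not inside the .ini, which the CSE parses) recording that dependency would stop a future edit that loosens the filter from redirecting every user in the OU. Minor: the share path is `\\CS-SERVER\Homes` here but `\\CS-SERVER\homes` in the LE GPO row of the wiki; SMB does not care, but one spelling makes grep work.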


@@ -0,0 +1,133 @@
# Cascades of Tucson — Session Log 2026-06-09 — Crashed-session billing recovery + machine wiki update
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Recovered from a crashed prior session (transcript `179fa696`, 2026-06-08 17:02) to confirm billing
state and finish documentation. Reconstructed the crashed session's work from the transcript: Chris
Knight workstation setup + the Folder Redirection GPO root-cause fix (both already documented), then
an ASSISTNURSE-PC reinstall cleanup (delete stale RMM agent, deploy caregiver shortcuts) that ran
right before the crash. The open question was "did billing get entered?"
Reconciled the crashed transcript's billing claims against live Syncro and found the narrative was
partly wrong. Ticket #32330 "New computer for Chris Knight" (id 111216087) **was** genuinely billed
during the crashed session — invoice #67790 exists ($0.00 prepaid, 1.0h onsite line item attributed
to Howard) — so that work persisted server-side despite the crash. But two transcript claims did NOT
match reality: it claimed status was set to Invoiced (live showed **Resolved**) and claimed prepay
went 8.75→7.75 (live block was **57.75**, a ~50h discrepancy — almost certainly a prepaid top-up
between 06-08 and 06-09). Corrected #32330 status Resolved→Invoiced. The ASSISTNURSE-PC reinstall
work had no ticket and was never billed.
Per Howard's direction, prepared (but did NOT execute) billing for the ASSISTNURSE-PC reinstall:
1.0h onsite on existing ticket **#32303 "Domain setup-entra sync"** (id 110680053), for the clean
Windows 11 reinstall (was Win10; in-place upgrades failed, clean install the only option). Built the
full billing preview (resolution comment + line item + prepaid invoice that nets $0.00 and draws
57.75→56.75) and paused at the confirmation gate — Howard pivoted to other questions, so this
billing remains pending his confirm.
Answered two inventory questions: (1) Cascades machines upgraded to Win11 with our key
(DESKTOP-ROK7VNM, MAINTENANCE-PC documented "manual key"; DESKTOP-DLTAGOI same 04-13 batch;
ASSISTNURSE-PC just done — with the caveat that in-place Win10 Pro→11 Pro reuses the existing digital
license and consumes no key, so a live partial-product-key RMM sweep is the only definitive check);
and (2) the caregiver/medtech laptops+desktops we upgraded (LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 were
Win10 Home→Win11 Pro = our key, Laptop2 already Pro, LAPTOP-8P7HDSEI Win10→Win11, ASSISTNURSE-PC
clean reinstall, NURSESTATION-PC Pro→Pro = no key). Finally updated the Cascades wiki to reflect the
machine changes and the corrected hour balance.
## Key Decisions
- **Did not redo #32330 billing.** Live Syncro confirmed invoice #67790 already exists and the line
item is on the ticket; re-billing would double-charge. Only the cosmetic status flag (Resolved→
Invoiced) needed fixing.
- **Trusted live Syncro over the crashed transcript and the wiki.** The transcript's prepay figures
(8.75→7.75) and the wiki's 7.75 were both wrong against the live 57.75 block. Recorded the live
value and flagged the old chain as pre-top-up so future sessions don't trust it.
- **Paused ASSISTNURSE-PC billing at the preview.** Howard confirmed ticket (#32303), time (1.0h),
and channel (onsite), but moved to other questions before approving the write. Per skill rule
(show payload + wait for explicit confirm), did not execute.
- **Billed the reinstall to #32303, not a new ticket.** Howard's explicit instruction — #32303 is the
umbrella domain-migration ticket and already carries incremental onsite/remote labor.
- **Distinguished "upgraded to Win11" from "upgraded with OUR key."** Only Home→Pro and clean
installs consume our key; in-place Pro→Pro reuses the device's digital license. Static docs can't
reliably tell them apart — offered a read-only RMM partial-product-key sweep as the definitive check.
## Problems Encountered
- **Crashed-session transcript narrated false "done" claims.** The dying session reported #32330 as
Invoiced with prepay 8.75→7.75; live Syncro showed Resolved / 57.75. Resolved by GET-verifying every
claim (ticket status, line items, invoice #67790, customer prepay) against the live API before
taking any action — the invoice was real, the status/prepay claims were not.
- **No ticket existed for the ASSISTNURSE-PC reinstall.** The crashed session did the RMM cleanup as
an aside to Chris Knight's billing and never opened/billed a ticket. Resolved by asking Howard,
who directed it to existing ticket #32303.
## Configuration Changes
- **Syncro:** PUT ticket #32330 (id 111216087) `status` Resolved → **Invoiced**. Bot alert posted
(message_id 1513948832772395230). No new line items or invoices created this session.
- **Wiki** (`wiki/clients/cascades-tucson.md`) — 4 edits:
1. Profile → Hours remaining: corrected to **57.75 hrs (live 2026-06-09)**, flagged the ~50h
top-up vs the old 7.75/8.75/15.75 chain, noted #32330 status fix + pending ASSISTNURSE-PC billing.
2. Caregiver device allow-list table: bumped to 6 devices, added **ASSISTNURSE-PC** row (Win11 Pro
for WS 24H2, new agent `62d108d6`, old `88891eb8` deleted, needs re-join/re-tag), annotated each
laptop's upgrade/key origin, marked LAPTOP-8P7HDSEI state "verify".
3. Enrollment-progress note: marked ASSISTNURSE-PC upgraded 2026-06-08 (was "pending").
4. History Highlights: added a 2026-06-08 ASSISTNURSE-PC reinstall row.
- No repo code changes. This session log created.
## Credentials & Secrets
- None discovered or created this session. (Syncro Howard API key + Cascades customer id are already
in the `/syncro` skill and wiki.)
## Infrastructure & Servers
- **Syncro customer:** Cascades of Tucson, id **20149445**, prepaid block **57.75 hrs** (live 2026-06-09).
- **Tickets:** #32330 / 111216087 (Chris Knight new computer — Invoiced, inv #67790 $0.00);
#32303 / 110680053 ("Domain setup-entra sync" — Resolved; ASSISTNURSE-PC 1.0h onsite billing pending).
- **ASSISTNURSE-PC:** Win11 Pro for Workstations 24H2 after clean reinstall 2026-06-08. GuruRMM agent
**`62d108d6`** (`Assistnurse-pc`, v0.6.57, online); stale Win10 agent **`88891eb8`** deleted (HTTP 204).
Shared MC medtech device. New Entra device object after reinstall → re-join + re-tag pending.
- **Caregiver shortcuts deployed** to `C:\Users\Public\Desktop` on ASSISTNURSE-PC (2026-06-08):
ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`,
Helpany `https://app.safe-living.com/login`.
## Commands & Outputs
```bash
BASE="https://computerguru.syncromsp.com/api/v1"; API_KEY=<howard key>
# Verify #32330 — was Resolved with line item present; invoice #67790 exists ($0.00, ticket_id 111216087)
curl -s "$BASE/tickets/111216087?api_key=$API_KEY"
curl -s "$BASE/invoices/67790?api_key=$API_KEY" # id 1650613747, total 0.0, 1 line
curl -s "$BASE/customers/20149445?api_key=$API_KEY" | jq .customer.prepay_hours # 57.75 (not 7.75)
# Fix status
curl -s -X PUT "$BASE/tickets/111216087?api_key=$API_KEY" -d '{"status":"Invoiced"}' # -> Invoiced
```
## Pending / Incomplete Tasks
- **[BILLING — awaiting Howard confirm] ASSISTNURSE-PC reinstall:** 1.0h onsite on #32303 (id 110680053),
product 26118 (Labor - Onsite Business, $175), prepaid → $0.00, draws 57.75→56.75. Preview built;
paused at confirmation gate. Resolution comment drafted (Win10→Win11 clean reinstall + RMM re-enroll +
shortcuts). Execute on Howard's "yes."
- **[OFFERED] Win11 license-key verification sweep:** read-only RMM pull of partial product key (last 5)
+ license channel across the 6 caregiver machines (and optionally the fleet) to definitively identify
which carry our key vs reused digital licenses.
- **ASSISTNURSE-PC re-join + re-tag** `CSCCaregiverDevice` (new Entra object after reinstall) + clean old
Entra device record — at caregiver cutover.
- **LAPTOP-8P7HDSEI:** confirm Win11 25H2 upgrade + Entra join/tag state (was pending as of 06-04).
- **Unrelated coord todo (not picked up):** Safesite forensic sweep #32395 (coord todo 5766a59f) — two
offline recipient machines; flagged from GURU-5070 broadcast, left for a free session.
## Reference Information
- Crashed transcript: `~/.claude/projects/C--claudetools/179fa696-48bf-443f-b900-62b05fd408ad.jsonl`.
- Tickets: #32330 https://computerguru.syncromsp.com/tickets/111216087 ; #32303 https://computerguru.syncromsp.com/tickets/110680053
- Invoice #67790 (id 1650613747) — Chris Knight, $0.00 prepaid.
- Win11/key inventory sources: `clients/cascades-tucson/docs/workstations.md` (audited 2026-03-20),
`clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md` (caregiver device set).
- Wiki: `wiki/clients/cascades-tucson.md`.
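Review bot: the Commands & Outputs block passes the Syncro key as a `?api_key=` query parameter on every call, including the `PUT`, so it lands in shell history and in any proxy or server access log along the way; if the API accepts the key in a request header, use that, and otherwise keep the key in an environment variable sourced from the vault rather than typed inline. The `PUT` also sends a JSON body with `-d` but no `Content-Type: application/json` header; the `# -> Invoiced` comment shows it worked here, but add the header so the call is unambiguous when it is reused.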


@@ -111,9 +111,9 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
- Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
- Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04)
- Chris Knight — Accounting / Business Office (same access tier as Lauren Hasselman); chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04). **Workstation setup 2026-06-08:** machine **DESKTOP-N5G1ROO** (Win 11 Pro for Workstations) domain-joined + GuruRMM-enrolled (agent `205025ee-2676-4498-8a27-e88562a6f69a`, site CascadesTucson), Office (O365) installed. AD account `chris.knight` (OU=Administrative) finished to match Lauren: home folder created, added to `SG-FolderRedirect`, `mail` set, AD password `Cascades2026!` (change-at-logon cleared). Mailbox remains cloud-only/unsynced (same split state as Lauren — see Entra sync note).
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** 8.75 hrs as of 2026-06-05 (after 7.0h onsite billed 2026-06-05 on ticket #32303, invoice #67782 $0.00 prepaid; prior balance was 15.75 after 2026-06-04 billing). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Hours remaining:** **57.75 hrs (live Syncro pull 2026-06-09).** This is ~50h HIGHER than the 7.75 the 2026-06-08 session log/prior wiki recorded — the block was almost certainly topped up (prepaid renewal) between 06-08 and 06-09. The old 7.75→8.75→15.75 chain in History/Compilation Notes reflects pre-top-up readings; **trust the live value, not the chain.** 1.0h onsite WAS billed 2026-06-08 on #32330/111216087 "New computer for Chris Knight" (invoice #67790, $0.00 prepaid; ticket status corrected Resolved→Invoiced 2026-06-09). **PENDING:** 1.0h onsite for the ASSISTNURSE-PC Win11 reinstall to be billed on #32303 (will draw 57.75→56.75). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Syncro customer ID:** 20149445
- **Active tickets:**
- #110680053 / #32303 — Entra / domain migration project ("Domain setup-entra sync"). Status: **Invoiced** as of 2026-06-05. Latest billing: 7.0h onsite 2026-06-05, invoice #67782 ($0.00 prepaid). Monday caregiver cutover will generate further work on this ticket. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
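Review bot: the Chris Knight line records his AD password `Cascades2026!` in cleartext in the wiki, together with the note that change-at-logon was cleared, so this is a live credential sitting in a markdown page that the same auto-sync commit copies between machines. Move it to the sops vault the wiki already uses for pfSense and Synology (`clients/cascades-tucson/...sops.yaml`) and leave only a pointer here.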
@@ -132,7 +132,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `6766e973-e703-47c1-be56-76950290f87c` |
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolled; the older `6766e973-...` is stale — **always resolve the agent live by hostname**, never hardcode the UUID) |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
@@ -189,7 +189,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
## Access
- **CS-SERVER:** Via ScreenConnect or GuruRMM (agent ID: `6766e973-e703-47c1-be56-76950290f87c`)
- **CS-SERVER:** Via ScreenConnect or GuruRMM (live agent ID `c39f1de7-d5b6-45ae-b132-e06977ab1713` as of 2026-06-08; re-enrolls — resolve live by hostname, do not hardcode)
- **CS-SERVER iDRAC:** 192.168.2.65
- **pfSense admin:** https://192.168.0.1 — vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml`
- **Synology DSM:** http://192.168.0.120:5000 — vault: `clients/cascades-tucson/` (existing entry)
@@ -233,6 +233,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **fdeploy1.ini flags:** Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER.
- **[ROOT CAUSE + FIX 2026-06-08] Native Folder Redirection was DOA on every machine — the config file was MISNAMED.** Every Cascades machine (LE + staff) had needed the manual `fix-shell-redirect.ps1` registry workaround because native FR never worked. Root cause: the redirect targets in GPO `CSC - Folder Redirection` (`{512B43A4-...}`) were saved in a file named **`fdeploy1.ini`**, but the Windows Folder Redirection client-side extension only ever reads **`fdeploy.ini`**. No `fdeploy.ini` existed, so the client knew *which* 5 folders to redirect but received an **empty target path** (FR Operational event 1006 shows `Path = ""`, no 1008 "successfully redirected") and silently did nothing. The file was hand-built by editing `fdeploy1.ini` (the wrong filename). **Fix:** wrote a correct `fdeploy.ini` (5 folders, `Flags=187`, `FullPath=\\CS-SERVER\Homes\%USERNAME%\<Folder>`) into `{512B43A4-...}\User\Documents & Settings\`, bumped the GPO version 917506→983042 (GPT.INI **and** AD `versionNumber` kept in sync), confirmed FR CSE registered. Backup of the original `\User` tree + GPT.INI at `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER. **Native FR now redirects all 5 folders on first logon — the registry workaround should no longer be needed for new users.** The dead `fdeploy1.ini` was left in place (ignored by Windows) — do NOT edit it; edit redirection only via GPMC or the `fdeploy.ini` artifact in `clients/cascades-tucson/gpo/`.
- **LE GPO also broken:** `CSC - Folder Redirection (LE)` (`{889BE7BE-...}`, linked at OU=Life Enrichment) has a **completely empty `\User` tree** — no fdeploy at all. Sharon Edwards / Susan Hicks have likewise only ever worked via the registry workaround. Follow-up: retire the LE GPO and put LE users into `SG-FolderRedirect` (covered by the now-working all-staff GPO inherited at OU=Departments), or apply the same `fdeploy.ini` fix to the LE GPO. **Caveat:** Sharon/Susan are NOT currently in `SG-FolderRedirect` (the all-staff GPO is security-filtered to that group), so add them before relying on inheritance.
- **Note:** the all-staff `CSC - Folder Redirection` GPO is linked at **OU=Departments** and security-filtered to **`SG-FolderRedirect`** (members as of 2026-06-08: Megan.Hiatt, Crystal.Rodriguez, Lois.Lane, Ashley.Jensen, lauren.hasselman, Zachary.Nelson, Nurses, chris.knight). Existing members get native redirection at their next sign-in.
- **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `<username>=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged).
### Conditional Access / Caregiver Policies
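Review bot: the unchanged first bullet still reads "fdeploy1.ini flags: Changed from `Flags=1211` ... to `Flags=187`" and names `...\fdeploy1.ini` as the file that was edited, while the new ROOT CAUSE bullet directly below says `fdeploy1.ini` is dead and must NOT be edited. A reader skimming the list could apply the next flags change to the wrong file again; mark the older bullet superseded (or restate it against `fdeploy.ini`) so the two bullets do not contradict each other.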
@@ -246,20 +250,21 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`
- Target group: `SG-Caregivers` (`8b8d9222`). Excludes: `sysadmin@`, `admin@`, `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`)
- Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`
- **Allowed device list (target — 5 devices tagged `CSCCaregiverDevice`):**
- **Allowed device list (target — 6 caregiver/medtech devices, tagged `CSCCaregiverDevice`):**
| Device | OS | GuruRMM agent |
|---|---|---|
| NURSESTATION-PC | Win 11 | `8164c6fa-62e7-4aa5-88e4-624f2f656932` |
| Laptop2 | Win 11 | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` |
| LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` |
| LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` |
| LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` |
| Device | OS | GuruRMM agent | Notes |
|---|---|---|---|
| NURSESTATION-PC | Win 11 (26200) | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | hybrid-join track; tagged |
| Laptop2 | Win 11 (26200) | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | already Pro; Entra-joined + tagged |
| LAPTOP-DRQ5L558 | Win 11 (26200) | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Win10 Home→Win11 Pro (our key); joined + tagged |
| LAPTOP-E0STJJE8 | Win 11 (26200) | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Win10 Home→Win11 Pro (our key); joined + tagged |
| LAPTOP-8P7HDSEI | Win 10/11 — verify | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | was Win10 19045; Win11 25H2 upgrade + join/tag pending verification |
| ASSISTNURSE-PC | **Win 11 Pro for Workstations 24H2 (clean reinstall 2026-06-08)** | **`62d108d6` (new — re-enrolled after reinstall; old `88891eb8` deleted)** | shared MC medtech device (Christine Nyanzunda + medtechs). **NEW Entra device object** after reinstall → needs re-join + re-tag `CSCCaregiverDevice` before allow-list cutover; old Entra device record to clean. 3 caregiver Public-Desktop shortcuts (ALIS/LinkRx/Helpany) deployed via RMM 2026-06-08 |
- **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported.
- **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). **Licensed Business Premium + usageLocation=US on 2026-06-04** and ready to join/auto-enroll. The license is needed **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.
- **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800.
- **Enrollment progress (2026-06-04):** 3 of the laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). Pending Win11 25H2 upgrade then join+tag: LAPTOP-8P7HDSEI, ASSISTNURSE-PC. NURSESTATION-PC confirmed permanent caregiver device (hybrid-join pending). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).
- **Enrollment progress (updated 2026-06-08):** 3 laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). **ASSISTNURSE-PC upgraded 2026-06-08** — clean Win11 reinstall (was Win10 19045; in-place upgrades failed), RMM re-enrolled (`62d108d6`), but the reinstall created a NEW Entra device object so it still needs re-join + re-tag before cutover. Still pending: LAPTOP-8P7HDSEI Win11 25H2 upgrade + join/tag (verify current state). NURSESTATION-PC confirmed permanent caregiver device (hybrid-joined 2026-06-05). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).
- **Cutover (low-risk, can be all-at-once):** verified no gap — only `CSC-` phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable `CSC - Caregivers: allow-listed devices only` + disable `CSC - Block caregivers on non-compliant device`.
- **Restricted vs privileged classification (2026-06-04):** Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md`.
- **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
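Review bot: the ASSISTNURSE-PC row gives the agent as the short prefix `62d108d6` while every other row carries the full UUID, and its Notes cell is long enough to swamp the table. Suggest the full UUID (or the hostname lookup) in the agent column for consistency, and moving the Entra re-join/re-tag and shortcut-deployment detail out of the cell into the "Enrollment progress (updated 2026-06-08)" bullet, which already carries most of it.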
@@ -363,6 +368,8 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. **MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). |
| 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: **pending on #32303** as of 2026-06-09. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. 
GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
---
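Review bot: the first 2026-06-08 row records the reset AD password `Cascades2026!` in clear text in a committed notes file, while the 2026-06-05 row shows the repo already keeps secrets in sops (`clients/cascades-tucson/m365-sysadmin.sops.yaml`). Move the value to the vault and replace it here with a reference, and treat the password as exposed (rotate it, and consider re-enabling change-at-logon rather than clearing it), because git history retains the value even after this line is edited. In the same row, the FR GPO backup lives at `C:\Windows\Temp\frfix-20260608-161144`, which disk cleanup can remove; if that is the only pre-fix copy of GPO `{512B43A4}`, copy it somewhere durable and note the location. Ordering: the two new 2026-06-08 rows are inserted above the existing 2026-06-05 row, so the table is no longer chronological; the ASSISTNURSE-PC row also repeats the re-join/re-tag heads-up already stated in the enrollment-progress bullet, so keep one canonical place for it.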