From 2029fa54297ae9894bfc5afe6a21df3e0037402e Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 9 Jun 2026 10:33:22 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-09 10:33:12 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-09 10:33:12 --- .claude/memory/MEMORY.md | 1 + .claude/memory/feedback_cascades.md | 2 + .../memory/reference_cascades_fr_gpo_fix.md | 18 +++ .../docs/servers/active-directory.md | 4 +- clients/cascades-tucson/gpo/fdeploy.ini | 23 +++ ...9-howard-cascades-billing-recovery-wiki.md | 133 ++++++++++++++++++ wiki/clients/cascades-tucson.md | 33 +++-- 7 files changed, 199 insertions(+), 15 deletions(-) create mode 100644 .claude/memory/reference_cascades_fr_gpo_fix.md create mode 100644 clients/cascades-tucson/gpo/fdeploy.ini create mode 100644 clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-billing-recovery-wiki.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 13f0672..9932d92 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -83,6 +83,7 @@ ### Cascades - [Cascades operational rules](feedback_cascades.md) — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU. +- [Cascades FR GPO fix](reference_cascades_fr_gpo_fix.md) — Native Folder Redirection was DOA on every machine: redirect targets were in a misnamed `fdeploy1.ini` (Windows reads `fdeploy.ini`) → empty target path → silent no-op → per-user registry workaround every time. Fixed 2026-06-08 (correct fdeploy.ini + version bump). Also: CS-SERVER live RMM agent is `c39f1de7...` (old `6766e973` stale). ## Machine - [GURU-5070 Workstation Setup](reference_workstation_setup.md) — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's. diff --git a/.claude/memory/feedback_cascades.md b/.claude/memory/feedback_cascades.md index 0fa1e36..2d0c953 100644 --- a/.claude/memory/feedback_cascades.md +++ b/.claude/memory/feedback_cascades.md 
@@ -10,6 +10,8 @@ Current-state context: [[project_cascades]]. Root cause / incident detail: [[pro ## 1. Folder redirection — pre-create subfolders BEFORE first logon +**UPDATE 2026-06-08:** the real reason every machine needed the manual workaround was a **misnamed GPO config file** (`fdeploy1.ini` instead of `fdeploy.ini`) — native FR was DOA tenant-wide. Now fixed; native FR redirects all 5 folders on first logon. Full detail: [[reference_cascades_fr_gpo_fix]]. Still pre-create the home folder before first logon (below). The `fix-shell-redirect.ps1` workaround should no longer be needed for new users — if it ever is again, check that the GPO still has a valid `fdeploy.ini` first. + fdeploy caches failures and never retries if subfolders don't exist at first logon. "No changes detected" = stuck forever without manual intervention. **Mandatory order for every new user:** diff --git a/.claude/memory/reference_cascades_fr_gpo_fix.md b/.claude/memory/reference_cascades_fr_gpo_fix.md new file mode 100644 index 0000000..e3b9df4 --- /dev/null +++ b/.claude/memory/reference_cascades_fr_gpo_fix.md 
@@ -0,0 +1,18 @@ +--- +name: Cascades Folder Redirection GPO — DOA root cause + fix (misnamed fdeploy) +description: Why native Folder Redirection failed on EVERY Cascades machine (LE + staff) and forced the per-user registry workaround — the GPO's redirect targets were saved in a misnamed fdeploy1.ini; Windows only reads fdeploy.ini. Fixed 2026-06-08. Read when touching Cascades folder redirection or onboarding a new Cascades user. +metadata: + type: reference +--- + +**Root cause (found 2026-06-08):** Native Folder Redirection never worked at Cascades — every machine needed `fix-shell-redirect.ps1`. The FR GPO `CSC - Folder Redirection` (`{512B43A4-F049-4CE5-BFAC-860AD13E92BE}`) had its redirect targets in a file named **`fdeploy1.ini`**, but the Windows FR client-side extension reads **`fdeploy.ini`** only. No `fdeploy.ini` existed → the client knew which 5 folders to redirect but got an **empty target path** (FR Operational log event 1006 shows `Path = ""`, and there is NO event 1008 "successfully redirected"). It silently no-op'd. The GPO had been hand-built by editing the wrong filename. + +**Fix:** wrote a correct `fdeploy.ini` (5 folders, `Flags=187`, `FullPath=\\CS-SERVER\Homes\%USERNAME%\`) into `{512B43A4-...}\User\Documents & Settings\`, then bumped the GPO version 917506→983042 keeping **GPT.INI Version AND the AD `versionNumber` attribute in sync** (FR is a foreground/logon CSE; it only re-applies when the version changes). Canonical artifact: `clients/cascades-tucson/gpo/fdeploy.ini`. Backup of original `\User` tree + GPT.INI: `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER. + +**How to apply / diagnose elsewhere:** +- Diagnose: on the client, `Get-WinEvent -LogName 'Microsoft-Windows-Folder Redirection/Operational'` — `Path = ""` in event 1006 + no 1008 = the GPO is delivering no target path (missing/empty/misnamed `fdeploy.ini`). +- The dead `fdeploy1.ini` was LEFT in place (Windows ignores it) — do NOT edit it. 
Edit redirection via GPMC, or replace `fdeploy.ini` from the repo artifact. +- The **LE GPO** `CSC - Folder Redirection (LE)` (`{889BE7BE-...}`) is also broken — `\User` tree completely empty. Retire it / move LE users into SG-FolderRedirect, or apply the same fix. +- After the fix, the per-user registry workaround should no longer be needed; native FR redirects all 5 folders on first logon. Still pre-create the home folder (`New-HomeFolder`) before first logon. See [[feedback_cascades]]. + +**Also (2026-06-08):** CS-SERVER live GuruRMM agent re-enrolled to `c39f1de7-d5b6-45ae-b132-e06977ab1713` (old `6766e973` is stale) — always resolve the agent live by hostname, never hardcode. Related: [[project_cascades]]. diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md index fe9bb2f..3e494a1 100644 --- a/clients/cascades-tucson/docs/servers/active-directory.md +++ b/clients/cascades-tucson/docs/servers/active-directory.md 
@@ -322,8 +322,8 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al | Default Domain Controllers Policy | OU=Domain Controllers | IIS app pool audit rights, print operator driver loading. | OK | | Power Options | — | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep | | CSC - Always Wait For Network | — | AlwaysWaitForNetwork + synchronous logon | Pre-existing | -| CSC - Folder Redirection (LE) | OU=Life Enrichment | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. | LIVE — Sharon Edwards + Susan Hicks | -| CSC - Folder Redirection | — | Same as LE GPO but for all staff OUs. UNLINKED. | Blocked on Phase 3 | +| CSC - Folder Redirection (LE) | OU=Life Enrichment | **BROKEN — `\User` tree is completely empty (no fdeploy at all).** Sharon/Susan only ever worked via the manual registry workaround. Retire it (move LE users into SG-FolderRedirect) or apply the `fdeploy.ini` fix. | `{889BE7BE-202E-4153-89AD-B5DB62A52D25}` | +| CSC - Folder Redirection | OU=Departments (filtered to SG-FolderRedirect) | 5 folders (Desktop/Documents/Downloads/Music/Pictures) → `\\CS-SERVER\Homes\%USERNAME%\`, Flags=187. **FIXED 2026-06-08:** redirect targets were in a misnamed `fdeploy1.ini` (Windows reads `fdeploy.ini`, which was absent) → native FR was DOA, hence the per-machine registry workaround. Wrote correct `fdeploy.ini` (`clients/cascades-tucson/gpo/fdeploy.ini`) + version bump 917506→983042 (GPT.INI + AD versionNumber). Native FR now works on first logon. | `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}`. Backup: `C:\Windows\Temp\frfix-20260608-161144` | | CSC - Life Enrichment Printers | OU=Life Enrichment | Printer preferences for LE staff | LIVE | | CSC - Security Baseline | UNLINKED | Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. | Created 2026-05-20. 
Link at domain root at Phase 3. | | CSC - Windows Update | UNLINKED | AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. | Created 2026-05-20. Link at domain root at Phase 3. | diff --git a/clients/cascades-tucson/gpo/fdeploy.ini b/clients/cascades-tucson/gpo/fdeploy.ini new file mode 100644 index 0000000..cacbf5d --- /dev/null +++ b/clients/cascades-tucson/gpo/fdeploy.ini @@ -0,0 +1,23 @@ +[version] +version=100 +[Folder_Redirection] +{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}=s-1-1-0; +{FDD39AD0-238F-46AF-ADB4-6C85480369C7}=s-1-1-0; +{33E28130-4E1E-4676-835A-98395C3BC3BB}=s-1-1-0; +{374DE290-123F-4565-9164-39C4925E467B}=s-1-1-0; +{4BD8D571-6D19-48D3-BE97-422220080E43}=s-1-1-0; +[{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}_s-1-1-0] +Flags=187 +FullPath=\\CS-SERVER\Homes\%USERNAME%\Desktop +[{FDD39AD0-238F-46AF-ADB4-6C85480369C7}_s-1-1-0] +Flags=187 +FullPath=\\CS-SERVER\Homes\%USERNAME%\Documents +[{33E28130-4E1E-4676-835A-98395C3BC3BB}_s-1-1-0] +Flags=187 +FullPath=\\CS-SERVER\Homes\%USERNAME%\Pictures +[{374DE290-123F-4565-9164-39C4925E467B}_s-1-1-0] +Flags=187 +FullPath=\\CS-SERVER\Homes\%USERNAME%\Downloads +[{4BD8D571-6D19-48D3-BE97-422220080E43}_s-1-1-0] +Flags=187 +FullPath=\\CS-SERVER\Homes\%USERNAME%\Music diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-billing-recovery-wiki.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-billing-recovery-wiki.md new file mode 100644 index 0000000..3ded4f7 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-billing-recovery-wiki.md 
@@ -0,0 +1,133 @@ +# Cascades of Tucson — Session Log 2026-06-09 — Crashed-session billing recovery + machine wiki update + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Recovered from a crashed prior session (transcript `179fa696`, 2026-06-08 17:02) to confirm billing +state and finish documentation. Reconstructed the crashed session's work from the transcript: Chris +Knight workstation setup + the Folder Redirection GPO root-cause fix (both already documented), then +an ASSISTNURSE-PC reinstall cleanup (delete stale RMM agent, deploy caregiver shortcuts) that ran +right before the crash. The open question was "did billing get entered?" + +Reconciled the crashed transcript's billing claims against live Syncro and found the narrative was +partly wrong. Ticket #32330 "New computer for Chris Knight" (id 111216087) **was** genuinely billed +during the crashed session — invoice #67790 exists ($0.00 prepaid, 1.0h onsite line item attributed +to Howard) — so that work persisted server-side despite the crash. But two transcript claims did NOT +match reality: it claimed status was set to Invoiced (live showed **Resolved**) and claimed prepay +went 8.75→7.75 (live block was **57.75**, a ~50h discrepancy — almost certainly a prepaid top-up +between 06-08 and 06-09). Corrected #32330 status Resolved→Invoiced. The ASSISTNURSE-PC reinstall +work had no ticket and was never billed. + +Per Howard's direction, prepared (but did NOT execute) billing for the ASSISTNURSE-PC reinstall: +1.0h onsite on existing ticket **#32303 "Domain setup-entra sync"** (id 110680053), for the clean +Windows 11 reinstall (was Win10; in-place upgrades failed, clean install the only option). Built the +full billing preview (resolution comment + line item + prepaid invoice that nets $0.00 and draws +57.75→56.75) and paused at the confirmation gate — Howard pivoted to other questions, so this +billing remains pending his confirm. 
+ +Answered two inventory questions: (1) Cascades machines upgraded to Win11 with our key +(DESKTOP-ROK7VNM, MAINTENANCE-PC documented "manual key"; DESKTOP-DLTAGOI same 04-13 batch; +ASSISTNURSE-PC just done — with the caveat that in-place Win10 Pro→11 Pro reuses the existing digital +license and consumes no key, so a live partial-product-key RMM sweep is the only definitive check); +and (2) the caregiver/medtech laptops+desktops we upgraded (LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 were +Win10 Home→Win11 Pro = our key, Laptop2 already Pro, LAPTOP-8P7HDSEI Win10→Win11, ASSISTNURSE-PC +clean reinstall, NURSESTATION-PC Pro→Pro = no key). Finally updated the Cascades wiki to reflect the +machine changes and the corrected hour balance. + +## Key Decisions + +- **Did not redo #32330 billing.** Live Syncro confirmed invoice #67790 already exists and the line + item is on the ticket; re-billing would double-charge. Only the cosmetic status flag (Resolved→ + Invoiced) needed fixing. +- **Trusted live Syncro over the crashed transcript and the wiki.** The transcript's prepay figures + (8.75→7.75) and the wiki's 7.75 were both wrong against the live 57.75 block. Recorded the live + value and flagged the old chain as pre-top-up so future sessions don't trust it. +- **Paused ASSISTNURSE-PC billing at the preview.** Howard confirmed ticket (#32303), time (1.0h), + and channel (onsite), but moved to other questions before approving the write. Per skill rule + (show payload + wait for explicit confirm), did not execute. +- **Billed the reinstall to #32303, not a new ticket.** Howard's explicit instruction — #32303 is the + umbrella domain-migration ticket and already carries incremental onsite/remote labor. +- **Distinguished "upgraded to Win11" from "upgraded with OUR key."** Only Home→Pro and clean + installs consume our key; in-place Pro→Pro reuses the device's digital license. 
Static docs can't + reliably tell them apart — offered a read-only RMM partial-product-key sweep as the definitive check. + +## Problems Encountered + +- **Crashed-session transcript narrated false "done" claims.** The dying session reported #32330 as + Invoiced with prepay 8.75→7.75; live Syncro showed Resolved / 57.75. Resolved by GET-verifying every + claim (ticket status, line items, invoice #67790, customer prepay) against the live API before + taking any action — the invoice was real, the status/prepay claims were not. +- **No ticket existed for the ASSISTNURSE-PC reinstall.** The crashed session did the RMM cleanup as + an aside to Chris Knight's billing and never opened/billed a ticket. Resolved by asking Howard, + who directed it to existing ticket #32303. + +## Configuration Changes + +- **Syncro:** PUT ticket #32330 (id 111216087) `status` Resolved → **Invoiced**. Bot alert posted + (message_id 1513948832772395230). No new line items or invoices created this session. +- **Wiki** (`wiki/clients/cascades-tucson.md`) — 4 edits: + 1. Profile → Hours remaining: corrected to **57.75 hrs (live 2026-06-09)**, flagged the ~50h + top-up vs the old 7.75/8.75/15.75 chain, noted #32330 status fix + pending ASSISTNURSE-PC billing. + 2. Caregiver device allow-list table: bumped to 6 devices, added **ASSISTNURSE-PC** row (Win11 Pro + for WS 24H2, new agent `62d108d6`, old `88891eb8` deleted, needs re-join/re-tag), annotated each + laptop's upgrade/key origin, marked LAPTOP-8P7HDSEI state "verify". + 3. Enrollment-progress note: marked ASSISTNURSE-PC upgraded 2026-06-08 (was "pending"). + 4. History Highlights: added a 2026-06-08 ASSISTNURSE-PC reinstall row. +- No repo code changes. This session log created. + +## Credentials & Secrets + +- None discovered or created this session. (Syncro Howard API key + Cascades customer id are already + in the `/syncro` skill and wiki.) 
+ +## Infrastructure & Servers + +- **Syncro customer:** Cascades of Tucson, id **20149445**, prepaid block **57.75 hrs** (live 2026-06-09). +- **Tickets:** #32330 / 111216087 (Chris Knight new computer — Invoiced, inv #67790 $0.00); + #32303 / 110680053 ("Domain setup-entra sync" — Resolved; ASSISTNURSE-PC 1.0h onsite billing pending). +- **ASSISTNURSE-PC:** Win11 Pro for Workstations 24H2 after clean reinstall 2026-06-08. GuruRMM agent + **`62d108d6`** (`Assistnurse-pc`, v0.6.57, online); stale Win10 agent **`88891eb8`** deleted (HTTP 204). + Shared MC medtech device. New Entra device object after reinstall → re-join + re-tag pending. +- **Caregiver shortcuts deployed** to `C:\Users\Public\Desktop` on ASSISTNURSE-PC (2026-06-08): + ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, + Helpany `https://app.safe-living.com/login`. + +## Commands & Outputs + +```bash +BASE="https://computerguru.syncromsp.com/api/v1"; API_KEY= +# Verify #32330 — was Resolved with line item present; invoice #67790 exists ($0.00, ticket_id 111216087) +curl -s "$BASE/tickets/111216087?api_key=$API_KEY" +curl -s "$BASE/invoices/67790?api_key=$API_KEY" # id 1650613747, total 0.0, 1 line +curl -s "$BASE/customers/20149445?api_key=$API_KEY" | jq .customer.prepay_hours # 57.75 (not 7.75) +# Fix status +curl -s -X PUT "$BASE/tickets/111216087?api_key=$API_KEY" -d '{"status":"Invoiced"}' # -> Invoiced +``` + +## Pending / Incomplete Tasks + +- **[BILLING — awaiting Howard confirm] ASSISTNURSE-PC reinstall:** 1.0h onsite on #32303 (id 110680053), + product 26118 (Labor - Onsite Business, $175), prepaid → $0.00, draws 57.75→56.75. Preview built; + paused at confirmation gate. Resolution comment drafted (Win10→Win11 clean reinstall + RMM re-enroll + + shortcuts). Execute on Howard's "yes." 
+- **[OFFERED] Win11 license-key verification sweep:** read-only RMM pull of partial product key (last 5) + + license channel across the 6 caregiver machines (and optionally the fleet) to definitively identify + which carry our key vs reused digital licenses. +- **ASSISTNURSE-PC re-join + re-tag** `CSCCaregiverDevice` (new Entra object after reinstall) + clean old + Entra device record — at caregiver cutover. +- **LAPTOP-8P7HDSEI:** confirm Win11 25H2 upgrade + Entra join/tag state (was pending as of 06-04). +- **Unrelated coord todo (not picked up):** Safesite forensic sweep #32395 (coord todo 5766a59f) — two + offline recipient machines; flagged from GURU-5070 broadcast, left for a free session. + +## Reference Information + +- Crashed transcript: `~/.claude/projects/C--claudetools/179fa696-48bf-443f-b900-62b05fd408ad.jsonl`. +- Tickets: #32330 https://computerguru.syncromsp.com/tickets/111216087 ; #32303 https://computerguru.syncromsp.com/tickets/110680053 +- Invoice #67790 (id 1650613747) — Chris Knight, $0.00 prepaid. +- Win11/key inventory sources: `clients/cascades-tucson/docs/workstations.md` (audited 2026-03-20), + `clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md` (caregiver device set). +- Wiki: `wiki/clients/cascades-tucson.md`. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 1a1b552..a9eea6f 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
@@ -111,9 +111,9 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI) - Ashley Jensen — Accountant (DESKTOP-U2DHAP0) - Shelby Trozzi — MemCare Director (MDIRECTOR-PC) - - Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04) + - Chris Knight — Accounting / Business Office (same access tier as Lauren Hasselman); chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04). **Workstation setup 2026-06-08:** machine **DESKTOP-N5G1ROO** (Win 11 Pro for Workstations) domain-joined + GuruRMM-enrolled (agent `205025ee-2676-4498-8a27-e88562a6f69a`, site CascadesTucson), Office (O365) installed. AD account `chris.knight` (OU=Administrative) finished to match Lauren: home folder created, added to `SG-FolderRedirect`, `mail` set, AD password `Cascades2026!` (change-at-logon cleared). Mailbox remains cloud-only/unsynced (same split state as Lauren — see Entra sync note). - **Billing rate:** $175/hr all labor (prepaid block customer) -- **Hours remaining:** 8.75 hrs as of 2026-06-05 (after 7.0h onsite billed 2026-06-05 on ticket #32303, invoice #67782 $0.00 prepaid; prior balance was 15.75 after 2026-06-04 billing). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions. +- **Hours remaining:** **57.75 hrs (live Syncro pull 2026-06-09).** This is ~50h HIGHER than the 7.75 the 2026-06-08 session log/prior wiki recorded — the block was almost certainly topped up (prepaid renewal) between 06-08 and 06-09. 
The old 7.75→8.75→15.75 chain in History/Compilation Notes reflects pre-top-up readings; **trust the live value, not the chain.** 1.0h onsite WAS billed 2026-06-08 on #32330/111216087 "New computer for Chris Knight" (invoice #67790, $0.00 prepaid; ticket status corrected Resolved→Invoiced 2026-06-09). **PENDING:** 1.0h onsite for the ASSISTNURSE-PC Win11 reinstall to be billed on #32303 (will draw 57.75→56.75). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions. - **Syncro customer ID:** 20149445 - **Active tickets:** - #110680053 / #32303 — Entra / domain migration project ("Domain setup-entra sync"). Status: **Invoiced** as of 2026-06-05. Latest billing: 7.0h onsite 2026-06-05, invoice #67782 ($0.00 prepaid). Monday caregiver cutover will generate further work on this ticket. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` 
@@ -132,7 +132,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn | Host | IP | Role | OS | Notes | |---|---|---|---|---| -| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `6766e973-e703-47c1-be56-76950290f87c` | +| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolled; the older `6766e973-...` is stale — **always resolve the agent live by hostname**, never hardcode the UUID) | | CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface | | CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] | | cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. | @@ -189,7 +189,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn ## Access -- **CS-SERVER:** Via ScreenConnect or GuruRMM (agent ID: `6766e973-e703-47c1-be56-76950290f87c`) +- **CS-SERVER:** Via ScreenConnect or GuruRMM (live agent ID `c39f1de7-d5b6-45ae-b132-e06977ab1713` as of 2026-06-08; re-enrolls — resolve live by hostname, do not hardcode) - **CS-SERVER iDRAC:** 192.168.2.65 - **pfSense admin:** https://192.168.0.1 — vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml` - **Synology DSM:** http://192.168.0.120:5000 — vault: `clients/cascades-tucson/` (existing entry) 
@@ -233,6 +233,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **fdeploy1.ini flags:** Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER. +- **[ROOT CAUSE + FIX 2026-06-08] Native Folder Redirection was DOA on every machine — the config file was MISNAMED.** Every Cascades machine (LE + staff) had needed the manual `fix-shell-redirect.ps1` registry workaround because native FR never worked. Root cause: the redirect targets in GPO `CSC - Folder Redirection` (`{512B43A4-...}`) were saved in a file named **`fdeploy1.ini`**, but the Windows Folder Redirection client-side extension only ever reads **`fdeploy.ini`**. No `fdeploy.ini` existed, so the client knew *which* 5 folders to redirect but received an **empty target path** (FR Operational event 1006 shows `Path = ""`, no 1008 "successfully redirected") and silently did nothing. The file was hand-built by editing `fdeploy1.ini` (the wrong filename). **Fix:** wrote a correct `fdeploy.ini` (5 folders, `Flags=187`, `FullPath=\\CS-SERVER\Homes\%USERNAME%\`) into `{512B43A4-...}\User\Documents & Settings\`, bumped the GPO version 917506→983042 (GPT.INI **and** AD `versionNumber` kept in sync), confirmed FR CSE registered. Backup of the original `\User` tree + GPT.INI at `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER. **Native FR now redirects all 5 folders on first logon — the registry workaround should no longer be needed for new users.** The dead `fdeploy1.ini` was left in place (ignored by Windows) — do NOT edit it; edit redirection only via GPMC or the `fdeploy.ini` artifact in `clients/cascades-tucson/gpo/`. + - **LE GPO also broken:** `CSC - Folder Redirection (LE)` (`{889BE7BE-...}`, linked at OU=Life Enrichment) has a **completely empty `\User` tree** — no fdeploy at all. 
Sharon Edwards / Susan Hicks have likewise only ever worked via the registry workaround. Follow-up: retire the LE GPO and put LE users into `SG-FolderRedirect` (covered by the now-working all-staff GPO inherited at OU=Departments), or apply the same `fdeploy.ini` fix to the LE GPO. **Caveat:** Sharon/Susan are NOT currently in `SG-FolderRedirect` (the all-staff GPO is security-filtered to that group), so add them before relying on inheritance. + - **Note:** the all-staff `CSC - Folder Redirection` GPO is linked at **OU=Departments** and security-filtered to **`SG-FolderRedirect`** (members as of 2026-06-08: Megan.Hiatt, Crystal.Rodriguez, Lois.Lane, Ashley.Jensen, lauren.hasselman, Zachary.Nelson, Nurses, chris.knight). Existing members get native redirection at their next sign-in. + - **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged). ### Conditional Access / Caregiver Policies 
@@ -246,20 +250,21 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced` - Target group: `SG-Caregivers` (`8b8d9222`). Excludes: `sysadmin@`, `admin@`, `SG-CA-BreakGlass` (`131e51ac-d69b-44b8-9c81-56890537a796`) - Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")` - - **Allowed device list (target — 5 devices tagged `CSCCaregiverDevice`):** + - **Allowed device list (target — 6 caregiver/medtech devices, tagged `CSCCaregiverDevice`):** - | Device | OS | GuruRMM agent | - |---|---|---| - | NURSESTATION-PC | Win 11 | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | - | Laptop2 | Win 11 | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | - | LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | - | LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | - | LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | + | Device | OS | GuruRMM agent | Notes | + |---|---|---|---| + | NURSESTATION-PC | Win 11 (26200) | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | hybrid-join track; tagged | + | Laptop2 | Win 11 (26200) | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | already Pro; Entra-joined + tagged | + | LAPTOP-DRQ5L558 | Win 11 (26200) | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Win10 Home→Win11 Pro (our key); joined + tagged | + | LAPTOP-E0STJJE8 | Win 11 (26200) | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Win10 Home→Win11 Pro (our key); joined + tagged | + | LAPTOP-8P7HDSEI | Win 10/11 — verify | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | was Win10 19045; Win11 25H2 upgrade + join/tag pending verification | + | ASSISTNURSE-PC | **Win 11 Pro for Workstations 24H2 (clean reinstall 2026-06-08)** | **`62d108d6` (new — re-enrolled after reinstall; old `88891eb8` deleted)** | shared MC medtech 
device (Christine Nyanzunda + medtechs). **NEW Entra device object** after reinstall → needs re-join + re-tag `CSCCaregiverDevice` before allow-list cutover; old Entra device record to clean. 3 caregiver Public-Desktop shortcuts (ALIS/LinkRx/Helpany) deployed via RMM 2026-06-08 | - **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported. - **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). **Licensed Business Premium + usageLocation=US on 2026-06-04** and ready to join/auto-enroll. The license is needed **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API. - **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800. 
- - **Enrollment progress (2026-06-04):** 3 of the laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). Pending Win11 25H2 upgrade then join+tag: LAPTOP-8P7HDSEI, ASSISTNURSE-PC. NURSESTATION-PC confirmed permanent caregiver device (hybrid-join pending). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch). + - **Enrollment progress (updated 2026-06-08):** 3 laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). **ASSISTNURSE-PC upgraded 2026-06-08** — clean Win11 reinstall (was Win10 19045; in-place upgrades failed), RMM re-enrolled (`62d108d6`), but the reinstall created a NEW Entra device object so it still needs re-join + re-tag before cutover. Still pending: LAPTOP-8P7HDSEI Win11 25H2 upgrade + join/tag (verify current state). NURSESTATION-PC confirmed permanent caregiver device (hybrid-joined 2026-06-05). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch). 
- **Cutover (low-risk, can be all-at-once):** verified no gap — only `CSC-` phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable `CSC - Caregivers: allow-listed devices only` + disable `CSC - Block caregivers on non-compliant device`. - **Restricted vs privileged classification (2026-06-04):** Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md`. - **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending. 
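Review bot: the replacement "Enrollment progress (updated 2026-06-08)" line drops the stale-Entra-record cleanup that the preceding context line records for ASSISTNURSE-PC ("**NEW Entra device object** after reinstall → needs re-join + re-tag `CSCCaregiverDevice` before allow-list cutover; old Entra device record to clean"). Because the caregiver allow-list is tag-based and works on Entra-join alone, a leftover pre-reinstall device object is an orphaned identity that can sit in, or be added back to, the allow-list with nothing behind it; track it in the same pending list, e.g. "still needs re-join + re-tag + deletion of the old Entra device object before cutover", alongside the LAPTOP-8P7HDSEI "(verify current state)" item. The `isManaged=null` / "MDM user scope likely not =All" observation is carried over verbatim from the removed line without a verification date; since the new line otherwise timestamps every state change, either confirm the scope in the portal and record it, or mark it explicitly as unverified so it is not read as a settled finding.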
@@ -363,6 +368,8 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). | | 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. | | 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. 
| +| 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. **MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). | +| 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. 
Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: **pending on #32303** as of 2026-06-09. | | 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. 
GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. | ---
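Review bot: the first added row commits a live account credential in plaintext: "reset AD password to `Cascades2026!` (change-at-logon cleared)". This file is a client wiki in a version-controlled repository, so the literal password is now in commit history regardless of later edits; the same hunk shows the repository already keeps secrets in sops (`clients/cascades-tucson/m365-sysadmin.sops.yaml`), so replace the literal with a pointer to the vault entry, rotate the `chris.knight` password since this value must be treated as exposed, and reconsider clearing "change-at-logon" on an account handed over by a technician, because that leaves a technician-known password on a user account indefinitely. Two smaller points in the same rows: the GPO is referenced by a truncated GUID `{512B43A4}` while the other two GPOs in the hunk carry full GUIDs, so the FR GPO is not unambiguously identifiable from this log; and the `.url` shortcuts dropped into `C:\Users\Public\Desktop` on ASSISTNURSE-PC are described as "matching the team's GPP definitions" but live outside the `CSC - Caregiver Workstation` GPO that deploys them elsewhere, so note who owns that machine-local copy so it is removed or superseded once the GPO applies, rather than drifting from the GPP targets.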