sync: auto-sync from HOWARD-HOME at 2026-05-16 13:49:46

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-16 13:49:46
2026-05-16 13:49:46 -07:00
parent 0c0cc45c3f
commit 2919b3dec6
5 changed files with 455 additions and 4 deletions

View File

@@ -106,6 +106,7 @@ All UPNs above use the `@cascadestucson.com` suffix (standard).
- **Paty Doran** — **Resolved 2026-04-22:** legal name `Patricia Camarena Doran`. Account will be `patricia.doran@`.
- **Polett Pinazavala** — **Resolved 2026-04-22 (John's reply): departed.** Remove from roster. No AD/M365 account exists so no disable needed.
- **Patricia Sandoval-Beck** — **Resolved 2026-04-22 (CSV inline note from Meredith):** hyphen is correct. SamAccountName may still need to be `Patricia.SandovalBeck` if ALIS/MDM reject hyphens — test during Wave 3.
- **Espe Esperance** — **Resolved 2026-05-15:** one person. Legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last); goes by Espe at work. Account is `e.esperance@cascadestucson.com`, display name "Espe Esperance". She IS already in ALIS as "Niyonsaba Esperance" — Meredith must UPDATE that record's email field to `e.esperance@cascadestucson.com`, not add a new record.
- **Ederick Yuzon** — **Still pending:** spelling asked in 2026-04-22 email.
- **Maia Baker** — **Resolved 2026-04-22 (CSV inline note):** part-time, still employed.
- **Reliable Agency caregivers** — **Final decision 2026-04-22 (post-HIPAA review): NO shared logins.** Originally planned `reliable1@` / `reliable2@`; dropped because shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) (Required spec, no compensating-control exception). Per-person accounts only, created when Reliable Agency supplies individual names. Rationale in `docs/security/hipaa-review-2026-04-22.md`.
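Review bot: the Espe Esperance entry is dated "Resolved 2026-05-15", but the checklist further down in this same file and the session log in this commit both record the resolution as 2026-05-16; pick one date so the roster and the checklist agree, since the rest of the roster uses these dates to reconcile against the 2026-04-22 email thread.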
@@ -174,14 +175,20 @@ Group-policy impact: the `CSC - Folder Redirection (LE)` work done for Life Enri
- [x] ~~Confirm Christine Nyanzunda is one person, not two~~ (resolved 2026-04-22 — one person, one account)
- [x] ~~HR spelling confirmation on Paty Doran, Polett Pinazavala, Patricia Sandoval-Beck, Maia Baker~~ (all resolved 2026-04-22)
- [ ] **Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding
- [x] ~~Espe Esperance identity~~ (resolved 2026-05-16 — one person, legal name Niyonsaba Esperance, goes by Espe; account e.esperance@cascadestucson.com)
- [x] ~~Create 37 caregiver AD accounts in OU=Caregivers~~ (done 2026-05-16 — 37 created, 0 failed; temp password Cascades2026!)
- [x] ~~Add all caregivers to SG-Caregivers~~ (done 2026-05-16 — 37 added, 0 failed)
- [ ] **Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding (created as Ederick from ALIS)
- [ ] **Christine Nyanzunda — Phase 2 handling (added 2026-05-14):** exclude her from caregiver AD account creation (she already has accounts). Her existing cloud-only M365 account must be moved/synced as part of the office-staff migration, not the caregiver rollout. See the SYNC WATCH-POINT under "Conflict / verify before creating" above.
- [x] ~~Reliable Agency shared-login short usernames~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins, per-person only)
- [ ] **Reliable Agency contract review** — confirm staffing contract says caregivers work under Cascades direct clinical control (workforce) vs. agency-supervised (BA). Get individual caregiver names before any PHI access.
- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email?
- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
- [ ] **ALIS staff records (Meredith):** UPDATE Espe Esperance record email to e.esperance@cascadestucson.com; ADD records for Kasey Flores (k.flores@), Jahmeka Clarke (j.clarke@), Gloria Williford (g.williford@)
- [ ] **ALIS Email = Entra UPN for all caregivers** — set after accounts appear in M365 post-sync; required for ALIS SSO
- [ ] **M365 licensing** — 38 net-new Business Premium licenses needed; Meredith purchase decision; up-front vs. waves?
- [ ] **ALIS BAA (Medtelligent)** — Meredith to verify signed copy exists; if not, request from Medtelligent support
- [ ] **Reliable Agency per-person accounts** — waiting on individual names; cannot create until received
- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
- [ ] Timeline expectations — tying this to the phone deployment, the MDM rollout (7-phase plan in `docs/security/mdm.md`), and the Business Premium purchase
- [ ] Timeline expectations — tying this to the phone deployment and Business Premium purchase
## Related docs
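Review bot: the "Ederick Yuzon first-name spelling" item now appears twice (once before and once after the "Create 37 caregiver AD accounts" entry), and "Timeline expectations" is listed twice with slightly different wording; drop the older copy of each. The license figures in the same list also disagree: one item asks about 39 additional Business Premium licenses while the next states 38 net-new are needed. Finally, the completed account-creation line records the temp password `Cascades2026!` in the checklist; a working doc that is auto-synced into a repo should not carry a live credential, so note where the password was issued rather than the value itself.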

View File

@@ -0,0 +1,82 @@
# Cascades of Tucson -- Add caregivers to SG-Caregivers
# Date: 2026-05-16
# Run on: CS-SERVER as a domain admin
# Adds all 37 caregiver accounts to SG-Caregivers.
# This is a deliberate access-control step, separate from account creation.
$Group = "SG-Caregivers"
$Accounts = @(
"t.abainza",
"n.castro",
"e.esperance",
"b.johnson",
"k.flores",
"r.flores",
"m.kastner",
"b.mendoza",
"r.morales",
"s.padilla",
"w.reed",
"p.sandoval-beck",
"b.sika",
"j.andrade",
"j.clarke",
"k.aziakpo",
"j.dittbenner",
"a.mcferren",
"s.ramirez",
"e.sanchez",
"k.wyzykowski",
"c.tate",
"a.atwood",
"c.johnson",
"r.cooper",
"m.lopez",
"g.williford",
"s.carroll",
"l.hogan",
"g.williams",
"j.higdon",
"m.kariuki",
"c.lassey",
"p.doran",
"e.huerta",
"m.baker",
"e.yuzon"
)
$added = 0
$failed = 0
$skipped = 0
foreach ($sam in $Accounts) {
$user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
if (-not $user) {
Write-Host "[SKIP] $sam -- not found in AD"
$skipped++
continue
}
$inGroup = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue |
Where-Object { $_.SamAccountName -eq $sam }
if ($inGroup) {
Write-Host "[SKIP] $sam -- already in $Group"
$skipped++
continue
}
try {
Add-ADGroupMember -Identity $Group -Members $sam
Write-Host "[OK] $sam -- added to $Group"
$added++
}
catch {
Write-Host "[ERROR] $sam -- $_"
$failed++
}
}
Write-Host ""
Write-Host ("Result: {0} added, {1} failed, {2} skipped" -f $added, $failed, $skipped)
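Review bot: the `$Accounts` list hard-codes the same 37 SamAccountNames that create-caregiver-accounts.ps1 already carries, so every roster change (the pending Ederick Yuzon spelling, the future Reliable Agency per-person accounts) must be edited in two places and the lists will drift; consider deriving the list from the OU, e.g. `Get-ADUser -SearchBase "OU=Caregivers,OU=Departments,DC=cascades,DC=local" -Filter *`, or from one shared CSV both scripts read. Separately, `Get-ADGroupMember -Identity $Group` is re-queried inside the loop for each of the 37 users; fetch the membership once before the loop into a hash set of SamAccountNames and test against that.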

View File

@@ -0,0 +1,121 @@
# Cascades of Tucson -- Caregiver AD Account Creation
# Date: 2026-05-16
# Run on: CS-SERVER as a domain admin
# OU: OU=Caregivers,OU=Departments,DC=cascades,DC=local
#
# Creates 37 caregiver accounts.
# Display names match ALIS (preferred/known names).
# UPN format: firstinitial.lastname@cascadestucson.com
#
# Exceptions:
# b.sika -- Charity Sika (legal first name Bariffa drives the initial)
# e.huerta -- Zeke Huerta (legal first name Ezekiel drives the initial)
#
# Excluded:
# Christine Nyanzunda -- already has accounts, do not create
# Polett Pinazavala -- departed, do not create
#
# Espe Esperance -- legal name Niyonsaba Esperance (Niyonsaba = first, Esperance = last)
# Goes by Espe at work. Already in ALIS as Niyonsaba Esperance.
# Meredith must UPDATE that ALIS staff record email to e.esperance@cascadestucson.com
#
# Kasey Flores, Jahmeka Clarke, Gloria Williford -- not in ALIS; Meredith must add staff records.
#
# PasswordNeverExpires = $true during rollout.
# Run enable-caregiver-password-rotation.ps1 when ready to activate 30-day FGPP rotation.
$OU = "OU=Caregivers,OU=Departments,DC=cascades,DC=local"
$Domain = "cascadestucson.com"
$TempPassword = ConvertTo-SecureString "Cascades2026!" -AsPlainText -Force
$Caregivers = @(
# --- Tue-Sat ---
@{ First="Thelma"; Last="Abainza"; Sam="t.abainza" },
@{ First="Niel"; Last="Castro"; Sam="n.castro" },
@{ First="Espe"; Last="Esperance"; Sam="e.esperance" },
@{ First="Barb"; Last="Johnson"; Sam="b.johnson" },
@{ First="Kasey"; Last="Flores"; Sam="k.flores" },
@{ First="Richard"; Last="Flores"; Sam="r.flores" },
@{ First="Marie"; Last="Kastner"; Sam="m.kastner" },
@{ First="Bella"; Last="Mendoza"; Sam="b.mendoza" },
@{ First="Rosa"; Last="Morales"; Sam="r.morales" },
@{ First="Sandra"; Last="Padilla"; Sam="s.padilla" },
@{ First="Whisper"; Last="Reed"; Sam="w.reed" },
@{ First="Patricia"; Last="Sandoval-Beck"; Sam="p.sandoval-beck" },
@{ First="Charity"; Last="Sika"; Sam="b.sika" },
# --- Sun-Thu (Christine Nyanzunda excluded -- already has accounts) ---
@{ First="Juan"; Last="Andrade"; Sam="j.andrade" },
@{ First="Jahmeka"; Last="Clarke"; Sam="j.clarke" },
@{ First="Karina"; Last="Aziakpo"; Sam="k.aziakpo" },
@{ First="Jinnelle"; Last="Dittbenner"; Sam="j.dittbenner" },
@{ First="Agnes"; Last="McFerren"; Sam="a.mcferren" },
@{ First="Samuel"; Last="Ramirez"; Sam="s.ramirez" },
@{ First="Erica"; Last="Sanchez"; Sam="e.sanchez" },
@{ First="Katrina"; Last="Wyzykowski"; Sam="k.wyzykowski" },
@{ First="Corey"; Last="Tate"; Sam="c.tate" },
# --- Fri-Mon ---
@{ First="Ashli"; Last="Atwood"; Sam="a.atwood" },
@{ First="Cole"; Last="Johnson"; Sam="c.johnson" },
@{ First="Roseline"; Last="Cooper"; Sam="r.cooper" },
@{ First="Monique"; Last="Lopez"; Sam="m.lopez" },
@{ First="Gloria"; Last="Williford"; Sam="g.williford" },
# --- Thu-Mon ---
@{ First="Sarah"; Last="Carroll"; Sam="s.carroll" },
@{ First="Luke"; Last="Hogan"; Sam="l.hogan" },
@{ First="Gina"; Last="Williams"; Sam="g.williams" },
# --- Split / other ---
@{ First="Jen"; Last="Higdon"; Sam="j.higdon" },
@{ First="Mary"; Last="Kariuki"; Sam="m.kariuki" },
@{ First="Celia"; Last="Lassey"; Sam="c.lassey" },
@{ First="Patricia"; Last="Camarena Doran"; Sam="p.doran" },
# --- PRN ---
@{ First="Zeke"; Last="Huerta"; Sam="e.huerta" },
@{ First="Maia"; Last="Baker"; Sam="m.baker" },
@{ First="Ederick"; Last="Yuzon"; Sam="e.yuzon" }
)
$created = 0
$failed = 0
$skipped = 0
foreach ($c in $Caregivers) {
$displayName = if ($c.Display) { $c.Display } else { "$($c.First) $($c.Last)" }
$upn = "$($c.Sam)@$Domain"
if (Get-ADUser -Filter "SamAccountName -eq '$($c.Sam)'" -ErrorAction SilentlyContinue) {
Write-Host "[SKIP] $displayName already exists ($($c.Sam))"
$skipped++
continue
}
try {
New-ADUser `
-Name $displayName `
-GivenName $c.First `
-Surname $c.Last `
-SamAccountName $c.Sam `
-UserPrincipalName $upn `
-Path $OU `
-AccountPassword $TempPassword `
-Enabled $true `
-ChangePasswordAtLogon $false `
-PasswordNeverExpires $true
Write-Host "[OK] $displayName -- $upn"
$created++
}
catch {
Write-Host "[ERROR] $displayName -- $_"
$failed++
}
}
Write-Host ""
Write-Host ("Result: {0} created, {1} failed, {2} skipped (already existed)" -f $created, $failed, $skipped)
Write-Host "NOTE: No licenses assigned. No security group memberships set. Both are deliberate next steps."
Write-Host ""
Write-Host "ALIS actions needed (Meredith):"
Write-Host " Espe Esperance -- UPDATE existing ALIS record (listed as Niyonsaba Esperance), set email to e.esperance@cascadestucson.com"
Write-Host " Kasey Flores -- ADD new ALIS staff record, k.flores@cascadestucson.com"
Write-Host " Jahmeka Clarke -- ADD new ALIS staff record, j.clarke@cascadestucson.com"
Write-Host " Gloria Williford -- ADD new ALIS staff record, g.williford@cascadestucson.com"
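Review bot: all 37 accounts are created with `-Enabled $true`, the same hard-coded temporary password, `-ChangePasswordAtLogon $false` and `-PasswordNeverExpires $true`, and that password sits in cleartext in a script committed to the repo. Until enable-caregiver-password-rotation.ps1 is run, this is one shared, known credential across every caregiver account that will gain PHI access; generate a per-account random password at creation (or create the accounts disabled and enable each one when it is handed out) and keep the value out of the repo. Minor: `$c.Display` is tested at the top of the loop, but no entry in `$Caregivers` sets a `Display` key, so that branch is dead code and should be dropped or actually used.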

View File

@@ -0,0 +1,75 @@
# Cascades of Tucson — Enable Caregiver Password Rotation via FGPP
# Run on: CS-SERVER as a domain admin
#
# Step 1: Creates a Fine-Grained Password Policy (PSO) with 30-day max age.
# Step 2: Applies it to SG-Caregivers.
# Step 3: Clears PasswordNeverExpires on all caregiver accounts so the FGPP takes effect.
#
# IMPORTANT: Run create-caregiver-accounts.ps1 first (accounts must exist before step 3).
#
# After this runs:
# - Caregiver passwords expire after 30 days
# - No warning prompt on Android/MSDM phones (that prompt is Windows-only)
# - When a caregiver's sign-in fails, Howard resets via ADUC or GuruRMM
# - The "Interactive logon: Prompt user to change password before expiration" GPO
# setting (5 days) only affects Windows PC logons — not relevant for shared phones
$PolicyName = "PSO-Caregivers-30day"
$Group = "SG-Caregivers"
# --- Step 1: Create FGPP ---
if (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'" -ErrorAction SilentlyContinue) {
Write-Host "[SKIP] FGPP '$PolicyName' already exists"
} else {
New-ADFineGrainedPasswordPolicy `
-Name $PolicyName `
-Precedence 10 `
-MaxPasswordAge "30.00:00:00" `
-MinPasswordAge "1.00:00:00" `
-MinPasswordLength 8 `
-PasswordHistoryCount 5 `
-ComplexityEnabled $true `
-LockoutThreshold 5 `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00" `
-ReversibleEncryptionEnabled $false
Write-Host "[OK] FGPP '$PolicyName' created (30-day max age, precedence 10)"
}
# --- Step 2: Apply FGPP to SG-Caregivers ---
$existing = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -ErrorAction SilentlyContinue |
Where-Object { $_.Name -eq $Group }
if ($existing) {
Write-Host "[SKIP] FGPP already applied to $Group"
} else {
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Group
Write-Host "[OK] FGPP applied to $Group"
}
# --- Step 3: Clear PasswordNeverExpires on all caregiver accounts ---
Write-Host ""
Write-Host "Clearing PasswordNeverExpires on members of $Group..."
$cleared = 0
$failed = 0
Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object {
try {
Set-ADUser $_.SamAccountName -PasswordNeverExpires $false
Write-Host "[OK] $($_.SamAccountName)"
$cleared++
}
catch {
Write-Host "[ERROR] $($_.SamAccountName)$_"
$failed++
}
}
Write-Host ""
Write-Host "Done. PasswordNeverExpires cleared on $cleared accounts | $failed failed"
Write-Host "FGPP '$PolicyName' is now active for $Group — passwords expire in 30 days."
Write-Host ""
Write-Host "Verify FGPP is applied correctly with:"
Write-Host " Get-ADUserResultantPasswordPolicy -Identity <samaccountname>"
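Review bot: in the Step 3 catch block, `$_` is the ErrorRecord, not the pipeline object, so `$($_.SamAccountName)` expands to nothing and a failing account is never named (there is also no separator before the error text). Capture the member first with `$member = $_` at the top of the ForEach-Object block, use `$member.SamAccountName` in both Write-Host calls, and print `-- $_` in the catch. Also, the header lists only create-caregiver-accounts.ps1 as a prerequisite, but Step 3 enumerates SG-Caregivers, so add-caregivers-to-sg.ps1 must have run as well; otherwise the script reports "Done" with zero accounts cleared and PasswordNeverExpires stays set.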

View File

@@ -0,0 +1,166 @@
# Cascades of Tucson -- Caregiver AD Account Creation
**Date:** 2026-05-16
**Syncro ticket:** #32214 (Entra setup -- In Progress)
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
## Goal
Create all 37 caregiver AD accounts in OU=Caregivers and add them to SG-Caregivers.
This is the identity layer prerequisite for the shared-phone rollout -- accounts must
exist in AD so Entra Connect can sync them to M365 and CA policies can apply.
---
## Espe Esperance -- identity correction
The create-caregiver-accounts.ps1 script previously treated "Niyonsaba Esperance" and
"Espe Esperance" as two different people. Howard confirmed they are one person:
- Legal name: **Niyonsaba Esperance** (Niyonsaba = first, Esperance = last)
- Goes by **Espe** at work
Graph search confirmed no existing mailbox or user object for Esperance in the tenant
(searched by UPN prefix and display name -- both returned empty). Net-new account.
AD account created as:
- Display name: Espe Esperance
- GivenName: Espe
- Surname: Esperance
- sAMAccountName / UPN: e.esperance@cascadestucson.com
ALIS action (Meredith): UPDATE the existing ALIS staff record for "Niyonsaba Esperance"
-- set the Email field to e.esperance@cascadestucson.com. Do NOT add a new record.
Script updated in repo to reflect the correction. Script header, inline comment, and
output block all corrected.
---
## Account creation
Script: `clients/cascades-tucson/scripts/create-caregiver-accounts.ps1`
Run on: CS-SERVER, elevated PowerShell, sysadmin context
OU: `OU=Caregivers,OU=Departments,DC=cascades,DC=local`
Temp password: Cascades2026! (PasswordNeverExpires = true during rollout)
No licenses assigned. No security group memberships set at creation time.
**Result: 37 created, 0 failed, 0 skipped**
Accounts created:
| sAMAccountName | Display Name | Notes |
|---|---|---|
| t.abainza | Thelma Abainza | |
| n.castro | Niel Castro | |
| e.esperance | Espe Esperance | Legal: Niyonsaba Esperance |
| b.johnson | Barb Johnson | |
| k.flores | Kasey Flores | Not in ALIS -- Meredith must add |
| r.flores | Richard Flores | |
| m.kastner | Marie Kastner | |
| b.mendoza | Bella Mendoza | |
| r.morales | Rosa Morales | |
| s.padilla | Sandra Padilla | |
| w.reed | Whisper Reed | |
| p.sandoval-beck | Patricia Sandoval-Beck | |
| b.sika | Charity Sika | Legal first: Bariffa (drives initial) |
| j.andrade | Juan Andrade | |
| j.clarke | Jahmeka Clarke | Not in ALIS -- Meredith must add |
| k.aziakpo | Karina Aziakpo | |
| j.dittbenner | Jinnelle Dittbenner | |
| a.mcferren | Agnes McFerren | |
| s.ramirez | Samuel Ramirez | |
| e.sanchez | Erica Sanchez | |
| k.wyzykowski | Katrina Wyzykowski | |
| c.tate | Corey Tate | |
| a.atwood | Ashli Atwood | |
| c.johnson | Cole Johnson | |
| r.cooper | Roseline Cooper | |
| m.lopez | Monique Lopez | |
| g.williford | Gloria Williford | Not in ALIS -- Meredith must add |
| s.carroll | Sarah Carroll | |
| l.hogan | Luke Hogan | |
| g.williams | Gina Williams | |
| j.higdon | Jen Higdon | |
| m.kariuki | Mary Kariuki | |
| c.lassey | Celia Lassey | |
| p.doran | Patricia Camarena Doran | ALIS: "Camarena Doran, Patricia" |
| e.huerta | Zeke Huerta | Legal first: Ezekiel (drives initial) |
| m.baker | Maia Baker | |
| e.yuzon | Ederick Yuzon | Spelling from ALIS; email confirm still pending |
Excluded (intentional):
- Christine Nyanzunda -- already has AD + M365 accounts
- Polett Pinazavala -- departed
---
## SG-Caregivers
Script: `clients/cascades-tucson/scripts/add-caregivers-to-sg.ps1`
Run on: CS-SERVER, elevated PowerShell, sysadmin context
**Result: 37 added, 0 failed, 0 skipped**
All 37 caregiver accounts are now members of SG-Caregivers. This is the group that
controls Conditional Access policy coverage (Block-off-network, Sign-in-frequency,
Block-non-compliant) and the Registration Campaign exclusion (no Authenticator nudge).
---
## State after this session
The AD identity layer is complete:
- [x] 37 caregiver accounts exist in OU=Caregivers
- [x] All 37 in SG-Caregivers (CA coverage active on next sync)
- [x] Entra Connect live (exited staging 2026-05-14) -- next sync cycle will push accounts to cloud
- [x] SG-Caregivers already synced to cloud (ID: 8b8d9222-5d71-419a-936d-56d895c6c332)
- [x] CA policies target synced SG-Caregivers
After the next Entra Connect sync cycle (~30 min or force with Start-ADSyncSyncCycle
on CS-SERVER), M365 will provision Exchange mailboxes automatically for all 37 accounts.
---
## Remaining open items before phone rollout
| Item | Owner | Notes |
|---|---|---|
| Entra Connect sync -- push new accounts to cloud | Auto (next cycle) or force on CS-SERVER | Run: Start-ADSyncSyncCycle -PolicyType Delta |
| ALIS: UPDATE Espe Esperance staff record email | Meredith | Set to e.esperance@cascadestucson.com (she is Niyonsaba Esperance in ALIS) |
| ALIS: ADD Kasey Flores staff record | Meredith | k.flores@cascadestucson.com |
| ALIS: ADD Jahmeka Clarke staff record | Meredith | j.clarke@cascadestucson.com |
| ALIS: ADD Gloria Williford staff record | Meredith | g.williford@cascadestucson.com |
| Set ALIS Email = Entra UPN for ALL caregivers | Meredith / ALIS admin | Required for ALIS SSO to link; do after accounts appear in M365 |
| M365 licensing -- Business Premium for caregivers | Meredith (purchase decision) | 38 net-new licenses needed; $22/user/mo; proposal in docs/proposals/ |
| Reliable Agency per-person accounts | Howard (when names provided) | Cannot create until Reliable supplies individual names; HIPAA -- no shared logins |
| Ederick Yuzon first-name spelling confirm | Meredith (email) | Still outstanding; created as Ederick from ALIS |
| ALIS BAA (Medtelligent) | Meredith | Check if signed BAA was provided at contract time; if not, request from Medtelligent support |
| Stale vault entries cleanup | Howard | howard-enos-pilot.sops.yaml, pilot-test-user.sops.yaml |
## Deferred (not blocking rollout)
| Item | Notes |
|---|---|
| Knox OEMConfig (MHS half-screen) | Separate follow-up |
| MHS welcome-screen branding | Post-rollout |
| Portrait wallpaper upload | Post-rollout |
| Disable devices@cascadestucson.com | Post-rollout |
| SG-MedTech / SG-CCG groups | Create when ALIS licensing tiers confirmed |
| LinkRx SSO | Revisit only if vendor offers SSO |
| Folder redirection GPO rollout | Separate project track |
| Fleet hostname rename | Separate project track |
## Related docs
- `docs/cloud/caregiver-m365-p2-rollout.md` -- caregiver roster, AD placement, licensing
- `session-logs/2026-05-14-howard-cascades-phone-verification-closeout.md` -- architecture verified
- `session-logs/2026-05-08-howard-cascades-sdm-token-success-and-alis-sso.md` -- ALIS SSO proven
- `scripts/create-caregiver-accounts.ps1` -- account creation script
- `scripts/add-caregivers-to-sg.ps1` -- SG-Caregivers assignment script
- `scripts/enable-caregiver-password-rotation.ps1` -- run when ready for 30-day FGPP rotation
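Review bot: the session log repeats the temporary password in cleartext under "Account creation" ("Temp password: Cascades2026!"); recording that a temp password was set and where it is stored is enough for the log. The "Related docs" paths are also inconsistent with the "Script:" lines above them (`scripts/create-caregiver-accounts.ps1` vs `clients/cascades-tucson/scripts/create-caregiver-accounts.ps1`); use the repo-relative form throughout so the links resolve.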