diff --git a/clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1 b/clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1
new file mode 100644
index 0000000..32cf348
--- /dev/null
+++ b/clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1
@@ -0,0 +1,97 @@
+#Requires -RunAsAdministrator
+<#
+.SYNOPSIS
+ Phase 2.5a: Create new AD security groups for staged share rollout.
+.DESCRIPTION
+ Creates three new global security groups for the new share structure.
+ Groups are created EMPTY — members are added per-department when each
+ department is ready to cut over to the new shares.
+
+ Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
+ No other changes are made to existing groups or members.
+.NOTES
+ IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
+ Run on CS-SERVER via GuruRMM remote execution.
+
+ Verify $GroupOU before running:
+ Get-ADGroup SG-Management-RW | Select DistinguishedName
+ The OU in $GroupOU must match the OU where existing SG- groups live.
+#>
+
+Import-Module ActiveDirectory -ErrorAction Stop
+
+# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
+# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
+$GroupOU = "OU=Groups,DC=cascades,DC=local"
+
+Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
+Write-Host ""
+
+# ============================================================
+# STEP 1: Create new groups (empty — members added later)
+# ============================================================
+Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow
+
+$newGroups = @(
+ @{ Name = "SG-Mgmt-RW"; Description = "Management share - Read/Write" }
+ @{ Name = "SG-Sales-RO"; Description = "Sales share - Read Only" }
+ @{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
+)
+
+foreach ($g in $newGroups) {
+ try {
+ $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
+ if (-not $existing) {
+ New-ADGroup `
+ -Name $g.Name `
+ -GroupScope Global `
+ -GroupCategory Security `
+ -Path $GroupOU `
+ -Description $g.Description `
+ -ErrorAction Stop
+ Write-Host " [OK] Created: $($g.Name)" -ForegroundColor Green
+ } else {
+ Write-Host " [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
+ }
+ }
+ catch {
+ Write-Host " [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
+ }
+}
+
+# ============================================================
+# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
+# ============================================================
+Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow
+
+try {
+ $isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
+ Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }
+
+ if ($isMember) {
+ Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
+ Write-Host " [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
+ } else {
+ Write-Host " [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
+ }
+}
+catch {
+ Write-Host " [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
+}
+
+# ============================================================
+# SUMMARY: All SG- groups with member counts
+# ============================================================
+Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
+Write-Host ""
+
+Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
+ Sort-Object Name |
+ ForEach-Object {
+ $count = (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count
+ Write-Host (" {0,-25} {1,2} member(s)" -f $_.Name, $count) -ForegroundColor Cyan
+ }
+
+Write-Host ""
+Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
+Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green
diff --git a/clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1 b/clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1
new file mode 100644
index 0000000..942684d
--- /dev/null
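Review bot: STEP 2 removes Tamra.Matthews from SG-Sales-RW but nothing in the hunk adds her to SG-Sales-RO, even though the `.DESCRIPTION` says she moves there; as written she loses all Sales access until someone populates the new group by hand. Grant the RO membership first so there is no gap, e.g. `Add-ADGroupMember -Identity "SG-Sales-RO" -Members "Tamra.Matthews" -ErrorAction Stop` inside the same try block ahead of `Remove-ADGroupMember`, or reword the header to say the RO membership is granted at the Sales cutover. Separately, every failure path only prints `[ERROR]` and the script still finishes with exit code 0 (there is no `exit` anywhere and the last statement is a Write-Host), so a GuruRMM remote job will report success on a partial run; set `$failed = $true` in each catch and end with `if ($failed) { exit 1 }`.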
+++ b/clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1 
@@ -0,0 +1,173 @@
+#Requires -RunAsAdministrator
+<#
+.SYNOPSIS
+ Phase 2.5b: Create new share folders, NTFS permissions, and SMB shares on CS-SERVER.
+.DESCRIPTION
+ Builds the folder structure for the staged share rollout. Folders are created
+ empty — data sync runs separately after this script. Sets NTFS permissions with
+ broken inheritance and creates SMB shares with Access-Based Enumeration enabled.
+
+ Shares created: Management, Sales, Activities, Server.
+
+ Does NOT touch: D:\Shares\homes, D:\Shares\Culinary, D:\Shares\Receptionist,
+ D:\Shares\directoryshare, D:\Shares\IT, D:\Shares\chat, D:\Shares\Public,
+ or any other existing shares.
+.NOTES
+ IDEMPOTENT — safe to re-run. NTFS permissions are always reapplied (not skipped).
+ Existing SMB shares have their description updated; share-level permissions are
+ left alone on re-run.
+
+ Requires the ActiveDirectory module and must be run as Administrator on CS-SERVER.
+ Run AFTER phase2-ad-groups-new.ps1.
+#>
+
+Import-Module ActiveDirectory -ErrorAction Stop
+
+$DestRoot = "D:\Shares"
+
+Write-Host "=== Phase 2.5b: New Share Folders & Permissions ===" -ForegroundColor Cyan
+Write-Host ""
+
+# --- Share definitions ---
+# RWGroup and ROGroup may be $null. $null means that ACE is omitted.
+$shares = @(
+ @{
+ Name = "Management"
+ Path = "$DestRoot\Management"
+ RWGroup = "CASCADES\SG-Mgmt-RW"
+ ROGroup = $null
+ Desc = "Management share (Directors only)"
+ },
+ @{
+ Name = "Sales"
+ Path = "$DestRoot\Sales"
+ RWGroup = "CASCADES\SG-Sales-RW"
+ ROGroup = "CASCADES\SG-Sales-RO"
+ Desc = "Sales share"
+ },
+ @{
+ Name = "Activities"
+ Path = "$DestRoot\Activities"
+ RWGroup = "CASCADES\SG-Activities-RW"
+ ROGroup = $null
+ Desc = "Activities share (Life Enrichment)"
+ },
+ @{
+ Name = "Server"
+ Path = "$DestRoot\Server"
+ RWGroup = "CASCADES\SG-IT-RW"
+ ROGroup = "CASCADES\Domain Users"
+ Desc = "Server share (IT tools and scripts)"
+ }
+)
+
+foreach ($s in $shares) {
+ Write-Host "`n--- $($s.Name) ---" -ForegroundColor Yellow
+
+ # Create folder if it doesn't exist
+ try {
+ if (-not (Test-Path $s.Path)) {
+ New-Item -Path $s.Path -ItemType Directory -Force | Out-Null
+ Write-Host " [OK] Created folder: $($s.Path)" -ForegroundColor Green
+ } else {
+ Write-Host " [SKIP] Folder already exists: $($s.Path)" -ForegroundColor DarkGray
+ }
+ }
+ catch {
+ Write-Host " [ERROR] Failed to create folder $($s.Path): $_" -ForegroundColor Red
+ continue
+ }
+
+ # Set NTFS permissions (always reapplied — not skipped on re-run)
+ try {
+ $acl = New-Object System.Security.AccessControl.DirectorySecurity
+ # Break inheritance and discard all inherited entries
+ $acl.SetAccessRuleProtection($true, $false)
+
+ $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
+ "SYSTEM",
+ "FullControl",
+ "ContainerInherit,ObjectInherit",
+ "None",
+ "Allow"
+ )))
+
+ $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
+ "CASCADES\Domain Admins",
+ "FullControl",
+ "ContainerInherit,ObjectInherit",
+ "None",
+ "Allow"
+ )))
+
+ if ($s.RWGroup) {
+ $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
+ $s.RWGroup,
+ "Modify",
+ "ContainerInherit,ObjectInherit",
+ "None",
+ "Allow"
+ )))
+ }
+
+ if ($s.ROGroup) {
+ $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
+ $s.ROGroup,
+ "ReadAndExecute",
+ "ContainerInherit,ObjectInherit",
+ "None",
+ "Allow"
+ )))
+ }
+
+ Set-Acl -Path $s.Path -AclObject $acl -ErrorAction Stop
+ Write-Host " [OK] NTFS permissions set" -ForegroundColor Green
+ }
+ catch {
+ Write-Host " [ERROR] NTFS permissions failed on $($s.Path): $_" -ForegroundColor Red
+ continue
+ }
+
+ # Create or update SMB share
+ try {
+ $existingShare = Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue
+ if (-not $existingShare) {
+ New-SmbShare `
+ -Name $s.Name `
+ -Path $s.Path `
+ -Description $s.Desc `
+ -FullAccess "Authenticated Users" `
+ -FolderEnumerationMode AccessBased `
+ -ErrorAction Stop
+ Write-Host " [OK] Created SMB share: \\CS-SERVER\$($s.Name) (ABE enabled)" -ForegroundColor Green
+ } else {
+ # Update description only; share-level permissions are left alone
+ Set-SmbShare -Name $s.Name -Description $s.Desc -Force -ErrorAction Stop
+ Write-Host " [SKIP] SMB share already exists — description updated" -ForegroundColor DarkGray
+ }
+ }
+ catch {
+ Write-Host " [ERROR] SMB share failed for $($s.Name): $_" -ForegroundColor Red
+ }
+}
+
+# ============================================================
+# SUMMARY
+# ============================================================
+Write-Host "`n=== New Shares Summary ===" -ForegroundColor Cyan
+
+Write-Host "`nAll SMB shares on D:\:" -ForegroundColor Yellow
+Get-SmbShare | Where-Object { $_.Path -like "D:\*" } |
+ Select-Object Name, Path, Description, FolderEnumerationMode |
+ Format-Table -AutoSize -Wrap
+
+Write-Host "NTFS permissions on new folders:" -ForegroundColor Yellow
+foreach ($s in $shares) {
+ if (Test-Path $s.Path) {
+ Write-Host "`n $($s.Path):" -ForegroundColor Cyan
+ & icacls $s.Path
+ }
+}
+
+Write-Host "`n=== New Share Setup Complete ===" -ForegroundColor Cyan
+Write-Host "Folders are empty — sync data separately before activating each department." -ForegroundColor Green
diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md
index 6ab5615..17c8496 100644
--- a/clients/cascades-tucson/docs/servers/active-directory.md
+++ b/clients/cascades-tucson/docs/servers/active-directory.md
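Review bot: The SMB re-run branch (`if (-not $existingShare) … else`) keys only on the share name, so if a share called Sales or Server already exists on CS-SERVER pointing at a different folder, the script updates its description, prints `[SKIP]`, and leaves clients on a path whose NTFS ACL this script never rewrote. Check the path before treating the share as already created: `if ($existingShare -and $existingShare.Path -ne $s.Path) { throw "Share $($s.Name) already exists at $($existingShare.Path)" }`. Share-level `-FullAccess "Authenticated Users"` is only acceptable because the NTFS DACL built above is the enforcing layer; a comment on that line such as `# Share-level is intentionally wide; NTFS ACL below is the access gate` would stop a later maintainer from loosening NTFS on the assumption the share permission restricts access. Also note the Server entry grants `Domain Users` ReadAndExecute on a folder described as IT tools and scripts, so anything synced there becomes readable by every domain account — worth confirming nothing with embedded credentials will land in it.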
@@ -8,67 +8,132 @@ - Sites: Default-First-Site-Name - No trusts configured -## AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13 +## AD Users (updated 2026-05-19) -**New since last doc update:** Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26) +**Changes since 2026-04-13:** +- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues) +- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc) +- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied) +- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19 +- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra) +- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled. -### Enabled Accounts — HR Roster (updated 2026-04-13) -| Name | SamAccountName | Position | Department | Shared Email | Notes | -|------|---------------|----------|------------|-------------|-------| -| Administrator | Administrator | — | — | — | Built-in | -| localadmin | localadmin | — | — | — | Local admin | -| Sysadmin | sysadmin | — | — | — | System admin | -| Howard Dax | howard | Home Office | Administrative | first.last@ | MSP technician | -| Meredith Kuhn | Meredith.Kuhn | Executive Director | Administrative | first.last@ | | -| John Trozzi | John.Trozzi | Maintenance Director | Maintenance | first.last@ | PC: MAINTENANCE-PC | -| Lupe Sanchez | Lupe.Sanchez | Housekeeping Director | Housekeeping | first.last@ | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) | -| Megan Hiatt | Megan.Hiatt | Sales Director | Marketing | first.last@, Sales@ | | -| Crystal Rodriguez | Crystal.Rodriguez | Sales Associate | Marketing | first.last@, Sales@ | PC: CRYSTAL-PC | -| Tamra Matthews | Tamra.Matthews | Move-In 
Coordinator | Marketing | first.last@ | Renamed from Tamra.Johnson (2026-04-13) | -| Lois Lane | Lois.Lane | Health Services Director | Care, Assisted Living | first.last@, Nurses@ | | -| Christina DuPras | Christina.DuPras | Resident Services Director | Resident Services | first.last@ | | -| Christine Nyanzunda | Christine.Nyanzunda | Memory Care Admin Assistant | Care, Memory Care | first.last@ | | -| Susan Hicks | Susan.Hicks | Life Enrichment Director | Life Enrichment | first.last@ | PC: DESKTOP-ROK7VNM | -| Ashley Jensen | Ashley.Jensen | Assistant Executive Director | Administrative | first.last@, Accounting@ | | -| Veronica Feller | Veronica.Feller | Care, Assisted Living Aide | Care, Assisted Living | first.last@ | | -| Sebastian Leon | Sebastian.Leon | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | | -| JD Martin | JD.Martin | Culinary Director | Culinary | first.last@ | | -| Alyssa Brooks | Alyssa.Brooks | Dining Manager | Culinary | first.last@ | Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13) | -| Matt Brooks | Matt.Brooks | Memory Care Receptionist | Maintenance | first.last@ | Dept says Maintenance (HR data) | -| Ramon Castaneda | Ramon.Castaneda | Kitchen Manager | Culinary | first.last@ | | -| Michelle Shestko | Michelle.Shestko | Resident Services Receptionist | Resident Services | MC Front Desk | | -| Sharon Edwards | Sharon.Edwards | Life Enrichment Assistant | Life Enrichment | first.last@ | PC: DESKTOP-DLTAGOI | -| Britney Thompson | britney.thompson | Memory Care Nurse | Care, Assisted Living | first.last@, Nurses@ | **DEPARTED 2026-04-22 per John — disable account + harvest license** | -| Shelby Trozzi | Shelby.Trozzi | Memory Care Director | Care, Memory Care | first.last@ | Renamed from strozzi (2026-04-13) | -| Karen Rossini | karen.rossini | Health Services Manager | Care, Assisted Living | first.last@, Nurses@ | lowercase SamAccountName | -| Sheldon Gardfrey | Sheldon.Gardfrey | RS Courtesy Patrol | 
Resident Services | Frontdesk@, Courtesypatrol@ | | -| Cathy Kingston | Cathy.Kingston | Resident Services Receptionist | Resident Services | Frontdesk@ | | -| Shontiel Nunn | Shontiel.Nunn | Resident Services Receptionist | Resident Services | Frontdesk@ | | -| Ray Rai | Ray.Rai | RS Courtesy Patrol | Resident Services | Frontdesk@ | | -| Richard Adams | Richard.Adams | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** | -| Julian Crim | Julian.Crim | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** | -| Christopher Holick | Christopher.Holick | Driver | Transportation | Transportation@ | Fixed from Holik (2026-04-13). **2026-04-22: disable — drivers no longer get IT access** | -| Lauren Hasselman | lauren.hasselman | Business Office Director | Administrative | first.last@, Accounting@ | Replaced Jeff Bristol. lowercase SamAccountName | -| Allison Reibschied | Allison.Reibschied | Accounting Assistant | Administrative | first.last@ | Added 2026-03-13. 
PC: ACCT2-PC | -| QBDataServiceUser34 | QBDataServiceUser34 | — | — | — | QuickBooks service account | -| Culinary | Culinary | — | — | — | Generic department account — replace Phase 5 | -| RECEPTIONIST | Receptionist | — | — | — | Generic role account — replace Phase 5 | -| saleshare | saleshare | — | — | — | Shared sales resource — replace Phase 5 | -| directoryshare | directoryshare | — | — | — | Shared directory resource — replace Phase 5 | +### Enabled Accounts — Staff (updated 2026-05-19) -### Not in AD — Needs Account Created -| Name | Position | Department | Shared Email | Notes | -|------|----------|------------|-------------|-------| -| Kyla Quick Tiffany | Resident Services Receptionist | Resident Services | Frontdesk@ | New — needs AD + M365 account | +**OU=Administrative** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Meredith.Kuhn | Meredith Kuhn | Executive Director | | +| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ | +| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ | +| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) | +| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. | +| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** | + +**OU=Care-Assisted Living** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ | +| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. 
M365: Nurses@ | +| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | | +| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** | + +**OU=Care-Memorycare** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | | +| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) | + +**OU=Caregivers** — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below. + +**OU=Culinary** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| JD.Martin | JD Martin | Culinary Director | | +| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) | +| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | | + +**OU=Housekeeping** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) | + +**OU=Life Enrichment** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI | +| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM | + +**OU=Maintenance** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC | +| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data | + +**OU=Marketing** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ | +| Crystal.Rodriguez | Crystal Rodriguez | Sales 
Associate | PC: CRYSTAL-PC. M365: Sales@ | +| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) | + +**OU=Resident Services** +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Christina.DuPras | Christina DuPras | Resident Services Director | | +| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ | +| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD | +| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk | +| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ | +| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ | +| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ | +| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** | + +**OU=Transportation** — accounts still enabled but flagged for disable +| SamAccountName | Name | Position | Notes | +|---------------|------|----------|-------| +| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). 
**Disable — drivers no longer get IT access** | +| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** | +| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** | + +**CN=Users — Service Accounts** +| SamAccountName | Notes | +|---------------|-------| +| Administrator | Built-in | +| localadmin | Local admin | +| sysadmin | System admin (IT) | +| MSOL_12be42ce1269 | Entra Connect service account | +| QBDataServiceUser34 | QuickBooks service account | + +**OU=Excluded-From-Sync — Shared/Generic Accounts** (intentionally not syncing to Entra) +| SamAccountName | Notes | +|---------------|-------| +| Culinary | Generic dept account — replace Phase 5 | +| directoryshare | Shared resource — replace Phase 5 | +| RECEPTIONIST | Generic role account — replace Phase 5 | +| saleshare | Shared resource — replace Phase 5 | + +**OU=ServiceAccounts** +| SamAccountName | Notes | +|---------------|-------| +| svc-audit-upload | GuruRMM audit upload service account | + +### Disabled Accounts +| SamAccountName | Notes | +|---------------|-------| +| Guest | Built-in — correct to leave disabled | +| krbtgt | Built-in Kerberos — **password 569+ days old as of 2026-03-20, needs rotation** | ### Accounts Deleted (2026-04-13 cleanup) -Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol +Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol -### Disabled Accounts (2) — cleaned 2026-04-13 -| Name | SamAccountName | Notes | -|------|---------------|-------| -| Guest | Guest | Built-in — correct to leave disabled | -| krbtgt | krbtgt | Built-in Kerberos — correct to leave disabled. 
**Password 569+ days old — needs rotation** | +## Caregiver Accounts (OU=Caregivers) + +38 accounts, all shift caregivers/medtechs, first-initial-last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU). + +a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed + +s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it. ## Domain-Joined Computers (8) @@ -82,7 +147,7 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri |----------|------| | CS-QB | Hyper-V VM — VoIP server | -### OU=Staff PCs,OU=Workstations (moved 2026-04-13) +### OU=Staff PCs,OU=Workstations | Computer | User | Role | |----------|------|------| | ACCT2-PC | Allison Reibschied | Accounting | 
@@ -92,103 +157,77 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri | DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant | | DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director | -### Missing from AD (listed in overview but NOT domain-joined) -- **SALES4-PC** — Sales workstation (10.0.20.203) — NOT in AD -- **CHEF-PC** — Kitchen workstation (10.0.20.232) — NOT in AD -- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) — NOT in AD -- **DESKTOP-KQSL232** — Unknown (10.0.20.227) — NOT in AD +### OU=Shared PCs,OU=Workstations +Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation). -These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain. +### Not Domain-Joined (on network but workgroup/unjoined) +- **SALES4-PC** — Sales workstation (10.0.20.203) +- **CHEF-PC** — Kitchen workstation (10.0.20.232) +- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) +- **DESKTOP-KQSL232** — Unknown (10.0.20.227) -## Organizational Units +Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations). + +## Organizational Units (current state — 2026-05-19) + +OU cleanup is **complete**. All root-level duplicate OUs have been deleted. The structure below reflects live state. 
-### Current State (pre-cleanup) ``` cascades.local ├── Builtin (system) -├── Computers (default container) ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7 -├── Users (default container) ← 20 accounts dumped here (system + stale + needs placement) +├── Computers (default) — CS-QB (VoIP VM) +├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin ├── Domain Controllers │ └── CS-SERVER -├── Managment ← MISSPELLED, empty — DELETE -├── Sales ← empty — DELETE -├── MemCare ← empty — DELETE -├── Administrative ← ROOT DUPLICATE of Departments\Administrative — DELETE -├── Care-Assisted Living ← ROOT DUPLICATE — DELETE -├── Care-Memorycare ← ROOT DUPLICATE — DELETE -├── Culinary ← ROOT DUPLICATE — DELETE -├── Housekeeping ← ROOT DUPLICATE — DELETE -├── Life Enrichment ← ROOT DUPLICATE — DELETE -├── Maintenance ← ROOT DUPLICATE — DELETE -├── Marketing ← ROOT DUPLICATE — DELETE -├── Resident Services ← ROOT DUPLICATE — DELETE -├── Transportation ← ROOT DUPLICATE — DELETE -└── Departments - ├── Administrative (6 users) - ├── Care-Assisted Living (4 users) - │ └── Nurses (sub-OU, empty) - ├── Care-Memorycare (2 users) - ├── Culinary (4 users) - ├── Housekeeping (1 user) - ├── Life Enrichment (2 users) - ├── Maintenance (2 users) - ├── Marketing (4 users) - ├── Resident Services (7 users) - └── Transportation (3 users) +├── Departments +│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson +│ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller +│ │ └── Nurses (empty sub-OU) +│ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format) +│ ├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi +│ ├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda +│ ├── Housekeeping — Lupe.Sanchez +│ ├── Life Enrichment — Sharon.Edwards, Susan.Hicks +│ ├── Maintenance — John.Trozzi, Matt.Brooks +│ ├── 
Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews +│ ├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn +│ └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams +├── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare +├── Groups — SG-* groups + AuditUploaders (see Security Groups section) +├── ServiceAccounts — svc-audit-upload +└── Workstations + ├── Shared PCs (empty) + └── Staff PCs — domain-joined workstations ``` -### Target State (after cleanup — Phase 2.1 + 2.2) -``` -cascades.local -├── Builtin (system) -├── Computers (default container) ← CS-QB stays here (VM, not staff PC) -├── Users (default container) ← system/service accounts only -├── Domain Controllers -│ └── CS-SERVER -├── Workstations ← NEW -│ ├── Staff PCs ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM -│ └── Shared PCs ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation) -└── Departments - ├── Administrative (6 users) - ├── Care-Assisted Living (4 users) - │ └── Nurses (sub-OU) - ├── Care-Memorycare (2 users) - ├── Culinary (4 users) - ├── Housekeeping (1 user) - ├── Life Enrichment (2 users) - ├── Maintenance (2 users) - ├── Marketing (4 users) - ├── Resident Services (7 users) - └── Transportation (3 users) -``` +**Historical note:** Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup. 
-### Cleanup Scripts -- `migration/scripts/phase2-ou-cleanup.ps1` — Audit + delete 13 root-level OUs, handle CN=Users accounts -- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, create Workstations OU, security groups, move computers +## Security Groups (OU=Groups — live state 2026-05-20) -## Group Policy (as of 2026-03-07 export) - -GPOs exist but effectiveness is limited since most PCs aren't domain-joined. - -| GPO | Created | Modified | Settings | Notes | -|-----|---------|----------|----------|-------| -| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. **Lockout: 5 attempts / 30 min** (fixed 2026-03-09). Kerberos defaults. | OK | -| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK | -| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Reasonable — keep | -| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | -| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | -| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | - -**GPO Review (2026-03-07):** All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. The Default Domain Policy has account lockout disabled (threshold = 0), allowing unlimited password brute-force attempts — this needs to be fixed in the security baseline GPO. - -## RDS Licensing -- **Mode: NotConfigured** -- **License Servers: None** -- RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured. -- **Compliance risk:** Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused. 
Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode. - -## Existing AD Groups (Custom) +| Group | Members | Notes | +|-------|---------|-------| +| SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. | +| SG-CA-BreakGlass | 0 | Conditional Access break-glass group | +| SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra | +| SG-Chat-RW | 0 | Chat share access — legacy | +| SG-CourtesyPatrol | 0 | Courtesy patrol dept | +| SG-Culinary-RW | 0 | Culinary share access | +| SG-Directory-RW | 0 | Directory share access | +| SG-Drivers | 0 | Transportation drivers | +| SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in | +| SG-FrontDesk | 0 | Front desk dept | +| SG-IT-RW | 0 | IT share access | +| SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. | +| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. | +| SG-Office-PHI-External | 0 | PHI-authorized external access | +| SG-Office-PHI-Internal | 0 | PHI-authorized internal access | +| SG-Receptionist-RW | 0 | Receptionist share access | +| SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. | +| SG-Sales-RW | 0 | Sales share — Read/Write | +| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share | +| AuditUploaders | 0 | GuruRMM audit upload service | +**Legacy groups (CN=Users, not in OU=Groups):** | Group | Members | Notes | |-------|---------|-------| | QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 | 
@@ -196,110 +235,110 @@ GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
 | MemoryCareDepartment | (empty) | Never populated |
 | KitchenAdmin | (empty) | Never populated |
-## Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3)
+## Entra Connect (live state 2026-05-19)
-See `migration/phase2-server-prep.md` and `migration/scripts/phase2-ad-setup.ps1`.
+Entra Connect is installed and running on CS-SERVER in production mode.
-### Security Fixes (immediate)
-- Remove disabled Monica.Ramirez from **Domain Admins** (security risk)
-- Disable Haris.Durut (still enabled, not employed)
-- Fix "Quickboosk acccess" → "QuickBooks Access"
-- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)
+| Setting | Value |
+|---------|-------|
+| Installed on | CS-SERVER |
+| Staging mode | FALSE (live production sync) |
+| Scheduler | Enabled — next run: Delta |
+| AD connector | cascades.local |
+| Entra connector | NETORGFT4257522.onmicrosoft.com |
+| OU sync scope | Full domain (dnList empty — unfiltered) |
+| Service account | MSOL_12be42ce1269 (CN=Users) |
-### OU Changes
-- **DELETE 10 root-level duplicate OUs** (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
-- **DELETE 3 empty root-level OUs** (Managment, MemCare, Sales) — unused
-- Create: `OU=Workstations,DC=cascades,DC=local`
-- Create: `OU=Staff PCs,OU=Workstations,DC=cascades,DC=local`
+**OU=Excluded-From-Sync** is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.
-### Security Groups (created with members from Synology permission mapping)
+All other OUs — including OU=Caregivers — are within scope and sync to Entra. 
-| Group | Members |
-|-------|---------|
-| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
-| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
-| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
-| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
-| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
-| SG-IT-RW | howard, sysadmin |
-| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
-| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
-| SG-AllShares-RO | (populated as needed) |
+**Historical note:** As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.
-### Account Removals (client confirmed)
+## SMB Shares (live — D:\ on CS-SERVER)
-**Already disabled — delete:** Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol
+Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`.
-**Enabled but not in HR — disable + delete:** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery
+| Share | Path | Notes |
+|-------|------|-------|
+| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
+| Culinary | D:\Shares\Culinary | |
+| directoryshare | D:\Shares\directoryshare | |
+| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
+| IT | D:\Shares\IT | |
+| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
+| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. 
|
+| Receptionist | D:\Shares\Receptionist | |
+| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
+| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
+| Shares | D:\Shares | Root share |
-**Keep:** lauren.hasselman (replaced Bristol as Business Office Director)
+**Printers shared from CS-SERVER:**
+| Share | Device |
+|-------|--------|
+| RecRoom-Canon | 1F-132-RecRoom-Canon |
+| MemCare Director Printer | MF451CDW |
+| MemCare MedTech Printer | Brother MFC-L8900CDW |
-### CN=Users — HR Verified (2026-03-10)
+## Group Policy (as of 2026-03-07 export)
-HR (Meredith) responded. All accounts resolved:
+GPOs exist but effectiveness is limited since most PCs are not domain-joined.
-| Account | Enabled | Last Logon | Action |
-|---------|---------|-----------|--------|
-| Lupe.Sanchez | Yes | Never | **Keep** — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate |
-| Receptionist | Yes | 2/22/2026 | Shared account — keep until Phase 5 replacement |
-| directoryshare | Yes | 2/26/2026 | Shared/service account — keep until Phase 5 replacement |
+| GPO | Created | Modified | Settings | Notes |
+|-----|---------|----------|----------|-------|
+| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
+| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
+| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. 
| Keep |
+| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
+| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
+| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
-**Confirmed DELETE by HR:**
-- Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
-- Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
-- Jodi.Ramstack (disabled)
-- Monica.Ramirez (disabled, already removed from Domain Admins)
-- Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license
-
-**Already confirmed for removal (not current employees, never logged in):**
-Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)
-
-**System/service accounts staying in CN=Users:**
-Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34
-
-### Domain Join (Phase 3)
-Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:
-- DESKTOP-KQSL232 (first)
-- CHEF-PC
-- SALES4-PC
-- MDIRECTOR-PC (last)
-
-### GPOs to Create (Phase 2.6)
+**GPOs to Create (Phase 2.6 — not yet run):**
 1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
 2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
 3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
 4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
-5. **CSC - Folder Redirection** — Desktop, Documents, Downloads → `\\CS-SERVER\homes\%username%\`
-6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification.
+5. **CSC - Folder Redirection** — Desktop, Documents, Downloads to `\\CS-SERVER\homes\%username%\`
+6. 
**CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
-### Entra Connect (Phase 2.7 — NEW)
-- Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
-- **BLOCKED ON:** AD cleanup (renames, deletions, duplicate resolution) must complete first
-- See `cloud/m365.md` → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
-- Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles
+## RDS Licensing
-### Shared Account Replacement (Phase 5)
-Replace Culinary, Receptionist, saleshare, directoryshare with security group access.
+- **Mode: NotConfigured**
+- **License Servers: None**
+- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
+- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
+- Decision deferred to Phase 5.
-## Domain Admins (from 2026-03-07 export)
+## Domain Admins
-| Account | Status | Action Needed |
-|---------|--------|---------------|
+| Account | Status | Notes |
+|---------|--------|-------|
 | Administrator | Enabled | OK (built-in) |
-| Meredith.Kuhn | Enabled | **REMOVE** — administrative staff, not IT |
-| John.Trozzi | Enabled | **REMOVE** — maintenance, not IT |
-| ~~Monica.Ramirez~~ | **Disabled** | **REMOVED 2026-03-09** |
+| Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
+| John.Trozzi | Enabled | Should be removed — maintenance, not IT |
+| ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
 | sysadmin | Enabled | OK (IT account) |
-## Login Activity (audit 2026-03-20)
+## Pending Issues (discovered 2026-05-19 audit)
-Only 12 of 49 enabled accounts have ever logged in. 
Most staff have never used their AD accounts because their PCs aren't domain-joined.
+| Issue | Account | Action Needed |
+|-------|---------|---------------|
+| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
+| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
+| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
+| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. |
+| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
+| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
+
+## Login Activity (audit 2026-03-20 — historical/stale)
+
+Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.
 | Account | Last Logon | Notes |
 |---------|-----------|-------|
 | sysadmin | 2026-03-16 | |
 | QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
-| Allison.Reibschied | 2026-03-13 | **NEW** — Administrative |
+| Allison.Reibschied | 2026-03-13 | Administrative |
 | lauren.hasselman | 2026-03-12 | Business Office Director |
 | Administrator | 2026-03-11 | |
 | Receptionist | 2026-03-11 | Shared account |
@@ -307,23 +346,20 @@ Only 12 of 49 enabled accounts have ever logged in. Most staff have never used t
 | localadmin | 2026-03-09 | |
 | Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
 | Culinary | 2026-02-20 | Shared account |
-| saleshare | 2025-12-08 | Shared account |
 | Christina.DuPras | 2026-01-06 | |
-| Monica.Ramirez | 2024-11-04 | **Disabled** |
+| saleshare | 2025-12-08 | Shared account |
+| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |
-**37 enabled accounts have NEVER logged in** — most have never set a password either.
+37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
-## Issues Found
-1. **Only 6 computers domain-joined** — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
-2. **3 GPOs from Dec 2025 undocumented** — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these.
-3. **RDS licensing not configured** — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision)
-4. **12 accounts to remove** — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2)
-5. **4 shared/generic accounts** (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5)
-6. **Monica.Ramirez (disabled) still in Domain Admins** — Security risk, fix immediately. (Phase 2.2)
-7. **Meredith.Kuhn and John.Trozzi in Domain Admins** — Non-IT staff should not be DAs. (Phase 2.2)
-8. **"Managment" OU misspelled** — To be deleted (empty). (Phase 2.1)
-9. **"Quickboosk acccess" group typo** — To be fixed. (Phase 2.2)
-10. **13 junk root-level OUs** — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1.
-11. **20 accounts in CN=Users** — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
-12. **5 computers in CN=Computers** — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
-13. 
**Lupe.Sanchez** — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
+## Migration Plan Reference
+
+See `migration/phase2-server-prep.md` for full phase details. Scripts referenced throughout this doc:
+- `migration/scripts/phase2-ou-cleanup.ps1` — OU audit + delete (COMPLETE)
+- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
+- `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
+- `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
+
+**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
+
+**Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.