client/cascades: Phase 2.5 AD groups and shares — COMPLETE

Created SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW in OU=Groups.
Created SMB shares Management, Sales, Activities, Server on D:\Shares
with ABE enabled and correct NTFS ACLs per group.
Scripts run on CS-SERVER via GuruRMM 2026-05-20. AD doc updated to live state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 22:14:56 -07:00
parent d5d2580dd5
commit 3328a24742
3 changed files with 537 additions and 231 deletions


@@ -0,0 +1,97 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5a: Create new AD security groups for staged share rollout.
.DESCRIPTION
Creates three new global security groups for the new share structure.
Groups are created EMPTY — members are added per-department when each
department is ready to cut over to the new shares.
Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
No other changes are made to existing groups or members.
.NOTES
IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
Run on CS-SERVER via GuruRMM remote execution.
Verify $GroupOU before running:
Get-ADGroup SG-Management-RW | Select DistinguishedName
The OU in $GroupOU must match the OU where existing SG- groups live.
#>
Import-Module ActiveDirectory -ErrorAction Stop
# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
$GroupOU = "OU=Groups,DC=cascades,DC=local"
Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
Write-Host ""
# ============================================================
# STEP 1: Create new groups (empty — members added later)
# ============================================================
Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow
$newGroups = @(
@{ Name = "SG-Mgmt-RW"; Description = "Management share - Read/Write" }
@{ Name = "SG-Sales-RO"; Description = "Sales share - Read Only" }
@{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
)
foreach ($g in $newGroups) {
try {
$existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
if (-not $existing) {
New-ADGroup `
-Name $g.Name `
-GroupScope Global `
-GroupCategory Security `
-Path $GroupOU `
-Description $g.Description `
-ErrorAction Stop
Write-Host " [OK] Created: $($g.Name)" -ForegroundColor Green
} else {
Write-Host " [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
# ============================================================
Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow
try {
$isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }
if ($isMember) {
Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
Write-Host " [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
} else {
Write-Host " [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
}
# ============================================================
# SUMMARY: All SG- groups with member counts
# ============================================================
Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
Write-Host ""
Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
Sort-Object Name |
ForEach-Object {
$count = (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host (" {0,-25} {1,2} member(s)" -f $_.Name, $count) -ForegroundColor Cyan
}
Write-Host ""
Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green
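Review bot: the $GroupOU precondition that .NOTES asks the operator to verify by hand is never checked by the script itself; a `Get-ADOrganizationalUnit -Identity $GroupOU -ErrorAction Stop` before the STEP 1 loop would abort on a wrong OU immediately instead of producing three caught [ERROR] lines. The catch blocks in STEP 1 and STEP 2 only Write-Host, so the script always exits 0 and GuruRMM will report the run as successful even when a group was not created or the Tamra.Matthews removal failed; set a failure flag in each catch and end with `exit 1` when it is set. Minor: the existence check in STEP 1 matches on Name only, so a same-named SG- group in a different OU is reported as [SKIP] with no hint that it lives outside $GroupOU; printing `$existing.DistinguishedName` in the [SKIP] line makes that visible.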


@@ -0,0 +1,173 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5b: Create new share folders, NTFS permissions, and SMB shares on CS-SERVER.
.DESCRIPTION
Builds the folder structure for the staged share rollout. Folders are created
empty — data sync runs separately after this script. Sets NTFS permissions with
broken inheritance and creates SMB shares with Access-Based Enumeration enabled.
Shares created: Management, Sales, Activities, Server.
Does NOT touch: D:\Shares\homes, D:\Shares\Culinary, D:\Shares\Receptionist,
D:\Shares\directoryshare, D:\Shares\IT, D:\Shares\chat, D:\Shares\Public,
or any other existing shares.
.NOTES
IDEMPOTENT — safe to re-run. NTFS permissions are always reapplied (not skipped).
Existing SMB shares have their description updated; share-level permissions are
left alone on re-run.
Requires the ActiveDirectory module and must be run as Administrator on CS-SERVER.
Run AFTER phase2-ad-groups-new.ps1.
#>
Import-Module ActiveDirectory -ErrorAction Stop
$DestRoot = "D:\Shares"
Write-Host "=== Phase 2.5b: New Share Folders & Permissions ===" -ForegroundColor Cyan
Write-Host ""
# --- Share definitions ---
# RWGroup and ROGroup may be $null. $null means that ACE is omitted.
$shares = @(
@{
Name = "Management"
Path = "$DestRoot\Management"
RWGroup = "CASCADES\SG-Mgmt-RW"
ROGroup = $null
Desc = "Management share (Directors only)"
},
@{
Name = "Sales"
Path = "$DestRoot\Sales"
RWGroup = "CASCADES\SG-Sales-RW"
ROGroup = "CASCADES\SG-Sales-RO"
Desc = "Sales share"
},
@{
Name = "Activities"
Path = "$DestRoot\Activities"
RWGroup = "CASCADES\SG-Activities-RW"
ROGroup = $null
Desc = "Activities share (Life Enrichment)"
},
@{
Name = "Server"
Path = "$DestRoot\Server"
RWGroup = "CASCADES\SG-IT-RW"
ROGroup = "CASCADES\Domain Users"
Desc = "Server share (IT tools and scripts)"
}
)
foreach ($s in $shares) {
Write-Host "`n--- $($s.Name) ---" -ForegroundColor Yellow
# Create folder if it doesn't exist
try {
if (-not (Test-Path $s.Path)) {
New-Item -Path $s.Path -ItemType Directory -Force | Out-Null
Write-Host " [OK] Created folder: $($s.Path)" -ForegroundColor Green
} else {
Write-Host " [SKIP] Folder already exists: $($s.Path)" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create folder $($s.Path): $_" -ForegroundColor Red
continue
}
# Set NTFS permissions (always reapplied — not skipped on re-run)
try {
$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Break inheritance and discard all inherited entries
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"SYSTEM",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"CASCADES\Domain Admins",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
if ($s.RWGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.RWGroup,
"Modify",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
if ($s.ROGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.ROGroup,
"ReadAndExecute",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
Set-Acl -Path $s.Path -AclObject $acl -ErrorAction Stop
Write-Host " [OK] NTFS permissions set" -ForegroundColor Green
}
catch {
Write-Host " [ERROR] NTFS permissions failed on $($s.Path): $_" -ForegroundColor Red
continue
}
# Create or update SMB share
try {
$existingShare = Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue
if (-not $existingShare) {
New-SmbShare `
-Name $s.Name `
-Path $s.Path `
-Description $s.Desc `
-FullAccess "Authenticated Users" `
-FolderEnumerationMode AccessBased `
-ErrorAction Stop
Write-Host " [OK] Created SMB share: \\CS-SERVER\$($s.Name) (ABE enabled)" -ForegroundColor Green
} else {
# Update description only; share-level permissions are left alone
Set-SmbShare -Name $s.Name -Description $s.Desc -Force -ErrorAction Stop
Write-Host " [SKIP] SMB share already exists — description updated" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] SMB share failed for $($s.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# SUMMARY
# ============================================================
Write-Host "`n=== New Shares Summary ===" -ForegroundColor Cyan
Write-Host "`nAll SMB shares on D:\:" -ForegroundColor Yellow
Get-SmbShare | Where-Object { $_.Path -like "D:\*" } |
Select-Object Name, Path, Description, FolderEnumerationMode |
Format-Table -AutoSize -Wrap
Write-Host "NTFS permissions on new folders:" -ForegroundColor Yellow
foreach ($s in $shares) {
if (Test-Path $s.Path) {
Write-Host "`n $($s.Path):" -ForegroundColor Cyan
& icacls $s.Path
}
}
Write-Host "`n=== New Share Setup Complete ===" -ForegroundColor Cyan
Write-Host "Folders are empty — sync data separately before activating each department." -ForegroundColor Green
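Review bot: the re-run branch (`Set-SmbShare -Name $s.Name -Description $s.Desc -Force`) does not reassert Access-Based Enumeration, so a share that already exists without ABE keeps that state while the [SKIP] line suggests it matches the intended configuration; pass `-FolderEnumerationMode AccessBased` to Set-SmbShare as well, which gives the share block the same always-reapply treatment the NTFS block already has. Caveat on the Server entry: CASCADES\Domain Users gets ReadAndExecute over "IT tools and scripts", so anything synced into D:\Shares\Server needs to be checked for embedded credentials or other secrets before the share is activated, and the .NOTES should state that the broad read grant is intentional. Style: Import-Module ActiveDirectory is required at the top but no AD cmdlet is used in this script; the CASCADES\ principals in the ACEs resolve through LSA, so the import (and the .NOTES requirement) can go.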


@@ -8,67 +8,132 @@
- Sites: Default-First-Site-Name
- No trusts configured
## AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13
## AD Users (updated 2026-05-19)
**New since last doc update:** Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26)
**Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.
### Enabled Accounts — HR Roster (updated 2026-04-13)
| Name | SamAccountName | Position | Department | Shared Email | Notes |
|------|---------------|----------|------------|-------------|-------|
| Administrator | Administrator | — | — | — | Built-in |
| localadmin | localadmin | — | — | — | Local admin |
| Sysadmin | sysadmin | — | — | — | System admin |
| Howard Dax | howard | Home Office | Administrative | first.last@ | MSP technician |
| Meredith Kuhn | Meredith.Kuhn | Executive Director | Administrative | first.last@ | |
| John Trozzi | John.Trozzi | Maintenance Director | Maintenance | first.last@ | PC: MAINTENANCE-PC |
| Lupe Sanchez | Lupe.Sanchez | Housekeeping Director | Housekeeping | first.last@ | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
| Megan Hiatt | Megan.Hiatt | Sales Director | Marketing | first.last@, Sales@ | |
| Crystal Rodriguez | Crystal.Rodriguez | Sales Associate | Marketing | first.last@, Sales@ | PC: CRYSTAL-PC |
| Tamra Matthews | Tamra.Matthews | Move-In Coordinator | Marketing | first.last@ | Renamed from Tamra.Johnson (2026-04-13) |
| Lois Lane | Lois.Lane | Health Services Director | Care, Assisted Living | first.last@, Nurses@ | |
| Christina DuPras | Christina.DuPras | Resident Services Director | Resident Services | first.last@ | |
| Christine Nyanzunda | Christine.Nyanzunda | Memory Care Admin Assistant | Care, Memory Care | first.last@ | |
| Susan Hicks | Susan.Hicks | Life Enrichment Director | Life Enrichment | first.last@ | PC: DESKTOP-ROK7VNM |
| Ashley Jensen | Ashley.Jensen | Assistant Executive Director | Administrative | first.last@, Accounting@ | |
| Veronica Feller | Veronica.Feller | Care, Assisted Living Aide | Care, Assisted Living | first.last@ | |
| Sebastian Leon | Sebastian.Leon | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| JD Martin | JD.Martin | Culinary Director | Culinary | first.last@ | |
| Alyssa Brooks | Alyssa.Brooks | Dining Manager | Culinary | first.last@ | Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13) |
| Matt Brooks | Matt.Brooks | Memory Care Receptionist | Maintenance | first.last@ | Dept says Maintenance (HR data) |
| Ramon Castaneda | Ramon.Castaneda | Kitchen Manager | Culinary | first.last@ | |
| Michelle Shestko | Michelle.Shestko | Resident Services Receptionist | Resident Services | MC Front Desk | |
| Sharon Edwards | Sharon.Edwards | Life Enrichment Assistant | Life Enrichment | first.last@ | PC: DESKTOP-DLTAGOI |
| Britney Thompson | britney.thompson | Memory Care Nurse | Care, Assisted Living | first.last@, Nurses@ | **DEPARTED 2026-04-22 per John — disable account + harvest license** |
| Shelby Trozzi | Shelby.Trozzi | Memory Care Director | Care, Memory Care | first.last@ | Renamed from strozzi (2026-04-13) |
| Karen Rossini | karen.rossini | Health Services Manager | Care, Assisted Living | first.last@, Nurses@ | lowercase SamAccountName |
| Sheldon Gardfrey | Sheldon.Gardfrey | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| Cathy Kingston | Cathy.Kingston | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Shontiel Nunn | Shontiel.Nunn | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Ray Rai | Ray.Rai | RS Courtesy Patrol | Resident Services | Frontdesk@ | |
| Richard Adams | Richard.Adams | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Julian Crim | Julian.Crim | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Christopher Holick | Christopher.Holick | Driver | Transportation | Transportation@ | Fixed from Holik (2026-04-13). **2026-04-22: disable — drivers no longer get IT access** |
| Lauren Hasselman | lauren.hasselman | Business Office Director | Administrative | first.last@, Accounting@ | Replaced Jeff Bristol. lowercase SamAccountName |
| Allison Reibschied | Allison.Reibschied | Accounting Assistant | Administrative | first.last@ | Added 2026-03-13. PC: ACCT2-PC |
| QBDataServiceUser34 | QBDataServiceUser34 | — | — | — | QuickBooks service account |
| Culinary | Culinary | — | — | — | Generic department account — replace Phase 5 |
| RECEPTIONIST | Receptionist | — | — | — | Generic role account — replace Phase 5 |
| saleshare | saleshare | — | — | — | Shared sales resource — replace Phase 5 |
| directoryshare | directoryshare | — | — | — | Shared directory resource — replace Phase 5 |
### Enabled Accounts — Staff (updated 2026-05-19)
### Not in AD — Needs Account Created
| Name | Position | Department | Shared Email | Notes |
|------|----------|------------|-------------|-------|
| Kyla Quick Tiffany | Resident Services Receptionist | Resident Services | Frontdesk@ | New — needs AD + M365 account |
**OU=Administrative**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |
**OU=Care-Assisted Living**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** |
**OU=Care-Memorycare**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | |
| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) |
**OU=Caregivers** — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.
**OU=Culinary**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| JD.Martin | JD Martin | Culinary Director | |
| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) |
| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | |
**OU=Housekeeping**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
**OU=Life Enrichment**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI |
| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM |
**OU=Maintenance**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC |
| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data |
**OU=Marketing**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |
**OU=Resident Services**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christina.DuPras | Christina DuPras | Resident Services Director | |
| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ |
| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD |
| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk |
| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** |
**OU=Transportation** — accounts still enabled but flagged for disable
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). **Disable — drivers no longer get IT access** |
| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** |
| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** |
**CN=Users — Service Accounts**
| SamAccountName | Notes |
|---------------|-------|
| Administrator | Built-in |
| localadmin | Local admin |
| sysadmin | System admin (IT) |
| MSOL_12be42ce1269 | Entra Connect service account |
| QBDataServiceUser34 | QuickBooks service account |
**OU=Excluded-From-Sync — Shared/Generic Accounts** (intentionally not syncing to Entra)
| SamAccountName | Notes |
|---------------|-------|
| Culinary | Generic dept account — replace Phase 5 |
| directoryshare | Shared resource — replace Phase 5 |
| RECEPTIONIST | Generic role account — replace Phase 5 |
| saleshare | Shared resource — replace Phase 5 |
**OU=ServiceAccounts**
| SamAccountName | Notes |
|---------------|-------|
| svc-audit-upload | GuruRMM audit upload service account |
### Disabled Accounts
| SamAccountName | Notes |
|---------------|-------|
| Guest | Built-in — correct to leave disabled |
| krbtgt | Built-in Kerberos — **password 569+ days old as of 2026-03-20, needs rotation** |
### Accounts Deleted (2026-04-13 cleanup)
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol
### Disabled Accounts (2) — cleaned 2026-04-13
| Name | SamAccountName | Notes |
|------|---------------|-------|
| Guest | Guest | Built-in — correct to leave disabled |
| krbtgt | krbtgt | Built-in Kerberos — correct to leave disabled. **Password 569+ days old — needs rotation** |
## Caregiver Accounts (OU=Caregivers)
38 accounts, all shift caregivers/medtechs, first-initial-last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU).
a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed
s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.
## Domain-Joined Computers (8)
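Review bot: the caregiver count in this hunk does not match the list: the change log, the OU=Caregivers line and the Caregiver Accounts section all say 38 accounts, but the inline SamAccountName list has 40 entries (a.atwood through w.reed); reconcile the count or the list, since SG-Caregivers membership and the Entra sync scope are both documented against 38. Also, the "Not in AD — Needs Account Created" table still lists Kyla Quick Tiffany while the OU=Resident Services row in the same hunk says the account is now confirmed in AD; if that table is meant to survive it should be marked resolved, otherwise it reads as an open provisioning task.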
@@ -82,7 +147,7 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
|----------|------|
| CS-QB | Hyper-V VM — VoIP server |
### OU=Staff PCs,OU=Workstations (moved 2026-04-13)
### OU=Staff PCs,OU=Workstations
| Computer | User | Role |
|----------|------|------|
| ACCT2-PC | Allison Reibschied | Accounting |
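Review bot: the ACCT2-PC row still assigns the workstation to Allison Reibschied, whose account this same commit records as disabled 2026-05-19 and replaced by Zachary Nelson; update the User column or flag the machine as pending reassignment so the computer inventory does not name a disabled user as its owner.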
@@ -92,103 +157,77 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |
### Missing from AD (listed in overview but NOT domain-joined)
- **SALES4-PC** — Sales workstation (10.0.20.203) — NOT in AD
- **CHEF-PC** — Kitchen workstation (10.0.20.232) — NOT in AD
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) — NOT in AD
- **DESKTOP-KQSL232** — Unknown (10.0.20.227) — NOT in AD
### OU=Shared PCs,OU=Workstations
Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).
These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain.
### Not Domain-Joined (on network but workgroup/unjoined)
- **SALES4-PC** — Sales workstation (10.0.20.203)
- **CHEF-PC** — Kitchen workstation (10.0.20.232)
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20)
- **DESKTOP-KQSL232** — Unknown (10.0.20.227)
## Organizational Units
Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).
## Organizational Units (current state — 2026-05-19)
OU cleanup is **complete**. All root-level duplicate OUs have been deleted. The structure below reflects live state.
### Current State (pre-cleanup)
```
cascades.local
├── Builtin (system)
├── Computers (default container) ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7
├── Users (default container) ← 20 accounts dumped here (system + stale + needs placement)
├── Computers (default) — CS-QB (VoIP VM)
├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers
│ └── CS-SERVER
├── Managment ← MISSPELLED, empty — DELETE
├── Sales ← empty — DELETE
├── MemCare ← empty — DELETE
├── Administrative ← ROOT DUPLICATE of Departments\Administrative — DELETE
├── Care-Assisted Living ← ROOT DUPLICATE — DELETE
├── Care-Memorycare ← ROOT DUPLICATE — DELETE
├── Culinary ← ROOT DUPLICATE — DELETE
├── Housekeeping ← ROOT DUPLICATE — DELETE
├── Life Enrichment ← ROOT DUPLICATE — DELETE
├── Maintenance ← ROOT DUPLICATE — DELETE
├── Marketing ← ROOT DUPLICATE — DELETE
├── Resident Services ← ROOT DUPLICATE — DELETE
── Transportation ← ROOT DUPLICATE — DELETE
── Departments
├── Administrative (6 users)
├── Care-Assisted Living (4 users)
│ └── Nurses (sub-OU, empty)
├── Care-Memorycare (2 users)
── Culinary (4 users)
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
└── Nurses (empty sub-OU)
├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
├── Housekeeping — Lupe.Sanchez
├── Life Enrichment — Sharon.Edwards, Susan.Hicks
├── Maintenance — John.Trozzi, Matt.Brooks
├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
│ └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── ServiceAccounts — svc-audit-upload
└── Workstations
├── Shared PCs (empty)
── Staff PCs — domain-joined workstations
```
### Target State (after cleanup — Phase 2.1 + 2.2)
```
cascades.local
├── Builtin (system)
├── Computers (default container) ← CS-QB stays here (VM, not staff PC)
├── Users (default container) ← system/service accounts only
├── Domain Controllers
│ └── CS-SERVER
├── Workstations ← NEW
│ ├── Staff PCs ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM
│ └── Shared PCs ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation)
└── Departments
├── Administrative (6 users)
├── Care-Assisted Living (4 users)
│ └── Nurses (sub-OU)
├── Care-Memorycare (2 users)
├── Culinary (4 users)
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
```
**Historical note:** Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.
### Cleanup Scripts
- `migration/scripts/phase2-ou-cleanup.ps1` — Audit + delete 13 root-level OUs, handle CN=Users accounts
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, create Workstations OU, security groups, move computers
## Security Groups (OU=Groups — live state 2026-05-20)
## Group Policy (as of 2026-03-07 export)
GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
| GPO | Created | Modified | Settings | Notes |
|-----|---------|----------|----------|-------|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. **Lockout: 5 attempts / 30 min** (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Reasonable — keep |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
**GPO Review (2026-03-07):** All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. The Default Domain Policy has account lockout disabled (threshold = 0), allowing unlimited password brute-force attempts — this needs to be fixed in the security baseline GPO.
## RDS Licensing
- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- **Compliance risk:** Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused. Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode.
## Existing AD Groups (Custom)
| Group | Members | Notes |
|-------|---------|-------|
| SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. |
| SG-CA-BreakGlass | 0 | Conditional Access break-glass group |
| SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra |
| SG-Chat-RW | 0 | Chat share access — legacy |
| SG-CourtesyPatrol | 0 | Courtesy patrol dept |
| SG-Culinary-RW | 0 | Culinary share access |
| SG-Directory-RW | 0 | Directory share access |
| SG-Drivers | 0 | Transportation drivers |
| SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in |
| SG-FrontDesk | 0 | Front desk dept |
| SG-IT-RW | 0 | IT share access |
| SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. |
| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. |
| SG-Office-PHI-External | 0 | PHI-authorized external access |
| SG-Office-PHI-Internal | 0 | PHI-authorized internal access |
| SG-Receptionist-RW | 0 | Receptionist share access |
| SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. |
| SG-Sales-RW | 0 | Sales share — Read/Write |
| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share |
| AuditUploaders | 0 | GuruRMM audit upload service |
**Legacy groups (CN=Users, not in OU=Groups):**
| Group | Members | Notes |
|-------|---------|-------|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
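Review bot: the GPO Review paragraph still states that the Default Domain Policy has account lockout disabled (threshold = 0) and allows unlimited brute-force attempts, while the table row directly above it records "Lockout: 5 attempts / 30 min (fixed 2026-03-09)"; the paragraph should be updated or dated so the doc does not report an open password-guessing exposure that the table says is closed. Two more consistency points: the Security Groups table shows SG-IT-RW and SG-Sales-RW with 0 members, yet phase2-new-shares.ps1 grants SG-IT-RW Modify on the Server share and phase2-ad-groups-new.ps1 removes Tamra.Matthews from SG-Sales-RW, so either the counts are stale or the new shares currently have no RW principal at all; and the OU tree labels OU=Caregivers as "first.last format" while the Caregiver Accounts section says first-initial-last (e.g., a.mcferren). The "Current State (pre-cleanup)" heading also sits under a section that says cleanup is complete and the tree is live state; rename it.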
@@ -196,110 +235,110 @@ GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
| MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated |
## Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3)
## Entra Connect (live state 2026-05-19)
See `migration/phase2-server-prep.md` and `migration/scripts/phase2-ad-setup.ps1`.
Entra Connect is installed and running on CS-SERVER in production mode.
### Security Fixes (immediate)
- Remove disabled Monica.Ramirez from **Domain Admins** (security risk)
- Disable Haris.Durut (still enabled, not employed)
- Fix "Quickboosk acccess" → "QuickBooks Access"
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)
| Setting | Value |
|---------|-------|
| Installed on | CS-SERVER |
| Staging mode | FALSE (live production sync) |
| Scheduler | Enabled — next run: Delta |
| AD connector | cascades.local |
| Entra connector | NETORGFT4257522.onmicrosoft.com |
| OU sync scope | Full domain (dnList empty — unfiltered) |
| Service account | MSOL_12be42ce1269 (CN=Users) |
### OU Changes
- **DELETE 10 root-level duplicate OUs** (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
- **DELETE 3 empty root-level OUs** (Managment, MemCare, Sales) — unused
- Create: `OU=Workstations,DC=cascades,DC=local`
- Create: `OU=Staff PCs,OU=Workstations,DC=cascades,DC=local`
**OU=Excluded-From-Sync** is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.
### Security Groups (created with members from Synology permission mapping)
All other OUs — including OU=Caregivers — are within scope and sync to Entra.
| Group | Members |
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |
**Historical note:** As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.
### Account Removals (client confirmed)
## SMB Shares (live — D:\ on CS-SERVER)
**Already disabled — delete:** Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol
Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`.
**Enabled but not in HR — disable + delete:** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery
| Share | Path | Notes |
|-------|------|-------|
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
| Culinary | D:\Shares\Culinary | |
| directoryshare | D:\Shares\directoryshare | |
| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
| IT | D:\Shares\IT | |
| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Receptionist | D:\Shares\Receptionist | |
| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
| Shares | D:\Shares | Root share |
**Keep:** lauren.hasselman (replaced Bristol as Business Office Director)
**Printers shared from CS-SERVER:**
| Share | Device |
|-------|--------|
| RecRoom-Canon | 1F-132-RecRoom-Canon |
| MemCare Director Printer | MF451CDW |
| MemCare MedTech Printer | Brother MFC-L8900CDW |
### CN=Users — HR Verified (2026-03-10)
## Group Policy (as of 2026-03-07 export)
HR (Meredith) responded. All accounts resolved:
GPOs exist but effectiveness is limited since most PCs are not domain-joined.
| Account | Enabled | Last Logon | Action |
|---------|---------|-----------|--------|
| Lupe.Sanchez | Yes | Never | **Keep** — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate |
| Receptionist | Yes | 2/22/2026 | Shared account — keep until Phase 5 replacement |
| directoryshare | Yes | 2/26/2026 | Shared/service account — keep until Phase 5 replacement |
| GPO | Created | Modified | Settings | Notes |
|-----|---------|----------|----------|-------|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
**Confirmed DELETE by HR:**
- Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
- Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
- Jodi.Ramstack (disabled)
- Monica.Ramirez (disabled, already removed from Domain Admins)
- Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license
**Already confirmed for removal (not current employees, never logged in):**
Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)
**System/service accounts staying in CN=Users:**
Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34
### Domain Join (Phase 3)
Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:
- DESKTOP-KQSL232 (first)
- CHEF-PC
- SALES4-PC
- MDIRECTOR-PC (last)
### GPOs to Create (Phase 2.6)
**GPOs to Create (Phase 2.6 — not yet run):**
1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
5. **CSC - Folder Redirection** — Desktop, Documents, Downloads `\\CS-SERVER\homes\%username%\`
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification.
5. **CSC - Folder Redirection** — Desktop, Documents, Downloads to `\\CS-SERVER\homes\%username%\`
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
### Entra Connect (Phase 2.7 — NEW)
- Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
- **BLOCKED ON:** AD cleanup (renames, deletions, duplicate resolution) must complete first
- See `cloud/m365.md` → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
- Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles
## RDS Licensing
### Shared Account Replacement (Phase 5)
Replace Culinary, Receptionist, saleshare, directoryshare with security group access.
- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
- Decision deferred to Phase 5.
## Domain Admins (from 2026-03-07 export)
## Domain Admins
| Account | Status | Action Needed |
|---------|--------|---------------|
| Account | Status | Notes |
|---------|--------|-------|
| Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | **REMOVE** — administrative staff, not IT |
| John.Trozzi | Enabled | **REMOVE** — maintenance, not IT |
| ~~Monica.Ramirez~~ | **Disabled** | **REMOVED 2026-03-09** |
| Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
| John.Trozzi | Enabled | Should be removed — maintenance, not IT |
| ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
| sysadmin | Enabled | OK (IT account) |
## Login Activity (audit 2026-03-20)
## Pending Issues (discovered 2026-05-19 audit)
Only 12 of 49 enabled accounts have ever logged in. Most staff have never used their AD accounts because their PCs aren't domain-joined.
| Issue | Account | Action Needed |
|-------|---------|---------------|
| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
## Login Activity (audit 2026-03-20 — historical/stale)
Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.
| Account | Last Logon | Notes |
|---------|-----------|-------|
| sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | **NEW** Administrative |
| Allison.Reibschied | 2026-03-13 | Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account |
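Review bot: the Server share row grants `Domain Users (ReadAndExecute)` on D:\Shares\Server, yet this hunk also says the shared accounts Culinary, Receptionist, saleshare and directoryshare stay until Phase 5 and that britney.thompson, Richard.Adams, Julian.Crim, Christopher.Holick and Shontiel.Nunn are still enabled; all of them are Domain Users, so any kiosk login and any departed-but-enabled account can read the Server share today. Use a dedicated read-only group (the earlier plan already names `SG-AllShares-RO | (populated as needed)`) instead of Domain Users, or record why broad read is intended. The same accounts sit inside the Entra Connect scope, since `OU sync scope | Full domain` with only OU=Excluded-From-Sync carved out, so they receive cloud identities until disabled in AD; do those disables before the next delta sync rather than leaving them in Pending Issues. Three documentation points: the Pending Issues table is headed `discovered 2026-05-19 audit` but the krbtgt row still reads `569+ days old as of 2026-03-20`, so restate the age as of the audit date; the list of system/service accounts staying in CN=Users (Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34) should now include MSOL_12be42ce1269, which the Entra Connect table places in CN=Users; and the live Default Domain Policy still enforces a 7-char minimum while the 12-char `CSC - Security Baseline` GPO is listed as not yet run, which deserves a line next to the Entra Connect section now that the stated goal is single sign-on with one password.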
@@ -307,23 +346,20 @@ Only 12 of 49 enabled accounts have ever logged in. Most staff have never used t
| localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account |
| saleshare | 2025-12-08 | Shared account |
| Christina.DuPras | 2026-01-06 | |
| Monica.Ramirez | 2024-11-04 | **Disabled** |
| saleshare | 2025-12-08 | Shared account |
| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |
**37 enabled accounts have NEVER logged in** — most have never set a password either.
37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
## Issues Found
1. **Only 6 computers domain-joined** — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
2. **3 GPOs from Dec 2025 undocumented** — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these.
3. **RDS licensing not configured** — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision)
4. **12 accounts to remove** — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2)
5. **4 shared/generic accounts** (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5)
6. **Monica.Ramirez (disabled) still in Domain Admins** — Security risk, fix immediately. (Phase 2.2)
7. **Meredith.Kuhn and John.Trozzi in Domain Admins** — Non-IT staff should not be DAs. (Phase 2.2)
8. **"Managment" OU misspelled** — To be deleted (empty). (Phase 2.1)
9. **"Quickboosk acccess" group typo** — To be fixed. (Phase 2.2)
10. **13 junk root-level OUs** — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1.
11. **20 accounts in CN=Users** — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
12. **5 computers in CN=Computers** — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
13. **Lupe.Sanchez** — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
## Migration Plan Reference
See `migration/phase2-server-prep.md` for full phase details. Scripts referenced throughout this doc:
- `migration/scripts/phase2-ou-cleanup.ps1` — OU audit + delete (COMPLETE)
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
- `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
- `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
**Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.
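Review bot: the `## Issues Found` list still presents as open several items this same page records as closed: item 2 says the three Dec 2025 GPOs need review, but the GPO table marks CopyRoomPrinter, Nurses-Kiosk and MemCareMedTechPrinter `DELETED 2026-03-09`; item 6 says Monica.Ramirez is still in Domain Admins and to fix immediately, but the Domain Admins table says `Removed 2026-03-09` and the login table says `Disabled — now deleted`; item 9 says the `Quickboosk acccess` typo is to be fixed, but the legacy groups table says it was renamed on 2026-03-09; items 8 and 10 target OUs that `phase2-ou-cleanup.ps1` is listed as having deleted (COMPLETE). Either drop this list in favour of Pending Issues or mark each item resolved with its date, otherwise a reader cannot tell which of the two issue lists is authoritative. Also, the script reference block dates the new groups and shares `COMPLETE 2026-05-20` while the Entra Connect live state and the pending-issues audit are dated 2026-05-19; if that is a UTC versus local-time artifact, pick one convention for the page.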