client/cascades: Phase 2.5 AD groups and shares — COMPLETE

Created SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW in OU=Groups.
Created SMB shares Management, Sales, Activities, Server on D:\Shares
with ABE enabled and correct NTFS ACLs per group.
Scripts run on CS-SERVER via GuruRMM 2026-05-20. AD doc updated to live state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 22:14:56 -07:00
parent d5d2580dd5
commit 3328a24742
3 changed files with 537 additions and 231 deletions


@@ -0,0 +1,97 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5a: Create new AD security groups for staged share rollout.
.DESCRIPTION
Creates three new global security groups for the new share structure.
Groups are created EMPTY — members are added per-department when each
department is ready to cut over to the new shares.
Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
No other changes are made to existing groups or members.
.NOTES
IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
Run on CS-SERVER via GuruRMM remote execution.
Verify $GroupOU before running:
Get-ADGroup SG-Management-RW | Select DistinguishedName
The OU in $GroupOU must match the OU where existing SG- groups live.
#>
Import-Module ActiveDirectory -ErrorAction Stop
# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
$GroupOU = "OU=Groups,DC=cascades,DC=local"
Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
Write-Host ""
# ============================================================
# STEP 1: Create new groups (empty — members added later)
# ============================================================
Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow
$newGroups = @(
@{ Name = "SG-Mgmt-RW"; Description = "Management share - Read/Write" }
@{ Name = "SG-Sales-RO"; Description = "Sales share - Read Only" }
@{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
)
foreach ($g in $newGroups) {
try {
$existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
if (-not $existing) {
New-ADGroup `
-Name $g.Name `
-GroupScope Global `
-GroupCategory Security `
-Path $GroupOU `
-Description $g.Description `
-ErrorAction Stop
Write-Host " [OK] Created: $($g.Name)" -ForegroundColor Green
} else {
Write-Host " [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
# ============================================================
Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow
try {
$isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }
if ($isMember) {
Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
Write-Host " [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
} else {
Write-Host " [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
}
# ============================================================
# SUMMARY: All SG- groups with member counts
# ============================================================
Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
Write-Host ""
Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
Sort-Object Name |
ForEach-Object {
$count = (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host (" {0,-25} {1,2} member(s)" -f $_.Name, $count) -ForegroundColor Cyan
}
Write-Host ""
Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green
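Review bot: STEP 2 removes Tamra.Matthews from SG-Sales-RW without adding her to SG-Sales-RO, while STEP 1 creates SG-Sales-RO empty and the .DESCRIPTION defers all membership to the per-department cutover, so between this run and whenever someone populates the RO group she has no Sales access at all. Either add a guarded `Add-ADGroupMember -Identity "SG-Sales-RO" -Members "Tamra.Matthews"` in the same try block (with a membership check, as the removal already has) or move the removal to the cutover step. Also, the .NOTES ask the operator to verify $GroupOU by hand; a `Get-ADOrganizationalUnit -Identity $GroupOU -ErrorAction Stop` before STEP 1 would fail fast on a wrong path instead of emitting three [ERROR] lines and then printing a summary that looks normal.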


@@ -0,0 +1,173 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5b: Create new share folders, NTFS permissions, and SMB shares on CS-SERVER.
.DESCRIPTION
Builds the folder structure for the staged share rollout. Folders are created
empty — data sync runs separately after this script. Sets NTFS permissions with
broken inheritance and creates SMB shares with Access-Based Enumeration enabled.
Shares created: Management, Sales, Activities, Server.
Does NOT touch: D:\Shares\homes, D:\Shares\Culinary, D:\Shares\Receptionist,
D:\Shares\directoryshare, D:\Shares\IT, D:\Shares\chat, D:\Shares\Public,
or any other existing shares.
.NOTES
IDEMPOTENT — safe to re-run. NTFS permissions are always reapplied (not skipped).
Existing SMB shares have their description updated; share-level permissions are
left alone on re-run.
Requires the ActiveDirectory module and must be run as Administrator on CS-SERVER.
Run AFTER phase2-ad-groups-new.ps1.
#>
Import-Module ActiveDirectory -ErrorAction Stop
$DestRoot = "D:\Shares"
Write-Host "=== Phase 2.5b: New Share Folders & Permissions ===" -ForegroundColor Cyan
Write-Host ""
# --- Share definitions ---
# RWGroup and ROGroup may be $null. $null means that ACE is omitted.
$shares = @(
@{
Name = "Management"
Path = "$DestRoot\Management"
RWGroup = "CASCADES\SG-Mgmt-RW"
ROGroup = $null
Desc = "Management share (Directors only)"
},
@{
Name = "Sales"
Path = "$DestRoot\Sales"
RWGroup = "CASCADES\SG-Sales-RW"
ROGroup = "CASCADES\SG-Sales-RO"
Desc = "Sales share"
},
@{
Name = "Activities"
Path = "$DestRoot\Activities"
RWGroup = "CASCADES\SG-Activities-RW"
ROGroup = $null
Desc = "Activities share (Life Enrichment)"
},
@{
Name = "Server"
Path = "$DestRoot\Server"
RWGroup = "CASCADES\SG-IT-RW"
ROGroup = "CASCADES\Domain Users"
Desc = "Server share (IT tools and scripts)"
}
)
foreach ($s in $shares) {
Write-Host "`n--- $($s.Name) ---" -ForegroundColor Yellow
# Create folder if it doesn't exist
try {
if (-not (Test-Path $s.Path)) {
New-Item -Path $s.Path -ItemType Directory -Force | Out-Null
Write-Host " [OK] Created folder: $($s.Path)" -ForegroundColor Green
} else {
Write-Host " [SKIP] Folder already exists: $($s.Path)" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create folder $($s.Path): $_" -ForegroundColor Red
continue
}
# Set NTFS permissions (always reapplied — not skipped on re-run)
try {
$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Break inheritance and discard all inherited entries
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"SYSTEM",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"CASCADES\Domain Admins",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
if ($s.RWGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.RWGroup,
"Modify",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
if ($s.ROGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.ROGroup,
"ReadAndExecute",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
Set-Acl -Path $s.Path -AclObject $acl -ErrorAction Stop
Write-Host " [OK] NTFS permissions set" -ForegroundColor Green
}
catch {
Write-Host " [ERROR] NTFS permissions failed on $($s.Path): $_" -ForegroundColor Red
continue
}
# Create or update SMB share
try {
$existingShare = Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue
if (-not $existingShare) {
New-SmbShare `
-Name $s.Name `
-Path $s.Path `
-Description $s.Desc `
-FullAccess "Authenticated Users" `
-FolderEnumerationMode AccessBased `
-ErrorAction Stop
Write-Host " [OK] Created SMB share: \\CS-SERVER\$($s.Name) (ABE enabled)" -ForegroundColor Green
} else {
# Update description only; share-level permissions are left alone
Set-SmbShare -Name $s.Name -Description $s.Desc -Force -ErrorAction Stop
Write-Host " [SKIP] SMB share already exists — description updated" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] SMB share failed for $($s.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# SUMMARY
# ============================================================
Write-Host "`n=== New Shares Summary ===" -ForegroundColor Cyan
Write-Host "`nAll SMB shares on D:\:" -ForegroundColor Yellow
Get-SmbShare | Where-Object { $_.Path -like "D:\*" } |
Select-Object Name, Path, Description, FolderEnumerationMode |
Format-Table -AutoSize -Wrap
Write-Host "NTFS permissions on new folders:" -ForegroundColor Yellow
foreach ($s in $shares) {
if (Test-Path $s.Path) {
Write-Host "`n $($s.Path):" -ForegroundColor Cyan
& icacls $s.Path
}
}
Write-Host "`n=== New Share Setup Complete ===" -ForegroundColor Cyan
Write-Host "Folders are empty — sync data separately before activating each department." -ForegroundColor Green
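Review bot: The existence check `Get-SmbShare -Name $s.Name` matches on name only, so if a legacy share with the same name (the doc lists a number of pre-existing shares under D:\Shares) already exists on a different path, the script takes the else branch, updates that share's description and reports [SKIP] while the new folder is never shared at all. Compare `$existingShare.Path` with `$s.Path` and treat a mismatch as an error. On the same re-run path, `Set-SmbShare -Name $s.Name -Description $s.Desc -Force` does not re-assert ABE, so the "ABE enabled" state the commit message claims is only guaranteed at first creation; add `-FolderEnumerationMode AccessBased` to that call. Finally, `-FullAccess "Authenticated Users"` at the share level makes the NTFS DACL the only control; that is a common pattern, but for the Server share (ROGroup = Domain Users) it means every domain account can read "IT tools and scripts", so confirm that is intended and that nothing credential-bearing lands in that folder.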


@@ -8,67 +8,132 @@
- Sites: Default-First-Site-Name - Sites: Default-First-Site-Name
- No trusts configured - No trusts configured
## AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13 ## AD Users (updated 2026-05-19)
**New since last doc update:** Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26) **Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.
### Enabled Accounts — HR Roster (updated 2026-04-13) ### Enabled Accounts — Staff (updated 2026-05-19)
| Name | SamAccountName | Position | Department | Shared Email | Notes |
|------|---------------|----------|------------|-------------|-------|
| Administrator | Administrator | — | — | — | Built-in |
| localadmin | localadmin | — | — | — | Local admin |
| Sysadmin | sysadmin | — | — | — | System admin |
| Howard Dax | howard | Home Office | Administrative | first.last@ | MSP technician |
| Meredith Kuhn | Meredith.Kuhn | Executive Director | Administrative | first.last@ | |
| John Trozzi | John.Trozzi | Maintenance Director | Maintenance | first.last@ | PC: MAINTENANCE-PC |
| Lupe Sanchez | Lupe.Sanchez | Housekeeping Director | Housekeeping | first.last@ | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
| Megan Hiatt | Megan.Hiatt | Sales Director | Marketing | first.last@, Sales@ | |
| Crystal Rodriguez | Crystal.Rodriguez | Sales Associate | Marketing | first.last@, Sales@ | PC: CRYSTAL-PC |
| Tamra Matthews | Tamra.Matthews | Move-In Coordinator | Marketing | first.last@ | Renamed from Tamra.Johnson (2026-04-13) |
| Lois Lane | Lois.Lane | Health Services Director | Care, Assisted Living | first.last@, Nurses@ | |
| Christina DuPras | Christina.DuPras | Resident Services Director | Resident Services | first.last@ | |
| Christine Nyanzunda | Christine.Nyanzunda | Memory Care Admin Assistant | Care, Memory Care | first.last@ | |
| Susan Hicks | Susan.Hicks | Life Enrichment Director | Life Enrichment | first.last@ | PC: DESKTOP-ROK7VNM |
| Ashley Jensen | Ashley.Jensen | Assistant Executive Director | Administrative | first.last@, Accounting@ | |
| Veronica Feller | Veronica.Feller | Care, Assisted Living Aide | Care, Assisted Living | first.last@ | |
| Sebastian Leon | Sebastian.Leon | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| JD Martin | JD.Martin | Culinary Director | Culinary | first.last@ | |
| Alyssa Brooks | Alyssa.Brooks | Dining Manager | Culinary | first.last@ | Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13) |
| Matt Brooks | Matt.Brooks | Memory Care Receptionist | Maintenance | first.last@ | Dept says Maintenance (HR data) |
| Ramon Castaneda | Ramon.Castaneda | Kitchen Manager | Culinary | first.last@ | |
| Michelle Shestko | Michelle.Shestko | Resident Services Receptionist | Resident Services | MC Front Desk | |
| Sharon Edwards | Sharon.Edwards | Life Enrichment Assistant | Life Enrichment | first.last@ | PC: DESKTOP-DLTAGOI |
| Britney Thompson | britney.thompson | Memory Care Nurse | Care, Assisted Living | first.last@, Nurses@ | **DEPARTED 2026-04-22 per John — disable account + harvest license** |
| Shelby Trozzi | Shelby.Trozzi | Memory Care Director | Care, Memory Care | first.last@ | Renamed from strozzi (2026-04-13) |
| Karen Rossini | karen.rossini | Health Services Manager | Care, Assisted Living | first.last@, Nurses@ | lowercase SamAccountName |
| Sheldon Gardfrey | Sheldon.Gardfrey | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| Cathy Kingston | Cathy.Kingston | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Shontiel Nunn | Shontiel.Nunn | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Ray Rai | Ray.Rai | RS Courtesy Patrol | Resident Services | Frontdesk@ | |
| Richard Adams | Richard.Adams | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Julian Crim | Julian.Crim | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Christopher Holick | Christopher.Holick | Driver | Transportation | Transportation@ | Fixed from Holik (2026-04-13). **2026-04-22: disable — drivers no longer get IT access** |
| Lauren Hasselman | lauren.hasselman | Business Office Director | Administrative | first.last@, Accounting@ | Replaced Jeff Bristol. lowercase SamAccountName |
| Allison Reibschied | Allison.Reibschied | Accounting Assistant | Administrative | first.last@ | Added 2026-03-13. PC: ACCT2-PC |
| QBDataServiceUser34 | QBDataServiceUser34 | — | — | — | QuickBooks service account |
| Culinary | Culinary | — | — | — | Generic department account — replace Phase 5 |
| RECEPTIONIST | Receptionist | — | — | — | Generic role account — replace Phase 5 |
| saleshare | saleshare | — | — | — | Shared sales resource — replace Phase 5 |
| directoryshare | directoryshare | — | — | — | Shared directory resource — replace Phase 5 |
### Not in AD — Needs Account Created **OU=Administrative**
| Name | Position | Department | Shared Email | Notes | | SamAccountName | Name | Position | Notes |
|------|----------|------------|-------------|-------| |---------------|------|----------|-------|
| Kyla Quick Tiffany | Resident Services Receptionist | Resident Services | Frontdesk@ | New — needs AD + M365 account | | Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |
**OU=Care-Assisted Living**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** |
**OU=Care-Memorycare**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | |
| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) |
**OU=Caregivers** — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.
**OU=Culinary**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| JD.Martin | JD Martin | Culinary Director | |
| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) |
| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | |
**OU=Housekeeping**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
**OU=Life Enrichment**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI |
| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM |
**OU=Maintenance**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC |
| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data |
**OU=Marketing**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |
**OU=Resident Services**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christina.DuPras | Christina DuPras | Resident Services Director | |
| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ |
| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD |
| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk |
| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** |
**OU=Transportation** — accounts still enabled but flagged for disable
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). **Disable — drivers no longer get IT access** |
| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** |
| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** |
**CN=Users — Service Accounts**
| SamAccountName | Notes |
|---------------|-------|
| Administrator | Built-in |
| localadmin | Local admin |
| sysadmin | System admin (IT) |
| MSOL_12be42ce1269 | Entra Connect service account |
| QBDataServiceUser34 | QuickBooks service account |
**OU=Excluded-From-Sync — Shared/Generic Accounts** (intentionally not syncing to Entra)
| SamAccountName | Notes |
|---------------|-------|
| Culinary | Generic dept account — replace Phase 5 |
| directoryshare | Shared resource — replace Phase 5 |
| RECEPTIONIST | Generic role account — replace Phase 5 |
| saleshare | Shared resource — replace Phase 5 |
**OU=ServiceAccounts**
| SamAccountName | Notes |
|---------------|-------|
| svc-audit-upload | GuruRMM audit upload service account |
### Disabled Accounts
| SamAccountName | Notes |
|---------------|-------|
| Guest | Built-in — correct to leave disabled |
| krbtgt | Built-in Kerberos — **password 569+ days old as of 2026-03-20, needs rotation** |
### Accounts Deleted (2026-04-13 cleanup) ### Accounts Deleted (2026-04-13 cleanup)
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol
### Disabled Accounts (2) — cleaned 2026-04-13 ## Caregiver Accounts (OU=Caregivers)
| Name | SamAccountName | Notes |
|------|---------------|-------| 38 accounts, all shift caregivers/medtechs, first-initial-last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU).
| Guest | Guest | Built-in — correct to leave disabled |
| krbtgt | krbtgt | Built-in Kerberos — correct to leave disabled. **Password 569+ days old — needs rotation** | a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed
s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.
## Domain-Joined Computers (8) ## Domain-Joined Computers (8)
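Review bot: The "Enabled Accounts" tables in this hunk still carry five accounts flagged for disable (britney.thompson, departed 2026-04-22; the three Transportation drivers; Shontiel.Nunn) plus the krbtgt password-rotation item dated 2026-03-20, all of which were open in the prior doc version and are still open here even though this commit ran scripts on CS-SERVER on 2026-05-20. Since this is meant to be a live-state document, collect these into one open-items list with an owner and target date rather than leaving them as bold notes scattered across tables. Two smaller points: the new heading "AD Users (updated 2026-05-19)" drops the account total that the old heading carried ("42 total — 40 enabled, 2 disabled"), so the reader can no longer reconcile the per-OU tables against a count; and Alma.Montt's Position column reads "Life Enrichment", which is a department, while she sits in OU=Administrative, so her position and OU placement should be confirmed.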
@@ -82,7 +147,7 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
|----------|------| |----------|------|
| CS-QB | Hyper-V VM — VoIP server | | CS-QB | Hyper-V VM — VoIP server |
### OU=Staff PCs,OU=Workstations (moved 2026-04-13) ### OU=Staff PCs,OU=Workstations
| Computer | User | Role | | Computer | User | Role |
|----------|------|------| |----------|------|------|
| ACCT2-PC | Allison Reibschied | Accounting | | ACCT2-PC | Allison Reibschied | Accounting |
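Review bot: The ACCT2-PC row still lists Allison Reibschied as the user, but this same commit disables Allison.Reibschied (no longer employed) and confirms Zachary.Nelson as her replacement in the Accounting Assistant role; update the User column to Zachary Nelson, or mark the PC as unassigned, so the workstation table agrees with the account tables.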
@@ -92,103 +157,77 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant | | DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director | | DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |
### Missing from AD (listed in overview but NOT domain-joined) ### OU=Shared PCs,OU=Workstations
- **SALES4-PC** — Sales workstation (10.0.20.203) — NOT in AD Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).
- **CHEF-PC** — Kitchen workstation (10.0.20.232) — NOT in AD
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) — NOT in AD
- **DESKTOP-KQSL232** — Unknown (10.0.20.227) — NOT in AD
These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain. ### Not Domain-Joined (on network but workgroup/unjoined)
- **SALES4-PC** — Sales workstation (10.0.20.203)
- **CHEF-PC** — Kitchen workstation (10.0.20.232)
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20)
- **DESKTOP-KQSL232** — Unknown (10.0.20.227)
## Organizational Units Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).
## Organizational Units (current state — 2026-05-19)
OU cleanup is **complete**. All root-level duplicate OUs have been deleted. The structure below reflects live state.
### Current State (pre-cleanup)
``` ```
cascades.local cascades.local
├── Builtin (system) ├── Builtin (system)
├── Computers (default container) ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7 ├── Computers (default) — CS-QB (VoIP VM)
├── Users (default container) ← 20 accounts dumped here (system + stale + needs placement) ├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers ├── Domain Controllers
│ └── CS-SERVER │ └── CS-SERVER
├── Managment ← MISSPELLED, empty — DELETE ├── Departments
├── Sales ← empty — DELETE │ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
├── MemCare ← empty — DELETE ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
├── Administrative ← ROOT DUPLICATE of Departments\Administrative — DELETE └── Nurses (empty sub-OU)
├── Care-Assisted Living ← ROOT DUPLICATE — DELETE ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
├── Care-Memorycare ← ROOT DUPLICATE — DELETE ├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
├── Culinary ← ROOT DUPLICATE — DELETE ├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
├── Housekeeping ← ROOT DUPLICATE — DELETE ├── Housekeeping — Lupe.Sanchez
├── Life Enrichment ← ROOT DUPLICATE — DELETE ├── Life Enrichment — Sharon.Edwards, Susan.Hicks
├── Maintenance ← ROOT DUPLICATE — DELETE ├── Maintenance — John.Trozzi, Matt.Brooks
├── Marketing ← ROOT DUPLICATE — DELETE ├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
├── Resident Services ← ROOT DUPLICATE — DELETE ├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
── Transportation ← ROOT DUPLICATE — DELETE │ └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
── Departments ── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Administrative (6 users) ├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── Care-Assisted Living (4 users) ├── ServiceAccounts — svc-audit-upload
│ └── Nurses (sub-OU, empty) └── Workstations
├── Care-Memorycare (2 users) ├── Shared PCs (empty)
── Culinary (4 users) ── Staff PCs — domain-joined workstations
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
``` ```
### Target State (after cleanup — Phase 2.1 + 2.2) **Historical note:** Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.
```
cascades.local
├── Builtin (system)
├── Computers (default container) ← CS-QB stays here (VM, not staff PC)
├── Users (default container) ← system/service accounts only
├── Domain Controllers
│ └── CS-SERVER
├── Workstations ← NEW
│ ├── Staff PCs ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM
│ └── Shared PCs ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation)
└── Departments
├── Administrative (6 users)
├── Care-Assisted Living (4 users)
│ └── Nurses (sub-OU)
├── Care-Memorycare (2 users)
├── Culinary (4 users)
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
```
### Cleanup Scripts ## Security Groups (OU=Groups — live state 2026-05-20)
- `migration/scripts/phase2-ou-cleanup.ps1` — Audit + delete 13 root-level OUs, handle CN=Users accounts
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, create Workstations OU, security groups, move computers
## Group Policy (as of 2026-03-07 export) | Group | Members | Notes |
|-------|---------|-------|
GPOs exist but effectiveness is limited since most PCs aren't domain-joined. | SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. |
| SG-CA-BreakGlass | 0 | Conditional Access break-glass group |
| GPO | Created | Modified | Settings | Notes | | SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra |
|-----|---------|----------|----------|-------| | SG-Chat-RW | 0 | Chat share access — legacy |
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. **Lockout: 5 attempts / 30 min** (fixed 2026-03-09). Kerberos defaults. | OK | | SG-CourtesyPatrol | 0 | Courtesy patrol dept |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK | | SG-Culinary-RW | 0 | Culinary share access |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Reasonable — keep | | SG-Directory-RW | 0 | Directory share access |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | | SG-Drivers | 0 | Transportation drivers |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | | SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | | SG-FrontDesk | 0 | Front desk dept |
| SG-IT-RW | 0 | IT share access |
**GPO Review (2026-03-07):** All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. The Default Domain Policy has account lockout disabled (threshold = 0), allowing unlimited password brute-force attempts — this needs to be fixed in the security baseline GPO. | SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. |
| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. |
## RDS Licensing | SG-Office-PHI-External | 0 | PHI-authorized external access |
- **Mode: NotConfigured** | SG-Office-PHI-Internal | 0 | PHI-authorized internal access |
- **License Servers: None** | SG-Receptionist-RW | 0 | Receptionist share access |
- RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured. | SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. |
- **Compliance risk:** Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused. Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode. | SG-Sales-RW | 0 | Sales share — Read/Write |
| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share |
## Existing AD Groups (Custom) | AuditUploaders | 0 | GuruRMM audit upload service |
**Legacy groups (CN=Users, not in OU=Groups):**
| Group | Members | Notes | | Group | Members | Notes |
|-------|---------|-------| |-------|---------|-------|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 | | QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
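Review bot: Two internal inconsistencies in the new content of this hunk. The OU tree describes OU=Caregivers as "38 accounts (shift caregivers/medtechs, first.last format)", but the Caregiver Accounts section added in the previous hunk says those accounts use first-initial-last format (e.g. a.mcferren); correct the tree. More importantly, the Security Groups table shows 0 members for every SG- group including SG-Sales-RW and SG-Management-RW, yet this commit's phase2-ad-groups-new.ps1 removes Tamra.Matthews from SG-Sales-RW and the table being removed in the next hunk listed members for both. If these counts came from the script's summary output, say so and confirm them; if SG-Sales-RW really is empty, the removal was a no-op and the existing shares are granting access by some path the doc does not record.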
@@ -196,110 +235,110 @@ GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
| MemoryCareDepartment | (empty) | Never populated | | MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated | | KitchenAdmin | (empty) | Never populated |
## Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3) ## Entra Connect (live state 2026-05-19)
See `migration/phase2-server-prep.md` and `migration/scripts/phase2-ad-setup.ps1`. Entra Connect is installed and running on CS-SERVER in production mode.
### Security Fixes (immediate) | Setting | Value |
- Remove disabled Monica.Ramirez from **Domain Admins** (security risk) |---------|-------|
- Disable Haris.Durut (still enabled, not employed) | Installed on | CS-SERVER |
- Fix "Quickboosk acccess" → "QuickBooks Access" | Staging mode | FALSE (live production sync) |
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol) | Scheduler | Enabled — next run: Delta |
| AD connector | cascades.local |
| Entra connector | NETORGFT4257522.onmicrosoft.com |
| OU sync scope | Full domain (dnList empty — unfiltered) |
| Service account | MSOL_12be42ce1269 (CN=Users) |
### OU Changes **OU=Excluded-From-Sync** is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.
- **DELETE 10 root-level duplicate OUs** (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
- **DELETE 3 empty root-level OUs** (Managment, MemCare, Sales) — unused
- Create: `OU=Workstations,DC=cascades,DC=local`
- Create: `OU=Staff PCs,OU=Workstations,DC=cascades,DC=local`
### Security Groups (created with members from Synology permission mapping) All other OUs — including OU=Caregivers — are within scope and sync to Entra.
| Group | Members | **Historical note:** As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |
### Account Removals (client confirmed) ## SMB Shares (live — D:\ on CS-SERVER)
**Already disabled — delete:** Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`.
**Enabled but not in HR — disable + delete:** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery | Share | Path | Notes |
|-------|------|-------|
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
| Culinary | D:\Shares\Culinary | |
| directoryshare | D:\Shares\directoryshare | |
| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
| IT | D:\Shares\IT | |
| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Receptionist | D:\Shares\Receptionist | |
| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
| Shares | D:\Shares | Root share |
**Keep:** lauren.hasselman (replaced Bristol as Business Office Director) **Printers shared from CS-SERVER:**
| Share | Device |
|-------|--------|
| RecRoom-Canon | 1F-132-RecRoom-Canon |
| MemCare Director Printer | MF451CDW |
| MemCare MedTech Printer | Brother MFC-L8900CDW |
### CN=Users — HR Verified (2026-03-10) ## Group Policy (as of 2026-03-07 export)
HR (Meredith) responded. All accounts resolved: GPOs exist but effectiveness is limited since most PCs are not domain-joined.
| Account | Enabled | Last Logon | Action | | GPO | Created | Modified | Settings | Notes |
|---------|---------|-----------|--------| |-----|---------|----------|----------|-------|
| Lupe.Sanchez | Yes | Never | **Keep** — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate | | Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
| Receptionist | Yes | 2/22/2026 | Shared account — keep until Phase 5 replacement | | Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| directoryshare | Yes | 2/26/2026 | Shared/service account — keep until Phase 5 replacement | | Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
**Confirmed DELETE by HR:** **GPOs to Create (Phase 2.6 — not yet run):**
- Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
- Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
- Jodi.Ramstack (disabled)
- Monica.Ramirez (disabled, already removed from Domain Admins)
- Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license
**Already confirmed for removal (not current employees, never logged in):**
Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)
**System/service accounts staying in CN=Users:**
Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34
### Domain Join (Phase 3)
Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:
- DESKTOP-KQSL232 (first)
- CHEF-PC
- SALES4-PC
- MDIRECTOR-PC (last)
### GPOs to Create (Phase 2.6)
1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting 1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom) 2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min 3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart 4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
5. **CSC - Folder Redirection** — Desktop, Documents, Downloads `\\CS-SERVER\homes\%username%\` 5. **CSC - Folder Redirection** — Desktop, Documents, Downloads to `\\CS-SERVER\homes\%username%\`
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification. 6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
### Entra Connect (Phase 2.7 — NEW) ## RDS Licensing
- Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
- **BLOCKED ON:** AD cleanup (renames, deletions, duplicate resolution) must complete first
- See `cloud/m365.md` → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
- Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles
### Shared Account Replacement (Phase 5) - **Mode: NotConfigured**
Replace Culinary, Receptionist, saleshare, directoryshare with security group access. - **License Servers: None**
- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
- Decision deferred to Phase 5.
## Domain Admins (from 2026-03-07 export) ## Domain Admins
| Account | Status | Action Needed | | Account | Status | Notes |
|---------|--------|---------------| |---------|--------|-------|
| Administrator | Enabled | OK (built-in) | | Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | **REMOVE** — administrative staff, not IT | | Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
| John.Trozzi | Enabled | **REMOVE** — maintenance, not IT | | John.Trozzi | Enabled | Should be removed — maintenance, not IT |
| ~~Monica.Ramirez~~ | **Disabled** | **REMOVED 2026-03-09** | | ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
| sysadmin | Enabled | OK (IT account) | | sysadmin | Enabled | OK (IT account) |
## Login Activity (audit 2026-03-20) ## Pending Issues (discovered 2026-05-19 audit)
Only 12 of 49 enabled accounts have ever logged in. Most staff have never used their AD accounts because their PCs aren't domain-joined. | Issue | Account | Action Needed |
|-------|---------|---------------|
| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
## Login Activity (audit 2026-03-20 — historical/stale)
Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.
| Account | Last Logon | Notes | | Account | Last Logon | Notes |
|---------|-----------|-------| |---------|-----------|-------|
| sysadmin | 2026-03-16 | | | sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service | | QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | **NEW** Administrative | | Allison.Reibschied | 2026-03-13 | Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director | | lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | | | Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account | | Receptionist | 2026-03-11 | Shared account |
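Review bot: the Server share row (D:\Shares\Server) grants Domain Users ReadAndExecute on the NTFS ACL, which opens read access to every account in the domain, including the shared accounts (Culinary, Receptionist, saleshare, directoryshare) and service accounts, where the previous SG-Server-RW model was five named users; confirm that broadening is intended and say so in the Notes cell. The Sales and Server rows also omit the Domain Admins (Full) entry that the Management and Activities rows record; if the ACLs really differ, note why, otherwise align the rows. Separately, the Pending Issues table lists britney.thompson (departed 2026-04-22) and Shontiel.Nunn (superseded by s.nunn) for disable, yet the Security Groups table still shows britney.thompson in SG-Management-RW, SG-Server-RW and SG-Chat-RW and Shontiel.Nunn in SG-Receptionist-RW and SG-Directory-RW; add the group removals to the Action Needed cells, or label that table as the original Synology mapping rather than live membership.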
@@ -307,23 +346,20 @@ Only 12 of 49 enabled accounts have ever logged in. Most staff have never used t
| localadmin | 2026-03-09 | | | localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC | | Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account | | Culinary | 2026-02-20 | Shared account |
| saleshare | 2025-12-08 | Shared account |
| Christina.DuPras | 2026-01-06 | | | Christina.DuPras | 2026-01-06 | |
| Monica.Ramirez | 2024-11-04 | **Disabled** | | saleshare | 2025-12-08 | Shared account |
| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |
**37 enabled accounts have NEVER logged in** — most have never set a password either. 37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
## Issues Found ## Migration Plan Reference
1. **Only 6 computers domain-joined** — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
2. **3 GPOs from Dec 2025 undocumented** — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these. See `migration/phase2-server-prep.md` for full phase details. Scripts referenced throughout this doc:
3. **RDS licensing not configured** — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision) - `migration/scripts/phase2-ou-cleanup.ps1` — OU audit + delete (COMPLETE)
4. **12 accounts to remove** — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2) - `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
5. **4 shared/generic accounts** (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5) - `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
6. **Monica.Ramirez (disabled) still in Domain Admins** — Security risk, fix immediately. (Phase 2.2) - `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
7. **Meredith.Kuhn and John.Trozzi in Domain Admins** — Non-IT staff should not be DAs. (Phase 2.2)
8. **"Managment" OU misspelled** — To be deleted (empty). (Phase 2.1) **Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
9. **"Quickboosk acccess" group typo** — To be fixed. (Phase 2.2)
10. **13 junk root-level OUs** — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1. **Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.
11. **20 accounts in CN=Users** — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
12. **5 computers in CN=Computers** — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
13. **Lupe.Sanchez** — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
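Review bot: the "Phase 5 (deferred)" line at the end of this region folds the RDS licensing decision in with shared-account replacement, while the RDS Licensing section states the 120-day grace period has expired and RDS is running non-compliant; that is a current compliance exposure rather than a migration task, so track it in the Pending Issues table with an owner and target date instead of only as a deferred phase item. Also, the scripts list describes phase2-new-shares.ps1 only by share names; since the new Server share's ACL (SG-IT-RW plus Domain Users) differs from the old SG-Server-RW model, add a one-line pointer to where that ACL decision is recorded (the doc cites docs/servers/cs-server.md for share details) so the next reader does not take the old group table as current.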