sync: auto-sync from HOWARD-HOME at 2026-05-20 22:41:35

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 22:41:35
2026-05-20 22:41:36 -07:00
parent 144bbe3a47
commit 3a09746468
6 changed files with 451 additions and 0 deletions


@@ -0,0 +1,71 @@
$domain = 'cascades.local'
$gpoGuid = '{512B43A4-F049-4CE5-BFAC-860AD13E92BE}'
$srv = 'CS-SERVER'
$sysvol = "\\$srv\SYSVOL\$domain\Policies"
# === 1. Check fdeploy.ini — did GPMC save the folder redirection settings? ===
Write-Output "=== fdeploy.ini content ==="
$fdeployPath = "$sysvol\$gpoGuid\User\Documents & Settings\fdeploy.ini"
if (Test-Path $fdeployPath) {
$content = [System.IO.File]::ReadAllText($fdeployPath)
if ($content.Trim()) {
Write-Output $content
} else {
Write-Output "(file exists but is EMPTY — GPMC did not save redirection settings)"
}
} else {
Write-Output "(fdeploy.ini does not exist)"
}
Write-Output ""
Write-Output "=== GPT.INI ==="
[System.IO.File]::ReadAllText("$sysvol\$gpoGuid\GPT.INI") | Write-Output
Write-Output ""
Write-Output "=== AD GPC attributes (CSE extension names) ==="
Import-Module ActiveDirectory -EA SilentlyContinue
$gpcObj = Get-ADObject -Filter "Name -eq '$gpoGuid'" `
-SearchBase "CN=Policies,CN=System,DC=cascades,DC=local" `
-Properties gPCUserExtensionNames,versionNumber -EA SilentlyContinue
if ($gpcObj) {
Write-Output " gPCUserExtensionNames: $($gpcObj.gPCUserExtensionNames)"
Write-Output " versionNumber: $($gpcObj.versionNumber)"
} else {
Write-Output " GPC object not found"
}
Write-Output ""
Write-Output "=== SYSVOL full tree ==="
Get-ChildItem "$sysvol\$gpoGuid" -Recurse -EA SilentlyContinue | ForEach-Object {
$rel = $_.FullName.Replace("$sysvol\$gpoGuid", '')
$type = if ($_.PSIsContainer) { '[DIR]' } else { "[FILE $($_.Length)b]" }
Write-Output " $type $rel"
}
# === 2. Check homes share path and NTFS permissions ===
Write-Output ""
Write-Output "=== homes share local path ==="
$share = Get-SmbShare -Name 'homes' -EA SilentlyContinue
if ($share) {
Write-Output " Share path: $($share.Path)"
$homesPath = $share.Path
Write-Output ""
Write-Output "=== homes root NTFS ACL ==="
(Get-Acl $homesPath).Access | ForEach-Object {
Write-Output " $($_.IdentityReference) | $($_.FileSystemRights) | $($_.AccessControlType) | Inherit:$($_.InheritanceFlags) Prop:$($_.PropagationFlags)"
}
Write-Output ""
Write-Output "=== homes subfolders and their ACLs ==="
Get-ChildItem $homesPath -Directory -EA SilentlyContinue | ForEach-Object {
$folder = $_.FullName
$name = $_.Name
Write-Output " --- $name ---"
(Get-Acl $folder).Access | ForEach-Object {
Write-Output " $($_.IdentityReference) | $($_.FileSystemRights) | $($_.AccessControlType) | Inherit:$($_.InheritanceFlags)"
}
}
} else {
Write-Output " 'homes' share not found on this server"
}


@@ -0,0 +1,31 @@
# Fix homes share NTFS permissions using icacls
# Goal: remove BUILTIN\Users inherited read from all subfolders
# Allow Authenticated Users to create folders on the root only (not read siblings)
Write-Output "=== icacls fix for D:\Homes ==="
# Step 1: Remove BUILTIN\Users from root and all subfolders
$r1 = & icacls "D:\Homes" /remove "BUILTIN\Users" /T /C 2>&1
Write-Output "Remove BUILTIN\Users from root+children: $r1"
# Step 2: Grant Authenticated Users read+create-folder on root ONLY (no inheritance)
$r2 = & icacls "D:\Homes" /grant "Authenticated Users:(RD,AD)" 2>&1
Write-Output "Grant Authenticated Users root-only: $r2"
# Step 3: Disable inheritance on each subfolder and remove inherited BUILTIN\Users
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue | ForEach-Object {
$p = $_.FullName
$n = $_.Name
# /inheritance:d = disable, keep existing ACEs
$r = & icacls $p /inheritance:d /C 2>&1
Write-Output " [$n] inheritance:d — $r"
}
Write-Output ""
Write-Output "=== Final ACL check ==="
& icacls "D:\Homes" 2>&1 | Write-Output
Write-Output "--- Subfolders ---"
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue | ForEach-Object {
Write-Output " $($_.Name):"
& icacls $_.FullName 2>&1 | ForEach-Object { Write-Output " $_" }
}
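Review bot: Step 1 runs `/remove "BUILTIN\Users" /T /C` before Step 3 breaks inheritance, so on each subfolder the inherited BUILTIN\Users ACEs are untouched by the removal and are then converted into explicit ACEs by `/inheritance:d` — the script ends with BUILTIN\Users still present on every subfolder, which matches the "Problems Encountered" entry later in this commit. The root is never protected either, so whatever `D:\` propagates (the notes name BUILTIN\Users) keeps flowing in after the explicit entry is removed. Reversing the order fixes both: disable inheritance on the root and each subfolder first, then run the `/remove … /T` pass. None of the icacls invocations check `$LASTEXITCODE`; the captured text is printed whether or not the command succeeded, so a failure reads like a success in the log. The `/grant "Authenticated Users:(RD,AD)"` call intentionally carries no (OI)(CI), which is what gives the this-folder-only scope the comment describes — worth stating in that comment so a later edit does not "fix" it.
```powershell
# Step 1: Break inheritance on the root and every subfolder first, so inherited ACEs become explicit
$r0 = & icacls "D:\Homes" /inheritance:d /C 2>&1
Write-Output "Root inheritance:d (exit $LASTEXITCODE): $r0"
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue | ForEach-Object {
    $r = & icacls $_.FullName /inheritance:d /C 2>&1
    Write-Output " [$($_.Name)] inheritance:d (exit $LASTEXITCODE) — $r"
}
# Step 2: Now the removal reaches every (now explicit) BUILTIN\Users ACE
$r1 = & icacls "D:\Homes" /remove "BUILTIN\Users" /T /C 2>&1
Write-Output "Remove BUILTIN\Users from root+children (exit $LASTEXITCODE): $r1"
# … unchanged: grant Authenticated Users (RD,AD) on root, final ACL check …
```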


@@ -0,0 +1,109 @@
$homesPath = 'D:\Homes'
Write-Output "=== Fixing homes root NTFS permissions ==="
Write-Output "Root: $homesPath"
Write-Output ""
# --- Fix root ACL ---
# Remove BUILTIN\Users inherited permissions that flow down to all subfolders.
# Replace with CreateDirectories (This folder only) so users can create their own subfolder
# but cannot read siblings.
$acl = Get-Acl $homesPath
# Identify and remove BUILTIN\Users rules
$usersRulesToRemove = $acl.Access | Where-Object {
$_.IdentityReference.Value -eq 'BUILTIN\Users'
}
foreach ($rule in $usersRulesToRemove) {
$acl.RemoveAccessRule($rule) | Out-Null
Write-Output "[REMOVED] BUILTIN\Users | $($rule.FileSystemRights) | Inherit:$($rule.InheritanceFlags)"
}
# Add back the minimum: This Folder Only — just enough to create their own subfolder
# List Folder + Create Folders on this folder only (not inherited)
$thisOnly = [System.Security.AccessControl.InheritanceFlags]::None
$noProp = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow
# "Authenticated Users" list + create folders on this folder only
$minRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute,Synchronize,CreateDirectories'
$minRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'Authenticated Users', $minRights, $thisOnly, $noProp, $allow
)
$acl.AddAccessRule($minRule)
Write-Output "[ADDED] Authenticated Users | ReadAndExecute+CreateDirectories | This Folder Only"
Set-Acl -Path $homesPath -AclObject $acl
Write-Output "[OK] Root ACL updated"
Write-Output ""
# --- Fix each existing user subfolder ---
# Break inheritance, strip BUILTIN\Users, verify user has Full Control
Write-Output "=== Fixing existing user subfolder ACLs ==="
Get-ChildItem $homesPath -Directory -EA SilentlyContinue | ForEach-Object {
$folder = $_.FullName
$folderName = $_.Name
# Try to resolve folder name to a domain user
# Folder names like "Crystal.Rodriguez", "lauren.hasselman", etc.
$userName = $folderName
$domainUser = "CASCADES\$userName"
$subAcl = Get-Acl $folder
# Disable inheritance (convert inherited to explicit, then we remove what we don't want)
$subAcl.SetAccessRuleProtection($true, $true) # protect=true, preserveInherited=true
Set-Acl -Path $folder -AclObject $subAcl
# Re-read now that inheritance is broken
$subAcl = Get-Acl $folder
# Remove BUILTIN\Users entries
$toRemove = $subAcl.Access | Where-Object {
$_.IdentityReference.Value -eq 'BUILTIN\Users'
}
foreach ($rule in $toRemove) {
$subAcl.RemoveAccessRule($rule) | Out-Null
Write-Output " [$folderName] Removed BUILTIN\Users | $($rule.FileSystemRights)"
}
# Verify user has Full Control (if user account exists in domain)
$userExists = $subAcl.Access | Where-Object {
$_.IdentityReference.Value -like "*$userName*"
}
if (-not $userExists) {
# Check if we can resolve the user and add them
try {
$adUser = Get-ADUser -Filter "SamAccountName -eq '$userName'" -EA SilentlyContinue
if (-not $adUser) {
# Try case-insensitive match
$adUser = Get-ADUser -Filter "Name -like '$($userName.Replace('.','\s'))*'" -EA SilentlyContinue
}
if ($adUser) {
$fullCtrlRights = [System.Security.AccessControl.FileSystemRights]::FullControl
$allInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$noProp2 = [System.Security.AccessControl.PropagationFlags]::None
$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"CASCADES\$($adUser.SamAccountName)", $fullCtrlRights, $allInherit, $noProp2, $allow
)
$subAcl.AddAccessRule($userRule)
Write-Output " [$folderName] Added CASCADES\$($adUser.SamAccountName) | FullControl"
} else {
Write-Output " [$folderName] WARNING: no user found for '$userName' — folder has no explicit user ACE"
}
} catch {
Write-Output " [$folderName] WARNING: AD lookup failed: $($_.Exception.Message)"
}
} else {
Write-Output " [$folderName] User ACE already present: $($userExists[0].IdentityReference)"
}
Set-Acl -Path $folder -AclObject $subAcl
Write-Output " [$folderName] ACL updated [OK]"
Write-Output ""
}
Write-Output "=== Final root ACL ==="
(Get-Acl $homesPath).Access | ForEach-Object {
Write-Output " $($_.IdentityReference) | $($_.FileSystemRights) | Inherit:$($_.InheritanceFlags) Prop:$($_.PropagationFlags)"
}
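Review bot: The root fix (`$acl = Get-Acl $homesPath` through `Set-Acl -Path $homesPath -AclObject $acl`) never breaks inheritance, so `$acl.RemoveAccessRule($rule)` only affects explicit ACEs and any BUILTIN\Users entry inherited from the parent volume survives — the session notes in this commit report exactly that outcome; the subfolder loop already shows the right sequence, and the root needs the same three statements before the removal: `$acl.SetAccessRuleProtection($true, $true)`, `Set-Acl -Path $homesPath -AclObject $acl`, `$acl = Get-Acl $homesPath`. The same gap is in the next file's root block (its `$acl = Get-Acl $homesPath` … `Set-Acl` sequence). Separately, `$userName` is taken straight from a folder name and interpolated into the `Get-ADUser -Filter` strings, while this very script grants Authenticated Users CreateDirectories on the root, so any domain user controls that text; guard it before the lookup with `if ($userName -notmatch '^[A-Za-z0-9._-]+$') { Write-Output " [$folderName] skipped: unexpected characters in name"; return }` (inside `ForEach-Object`, `return` moves on to the next folder). The `-like "*$userName*"` test is a substring match that a different principal containing the same text can satisfy, and the `\s` substituted into the second filter is regex syntax I do not believe the AD `-like` operator honours; an exact `-eq "CASCADES\$userName"` comparison is safer for the first, and the second probably wants `' '`. `$domainUser` is assigned but never used.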


@@ -0,0 +1,64 @@
$homesPath = 'D:\Homes'
$allow = [System.Security.AccessControl.AccessControlType]::Allow
Write-Output "=== Fixing homes root ACL ==="
$acl = Get-Acl $homesPath
# Remove all BUILTIN\Users entries (these inherit down to subfolders — that's the bug)
$removed = 0
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } | ForEach-Object {
$acl.RemoveAccessRule($_) | Out-Null
$removed++
}
Write-Output "Removed $removed BUILTIN\Users rule(s) from root"
# Add back minimum: Authenticated Users, This Folder Only — list + create folders
$minRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'Authenticated Users',
[System.Security.AccessControl.FileSystemRights]'ReadAndExecute,Synchronize,CreateDirectories',
[System.Security.AccessControl.InheritanceFlags]::None,
[System.Security.AccessControl.PropagationFlags]::None,
$allow
)
$acl.AddAccessRule($minRule)
Set-Acl -Path $homesPath -AclObject $acl
Write-Output "[OK] Root: Authenticated Users — This Folder Only (list + create folders)"
Write-Output ""
Write-Output "=== Fixing user subfolder ACLs ==="
Get-ChildItem $homesPath -Directory -EA SilentlyContinue | ForEach-Object {
$folder = $_.FullName
$name = $_.Name
$subAcl = Get-Acl $folder
# Break inheritance — copy existing ACEs explicitly (no longer inherit from root)
$subAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $subAcl
$subAcl = Get-Acl $folder
# Remove BUILTIN\Users entries that came from root inheritance
$count = 0
$subAcl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } | ForEach-Object {
$subAcl.RemoveAccessRule($_) | Out-Null
$count++
}
Set-Acl -Path $folder -AclObject $subAcl
Write-Output " [$name] Removed $count BUILTIN\Users rule(s), inheritance disabled [OK]"
}
Write-Output ""
Write-Output "=== Verification — root ACL ==="
(Get-Acl $homesPath).Access | ForEach-Object {
Write-Output " $($_.IdentityReference) | $($_.FileSystemRights) | Inherit:$($_.InheritanceFlags)"
}
Write-Output ""
Write-Output "=== Verification — subfolder ACLs ==="
Get-ChildItem $homesPath -Directory -EA SilentlyContinue | ForEach-Object {
Write-Output " --- $($_.Name) ---"
(Get-Acl $_.FullName).Access | ForEach-Object {
Write-Output " $($_.IdentityReference) | $($_.FileSystemRights) | Inherit:$($_.InheritanceFlags)"
}
}
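Review bot: The per-folder line `Write-Output " [$name] Removed $count BUILTIN\Users rule(s), inheritance disabled [OK]"` is printed unconditionally; `Set-Acl` errors are non-terminating under the default preference, so a folder whose ACL write failed still logs `[OK]`. Running both `Set-Acl -Path $folder -AclObject $subAcl` calls in the loop with `-ErrorAction Stop` inside a `try { … } catch { Write-Output " [$name] FAILED: $($_.Exception.Message)"; return }` makes the log trustworthy. The two verification blocks at the end print `IdentityReference | FileSystemRights | Inherit:…` but not `IsInherited`, which is exactly the attribute that distinguishes an ACE this script removed from one the parent is still propagating; append `| Inherited:$($_.IsInherited)` to both `Write-Output` lines so the output would have exposed the root problem the session notes describe.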


@@ -0,0 +1,88 @@
---
## Update: 22:34 PT — NTFS fix, GPO debugging, Zachary folder redirection confirmed working
### Session Summary
Continued from the earlier session where CS-SERVER had been rebooted to clear hung icacls processes. This session completed the NTFS permissions fix on D:\Homes, debugged and resolved the folder redirection GPO failure, and confirmed Zachary Nelson folder redirection working on ACCT2-PC. Also billed two Syncro tickets and closed the browser cleanup ticket.
The NTFS fix proceeded in two rounds. The first icacls pass (run by Howard before this context window) partially worked: it removed the explicit BUILTIN\Users entry from D:\Homes root but left inherited entries flowing in from the D:\ parent, and left explicit BUILTIN\Users ACEs on the subfolders. Guided Howard through the GUI (Advanced Security Settings) to break inheritance on the root and remove BUILTIN\Users from root and all four subfolders (Crystal.Rodriguez, lauren.hasselman, sharon.edwards, Susan.Hicks). Final icacls verification via GuruRMM confirmed clean state across all five paths.
Folder redirection was not applying to Zachary despite three login attempts and gpupdate runs. gpresult showed "Applied Group Policy Objects: N/A" for user settings — zero user-side GPOs reaching him. Root cause: when Howard removed Authenticated Users from the GPO security filter in the earlier session (per Claude instructions), he removed ALL access including Read. Domain computers require Authenticated Users GpoRead to enumerate user-side GPOs; without it the computer cannot include CSC - Folder Redirection in any user RSoP. Also investigated fdeploy1.ini — discovered that fdeploy1.ini (not fdeploy.ini) is the active file on Windows Vista+ clients. All earlier "empty file" reports were false negatives caused by PowerShell mishandling the ampersand in the "Documents & Settings" path. The fdeploy1.ini had 1698 bytes of correct content written by GPMC. The sole blocker was the missing GpoRead. Added Authenticated Users GpoRead back via Set-GPPermission; Zachary logged in and folder redirection applied on the next login.
Billed Syncro ticket #32303 (Domain setup-entra sync) for 2 hours remote labor (product 1190473) and ticket #32306 (Room 343 virus, browser cleanup) for 1 hour onsite (product 26118). Cascades is prepaid; both invoices landed at $0 with prepay block decremented 38.5 to 35.5 hours. Ticket #32306 closed as Resolved. Migration master plan save point updated.
### Key Decisions
- Used GUI walk-through for NTFS fix instead of commands — Howard requested GUI approach after icacls left partial state. Advanced Security Settings is more reliable for multi-step inheritance break and ACE removal operations.
- Authenticated Users GpoRead is mandatory even with security group filtering — removing it entirely breaks computer-side enumeration of user GPOs. Correct pattern: Authenticated Users gets GpoRead only; target security group gets GpoApply. Claude gave incorrect guidance in the earlier session by not clarifying this distinction.
- fdeploy1.ini is the active file on Windows 10/11, not fdeploy.ini — fdeploy.ini is the legacy XP format, always empty on modern domains. Confirmed by comparing working LE GPO structure against the new GPO.
- Remote labor product (1190473 at $150/hr) used for Phase 2.6 migration work; Onsite product (26118 at $175/hr) used for the browser cleanup ticket. Correct per delivery channel.
### Problems Encountered
- icacls /inheritance:d /remove left BUILTIN\Users on subfolders — the combined flags converted inherited ACEs to explicit but did not then remove them in the same pass. Resolved via GUI.
- D:\Homes root inherited BUILTIN\Users from D:\ parent — removing the explicit ACE was not enough; root needed inheritance broken to stop the parent volume from propagating. Resolved via GUI disable inheritance.
- GuruRMM agent hung on UNC path commands — commands using UNC paths to SYSVOL caused the agent to run indefinitely. Resolved by waiting for agent recovery and switching to local C:\Windows\SYSVOL paths with System.IO.Path::Combine() to handle the ampersand character.
- fdeploy.ini vs fdeploy1.ini confusion — all attempts to read the legacy fdeploy.ini returned empty, leading to incorrect conclusion that GPMC had not written settings. Resolved by enumerating the "Documents & Settings" folder with GetFiles() and discovering fdeploy1.ini with 1698 bytes of correct content.
- GPO Authenticated Users GpoRead missing — root cause of "Applied GPOs: N/A". Resolved via Set-GPPermission adding GpoRead back. Root cause was incorrect guidance from Claude in the earlier session.
### Configuration Changes
- D:\Homes NTFS: inheritance from D:\ parent broken on root; BUILTIN\Users removed from root and all 4 subfolders via GUI
- D:\Homes root ACL final state: Authenticated Users (RX,AD) This Folder Only; Administrators (OI)(CI)(F); SYSTEM (OI)(CI)(F); CREATOR OWNER (OI)(CI)(IO)(F)
- CSC - Folder Redirection GPO: Authenticated Users GpoRead added back
- C:\Users\Howard\.claude\plans\wise-discovering-panda.md: CURRENT SAVE POINT updated
### Credentials & Secrets
- GuruRMM API: http://172.16.3.30:3001 — claude-api@azcomputerguru.com / ClaudeAPI2026!@# (JWT required)
- Syncro API key (Howard): Tde5174a6e9e312d14-02fd5bfe0f0ee40c87d027507c680e18
### Infrastructure & Servers
- CS-SERVER: DC + file server, cascades.local, GuruRMM agent 6766e973-e703-47c1-be56-76950290f87c
- ACCT2-PC: Zachary Nelson workstation, GuruRMM agent 9b51e554-45d8-4737-96f5-116c1b1a7589, OU=Staff PCs\Workstations
- D:\Homes share: clean NTFS, no BUILTIN\Users anywhere
- CSC - Folder Redirection GPO GUID: {512B43A4-F049-4CE5-BFAC-860AD13E92BE}
- CSC - Folder Redirection (LE) GPO GUID: {889BE7BE-202E-4153-89AD-B5DB62A52D25}
### Commands & Outputs
```
# Add Authenticated Users GpoRead back
Set-GPPermission -Name 'CSC - Folder Redirection' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
# Final GPO permission state:
# SG-FolderRedirect | GpoApply
# Authenticated Users | GpoRead
# Domain Admins | GpoEditDeleteModifySecurity
# Enterprise Admins | GpoEditDeleteModifySecurity
# ENTERPRISE DOMAIN CONTROLLERS | GpoRead
# SYSTEM | GpoEditDeleteModifySecurity
# fdeploy1.ini confirmed 1698 bytes with correct content
# Paths: \\CS-SERVER\Homes\%USERNAME%\Desktop, Documents, Downloads, Pictures, Music
# Syncro billing:
# #32303 — timer 39347344, 2.0h remote, invoice 1650366749, $0.00 prepaid
# #32306 — timer 39347378, 1.0h onsite, invoice 1650366766, $0.00 prepaid
# Prepay: 38.5 -> 35.5 hours remaining
# #32306 closed Resolved
```
### Pending / Incomplete Tasks
1. Lauren Hasselman — Howard moves OneDrive data to local folders first, then Add-ADGroupMember SG-FolderRedirect lauren.hasselman, log off/on, verify \\CS-SERVER\homes\lauren.hasselman\ populated
2. Entra Connect — cascadestucson.com UPN suffix, set UPN on Administrative users, add OU=Administrative to sync scope, delta sync, verify soft-match
3. Phase 3 domain joins — DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC (MDIRECTOR-PC needs Win10 Home to Pro first)
4. Pre-Phase 3 prerequisites — SG-Mgmt-RW / SG-Sales-RW / SG-Activities-RW membership, krbtgt rotation (569+ days), remove Meredith.Kuhn + John.Trozzi from Domain Admins
### Reference Information
- Migration master plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md
- Resume command: "resume the Cascades migration plan"
- Syncro migration ticket: https://computerguru.syncromsp.com/tickets/110680053 (#32303)
- Syncro browser cleanup ticket (closed): https://computerguru.syncromsp.com/tickets/110684398 (#32306)
- Cascades customer ID: 20149445, prepay remaining: 35.5 hours
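Review bot: The `### Credentials & Secrets` block commits an account password for the GuruRMM API and a Syncro API key in plaintext, and the sixth file in this commit duplicates the same block; because the commit is an auto-sync, the values will keep landing on every sync until the source notes change. Both credentials should be treated as exposed now that they are in git history — rotate them, and scrub the history rather than only deleting the lines in a later commit. Keep the section as a pointer instead of a value store, e.g. `- GuruRMM API: http://172.16.3.30:3001 — credentials in <SECRET-STORE-ENTRY> (JWT required)` and `- Syncro API key (Howard): <SECRET-STORE-ENTRY>`. The GPO GUIDs, agent ids and ticket numbers in the neighbouring sections are fine to keep.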


@@ -377,3 +377,91 @@ Created comprehensive multi-day migration plan. Covers:
| krbtgt password rotation | Medium | 569+ days old |
| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |
| Update Syncro ticket #110680053 | Medium | Log today's work |
---
## Update: 22:34 PT — NTFS fix, GPO debugging, Zachary folder redirection confirmed working
### Session Summary
Continued from the earlier session where CS-SERVER had been rebooted to clear hung icacls processes. This session completed the NTFS permissions fix on D:\Homes, debugged and resolved the folder redirection GPO failure, and confirmed Zachary Nelson folder redirection working on ACCT2-PC. Also billed two Syncro tickets and closed the browser cleanup ticket.
The NTFS fix proceeded in two rounds. The first icacls pass (run by Howard before this context window) partially worked: it removed the explicit BUILTIN\Users entry from D:\Homes root but left inherited entries flowing in from the D:\ parent, and left explicit BUILTIN\Users ACEs on the subfolders. Guided Howard through the GUI (Advanced Security Settings) to break inheritance on the root and remove BUILTIN\Users from root and all four subfolders (Crystal.Rodriguez, lauren.hasselman, sharon.edwards, Susan.Hicks). Final icacls verification via GuruRMM confirmed clean state across all five paths.
Folder redirection was not applying to Zachary despite three login attempts and gpupdate runs. gpresult showed "Applied Group Policy Objects: N/A" for user settings — zero user-side GPOs reaching him. Root cause: when Howard removed Authenticated Users from the GPO security filter in the earlier session (per Claude instructions), he removed ALL access including Read. Domain computers require Authenticated Users GpoRead to enumerate user-side GPOs; without it the computer cannot include CSC - Folder Redirection in any user RSoP. Also investigated fdeploy1.ini — discovered that fdeploy1.ini (not fdeploy.ini) is the active file on Windows Vista+ clients. All earlier "empty file" reports were false negatives caused by PowerShell mishandling the ampersand in the "Documents & Settings" path. The fdeploy1.ini had 1698 bytes of correct content written by GPMC. The sole blocker was the missing GpoRead. Added Authenticated Users GpoRead back via Set-GPPermission; Zachary logged in and folder redirection applied on the next login.
Billed Syncro ticket #32303 (Domain setup-entra sync) for 2 hours remote labor (product 1190473) and ticket #32306 (Room 343 virus, browser cleanup) for 1 hour onsite (product 26118). Cascades is prepaid; both invoices landed at $0 with prepay block decremented 38.5 to 35.5 hours. Ticket #32306 closed as Resolved. Migration master plan save point updated.
### Key Decisions
- Used GUI walk-through for NTFS fix instead of commands — Howard requested GUI approach after icacls left partial state. Advanced Security Settings is more reliable for multi-step inheritance break and ACE removal operations.
- Authenticated Users GpoRead is mandatory even with security group filtering — removing it entirely breaks computer-side enumeration of user GPOs. Correct pattern: Authenticated Users gets GpoRead only; target security group gets GpoApply. Claude gave incorrect guidance in the earlier session by not clarifying this distinction.
- fdeploy1.ini is the active file on Windows 10/11, not fdeploy.ini — fdeploy.ini is the legacy XP format, always empty on modern domains. Confirmed by comparing working LE GPO structure against the new GPO.
- Remote labor product (1190473 at $150/hr) used for Phase 2.6 migration work; Onsite product (26118 at $175/hr) used for the browser cleanup ticket. Correct per delivery channel.
### Problems Encountered
- icacls /inheritance:d /remove left BUILTIN\Users on subfolders — the combined flags converted inherited ACEs to explicit but did not then remove them in the same pass. Resolved via GUI.
- D:\Homes root inherited BUILTIN\Users from D:\ parent — removing the explicit ACE was not enough; root needed inheritance broken to stop the parent volume from propagating. Resolved via GUI disable inheritance.
- GuruRMM agent hung on UNC path commands — commands using UNC paths to SYSVOL caused the agent to run indefinitely. Resolved by waiting for agent recovery and switching to local C:\Windows\SYSVOL paths with System.IO.Path::Combine() to handle the ampersand character.
- fdeploy.ini vs fdeploy1.ini confusion — all attempts to read the legacy fdeploy.ini returned empty, leading to incorrect conclusion that GPMC had not written settings. Resolved by enumerating the "Documents & Settings" folder with GetFiles() and discovering fdeploy1.ini with 1698 bytes of correct content.
- GPO Authenticated Users GpoRead missing — root cause of "Applied GPOs: N/A". Resolved via Set-GPPermission adding GpoRead back. Root cause was incorrect guidance from Claude in the earlier session.
### Configuration Changes
- D:\Homes NTFS: inheritance from D:\ parent broken on root; BUILTIN\Users removed from root and all 4 subfolders via GUI
- D:\Homes root ACL final state: Authenticated Users (RX,AD) This Folder Only; Administrators (OI)(CI)(F); SYSTEM (OI)(CI)(F); CREATOR OWNER (OI)(CI)(IO)(F)
- CSC - Folder Redirection GPO: Authenticated Users GpoRead added back
- C:\Users\Howard\.claude\plans\wise-discovering-panda.md: CURRENT SAVE POINT updated
### Credentials & Secrets
- GuruRMM API: http://172.16.3.30:3001 — claude-api@azcomputerguru.com / ClaudeAPI2026!@# (JWT required)
- Syncro API key (Howard): Tde5174a6e9e312d14-02fd5bfe0f0ee40c87d027507c680e18
### Infrastructure & Servers
- CS-SERVER: DC + file server, cascades.local, GuruRMM agent 6766e973-e703-47c1-be56-76950290f87c
- ACCT2-PC: Zachary Nelson workstation, GuruRMM agent 9b51e554-45d8-4737-96f5-116c1b1a7589, OU=Staff PCs\Workstations
- D:\Homes share: clean NTFS, no BUILTIN\Users anywhere
- CSC - Folder Redirection GPO GUID: {512B43A4-F049-4CE5-BFAC-860AD13E92BE}
- CSC - Folder Redirection (LE) GPO GUID: {889BE7BE-202E-4153-89AD-B5DB62A52D25}
### Commands & Outputs
```
# Add Authenticated Users GpoRead back
Set-GPPermission -Name 'CSC - Folder Redirection' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
# Final GPO permission state:
# SG-FolderRedirect | GpoApply
# Authenticated Users | GpoRead
# Domain Admins | GpoEditDeleteModifySecurity
# Enterprise Admins | GpoEditDeleteModifySecurity
# ENTERPRISE DOMAIN CONTROLLERS | GpoRead
# SYSTEM | GpoEditDeleteModifySecurity
# fdeploy1.ini confirmed 1698 bytes with correct content
# Paths: \\CS-SERVER\Homes\%USERNAME%\Desktop, Documents, Downloads, Pictures, Music
# Syncro billing:
# #32303 — timer 39347344, 2.0h remote, invoice 1650366749, $0.00 prepaid
# #32306 — timer 39347378, 1.0h onsite, invoice 1650366766, $0.00 prepaid
# Prepay: 38.5 -> 35.5 hours remaining
# #32306 closed Resolved
```
### Pending / Incomplete Tasks
1. Lauren Hasselman — Howard moves OneDrive data to local folders first, then Add-ADGroupMember SG-FolderRedirect lauren.hasselman, log off/on, verify \\CS-SERVER\homes\lauren.hasselman\ populated
2. Entra Connect — cascadestucson.com UPN suffix, set UPN on Administrative users, add OU=Administrative to sync scope, delta sync, verify soft-match
3. Phase 3 domain joins — DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC (MDIRECTOR-PC needs Win10 Home to Pro first)
4. Pre-Phase 3 prerequisites — SG-Mgmt-RW / SG-Sales-RW / SG-Activities-RW membership, krbtgt rotation (569+ days), remove Meredith.Kuhn + John.Trozzi from Domain Admins
### Reference Information
- Migration master plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md
- Resume command: "resume the Cascades migration plan"
- Syncro migration ticket: https://computerguru.syncromsp.com/tickets/110680053 (#32303)
- Syncro browser cleanup ticket (closed): https://computerguru.syncromsp.com/tickets/110684398 (#32306)
- Cascades customer ID: 20149445, prepay remaining: 35.5 hours