client/cascades: session log + AD doc update 2026-05-20
Phase 2.5 complete. Folder redirection GPO decision documented — deferred to Phase 3 (blocked on domain joins). Pending items carried forward. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -280,7 +280,7 @@ Full share details, permissions, and drive letter mappings are in `docs/servers/
| MemCare Director Printer | MF451CDW |
| MemCare MedTech Printer | Brother MFC-L8900CDW |
## Group Policy (as of 2026-03-07 export)
## Group Policy (as of 2026-05-20)
GPOs exist but effectiveness is limited since most PCs are not domain-joined.
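Review bot: the heading change drops "export" from "Group Policy (as of 2026-03-07 export)", so the new heading "Group Policy (as of 2026-05-20)" no longer says whether the table below reflects a fresh GPMC export or a manual edit made during the session. Suggest keeping the basis explicit, e.g. `## Group Policy (as of 2026-05-20, manually updated; last GPMC export 2026-03-07)`, so a later reader knows which rows were verified against the DC and which were typed in. The unchanged context line about most PCs not being domain-joined still describes the real enforcement gap and is fine to leave.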
@@ -289,6 +289,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined.
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
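Review bot: the added "CSC - Folder Redirection (LE)" row records GrantExclusive=false and MoveContents=true but not the permissions that make that safe: with exclusive rights off, the redirected folders keep whatever ACL the pre-created `\\CS-SERVER\homes\%USERNAME%\` folder already has instead of being restricted to the user and SYSTEM, so the row (or the share doc referenced in the hunk header) should state the per-user NTFS and share ACL on `homes` that was checked before the status went to LIVE. In the same table, the Default Domain Policy row keeps a 7-character minimum with Status "OK" while the planned Security Baseline further down calls for 12 characters; "OK" here reads as a sign-off on the 7-character minimum, so consider "Baseline pending" instead.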
@@ -298,7 +299,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined.
2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
5. **CSC - Folder Redirection** — Desktop, Documents, Downloads to `\\CS-SERVER\homes\%username%\`
5. **CSC - Folder Redirection** — Single GPO linked at `OU=Departments`, covering all staff OUs. Same settings as the LE GPO: Documents + Downloads + Desktop → `\\CS-SERVER\homes\%USERNAME%\<Folder>`, GrantExclusive=false, MoveContents=true. **Blocked on Phase 3 domain joins** — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure).
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
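Review bot: the rewritten item 5 says "Same settings as the LE GPO: Documents + Downloads + Desktop", but the LE GPO row in the table above lists only Documents + Downloads; one of the two is wrong, and since the LE GPO is LIVE the table should win or the Desktop addition should be called out as a deliberate difference. Also, item 3 (CSC - Security Baseline) lists 12-char passwords and lockout 5/30 as if an OU-linked GPO will enforce them for domain accounts, but Account Policies in a GPO linked below the domain root only apply to local accounts on the targeted computers; the domain-account password and lockout policy comes from the Default Domain Policy (currently 7-char per the table) or a fine-grained password policy. Suggest saying so in the item, or moving the 12-char change to the Default Domain Policy or a PSO.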
## RDS Licensing
@@ -0,0 +1,94 @@
# Cascades of Tucson — Phase 2.5 AD Groups and Shares
**Date:** 2026-05-20
**Syncro tickets:** none opened this session
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
---
## Session Summary
Resumed from a crash mid-session on 2026-05-19. Context was recovered from the prior session log and `active-directory.md`. A live verification against CS-SERVER via GuruRMM confirmed the Phase 2.5 scripts had not run before the crash.
Ran both Phase 2.5 scripts on CS-SERVER via GuruRMM remote PowerShell:
**phase2-ad-groups-new.ps1** — Created three new security groups in `OU=Groups,DC=cascades,DC=local`:
- `SG-Mgmt-RW` — Management share Read/Write (replaces old SG-Management-RW)
- `SG-Sales-RO` — Sales share Read Only
- `SG-Activities-RW` — Activities share Read/Write
Tamra.Matthews was not in SG-Sales-RW so no removal was needed (SKIP result — expected).
**phase2-new-shares.ps1** — Created four new SMB shares on `D:\Shares`, all with ABE enabled and broken inheritance:
- `Management` — NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full)
- `Sales` — NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute)
- `Activities` — NTFS: SG-Activities-RW (Modify), Domain Admins (Full)
- `Server` — NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute)
All folders are empty — data sync and group membership population are separate steps per department when each is ready to cut over.
Discussed folder redirection for the new shares. Decision: create a single `CSC - Folder Redirection` GPO linked at `OU=Departments` rather than per-OU GPOs. Blocked on Phase 3 domain joins — most affected machines are not domain-joined yet. Life Enrichment is already covered by the existing `CSC - Folder Redirection (LE)` GPO. Will return to this after Phase 3.
---
## Key Decisions
- **Single domain-wide folder redirection GPO** — Link at `OU=Departments` rather than duplicating the LE GPO per department. As machines get domain-joined in Phase 3 they pick it up automatically. Blocked until Phase 3 domain joins are further along.
- **phase2-new-shares.ps1 sent as base64 EncodedCommand** — Direct JSON serialization of the script caused a `Missing closing '}'` parser error. Workaround: encode as UTF-16LE base64 and launch via `powershell.exe -EncodedCommand`. This pattern should be used for any multi-line PS scripts sent via the GuruRMM command API.
---
## Problems Encountered
- **phase2-new-shares.ps1 parser error via GuruRMM API** — Sending the script as a raw JSON string caused PowerShell to fail with `Missing closing '}'`. Root cause: JSON serialization mangled backtick line continuations. Fixed by encoding the script as UTF-16LE base64 and using `-EncodedCommand`.
---
## Configuration Changes
| File | Change |
|------|--------|
| `clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1` | New — committed |
| `clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1` | New — committed |
| `clients/cascades-tucson/docs/servers/active-directory.md` | Updated: SG- groups table, SMB shares table, GPO section, script status |
---
## Infrastructure Changes on CS-SERVER
| Object | Type | Action |
|--------|------|--------|
| SG-Mgmt-RW | AD Security Group | Created in OU=Groups |
| SG-Sales-RO | AD Security Group | Created in OU=Groups |
| SG-Activities-RW | AD Security Group | Created in OU=Groups |
| D:\Shares\Management | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Sales | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Activities | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Server | Folder + SMB share | Created, ABE enabled, NTFS set |
---
## Pending / Incomplete Tasks
| Item | Status | Notes |
|------|--------|-------|
| Populate new SG- groups with members | Pending | Per-dept when each cuts over to new shares |
| CSC - Folder Redirection GPO (all depts) | Pending | Blocked on Phase 3 domain joins. Check OneDrive KFM on each machine before applying. Use GPMC close-and-reopen workaround (see 2026-04-17 session log). |
| `n.castro` — block M365 sign-in | Pending (from 2026-05-18) | `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` |
| `Shontiel.Nunn` old account — disable | Pending (from 2026-05-18) | s.nunn is the correct account |
| `britney.thompson` — disable + harvest M365 license | Pending | Departed 2026-04-22 |
| `Alma.Montt` — AD + cloud-only M365 conflict | Pending | Delete cloud-only account, let Entra Connect sync the AD account |
| `k.flores`, `g.williford`, `m.kariuki` — employment status | On hold | Unconfirmed |
| Phase 3 domain joins | Pending | DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC → OU=Staff PCs |
---
## Reference
- Prior session log: `clients/cascades-tucson/session-logs/2026-05-19-howard-alma-montt-account-completion.md`
- Folder redirection procedure: `clients/cascades-tucson/session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md`
- AD structure: `clients/cascades-tucson/docs/servers/active-directory.md`
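Review bot: in the Session Summary the four NTFS ACL lines are inconsistent in a way the log does not explain: Management and Activities carry Domain Admins (Full), Sales lists only SG-Sales-RW and SG-Sales-RO, and Server grants Domain Users ReadAndExecute, which with inheritance broken and ABE on still lets every domain user browse that share. If the Sales omission and the Domain Users grant are intentional, say so in the log; if not, phase2-new-shares.ps1 should be corrected before any department cuts over. The log also records NTFS but not the share-level permissions the script set, and the old SG-Management-RW that SG-Mgmt-RW "replaces" has no row in the Pending table for migrating its members and removing it. Lastly, the n.castro row carries the exact `Update-MgUser` command, so a note of who ran it and when would be useful once it is done.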