diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md index 17c8496..9d0dc0e 100644 --- a/clients/cascades-tucson/docs/servers/active-directory.md +++ b/clients/cascades-tucson/docs/servers/active-directory.md @@ -280,7 +280,7 @@ Full share details, permissions, and drive letter mappings are in `docs/servers/ | MemCare Director Printer | MF451CDW | | MemCare MedTech Printer | Brother MFC-L8900CDW | -## Group Policy (as of 2026-03-07 export) +## Group Policy (as of 2026-05-20) GPOs exist but effectiveness is limited since most PCs are not domain-joined. @@ -289,6 +289,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. | Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK | | Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK | | Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep | +| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks | | ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | | ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | | ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | 
@@ -298,7 +299,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. 2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom) 3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min 4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart -5. **CSC - Folder Redirection** — Desktop, Documents, Downloads to `\\CS-SERVER\homes\%username%\` +5. **CSC - Folder Redirection** — Single GPO linked at `OU=Departments`, covering all staff OUs. Same settings as the LE GPO: Documents + Downloads + Desktop → `\\CS-SERVER\homes\%USERNAME%\`, GrantExclusive=false, MoveContents=true. **Blocked on Phase 3 domain joins** — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure). 6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount ## RDS Licensing diff --git a/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2-ad-groups-and-shares.md b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2-ad-groups-and-shares.md new file mode 100644 index 0000000..424d306 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2-ad-groups-and-shares.md 
@@ -0,0 +1,94 @@ +# Cascades of Tucson — Phase 2.5 AD Groups and Shares + +**Date:** 2026-05-20 +**Syncro tickets:** none opened this session + +## User +- **User:** Howard Enos (howard) +- **Machine:** HOWARD-HOME +- **Role:** tech + +--- + +## Session Summary + +Resumed from a crash mid-session on 2026-05-19. Context was recovered from the prior session log and `active-directory.md`. A live verification against CS-SERVER via GuruRMM confirmed the Phase 2.5 scripts had not run before the crash. + +Ran both Phase 2.5 scripts on CS-SERVER via GuruRMM remote PowerShell: + +**phase2-ad-groups-new.ps1** — Created three new security groups in `OU=Groups,DC=cascades,DC=local`: +- `SG-Mgmt-RW` — Management share Read/Write (replaces old SG-Management-RW) +- `SG-Sales-RO` — Sales share Read Only +- `SG-Activities-RW` — Activities share Read/Write + +Tamra.Matthews was not in SG-Sales-RW so no removal was needed (SKIP result — expected). + +**phase2-new-shares.ps1** — Created four new SMB shares on `D:\Shares`, all with ABE enabled and broken inheritance: +- `Management` — NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full) +- `Sales` — NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute) +- `Activities` — NTFS: SG-Activities-RW (Modify), Domain Admins (Full) +- `Server` — NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute) + +All folders are empty — data sync and group membership population are separate steps per department when each is ready to cut over. + +Discussed folder redirection for the new shares. Decision: create a single `CSC - Folder Redirection` GPO linked at `OU=Departments` rather than per-OU GPOs. Blocked on Phase 3 domain joins — most affected machines are not domain-joined yet. Life Enrichment is already covered by the existing `CSC - Folder Redirection (LE)` GPO. Will return to this after Phase 3. + +--- + +## Key Decisions + +- **Single domain-wide folder redirection GPO** — Link at `OU=Departments` rather than duplicating the LE GPO per department. 
As machines get domain-joined in Phase 3 they pick it up automatically. Blocked until Phase 3 domain joins are further along. +- **phase2-new-shares.ps1 sent as base64 EncodedCommand** — Direct JSON serialization of the script caused a `Missing closing '}'` parser error. Workaround: encode as UTF-16LE base64 and launch via `powershell.exe -EncodedCommand`. This pattern should be used for any multi-line PS scripts sent via the GuruRMM command API. + +--- + +## Problems Encountered + +- **phase2-new-shares.ps1 parser error via GuruRMM API** — Sending the script as a raw JSON string caused PowerShell to fail with `Missing closing '}'`. Root cause: JSON serialization mangled backtick line continuations. Fixed by encoding the script as UTF-16LE base64 and using `-EncodedCommand`. + +--- + +## Configuration Changes + +| File | Change | +|------|--------| +| `clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1` | New — committed | +| `clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1` | New — committed | +| `clients/cascades-tucson/docs/servers/active-directory.md` | Updated: SG- groups table, SMB shares table, GPO section, script status | + +--- + +## Infrastructure Changes on CS-SERVER + +| Object | Type | Action | +|--------|------|--------| +| SG-Mgmt-RW | AD Security Group | Created in OU=Groups | +| SG-Sales-RO | AD Security Group | Created in OU=Groups | +| SG-Activities-RW | AD Security Group | Created in OU=Groups | +| D:\Shares\Management | Folder + SMB share | Created, ABE enabled, NTFS set | +| D:\Shares\Sales | Folder + SMB share | Created, ABE enabled, NTFS set | +| D:\Shares\Activities | Folder + SMB share | Created, ABE enabled, NTFS set | +| D:\Shares\Server | Folder + SMB share | Created, ABE enabled, NTFS set | + +--- + +## Pending / Incomplete Tasks + +| Item | Status | Notes | +|------|--------|-------| +| Populate new SG- groups with members | Pending | Per-dept when each cuts over to new shares | +| CSC - 
Folder Redirection GPO (all depts) | Pending | Blocked on Phase 3 domain joins. Check OneDrive KFM on each machine before applying. Use GPMC close-and-reopen workaround (see 2026-04-17 session log). | +| `n.castro` — block M365 sign-in | Pending (from 2026-05-18) | `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` | +| `Shontiel.Nunn` old account — disable | Pending (from 2026-05-18) | s.nunn is the correct account | +| `britney.thompson` — disable + harvest M365 license | Pending | Departed 2026-04-22 | +| `Alma.Montt` — AD + cloud-only M365 conflict | Pending | Delete cloud-only account, let Entra Connect sync the AD account | +| `k.flores`, `g.williford`, `m.kariuki` — employment status | On hold | Unconfirmed | +| Phase 3 domain joins | Pending | DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC → OU=Staff PCs | + +--- + +## Reference + +- Prior session log: `clients/cascades-tucson/session-logs/2026-05-19-howard-alma-montt-account-completion.md` +- Folder redirection procedure: `clients/cascades-tucson/session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md` +- AD structure: `clients/cascades-tucson/docs/servers/active-directory.md`
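Review bot: the new `CSC - Folder Redirection (LE)` row in the first hunk records `GrantExclusive=false` but says nothing about what keeps one user's redirected Documents from another on `\\CS-SERVER\homes`. With exclusive rights off, Folder Redirection leaves the target folder's ACL as it finds it, so confidentiality of the redirected data rests entirely on the per-user NTFS permissions on `homes\%USERNAME%`; add that ACL (or a pointer to the share doc where it lives) to the row so the next reader can verify it. In the same table the unchanged `Default Domain Policy` row still reads `7-char min` with status `OK`, while the planned `CSC - Security Baseline` further down sets 12 characters; mark that row as pending replacement rather than `OK` so the weaker setting is not read as accepted.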
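Review bot: item 5 in the second hunk says the domain-wide GPO uses "Same settings as the LE GPO" but lists `Documents + Downloads + Desktop`, while the LE row in the table above covers only `Documents + Downloads`; either drop Desktop or stop calling the settings the same, and say which is intended. Since the new GPO links at `OU=Departments` and the existing one at `OU=Life Enrichment`, Life Enrichment users will receive both Folder Redirection policies once the domain-wide one goes live unless the LE GPO is unlinked; state the intended precedence in this item and add an "unlink LE GPO after verification" step to the pending list. Folder Redirection is a User Configuration setting, so the link only reaches users whose accounts sit under `OU=Departments`; the Phase 3 machines going to `OU=Staff PCs` matter only because the policy cannot apply until users log on from a domain-joined PC, which is worth one sentence here since the item is described as blocked on computer joins.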
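Review bot: in the session log's share list, `Sales` is the only new share without a `Domain Admins (Full)` ACE, and with inheritance broken on `D:\Shares\Sales` that leaves administrators with no explicit access once the folder holds data; confirm whether `phase2-new-shares.ps1` omitted it on purpose and, if not, add it before the Sales cutover. `Server` grants `Domain Users (ReadAndExecute)`, so every domain account can read it; ABE only hides entries a user cannot open and is not an access control, so say what the share is for and whether broad read is intended. Two smaller points: the `-EncodedCommand` pattern adopted under Key Decisions is the same base64-encoded PowerShell that EDR and Sysmon rules flag as obfuscation, so expect alerts on CS-SERVER and record the SHA-256 of the committed script beside each run so the executed payload can be reconciled to the commit; and the pending `n.castro` step (`Update-MgUser ... -AccountEnabled:$false`) blocks new sign-ins but does not invalidate tokens already issued, so pair it with `Revoke-MgUserSignInSession -UserId n.castro@cascadestucson.com`, and if that account is synced by Entra Connect (which the `Alma.Montt` item implies is in place) disable it in AD, since the sync treats AD as authoritative for the enabled state.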