sync: auto-sync from HOWARD-HOME at 2026-06-09 17:08:26

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-09 17:08:26

clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-accounting-scan-folder.md

@@ -0,0 +1,125 @@
+# Cascades of Tucson — Session Log 2026-06-09 — Accounting scan-to-folder build
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** Howard-Home
+- **Role:** tech
+
+## Session Summary
+
+Set up a scan-to-folder destination for the Cascades accounting team so the Business Office
+Brother MFC-L8900CDW (10.0.20.220) can scan documents to a network folder that Lauren Hasselman
+and Chris Knight (and, added mid-session, Zachary Nelson) can access. (Continuation of the same
+session that earlier reconciled crashed-session billing — see
+`2026-06-09-howard-cascades-billing-recovery-wiki.md`.)
+
+Started with read-only discovery on CS-SERVER via GuruRMM. The 2026-03-20 audit was stale; the
+live share set is much larger. Found there is no plain "Accounting" file share — the only
+accounting file folder is `Company Web Docs\Accounting` buried under the Synology-Drive-synced
+`D:\Shares\Main` tree, with a wide-open `Everyone:FullControl` ACL. Confirmed `10.0.20.220` is the
+Business Office Brother and that `lauren.hasselman` + `chris.knight` are real AD users. Per Howard's
+choices (dedicated clean share, lock to the named users, dedicated scan service account), built a
+fresh structure rather than reusing the Synology-synced folder.
+
+Created the service account `svc-scan` (CN=Users, PasswordNeverExpires, CannotChangePassword),
+vaulted its password, then created `D:\Shares\Accounting` with inheritance broken and locked to
+Lauren/Chris (Modify), and `D:\Shares\Accounting\Scans` adding svc-scan (Modify, writer only). Hit
+a name collision: a pre-existing *printer* share named `Accounting` (Canon MF455DW) meant the file
+share didn't create and my grants/Everyone-revoke landed on the printer share. Restored the printer
+share (re-added Everyone:Read) and created the file share under the non-colliding name `AcctDept`.
+Added Zachary Nelson to NTFS + share when Howard asked. Verified svc-scan can SMB-write to
+`\\192.168.2.254\AcctDept\Scans` from ACCT2-PC (a VLAN-20 host, proxy for the printer).
+
+Key network finding: CS-SERVER (192.168.2.254, main LAN) cannot reach the VLAN-20 printers —
+pfSense blocks main→VLAN20 (80/443/445 all fail to 10.0.20.220). So the Brother WBM must be
+configured from a VLAN-20 PC or onsite; the reverse path (printer→CS-SERVER:445) is open, which is
+all scanning needs. Gave Howard the exact Brother Scan-to-Network profile values (NTLMv2,
+`cascades\svc-scan`, path `\\192.168.2.254\AcctDept\Scans`); Howard configured it and **a test scan
+succeeded**. Finally mapped the `\\cs-server\AcctDept` share as persistent per-user drives via RMM
+user_session: Lauren got X: (Y: was in use on her box), Zachary got Y: (matching Chris's manual Y:).
+Howard set the standing rule that all future Cascades scanner→folder setups reuse `svc-scan`.
+
+## Key Decisions
+
+- **Dedicated clean share over the existing accounting folder.** The real accounting folder
+  (`Main\Company Web Docs\Accounting`) is Everyone:Full and sits in the Synology-Drive-synced tree
+  (scans would replicate to the NAS). Built `D:\Shares\Accounting` fresh with a scoped ACL instead.
+- **Dedicated `svc-scan` service account** (not a reused user credential) for the printer's stored
+  SMB auth — least-privilege, vaulted, low blast radius. Howard then made it the standard for ALL
+  future Cascades scan-to-folder setups (memory: `feedback_cascades_scan_account.md`).
+- **File share named `AcctDept`, not `Accounting`** — a printer share already owns "Accounting".
+- **svc-scan granted on the `Scans` subfolder only** (not the parent Accounting), relying on default
+  bypass-traverse so it can reach/write the dropbox without being able to read accounting documents.
+- **NTLMv2 (not Auto/Kerberos) in the Brother profile** — the printer can't reach a KDC cleanly
+  across the VLAN with explicit credentials.
+- **Persistent drive maps via RMM user_session** (per logged-in user) rather than GPP — only two
+  users, both logged in; X:/Y: per free-letter availability.
+
+## Problems Encountered
+
+- **Share name collision with a printer share.** `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess`
+  silently operated on the existing `Accounting` Canon MF455DW printer share — the file share never
+  got created and I added stray grants + revoked Everyone on the printer share. Resolved by removing
+  my grants, re-adding `Everyone:Read` to the printer share, and creating the file share as `AcctDept`.
+- **CS-SERVER cannot reach VLAN-20 printers** (pfSense main→VLAN20 block) — can't configure the
+  Brother WBM from the server. Resolved by validating from / directing config to a VLAN-20 host
+  (ACCT2-PC); confirmed the needed direction (printer→server:445) is open.
+- **UNC backslash mangling in dispatched scripts** (`\\` collapsed to `\`, paths like `C:\192.168...`).
+  Resolved by building all UNC/path/identity strings from `[char]92` on the server side (per the
+  known transport quirk) and using mapped drive letters for write tests.
+- **PSDrive UNC root tripled the path** on a write test — switched to `net use` + drive letter.
+
+## Configuration Changes
+
+- **CS-SERVER (cascades.local), via GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`:**
+  - New AD user `svc-scan` (CN=Users; PasswordNeverExpires, CannotChangePassword; Description points to vault).
+  - New folders `D:\Shares\Accounting` and `D:\Shares\Accounting\Scans`.
+  - NTFS `D:\Shares\Accounting`: inheritance disabled; SYSTEM + BUILTIN\Administrators = FullControl;
+    `CASCADES\lauren.hasselman`, `CASCADES\chris.knight`, `CASCADES\zachary.nelson` = Modify. No Everyone.
+  - NTFS `D:\Shares\Accounting\Scans`: inherits the above + explicit `CASCADES\svc-scan` = Modify.
+  - New SMB share `AcctDept` → `D:\Shares\Accounting` (Change: lauren/chris/zachary/svc-scan; Full: Admins).
+  - Removed the earlier interim share+folder `AcctScans` (replaced by the AcctDept structure).
+  - Restored the `Accounting` (Canon MF455DW) printer share — removed my stray grants, re-added Everyone:Read.
+- **DESKTOP-H6QHRR7 (Lauren):** persistent map `X: → \\cs-server\AcctDept` (user_session). Earlier also a Public Desktop shortcut "Accounting Scans" → `\\CS-SERVER\AcctDept\Scans`.
+- **ACCT2-PC (Zachary):** persistent map `Y: → \\cs-server\AcctDept` (user_session).
+- **DESKTOP-N5G1ROO (Chris):** Y: mapped by Howard manually (not by this session). Public Desktop shortcut pushed earlier.
+- **Brother MFC-L8900CDW @ 10.0.20.220:** Scan-to-Network profile created by Howard (see below). Test scan confirmed.
+- **Repo:** wiki updated (`wiki/clients/cascades-tucson.md` — Access vault pointer, new "File Shares & Scan-to-Folder" Patterns subsection incl. the svc-scan reuse rule, 2026-06-09 history row). Memory: `feedback_cascades_scan_account.md` + MEMORY.md index line. This session log.
+
+## Credentials & Secrets
+
+- **`svc-scan` / `aPqzfE3Sknm2ZbMwccPHAa9#`** — AD service account, cascades.local, on CS-SERVER.
+  Vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). Brother SMB auth
+  username `cascades\svc-scan`. PasswordNeverExpires, CannotChangePassword.
+
+## Infrastructure & Servers
+
+- **CS-SERVER:** 192.168.2.254 (main LAN). Live RMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`.
+  Share root `D:\Shares`. New: `D:\Shares\Accounting{,\Scans}`, share `\\CS-SERVER\AcctDept`.
+- **Brother MFC-L8900CDW (Business Office):** 10.0.20.220 (VLAN 20). WBM `http://10.0.20.220`.
+  Profile → Network Folder Path `\\192.168.2.254\AcctDept\Scans`, Auth NTLMv2, user `cascades\svc-scan`, PDF Multi-Page.
+- **ACCT2-PC:** 10.0.20.209 (VLAN 20, Zachary). RMM agent `da48bfbb-6b00-4bc5-bf03-0a3753362968`. Reaches printer WBM + CS-SERVER:445.
+- **Network:** pfSense blocks main-LAN (192.168.2.x) → VLAN 20 (10.0.20.x); CS-SERVER→10.0.20.220:80/443/445 all fail. Printer→CS-SERVER:445 open.
+- **Pre-existing collision:** SMB printer share `Accounting` = "Accounting - Canon MF455DW" (LocalsplOnly).
+
+## Commands & Outputs
+
+- svc-scan write test (from ACCT2-PC): mapped `\\192.168.2.254\AcctDept\Scans`, wrote+removed a file, owner returned `CASCADES\svc-scan` → OK.
+- Drive maps (user_session, /persistent:yes): Lauren `net use X: \\cs-server\AcctDept`; Zachary `net use Y: \\cs-server\AcctDept` — both "command completed successfully."
+- Free-letter logic: `(@("Y","X","W"...) | Where-Object { $inUse -notcontains $_ })[0]` from `Win32_LogicalDisk` DeviceIDs.
+- RMM/SMB transport: build UNC + `domain\user` from `[char]92` to survive the JSON/PowerShell backslash collapse.
+
+## Pending / Incomplete Tasks
+
+- **ASSISTNURSE-PC 1.0h onsite billing on #32303** — still paused at preview from earlier today (awaiting Howard's go).
+- Optional: force all three accounting drive maps to a single consistent letter (currently Chris Y:, Zachary Y:, Lauren X:).
+- Optional: lock down the legacy `Main\Company Web Docs\Accounting` Everyone:Full folder (HIPAA) — separate cleanup, not done.
+- The `AcctScans` Public Desktop shortcut on Lauren/Chris points at `\Scans`; the mapped drive points at the `AcctDept` root — both valid, just noting the dual entry points.
+
+## Reference Information
+
+- Share: `\\CS-SERVER\AcctDept` → `D:\Shares\Accounting`; scan dropbox subfolder `\Scans`.
+- Printer scan target: `\\192.168.2.254\AcctDept\Scans` (use IP, not hostname — VLAN-20 DNS).
+- Vault: `clients/cascades-tucson/svc-scan.sops.yaml`.
+- Standing rule: reuse `svc-scan` for all future Cascades scanner→folder setups (`feedback_cascades_scan_account.md`).
+- Agents: CS-SERVER `c39f1de7...`, ACCT2-PC `da48bfbb...`, DESKTOP-H6QHRR7 `633458f6...`, DESKTOP-N5G1ROO `205025ee...`.