diff --git a/.claude/temp/gpo-script1.ps1 b/.claude/temp/gpo-script1.ps1
new file mode 100644
index 0000000..1ac888c
--- /dev/null
+++ b/.claude/temp/gpo-script1.ps1
@@ -0,0 +1,105 @@
+Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop
+$ErrorActionPreference = 'Continue'
+$domain = 'cascades.local'
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+
+Write-Output "=== 1. AD Account Cleanup ==="
+$toDisable = @(
+ @{ SAM='britney.thompson'; Why='Departed 2026-04-22' }
+ @{ SAM='Richard.Adams'; Why='Driver - no longer gets IT access' }
+ @{ SAM='Julian.Crim'; Why='Driver - no longer gets IT access' }
+ @{ SAM='Christopher.Holick'; Why='Driver - no longer gets IT access' }
+ @{ SAM='Shontiel.Nunn'; Why='Old-format account - s.nunn (Caregivers) is correct' }
+)
+foreach ($a in $toDisable) {
+ try {
+ $u = Get-ADUser -Identity $a.SAM -Properties Enabled -ErrorAction Stop
+ if ($u.Enabled) { Disable-ADAccount -Identity $a.SAM; Write-Output " [OK] Disabled: $($a.SAM) - $($a.Why)" }
+ else { Write-Output " [--] Already disabled: $($a.SAM)" }
+ } catch { Write-Output " [ERROR] $($a.SAM): $_" }
+}
+
+Write-Output ""
+Write-Output "=== 2. CSC - Security Baseline ==="
+if (-not (Get-GPO -Name 'CSC - Security Baseline' -Domain $domain -ErrorAction SilentlyContinue)) {
+ New-GPO -Name 'CSC - Security Baseline' -Domain $domain `
+ -Comment 'Phase 2.6: 12-char password min, lockout 5/30, 15-min screen lock. UNLINKED - link at domain root during Phase 3.' | Out-Null
+ Write-Output " [OK] GPO created"
+} else { Write-Output " [--] Already exists" }
+
+foreach ($kv in @(
+ @{ N='ScreenSaveTimeOut'; V='900' }
+ @{ N='ScreenSaveActive'; V='1' }
+ @{ N='ScreenSaverIsSecure'; V='1' }
+ @{ N='SCRNSAVE.EXE'; V='scrnsave.scr' }
+)) {
+ Set-GPRegistryValue -Name 'CSC - Security Baseline' `
+ -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
+ -ValueName $kv.N -Type String -Value $kv.V | Out-Null
+}
+Write-Output " [OK] Screen saver: 15 min idle, password on resume"
+
+$gpo = Get-GPO -Name 'CSC - Security Baseline' -Domain $domain
+$gpoPath = "$sysvol\{$($gpo.Id.ToString().ToUpper())}"
+$secDir = "$gpoPath\Machine\Microsoft\Windows NT\SecEdit"
+New-Item -Path $secDir -ItemType Directory -Force | Out-Null
+
+$infLines = @(
+ '[Unicode]'
+ 'Unicode=yes'
+ '[System Access]'
+ 'MinimumPasswordLength = 12'
+ 'PasswordComplexity = 1'
+ 'PasswordHistorySize = 24'
+ 'MaximumPasswordAge = 90'
+ 'MinimumPasswordAge = 1'
+ 'LockoutBadCount = 5'
+ 'ResetLockoutCount = 30'
+ 'LockoutDuration = 30'
+ '[Version]'
+ 'signature="$CHICAGO$"'
+ 'Revision=1'
+)
+$inf = $infLines -join "`r`n"
+[System.IO.File]::WriteAllText("$secDir\GptTmpl.inf", $inf, [System.Text.Encoding]::Unicode)
+Write-Output " [OK] GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30"
+
+$iniPath = "$gpoPath\GPT.INI"
+$raw = [System.IO.File]::ReadAllText($iniPath)
+$ver = 0; if ($raw -match '(?m)^Version=(\d+)') { $ver = [int]$Matches[1] }
+$mVer = ($ver -band 0xFFFF) + 1
+$uVer = ($ver -shr 16) -band 0xFFFF
+$newVer = ($uVer -shl 16) -bor $mVer
+$userExt = ''; if ($raw -match '(?m)^gPCUserExtensionNames=([^\r\n]+)') { $userExt = $Matches[1] }
+$newIni = "[General]`r`nVersion=$newVer`r`ngPCMachineExtensionNames=[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]`r`n"
+if ($userExt) { $newIni += "gPCUserExtensionNames=$userExt`r`n" }
+[System.IO.File]::WriteAllText($iniPath, $newIni, [System.Text.Encoding]::ASCII)
+Write-Output " [OK] GPT.INI updated with security extension"
+
+Write-Output ""
+Write-Output "=== 3. CSC - Windows Update ==="
+if (-not (Get-GPO -Name 'CSC - Windows Update' -Domain $domain -ErrorAction SilentlyContinue)) {
+ New-GPO -Name 'CSC - Windows Update' -Domain $domain `
+ -Comment 'Phase 2.6: Auto download, scheduled install Sundays 3 AM, no auto-restart with active sessions. UNLINKED - link at domain root during Phase 3.' | Out-Null
+ Write-Output " [OK] GPO created"
+} else { Write-Output " [--] Already exists" }
+
+$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+foreach ($kv in @(
+ @{ N='NoAutoUpdate'; V=0; T='DWord' }
+ @{ N='AUOptions'; V=4; T='DWord' }
+ @{ N='ScheduledInstallDay'; V=1; T='DWord' }
+ @{ N='ScheduledInstallTime'; V=3; T='DWord' }
+ @{ N='NoAutoRebootWithLoggedOnUsers'; V=1; T='DWord' }
+ @{ N='EnableFeaturedSoftware'; V=0; T='DWord' }
+)) {
+ Set-GPRegistryValue -Name 'CSC - Windows Update' -Key $wuKey `
+ -ValueName $kv.N -Type $kv.T -Value $kv.V | Out-Null
+}
+Write-Output " [OK] Windows Update: auto DL, Sunday 3 AM install, no forced reboot"
+
+Write-Output ""
+Write-Output "=== CSC GPO Status ==="
+Get-GPO -All -Domain $domain | Where-Object { $_.DisplayName -like 'CSC - *' } |
+ Select-Object DisplayName, GpoStatus | Sort-Object DisplayName | Format-Table -AutoSize
diff --git a/.claude/temp/gpo-script2.ps1 b/.claude/temp/gpo-script2.ps1
new file mode 100644
index 0000000..acc4740
--- /dev/null
+++ b/.claude/temp/gpo-script2.ps1
@@ -0,0 +1,134 @@
+Import-Module GroupPolicy -ErrorAction Stop
+$ErrorActionPreference = 'Continue'
+$domain = 'cascades.local'
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+$ts = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
+
+Write-Output "=== 1. CSC - Printer Deployment ==="
+if (-not (Get-GPO -Name 'CSC - Printer Deployment' -Domain $domain -ErrorAction SilentlyContinue)) {
+ New-GPO -Name 'CSC - Printer Deployment' -Domain $domain `
+ -Comment 'Phase 2.6: Deploy CS-SERVER shared printers with OU-based ILT. UNLINKED - link to OU=Workstations at Phase 3 cutover.' | Out-Null
+ Write-Output " [OK] GPO created"
+} else { Write-Output " [--] Already exists" }
+
+$gpo = Get-GPO -Name 'CSC - Printer Deployment' -Domain $domain
+$gpoPath = "$sysvol\{$($gpo.Id.ToString().ToUpper())}"
+$pDir = "$gpoPath\User\Preferences\Printers"
+New-Item -Path $pDir -ItemType Directory -Force | Out-Null
+
+$printers = @(
+ @{ Share='CopyRoom'; OUs=@() }
+ @{ Share='BusinessOffice'; OUs=@('OU=Administrative,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='Accounting'; OUs=@('OU=Administrative,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='AdminOffice'; OUs=@('OU=Administrative,OU=Departments,DC=cascades,DC=local','OU=Resident Services,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='ExecDirector'; OUs=@('OU=Administrative,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='SalesMarketing'; OUs=@('OU=Marketing,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='Kitchen'; OUs=@('OU=Culinary,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='CulinaryChef'; OUs=@('OU=Culinary,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='FrontDesk'; OUs=@('OU=Resident Services,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='HealthServices'; OUs=@('OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local','OU=Care-Memorycare,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='LifeEnrichment'; OUs=@('OU=Life Enrichment,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='MCDirector'; OUs=@('OU=Care-Memorycare,OU=Departments,DC=cascades,DC=local') }
+ @{ Share='MCMedTech'; OUs=@('OU=Caregivers,OU=Departments,DC=cascades,DC=local','OU=Care-Memorycare,OU=Departments,DC=cascades,DC=local') }
+)
+
+$sb = [System.Text.StringBuilder]::new()
+[void]$sb.AppendLine('')
+[void]$sb.AppendLine('')
+foreach ($p in $printers) {
+ $uid = [System.Guid]::NewGuid().ToString().ToUpper()
+ $unc = "\\CS-SERVER\$($p.Share)"
+ [void]$sb.AppendLine(" ")
+ [void]$sb.AppendLine(" ")
+ if ($p.OUs.Count -gt 0) {
+ [void]$sb.AppendLine(" ")
+ $first = $true
+ foreach ($ou in $p.OUs) {
+ $bool = if ($first) { 'AND' } else { 'OR' }
+ [void]$sb.AppendLine(" ")
+ $first = $false
+ }
+ [void]$sb.AppendLine(" ")
+ } else {
+ [void]$sb.AppendLine(" ")
+ }
+ [void]$sb.AppendLine(" ")
+ [void]$sb.AppendLine(" ")
+}
+[void]$sb.AppendLine("")
+[System.IO.File]::WriteAllText("$pDir\Printers.xml", $sb.ToString(), [System.Text.Encoding]::UTF8)
+Write-Output " [OK] Printers.xml written (13 printers with OU-based ILT)"
+
+$iniPath = "$gpoPath\GPT.INI"
+$raw = [System.IO.File]::ReadAllText($iniPath)
+$ver = 0; if ($raw -match '(?m)^Version=(\d+)') { $ver = [int]$Matches[1] }
+$uVer = (($ver -shr 16) -band 0xFFFF) + 1
+$mVer = $ver -band 0xFFFF
+$newVer = ($uVer -shl 16) -bor $mVer
+$machExt = ''; if ($raw -match '(?m)^gPCMachineExtensionNames=([^\r\n]+)') { $machExt = $Matches[1] }
+$ini = "[General]`r`nVersion=$newVer`r`n"
+if ($machExt) { $ini += "gPCMachineExtensionNames=$machExt`r`n" }
+$ini += "gPCUserExtensionNames=[{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]`r`n"
+[System.IO.File]::WriteAllText($iniPath, $ini, [System.Text.Encoding]::ASCII)
+Write-Output " [OK] GPT.INI updated"
+
+Write-Output ""
+Write-Output "=== 2. CSC - Drive Mappings ==="
+if (-not (Get-GPO -Name 'CSC - Drive Mappings' -Domain $domain -ErrorAction SilentlyContinue)) {
+ New-GPO -Name 'CSC - Drive Mappings' -Domain $domain `
+ -Comment 'Phase 2.6: M: S: T: K: R: with group/OU ILT. UNLINKED - link to OU=Departments at Phase 3 cutover.' | Out-Null
+ Write-Output " [OK] GPO created"
+} else { Write-Output " [--] Already exists" }
+
+$gpo = Get-GPO -Name 'CSC - Drive Mappings' -Domain $domain
+$gpoPath = "$sysvol\{$($gpo.Id.ToString().ToUpper())}"
+$dDir = "$gpoPath\User\Preferences\Drives"
+New-Item -Path $dDir -ItemType Directory -Force | Out-Null
+
+$drives = @(
+ @{ Letter='M'; Share='\\CS-SERVER\Management'; Label='Management'; FType='Group'; FVal='CASCADES\SG-Mgmt-RW' }
+ @{ Letter='S'; Share='\\CS-SERVER\Sales'; Label='Sales'; FType='Group'; FVal='CASCADES\SG-Sales-RW' }
+ @{ Letter='T'; Share='\\CS-SERVER\Activities'; Label='Activities'; FType='Group'; FVal='CASCADES\SG-Activities-RW' }
+ @{ Letter='K'; Share='\\CS-SERVER\Culinary'; Label='Culinary'; FType='OU'; FVal='OU=Culinary,OU=Departments,DC=cascades,DC=local' }
+ @{ Letter='R'; Share='\\CS-SERVER\Receptionist'; Label='Receptionist'; FType='OU'; FVal='OU=Resident Services,OU=Departments,DC=cascades,DC=local' }
+)
+
+$sb2 = [System.Text.StringBuilder]::new()
+[void]$sb2.AppendLine('')
+[void]$sb2.AppendLine('')
+foreach ($d in $drives) {
+ $uid = [System.Guid]::NewGuid().ToString().ToUpper()
+ [void]$sb2.AppendLine(" ")
+ [void]$sb2.AppendLine(" ")
+ [void]$sb2.AppendLine(" ")
+ if ($d.FType -eq 'Group') {
+ [void]$sb2.AppendLine(" ")
+ } else {
+ [void]$sb2.AppendLine(" ")
+ }
+ [void]$sb2.AppendLine(" ")
+ [void]$sb2.AppendLine(" ")
+ [void]$sb2.AppendLine(" ")
+}
+[void]$sb2.AppendLine("")
+[System.IO.File]::WriteAllText("$dDir\Drives.xml", $sb2.ToString(), [System.Text.Encoding]::UTF8)
+Write-Output " [OK] Drives.xml written (M: S: T: K: R: with group/OU ILT)"
+
+$iniPath = "$gpoPath\GPT.INI"
+$raw = [System.IO.File]::ReadAllText($iniPath)
+$ver = 0; if ($raw -match '(?m)^Version=(\d+)') { $ver = [int]$Matches[1] }
+$uVer = (($ver -shr 16) -band 0xFFFF) + 1
+$mVer = $ver -band 0xFFFF
+$newVer = ($uVer -shl 16) -bor $mVer
+$machExt = ''; if ($raw -match '(?m)^gPCMachineExtensionNames=([^\r\n]+)') { $machExt = $Matches[1] }
+$ini = "[General]`r`nVersion=$newVer`r`n"
+if ($machExt) { $ini += "gPCMachineExtensionNames=$machExt`r`n" }
+$ini += "gPCUserExtensionNames=[{5794DAFD-BE60-433f-88A2-1A31939AC01F}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]`r`n"
+[System.IO.File]::WriteAllText($iniPath, $ini, [System.Text.Encoding]::ASCII)
+Write-Output " [OK] GPT.INI updated"
+
+Write-Output ""
+Write-Output "=== All CSC GPOs ==="
+Get-GPO -All -Domain $domain | Where-Object { $_.DisplayName -like 'CSC - *' } |
+ Select-Object DisplayName, GpoStatus | Sort-Object DisplayName | Format-Table -AutoSize
diff --git a/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
index f4637be..a08c453 100644
--- a/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
+++ b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
@@ -187,6 +187,31 @@ After first successful join — link GPOs per phase3-domain-join.md step 5c.
| Item | Priority | Notes |
|------|----------|-------|
| ~~britney.thompson M365 offboarding~~ | ~~Done~~ | Sign-in blocked, license removed, litigation hold applied (sysadmin@ via admin center 2026-05-20) |
+
+---
+
+## Update: 14:53 PT — britney.thompson M365 offboarding + next session scope
+
+### britney.thompson M365 Offboarding (Complete)
+
+Attempted Graph API via device code flow. The well-known PowerShell client ID (`1950a258-227b-4e31-a9cf-717495945fc2`) is blocked in the tenant (AADSTS65002 — preauthorization required). No Graph-capable modules installed on HOWARD-HOME (Microsoft.Graph, MSOnline, AzureAD all absent). No Azure CLI.
+
+Howard logged into admin.microsoft.com as `sysadmin@cascadestucson.com` and completed offboarding manually:
+- Sign-in blocked in M365
+- License removed (returned to pool)
+- Litigation hold applied on mailbox
+
+AD account was disabled earlier in this session (see main log above). Offboarding is fully complete.
+
+### Next Session — Accounting Office Folder Redirection
+
+Planned work for next session:
+- Machines in the accounting office (Room 103 area): ACCT2-PC (already domain-joined), plus any others in that area
+- Folder redirection for accounting staff: Documents, Downloads, Desktop → `\\CS-SERVER\homes\%USERNAME%\`
+- **Key difference from LE GPO:** GrantExclusive=true — removes inherited permissions, grants the user exclusive access (plus Domain Admins). No other domain users can browse sibling folders.
+- Linked to OU=Administrative (or a sub-scope if only accounting staff targeted)
+- Sales department folder redirection possibly follows same session if accounting goes cleanly
+- Pre-check required: OneDrive KFM status on each accounting PC before applying GPO (see 2026-04-17 session log for procedure)
| Phase 3 domain joins | High | Block on MDIRECTOR-PC needing Win10 Pro upgrade |
| krbtgt password rotation | Medium | 569+ days old — deferred |
| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |