azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-05-20 14:53:36

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 14:53:36
This commit is contained in:
Howard Enos
2026-05-20 14:53:38 -07:00
parent 35d3a39242
commit 4c94254477
3 changed files with 264 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
View File

@@ -187,6 +187,31 @@ After first successful join — link GPOs per phase3-domain-join.md step 5c.
| Item | Priority | Notes |
|------|----------|-------|
| ~~britney.thompson M365 offboarding~~ | ~~Done~~ | Sign-in blocked, license removed, litigation hold applied (sysadmin@ via admin center 2026-05-20) |
---
## Update: 14:53 PT — britney.thompson M365 offboarding + next session scope
### britney.thompson M365 Offboarding (Complete)
Attempted Graph API via device code flow. The well-known PowerShell client ID (`1950a258-227b-4e31-a9cf-717495945fc2`) is blocked in the tenant (AADSTS65002 — preauthorization required). No Graph-capable modules installed on HOWARD-HOME (Microsoft.Graph, MSOnline, AzureAD all absent). No Azure CLI.
Howard logged into admin.microsoft.com as `sysadmin@cascadestucson.com` and completed offboarding manually:
- Sign-in blocked in M365
- License removed (returned to pool)
- Litigation hold applied on mailbox
AD account was disabled earlier in this session (see main log above). Offboarding is fully complete.
### Next Session — Accounting Office Folder Redirection
Planned work for next session:
- Machines in the accounting office (Room 103 area): ACCT2-PC (already domain-joined), plus any others in that area
- Folder redirection for accounting staff: Documents, Downloads, Desktop → `\\CS-SERVER\homes\%USERNAME%\`
- **Key difference from LE GPO:** GrantExclusive=true — removes inherited permissions, grants the user exclusive access (plus Domain Admins). No other domain users can browse sibling folders.
- Linked to OU=Administrative (or a sub-scope if only accounting staff targeted)
- Sales department folder redirection possibly follows same session if accounting goes cleanly
- Pre-check required: OneDrive KFM status on each accounting PC before applying GPO (see 2026-04-17 session log for procedure)
| Phase 3 domain joins | High | Block on MDIRECTOR-PC needing Win10 Pro upgrade |
| krbtgt password rotation | Medium | 569+ days old — deferred |
| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |