sync: auto-sync from HOWARD-HOME at 2026-06-30 11:27:16
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 11:27:16
@@ -28,21 +28,21 @@

### `SG-Management-RW` → `\\CS-SERVER\Management`
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Allison Reibschied, Megan Hiatt,
Crystal Rodriguez, Veronica Feller, Shelby Trozzi, Christina DuPras · ~~Tamra Matthews~~ *(leaving)*
Crystal Rodriguez, Veronica Feller, Shelby Trozzi, Christina DuPras · ~~Tamra Matthews~~ *(OFFBOARDED 2026-06-30)*
**RO (read-only):** Lois Lane, Christine Nyanzunda **[OPEN]**, Susan Hicks **[OPEN]**, John Trozzi, Lupe Sanchez **[OPEN]**
> No `SG-Management-RO` group exists — RO members need either a new RO group or a direct NTFS read ACL. **Decision needed.**

### `SG-Sales-RW` → `\\CS-SERVER\Sales` / `SalesDept`
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)*
**RW:** Meredith Kuhn, Ashley Jensen, Lauren Hasselman, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(OFFBOARDED 2026-06-30)*
**RO (`SG-Sales-RO`):** Shelby Trozzi
> **Two shares exist — `Sales` and `SalesDept`.** SalesDept holds the real history (2014–2026 reports, marketing). Confirm which the group maps to (or both), and what `Sales` is for.

### `SG-ALdocs-RW` → `\\CS-SERVER\ALdocs` *(share + group NOT created yet)*
**RW:** Lois Lane, Karen Rossini, Meredith Kuhn, Ashley Jensen, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(leaving)*
**RW:** Lois Lane, Karen Rossini, Meredith Kuhn, Ashley Jensen, Megan Hiatt, Crystal Rodriguez · ~~Tamra Matthews~~ *(OFFBOARDED 2026-06-30)*
> Must create the share + `SG-ALdocs-RW` group before assigning. Nurses (Lois/Karen) + Exec tier + Sales team.

### `SG-WebDocs-RW` → `\\CS-SERVER\WebDocs` *(share + group NOT created yet)*
**RW:** Megan Hiatt, Crystal Rodriguez, Meredith Kuhn, Ashley Jensen · ~~Tamra Matthews~~ *(leaving)*
**RW:** Megan Hiatt, Crystal Rodriguez, Meredith Kuhn, Ashley Jensen · ~~Tamra Matthews~~ *(OFFBOARDED 2026-06-30)*
> Must create the share + `SG-WebDocs-RW` group. Distinct from the retired DSM `web` station.

### `SG-Server-RW` → `\\CS-SERVER\Server`

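Review bot: the `SG-Management-RW` block still ends in `**Decision needed.**` on the read-only question, and of the two options it offers, the per-user "direct NTFS read ACL" is the one to reject: `SG-Sales-RO` already exists one section down (`**RO (`SG-Sales-RO`):** Shelby Trozzi`), so an `SG-Management-RO` group keeps the RO members (three of them still `[OPEN]`) in this roster where they can be reviewed, whereas user ACEs placed directly on `\\CS-SERVER\Management` drift and are invisible here. Second, this hunk only swaps `*(leaving)*` for `*(OFFBOARDED 2026-06-30)*`; since `SG-ALdocs-RW` and `SG-WebDocs-RW` are both marked `NOT created yet`, add one sentence that the struck-through `Tamra Matthews` is to be omitted when those groups are created, because a struck name in a proposed roster is easy to carry into the membership batch.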
43
clients/cascades-tucson/docs/printer-gpo-map.md
Normal file
@@ -0,0 +1,43 @@
# Cascades — Printer / VLAN 20 Migration Map (GPO planning)

Living reference for the printer migration onto Staff VLAN 20 (10.0.20.0/24) and the
eventual **printer GPO** build. Update as machines/printers migrate. Started 2026-06-30 (Howard).

## How the GPO needs to be built (two layers)

1. **Point-and-Print policy (computer GPO, fleet-wide)** — REQUIRED prerequisite or any
GPO-pushed printer fails (PrintService event 513 / error 0xBCB) for standard users.
Set on `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`:
`RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`:
`Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0,`
`NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2` (scopes silent driver install
to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO
works. Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO.
2. **Printer deployment** — GPP Printers / Deployed Printers mapping `\\CS-SERVER\<share>`
to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` likely still
points at OLD share names — repoint. `CSC - Printer Deployment` is disabled/empty (do not use).

**Driver trap:** Canon MF741/743 are **UFR II only** — PCL6 produces Error #822 (spools, never
prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250` (INF cnlb0ma64.inf).

## Printer / machine map

| Printer (share / name) | Model | IP (VLAN20) | Driver | Machine | User(s) | Domain? | Status / GPO action |
|---|---|---|---|---|---|---|---|
| `\\CS-SERVER\FrontDesk` | Epson ET-5800 | 10.0.20.221 | EPSON ET-5800 Series | RECEPTIONIST-PC (frontdesk box, S/N MJ0KQHNP) | frontdesk | Domain (cascades.local) | DONE — share repointed, mapped, default. Add to GPO. |
| `\\CS-SERVER\LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | Canon Generic Plus UFR II V250 | DESKTOP-DLTAGOI; DESKTOP-ROK7VNM | sharon.edwards; susan.hicks | Domain | DONE — UFR II driver fixed, mapped (not default). **Repoint `CSC - Life Enrichment Printers` GPO from old `1F-132-RecRoom-Canon` to `LifeEnrichment`.** |
| Dining Room Manager - Canon MF743CDW | Canon MF743CDW (MF741C/743C) | 10.0.20.228 | Canon Generic Plus UFR II V250 | DESKTOP-MD6UQI3 | dining manager (Alyssa) | **WORKGROUP — not domain-joined yet** | DONE as direct-IP (local) printer, default. **TODO: when DESKTOP-MD6UQI3 is domain-joined, add this printer to the GPO and map it to Alyssa's domain account.** |
| Chef Office - Brother MFC-9330CDW | Brother MFC-9330CDW | 10.0.20.236 | Brother MFC-9330CDW Printer | CHEF-PC | chef (all users) | **WORKGROUP — not domain-joined** | DONE as direct-IP (machine-wide / all users), default. **TODO: add to GPO + map to chef's domain account once CHEF-PC is domain-joined.** This is the Chef's printer in the Chef's office (distinct from the kitchen printer with the chefs). |
| Memory Care Front Desk - Epson ET-5800 (`\\CS-SERVER\MCReception`) | Epson ET-5800 | 10.0.20.78 | EPSON ET-5800 Series | MEMRECEPT-PC | memfrtdesk (+ other MemCare front-desk staff) | **WORKGROUP — not domain-joined** | Already shared on CS-SERVER as `MCReception`. Machine currently has the Epson via OLD vendor/WSD ports (`EP833571:ET-5800 SERIES` + WSD), NOT the static .78 — needs direct-IP to 10.0.20.78. **Mark for GPO: MemCare front-desk users (mostly the memfrtdesk machine). TODO: add to GPO + map to domain accounts once domain-joined.** |
| Memory Care MedTech - Brother MFC-L8900CDW (`\\CS-SERVER\MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → **rename to MEMCARE-***); DESKTOP-LPOPV30 | memory care; karen rossini | **WORKGROUP** | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. **TODO: GPO + domain accounts once joined.** |
| `\\CS-SERVER\Kitchen` | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | — | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. |

## Machine rename TODO

- **RECEPTIONIST-PC** (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. **Rename to a unique `MEMCARE-*` name** (pending Howard's chosen name + reboot). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk.

## Notes

- Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC) get **direct-IP local printers** for now
(no domain auth / no point-and-print needed). Once domain-joined, switch them to the
GPO-deployed `\\CS-SERVER\<share>` model and map to the domain account.
- Detailed how-to + pfSense routing fix: `.claude/memory/project_cascades_vlan20_migration_routing.md`
and session log `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`.
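Review bot: layer 1 states the registry values but not the trust boundary they create, and that is the thing a future reader of this map needs: with `RestrictDriverInstallationToAdministrators=0`, `NoWarningNoElevationOnInstall=1` and `UpdatePromptSettings=2`, whatever driver package the host in `ServerList=CS-SERVER` offers is installed on every targeted workstation with no prompt and no elevation, so the driver store on CS-SERVER, and anyone who can write to it, is what every client trusts. Say so next to "(scopes silent driver install to CS-SERVER only)", keep `ServerList` to that single host and `InForest=0` so other in-forest print servers are not trusted implicitly, and scope the "computer GPO, fleet-wide" item to the OUs that actually use these printers. The two manual edits ("Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO") should be marked as to be overwritten by that GPO so they are not later mistaken for an exception. Separately, the `**Driver trap**` paragraph says every MF741/743 share MUST use `Canon Generic Plus UFR II V250`, yet the `\\CS-SERVER\Kitchen` row (an MF743CDW) leaves Driver as `(verify)`; fill it in or flag it as a PCL6 risk so the GPO build does not deploy the wrong INF to it.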
@@ -0,0 +1,66 @@
# Offboarding Record — Tamra Matthews

**Date:** 2026-06-30 · **Performed by:** Howard Enos (ClaudeTools session) · **Authorized by:** Howard Enos
**Separation type:** Voluntary (left Cascades, June 2026) · **Role:** Move-In Coordinator (Marketing / Sales)
**Runbook:** `docs/security/termination-procedures.md`

## Identities handled
- **M365 (cloud-only):** `tamra.matthews@cascadestucson.com` — id `2d9cf0d1-2b0b-424e-9cd1-91eaac408837`
(`onPremisesSyncEnabled=null` — cloud-mastered object, NOT Entra-synced)
- **On-prem AD:** `Tamra.Matthews` (was `OU=Marketing,OU=Departments,DC=cascades,DC=local` — separate
object, NOT Entra-synced; renamed from Tamra.Johnson 2026-04-13)
- **ALIS:** Not handled this session — Move-In Coordinator role; confirm/disable ALIS staff profile if
she had clinical/ALIS access (open follow-up below).

## Actions completed (M365)
| # | Action | Result |
|---|---|---|
| 1 | Revoke active sign-in sessions | HTTP 200 |
| 2 | Block sign-in (`accountEnabled=false`) | confirmed false |
| 3 | Reset password (random, vaulted) | OK — no elevation needed (holds no admin role, **no PAA stranding**) |
| 4 | Convert mailbox → **SharedMailbox** | confirmed (`RecipientTypeDetails=SharedMailbox`) |
| 5 | Grant **FullAccess** to Crystal Rodriguez, Megan Hiatt, Meredith Kuhn, Ashley Jensen | all 4 confirmed FullAccess |
| 6 | Hide from GAL (`HiddenFromAddressListsEnabled=true`) | confirmed |
| 7 | Remove **O365 Business Standard** license (`f245ecc8…`) | confirmed 0 licenses — **frees 1 seat** |
| 8 | Remove from groups `Sales`, `All Cascades`, `SG-SSPR-Eligible` | HTTP 204 ×3 |

### AutoMapping caveat (delegate auto-attach)
- **Crystal Rodriguez + Ashley Jensen** — added with `AutoMapping:$true`; the shared mailbox
**auto-attaches** in their Outlook.
- **Megan Hiatt + Meredith Kuhn** — `AutoMapping:$true` would not persist via the ComputerGuru
Exchange Operator app: the cmdlet echoed success but the grant rolled back (a failed
`msExchDelegateListLink` write aborts the whole `Add-MailboxPermission` transaction). Re-added with
`AutoMapping:$false`, which **persisted**. They have full access but the box does **not**
auto-attach — one-time manual add in Outlook (File → Open & Export → Other User's Folder, or add
`tamra.matthews@cascadestucson.com` as an additional mailbox), **or** flip auto-mapping from an
interactive EXO PowerShell session later (`Add-MailboxPermission … -AutoMapping $true`).

## Actions completed (on-prem AD, CS-SERVER)
- `Set-ADAccountPassword -Reset` (random, vaulted)
- `Disable-ADAccount Tamra.Matthews` → Enabled=False
- Group memberships: already 0 (no explicit groups) — nothing to strip
- `Move-ADObject` → `CN=Tamra Matthews,OU=Excluded-From-Sync,DC=cascades,DC=local`

## Retention / compliance
- **No Litigation Hold applied.** Decision (Howard, 2026-06-30): although Move-In Coordinator is a
resident-intake / PHI-adjacent role, Howard authorized the same posture as the Alma Montt
offboarding — **shared-mailbox conversion + zero-deletion** (no mailbox deleted), license removed to
free the seat. Mailbox is preserved under default MRM retention; revisit if her PHI-access
determination or a legal hold changes. Litigation Hold remains available later (tenant has Business
Premium / Exchange Plan 2) if the determination changes.
- Passwords stored for emergency recovery/audit only: vault `clients/cascades-tucson/tamra-matthews`
(`m365_password`, `ad_password`). **Do NOT re-enable without authorization.**

## Open follow-ups
- [ ] **ALIS staff profile** — confirm whether Tamra had ALIS access; if so, disable the staff record
(audit record stays). Her M365 SSO tie is already severed by the sign-in block.
- [ ] **AutoMapping for Megan Hiatt + Meredith Kuhn** — either they add the shared mailbox manually,
or flip `-AutoMapping $true` from an interactive EXO session (the app-based REST path won't
persist it for these two). Crystal + Ashley already auto-attach.
- [ ] **Reconcile** Tamra out of forward-looking plans/rosters. Share roster
`docs/migration/share-group-roster-proposed-2026-06-25.md` already shows her struck-through
*(leaving)*; `docs/servers/active-directory.md` OU=Marketing row updated to disabled +
Excluded-From-Sync. April/May questionnaires, CSVs, and the staff roster
`reports/cascades-staff-2026-04-22.csv` left as historical record.
- [ ] **Note (separate):** Megan Hiatt's M365 account carries a `CREDENTIAL_STUFFING_ACTIVE` flag in
the April tenant inventory — unrelated to this offboarding, but worth a breach check.
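Review bot: action 5 grants FullAccess on the converted mailbox to Megan Hiatt while the last follow-up records that her M365 account carries a `CREDENTIAL_STUFFING_ACTIVE` flag from the April inventory; that is not "unrelated to this offboarding" once she is a delegate on a PHI-adjacent mailbox with no hold, so close the breach check on her account (and log the result here) before leaving the grant in place. The M365 table also has no row for the rest of the post-disable sweep that `docs/security/termination-procedures.md` would be expected to cover: registered MFA/authentication methods and registered devices cleared, inbox rules and any forwarding on the mailbox removed, and OAuth app consents revoked; either add those as rows with results or state explicitly that the runbook steps were checked. Under `Retention / compliance`, "Litigation Hold remains available later" needs the caveat that the hold cannot be placed while the mailbox sits at 0 licenses (action 7); an Exchange Plan 2 license would have to be assigned back to it first.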
@@ -75,7 +75,7 @@
|---------------|------|----------|-------|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |
| ~~Tamra.Matthews~~ | ~~Tamra Matthews~~ | ~~Move-In Coordinator~~ | **OFFBOARDED 2026-06-30** — disabled, moved to `OU=Excluded-From-Sync`. See `docs/security/offboarding-2026-06-30-tamra-matthews.md` |

**OU=Resident Services**
| SamAccountName | Name | Position | Notes |

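Review bot: the replacement row drops `Renamed from Tamra.Johnson (2026-04-13)` from the Notes column, so this table no longer records that the `Tamra.Matthews` SamAccountName was `Tamra.Johnson` until April; keep the rename note next to `**OFFBOARDED 2026-06-30**` rather than leaving it only in the offboarding record, since anyone matching old event logs, file ownership or ACL entries against this table needs the old name to resolve to the disabled object.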