sync: auto-sync from ACG-TECH03L at 2026-04-17 23:51:18

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-17 23:51:18

clients/cascades-tucson/scripts/fix-live-shellfolders.ps1

@@ -0,0 +1,64 @@
+# Live-hive shell-folder repair for a logged-in user whose Documents/Downloads
+# sidebar is showing "this file has no associated app" after a folder-redirection
+# GPO applies only the legacy (Personal) name but not the modern KnownFolder GUID.
+#
+# WHEN TO USE
+#   The Folder Redirection CSE has written the UNC path to `Personal` / etc,
+#   but the matching GUID value ({FDD39AD0-...} for Documents,
+#   {374DE290-...} for Downloads) is still pointing at a local path, so
+#   clicking the sidebar item tries to open the local folder and fails.
+#
+# HOW TO RUN
+#   ScreenConnect Backstage PowerShell. User SHOULD be logged in so the hive
+#   is live. Edit $SID and $UNCBase at the top before running.
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$SID,
+
+    [Parameter(Mandatory = $true)]
+    [string]$UNCBase  # e.g. '\\CS-SERVER\homes\Sharon.Edwards'
+)
+
+$USF = "HKU\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
+$SF  = "HKU\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
+
+Write-Host "=== BEFORE ==="
+reg query "$USF" /v "Personal"                                   2>$null
+reg query "$USF" /v "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"     2>$null
+reg query "$USF" /v "{374DE290-123F-4565-9164-39C4925E467B}"     2>$null
+
+$docsUNC = "$UNCBase\Documents"
+$dlUNC   = "$UNCBase\Downloads"
+
+# Documents - both legacy + GUID so the Explorer sidebar resolves cleanly
+reg add "$USF" /v "Personal" /t REG_EXPAND_SZ /d $docsUNC /f | Out-Null
+reg add "$USF" /v "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}" /t REG_EXPAND_SZ /d $docsUNC /f | Out-Null
+reg add "$SF"  /v "Personal" /t REG_SZ /d $docsUNC /f | Out-Null
+reg add "$SF"  /v "My Documents" /t REG_SZ /d $docsUNC /f | Out-Null
+
+# Downloads - modern GUID is the one the sidebar uses
+reg add "$USF" /v "{374DE290-123F-4565-9164-39C4925E467B}" /t REG_EXPAND_SZ /d $dlUNC /f | Out-Null
+reg add "$SF"  /v "{374DE290-123F-4565-9164-39C4925E467B}" /t REG_SZ /d $dlUNC /f | Out-Null
+
+Write-Host "`n=== AFTER ==="
+reg query "$USF" /v "Personal"
+reg query "$USF" /v "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
+reg query "$USF" /v "{374DE290-123F-4565-9164-39C4925E467B}"
+
+# Respawn Explorer for the logged-in user so the new values are picked up.
+# Look up by SID rather than by username to avoid locale/spelling issues.
+$user = (Get-CimInstance Win32_UserAccount | Where-Object { $_.SID -eq $SID }).Name
+if ($user) {
+    Write-Host "`n=== Restarting Explorer for $user ==="
+    Get-Process explorer -IncludeUserName -ErrorAction SilentlyContinue |
+        Where-Object { $_.UserName -like "*\$user" -or $_.UserName -like "$user" } |
+        ForEach-Object { Write-Host "Killing PID $($_.Id) owner=$($_.UserName)"; Stop-Process -Id $_.Id -Force }
+    Start-Sleep 3
+    Get-Process explorer -IncludeUserName -ErrorAction SilentlyContinue |
+        Where-Object { $_.UserName -like "*\$user" -or $_.UserName -like "$user" } |
+        Select-Object Id, UserName, StartTime | Format-Table -AutoSize
+} else {
+    Write-Host "`n[WARN] Could not resolve SID to a username - user may need to sign out and back in for sidebar to refresh."
+}

clients/cascades-tucson/scripts/hive-cleanup-shellfolders.ps1

@@ -0,0 +1,102 @@
+# Per-user NTUSER.DAT shell-folder cleanup for ProfWiz-migrated Cascades users.
+#
+# WHAT IT DOES
+#   Finds the user's offline NTUSER.DAT, backs it up, loads the hive, and resets
+#   any User Shell Folders values that are poisoned with the SYSTEM-profile path
+#   (C:\Windows\system32\config\systemprofile\...) back to the standard
+#   %USERPROFILE%\<Folder> REG_EXPAND_SZ defaults. Desktop is intentionally NOT
+#   touched — on machines with a working Desktop reg hack, leaving it alone is
+#   the safe default.
+#
+# WHEN TO USE
+#   ProfWiz-migrated user whose Folder Redirection GPO won't apply cleanly,
+#   whose logon hangs at "Welcome," or whose Documents/Downloads sidebar shows
+#   the "this file has no associated app" error. Always verify the hive is
+#   poisoned FIRST by logging in and reading HKCU\...\User Shell Folders.
+#
+# HOW TO RUN
+#   - ScreenConnect Backstage PowerShell (runs as SYSTEM) is the most reliable
+#   - User MUST be logged OFF (hive loads from NTUSER.DAT on disk; can't be
+#     locked by an active session)
+#   - Pass the user's profile path as -ProfilePath, or omit to use the default
+#     C:\Users\<sam>\
+#
+# ROLLBACK
+#   A timestamped backup is written to C:\ProfileBackups\ before any change.
+#   Restore: Copy-Item <backup> <ntuser-path> -Force  (user logged out)
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$ProfilePath,   # e.g. 'C:\Users\Sharon Edwards'
+
+    [string]$BackupDir = 'C:\ProfileBackups',
+
+    [string]$TempHiveName = 'ProfileFix'
+)
+
+$ErrorActionPreference = 'Stop'
+
+$ntuser = Join-Path $ProfilePath 'NTUSER.DAT'
+if (-not (Test-Path $ntuser)) { throw "NTUSER.DAT not found at $ntuser" }
+
+New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
+$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
+$leaf  = Split-Path $ProfilePath -Leaf
+$backup = Join-Path $BackupDir "$leaf-NTUSER.DAT.$stamp.bak"
+Copy-Item $ntuser $backup -Force
+Write-Host "[OK] Backup -> $backup"
+
+if (Test-Path "Registry::HKEY_USERS\$TempHiveName") {
+    reg unload "HKU\$TempHiveName" 2>&1 | Out-Null
+    Start-Sleep 1
+}
+$loadResult = reg load "HKU\$TempHiveName" $ntuser 2>&1
+if ($LASTEXITCODE -ne 0) { throw "reg load failed: $loadResult" }
+Write-Host "[OK] Hive loaded at HKU\$TempHiveName"
+
+try {
+    $USF = "Registry::HKEY_USERS\$TempHiveName\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
+
+    # Known-poisoned value names + their default REG_EXPAND_SZ targets.
+    # Desktop is deliberately omitted — don't clobber working redirections.
+    # Include BOTH the legacy names and the KnownFolder GUID forms so the
+    # Explorer sidebar resolves to the same place.
+    $resets = [ordered]@{
+        'Personal'                                = '%USERPROFILE%\Documents'
+        'My Music'                                = '%USERPROFILE%\Music'
+        'My Pictures'                             = '%USERPROFILE%\Pictures'
+        'My Video'                                = '%USERPROFILE%\Videos'
+        'Favorites'                               = '%USERPROFILE%\Favorites'
+        '{FDD39AD0-238F-46AF-ADB4-6C85480369C7}'  = '%USERPROFILE%\Documents'  # Documents KF
+        '{374DE290-123F-4565-9164-39C4925E467B}'  = '%USERPROFILE%\Downloads'  # Downloads KF
+    }
+
+    # Only touch a value if it's CURRENTLY poisoned (points under systemprofile)
+    # or missing. This keeps working redirections (e.g., UNC paths set by a
+    # functioning CSE) intact.
+    $poisonPrefix = 'C:\Windows\system32\config\systemprofile'
+
+    foreach ($name in $resets.Keys) {
+        $current = (Get-ItemProperty -Path $USF -Name $name -ErrorAction SilentlyContinue).$name
+        $new     = $resets[$name]
+
+        if ($null -eq $current) {
+            New-ItemProperty -Path $USF -Name $name -Value $new -PropertyType ExpandString -Force | Out-Null
+            Write-Host "  [ADDED]   $name = $new"
+        } elseif ($current -like "$poisonPrefix*") {
+            Set-ItemProperty -Path $USF -Name $name -Value $new -Type ExpandString
+            Write-Host "  [CHANGED] $name : '$current' -> '$new' (was poisoned)"
+        } else {
+            Write-Host "  [KEEP]    $name = '$current' (not poisoned, leaving alone)"
+        }
+    }
+} finally {
+    [gc]::Collect()
+    Start-Sleep 2
+    reg unload "HKU\$TempHiveName" 2>&1 | Out-Null
+    Write-Host "[OK] Hive unloaded"
+}
+
+Write-Host "`nBackup: $backup"
+Write-Host "Rollback: Copy-Item '$backup' '$ntuser' -Force  (while user logged out)"