azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cascades: LE folder redirection end-to-end + share access review doc

Browse Source 
Major work from 2026-04-23:

Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
  Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
  (Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
  FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
  Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
  wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
  local content to \CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
  Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
  verified via live SMB session + content access.

Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
  short block per employee (department + position + folders they can access).
  All settled decisions from today's calls captured (Sandra Fish = Meredith-
  only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
  Veronica = Meredith tier, CasAdmin201 retired, pacs empty).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Howard Enos
2026-04-23 20:07:59 -07:00
parent b6d00207ff
commit 6ec260c023
2 changed files with 466 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

330
clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md Normal file
View File

@@ -0,0 +1,330 @@
# Share Access Review — Cascades of Tucson
**Prepared:** 2026-04-23 (Howard) · **For review by:** John Trozzi / Meredith Kuhn
**What you're looking at:** every current employee, their department + position, and which shared folders they should have access to on the new CS-SERVER setup. Please read through and confirm each person is (a) in the right department/position, and (b) has the right folder access. Flag anything wrong.
**No changes have been made yet.** This is the review draft. Once you sign off, we apply it to AD and the share permissions on CS-SERVER.
---
## Reading the list
- **Access: X, Y, Z** means read + write on those folders.
- **Read-only: X** means they can open files but not save/delete.
- **Everyone** gets the `Public` share (company-wide scratch space) and their own personal `home` folder. Those aren't repeated per person below.
- **IT**, **Culinary**, **Sandra Fish Archive**, **Clinical (pacs)**, and **Life Enrichment (Activities)** are special-access — only the people listed get in.
- The old `chat` folder is being retired — company chat is moving to **Teams**.
## Folders at a glance
| Folder | What's in it |
|---|---|
| **Management** | Office/admin docs, budgets, HR-adjacent files |
| **Sales** | Sales and move-in coordination docs (resident intake) |
| **ALdocs** | Assisted Living documentation (clinical/operational) — **new share, CS-SERVER only** |
| **WebDocs** | Web / marketing / sales-collateral docs — **new share, CS-SERVER only** (distinct from retired DSM `web` share) |
| **Server** | IT/vendor docs, server config, maintenance records |
| **Directory** | Resident directory (phone, room, emergency contact) — most staff need read |
| **Receptionist** | Dump folder for scans from the copy room — **Tower front desk only**. Front-desk staff pull the scans from here, process them, and delete as they go. Drive is **mapped by machine + user** via GPO / logon script: it appears only on Tower reception PC(s) and only for users who are in the Tower reception role group. MC receptionist PC does not get this mapped. |
| **Culinary** | Menus, kitchen ordering, dining room operations |
| **Life Enrichment** | Activity calendars, program docs — **new share, CS-SERVER only**. LE machines currently have no mapped drives, so this will be the first file-share those stations connect to. |
| **Clinical (PHI)** | Medical imaging / clinical records. **Howard verified 2026-04-23: the Synology `pacs` folder is empty** — no data to migrate. Question is whether clinical staff need a shared clinical folder on CS-SERVER at all, or if ALIS covers everything. Pending Meredith. |
| **IT** | Systems admin docs — IT only |
| **Sandra Fish Archive** | Former director's personal folder — **Meredith only** |
| **Home** | Each person's own personal folder (folder redirection) |
| **Public** | Company-wide scratch space — everyone |
---
## Administrative
### Meredith Kuhn — Executive Director
Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical, **Sandra Fish Archive (sole custodian)**
Read-only: Culinary
### Ashley Jensen — Assistant Executive Director
Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical
Read-only: Culinary
**Note:** Same level as Meredith per Howard 2026-04-23.
### Lauren Hasselman — Business Office Director
Access: Management, Sales, Server, Directory
Read-only: Receptionist
### Allison Reibschied — Accounting Assistant
Access: Management, Directory
---
## Marketing / Sales
### Megan Hiatt — Sales Director
Access: Management, Sales, ALdocs, WebDocs, Directory
### Crystal Rodriguez — Sales Associate
Access: Management, Sales, ALdocs, WebDocs, Directory
**Note:** `Crystal Suszek` is Crystal Rodriguez's former name (confirmed 2026-04-23). Consolidate to the single `Crystal.Rodriguez` AD account at cutover; disable the old Synology `Crystal Suszek` account.
### Tamra Matthews — Move-In Coordinator
Access: Management, Sales, ALdocs, WebDocs, Directory
**Note:** Leaving June 2026 — access ends on her departure.
**Action before cutover:** Tamra has a `Sales Dept` folder in the root of her user profile on her PC that does not appear to be syncing to the server. Back it up and migrate its contents into `\\CS-SERVER\SalesDept` (or the new CS-SERVER Sales share path) before her departure.
---
## Care, Assisted Living (Nursing / Clinical)
### Lois Lane — Health Services Director
Access: ALdocs, Directory, Clinical (PHI)
Read-only: Management
**Note:** ALdocs is the main nursing share. She and Karen are the only nurses granted RW per Howard 2026-04-23 ("only nurses will need access to the ALdocs").
**Anomaly:** Currently has no share access on Synology — proposed scope is based on her director role. Confirm she actually wants file access vs. working only through ALIS.
### Karen Rossini — Health Services Manager
Access: ALdocs, Directory, Clinical (PHI)
**Note:** Same nursing-access pattern as Lois.
**Anomaly:** Currently only has home-folder access on Synology — likely underprovisioned.
### Veronica Feller — Care, Assisted Living Aide
Access: Management, Sales, Server, Directory, Life Enrichment, Clinical
**Note (Howard 2026-04-23):** Keep the permissions she currently has on Synology, but **not at admin level** — she's a regular RW user, not a share administrator. Scope above matches her current Synology RW list (minus the retiring `chat` share, minus Sandra Fish which is Meredith-only, minus Culinary which is now restricted to kitchen staff only).
---
## Care, Memory Care
### Shelby Trozzi — Memory Care Director
Access: Management, Server, Directory, Receptionist, Clinical (PHI)
Read-only: Sales, Life Enrichment
**Note:** Currently has admin-full (ownership-class) access to 5 shares on Synology. Per Howard's direction she does not need that level — proposed scope above is what a MC Director actually uses day-to-day.
### Christine Nyanzunda — Memory Care Admin Assistant (also PT MedTech)
Access: Directory, Receptionist, Clinical (PHI)
Read-only: Management
---
## Resident Services
### Christina DuPras — Resident Services Director
Access: Management, Server, Directory, Receptionist
Read-only: Life Enrichment
### Cathy Kingston — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
### Shontiel Nunn — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
### Kyla Quick Tiffany — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
**Note:** AD account not yet created (Wave 1 of user rollout). Spelling confirmed per Kyla as `Kyla.QuickTiffany`.
### Michelle Shestko — MC Receptionist (MC front desk, shared PC)
Access: Directory
**Note:** MC front desk does NOT get the `Receptionist` scan-drop share — that's Tower-front-desk-only per Howard 2026-04-23.
### Sebastian Leon — Courtesy Patrol
Access: Directory, Receptionist
### Sheldon Gardfrey — Courtesy Patrol
Access: Directory, Receptionist
### Ray Rai — Courtesy Patrol
Access: Directory, Receptionist
---
## Life Enrichment
### Susan Hicks — Life Enrichment Director
Access: Directory, Life Enrichment
Read-only: Management
**Note:** Life Enrichment workstations currently have no mapped drives at all. The new `LifeEnrichment` share will be the first file share those PCs connect to — needs a one-time map at setup.
### Sharon Edwards — Life Enrichment Assistant
Access: Directory, Life Enrichment
**Note:** Same LE-new-mapping note as Susan.
### Alma R Montt — MC Life Enrichment
Access: Directory, Life Enrichment
**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.
---
## Culinary
### JD Martin — Culinary Director
Access: Culinary
**Note:** Kitchen staff only need the Culinary share — no Directory, no other shares (Howard 2026-04-23).
### Ramon Castaneda — Kitchen Manager
Access: Culinary
### Alyssa Brooks — Dining Manager
Access: Culinary
---
## Maintenance
### John Trozzi — Facilities Director
Access: Server, Directory
Read-only: Management, Culinary
**Anomaly:** Currently has no share access on Synology. Proposed scope gives him Server for vendor/maintenance records. **John — confirm you want Server, or just Directory?** Culinary read-only is by design (he's on the approved Culinary read list alongside Meredith and Ashley — only kitchen staff write there).
### Matt Brooks — MC Receptionist (also works Maintenance)
Access: Directory
Read-only: Server
**Note:** HR has him in Maintenance; CSV says MC Receptionist. Works both departments — confirm primary dept assignment. Does NOT get the `Receptionist` scan-drop share (that's Tower-front-desk-only, and he covers the MC desk, not Tower).
---
## Housekeeping
### Lupe Sanchez — Housekeeping Director
Access: Directory
**Anomaly:** Currently has no share access on Synology. Confirm this minimal scope is right, or does she need Management read for budgets/supplier docs?
---
## Transportation — no IT access
Per 2026-04-22 decision, drivers' AD accounts are being disabled. No share access going forward.
- **Richard Adams** — Driver
- **Julian Crim** — Driver
- **Christopher Holick** — Driver
---
## Caregivers (shift staff) — no on-prem shares
All 37 caregivers access clinical data exclusively through **ALIS**. **No SMB/file-share access of any kind** — no Directory, no Clinical, nothing. Confirmed 2026-04-23.
Names (from CSV): Thelma Abainza, Niel Castro, Espe Esperance, Barbara Johnson, Kasey Flores, Richard Flores, Marie Kastner, Bella Mendoza, Rosa Morales, Sandra Padilla, Whisper Reed, Patricia Sandoval-Beck, Charity Sika, Ederick Yuzon, Juan Andrade, Jahmeka Clarke, Karina Aziakpo, Jinnelle Dittbenner, Agnes McFerren, Samuel Ramirez, Erica Sanchez, Katrina Wyzykowski, Corey Tate, Ashli Atwood, Cole Johnson, Roseline Cooper, Monique Lopez, Gloria Williford, Sarah Carroll, Luke Hogan, Gina Williams, Jen Higdon, Mary Kariuki, CeCe Lassey, Paty Doran, Ezekiel Huerta, Maia Baker.
Agency placeholders ("Reliable Agency 1/2") are **not** being created as accounts — per-person names required before PHI access, per HIPAA review 2026-04-22.
---
## Accounts to remove at cutover (not current employees)
These names show up on Synology but are not in John's current employee list. They'll be disabled when we retire the Synology file-share role:
- **Stephanie Devin** — "Accounting Assist", no longer in CSV. Confirm departed.
- **Amber M Lee, Ann Dery, Anna Pitzlin, Britney Thompson, Haris Durut, Monica RamirezRossette, Nela Durut-Azizi** — all former employees.
- **Tamra Johnson** (old alias — now `Tamra Matthews`)
- **CasAdmin201** — prior-MSP admin account. Confirm with Meredith before deletion.
- **Role accounts** — `Accounting`, `Dining Manager`, `Front Desk`, `mcnurse`, `memcarenurse`, `Memcare Receptionist`, `Nurse Tower`. These are shared logins that violate HIPAA unique-user-identification requirement. Replaced by the named-person accounts above.
---
## Decisions already settled
- **Sandra Fish Archive** — archived to `CS-SERVER\Archive\Former-Director-Sandra-Fish\`, **Meredith is the sole custodian** (settled 2026-04-23).
- **Drivers lose IT access** — Richard Adams / Julian Crim / Christopher Holick AD accounts disabled (settled 2026-04-22).
- **Agency caregivers** — no shared logins; per-person accounts only when Reliable supplies names (settled 2026-04-22 per HIPAA review).
- **`chat` share retired** — Teams replaces it company-wide (settled 2026-04-23). No migration needed.
- **Culinary access limited** — only kitchen staff (JD, Ramon, Alyssa) get **write** access. Meredith, John Trozzi, and Ashley get **read-only**. Nobody else has access (settled 2026-04-23).
- **Culinary folder path** — Culinary lives at `D:\Shares\Culinary` on CS-SERVER (local to the server, not synced with Synology). Kitchen team doesn't need the data anywhere else, so no two-way sync (settled 2026-04-23).
- **Veronica Feller** — keeps her current Synology RW scope (Management, Sales, Server, Life Enrichment, Clinical) + Directory, but NOT at admin level. Settled 2026-04-23.
- **Caregivers — zero on-prem share access** — all clinical work through ALIS. No Directory, no Clinical, no read access to the resident contact list from phones, no exceptions (settled 2026-04-23).
- **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23).
- **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
- **New CS-SERVER shares to create** (settled 2026-04-23):
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
- **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
- **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share.
- **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.
- **Tamra's local `Sales Dept` folder** — she has a `Sales Dept` folder in the root of her user profile that's NOT syncing to the server. Action before her June 2026 departure: back it up and move contents into `\\CS-SERVER\SalesDept`. Tracked as action item below.
- **Kitchen staff scope** (settled 2026-04-23) — JD, Ramon, Alyssa only get RW on `Culinary`. No Directory, no other shares. They don't need them.
- **Sales team Receptionist access** (settled 2026-04-23) — removed. Megan, Crystal, Tamra don't need the Receptionist scan-drop share.
- **Receptionist share scoping** (settled 2026-04-23) — the `Receptionist` share is a dump folder for scans from the copy room. **Tower front desk only** — not MC receptionist, not Sales, not sales-supporting roles. It is mapped **by machine + user** via GPO or logon script: drive appears only on Tower reception PC(s) for users in the Tower receptionist role group. Michelle (MC receptionist) and Matt Brooks (MC receptionist coverage) do NOT get this mapped. Courtesy Patrol (Sebastian, Sheldon, Ray) cover Tower reception after hours, so they keep access. Christina DuPras keeps access for RS Director oversight. Meredith + Ashley keep access for executive oversight.
---
## Decisions still needed from John / Meredith
Tick each when answered:
- [ ] **Lois Lane** — grant the director-level access proposed (Directory + Clinical + Mgmt read), or leave her at ALIS-only?
- [ ] **Karen Rossini** — grant Clinical + Directory, or less?
- [ ] **Susan Hicks** — grant LE Director scope as proposed?
- [ ] **John Trozzi** — want Server access for vendor/maintenance docs, or just Directory + Culinary?
- [ ] **Lupe Sanchez** — minimal scope (Directory only) OK, or does she need Management read?
- [ ] **Shelby Trozzi** — OK with the narrower scope (no admin-full), keeping her as MC Director?
- [ ] **Matt Brooks** — primary department: Maintenance or Resident Services (MC Receptionist)?
- [ ] **Christine Nyanzunda** — Management as read-only OK, or does she need write?
- [ ] **Stephanie Devin** — confirm no longer employed (so we disable her Synology account)
- [ ] **`Activities` folder** — confirm contents are Life Enrichment only (so we create CS-SERVER `LifeEnrichment` share with just LE team RW)
- [ ] **`pacs` folder** — Howard verified 2026-04-23 it's empty on Synology. **Do we create a Clinical shared folder on CS-SERVER at all?** If clinical staff use ALIS for everything, retire the concept entirely (and strip Clinical from everyone's access lines above). If there's a future need, we create an empty `Clinical-PHI` share with the access list already proposed.
- [ ] **`web` folder** — confirm we can retire entirely (DSM web station, not a business share)
---
## Pre-cutover action items
- **Tamra Matthews** — back up `Sales Dept` folder in root of her user profile; migrate into `\\CS-SERVER\SalesDept`. Must complete before her June 2026 departure. Verify it really isn't syncing (check the Synology Drive Client on her PC).
- **Create three new shares on CS-SERVER** — `LifeEnrichment`, `ALdocs`, `WebDocs` at `D:\Shares\<name>`. Populate NTFS per this doc.
- **Map the new shares** — LE workstations are net-new mappings (no drives today). Script the drive maps via GPO or logon script once per-user interviews close.
- **Receptionist share — machine+user GPO/logon-script mapping** — drive letter (likely `S:`) should only map when the machine is a Tower reception PC (currently `RECEPTIONIST-PC`, and any future Tower-desk stations) AND the user is in a Tower receptionist role group. MC receptionist PC and Sales workstations must NOT get the drive auto-mapped even if the user also logs in elsewhere.
- **Retarget Synology Drive Client sync path** from `D:\Shares\Main` to `D:\Shares\Synology\` before Phase 4 share cutover.
## Next step — per-user interviews
Howard is walking the proposal around the building 2026-04-23 onward, asking each staff member which folders they actually use. Anything a user doesn't touch in their normal workflow gets set to **not active** for that person — the doc's current access list is the starting point, not the final word. Once interviews are done:
1. Update this doc with the approved values
2. Populate the `SG-*-RW` AD groups accordingly (one-shot script, no service interruption)
3. Run `scripts/phase2-file-shares.ps1` to create/update shares on CS-SERVER with the new NTFS permissions
4. Spot-check from one PC per department to verify effective access matches the plan
5. Leave the Synology in two-way sync during the overlap period; Phase 4 cutover retires Synology as primary once stable
---
## Implementation detail — folder paths on CS-SERVER
For Howard's reference during setup. Reviewers can skip this section.
Two path conventions on CS-SERVER's D: drive:
- **`D:\Shares\Synology\<name>\`** — two-way synced with cascadesDS via Synology Drive Client. Use this for any share that needs to exist on both the Synology NAS and CS-SERVER during the Phase 4 overlap window: Management, SalesDept, Server, Public, homes, and any others Meredith wants kept in sync.
- **`D:\Shares\<name>\`** — CS-SERVER-local only, no Synology sync. Use this for shares that don't exist on Synology today or don't need a Synology copy: Culinary, IT, Receptionist, directoryshare.
SMB share names stay flat (`\\CS-SERVER\Management`, `\\CS-SERVER\Culinary`) — users never see the path difference. Only the NTFS path under the hood changes.
Shares to create/update on CS-SERVER at this path convention:
| SMB share | CS-SERVER path | Synced with Synology? |
|---|---|---|
| Management | `D:\Shares\Synology\Management` | yes |
| SalesDept | `D:\Shares\Synology\SalesDept` | yes |
| Server | `D:\Shares\Synology\Server` | yes |
| Public | `D:\Shares\Synology\Public` | yes |
| homes | `D:\Shares\Synology\homes` | yes |
| LifeEnrichment | `D:\Shares\LifeEnrichment` | **no** (CS-SERVER local, new) |
| ALdocs | `D:\Shares\ALdocs` | **no** (CS-SERVER local, new) |
| WebDocs | `D:\Shares\WebDocs` | **no** (CS-SERVER local, new) |
| Clinical-PHI (from `pacs`) | `D:\Shares\Clinical-PHI` (if created) | Pending A12. Synology `pacs` is empty — if Meredith wants a clinical shared folder going forward, create empty on CS-SERVER (local, not synced). If not, retire and strip Clinical from access lines. |
| Culinary | `D:\Shares\Culinary` | **no** (local to CS-SERVER) |
| Receptionist | `D:\Shares\Receptionist` | **no** |
| directoryshare | `D:\Shares\directoryshare` | **no** |
| IT | `D:\Shares\IT` | **no** |
| Sandra Fish Archive | `D:\Shares\Archive\Former-Director-Sandra-Fish` | **no** — Meredith-only, archived |
The existing Synology Drive Client sync target on CS-SERVER today is `D:\Shares\Main` (per `docs/servers/cs-server.md`) — that will be retargeted to `D:\Shares\Synology\` before Phase 4 NTFS permissions go on, so the path convention matches this doc.
`scripts/phase2-file-shares.ps1` will need its `$DestRoot` + per-share `Path` values updated to match.
---
## Source data
- Synology permissions as of 2026-04-22 — `docs/migration/synology-permission-inventory.md`
- Current AD users + titles — `docs/servers/active-directory.md`
- Employee roster from John/Meredith (2026-04-22) — `reports/cascades-staff-2026-04-22.csv`
- User rollout plan — `docs/cloud/user-account-rollout-plan.md`
Howard's input 2026-04-23: Ashley → Meredith tier · Veronica → Meredith tier (flagged as strong anomaly for Meredith's sign-off) · Shelby → narrowed from Synology admin-full to MC Director scope · Stephanie Devin removed (not in employee list) · Sandra Fish → Meredith sole custodian.

136
clients/cascades-tucson/scripts/susan-profile-fix.ps1 Normal file
View File

@@ -0,0 +1,136 @@
# ============================================================================
# Susan Hicks profile fix — runs on DESKTOP-ROK7VNM as SYSTEM via GuruRMM.
#
# Preconditions:
# - Susan is signed out (NTUSER.DAT unlocked)
# - FLO-off GPO active (SyncForegroundPolicy at Winlogon path)
# - LE FR GPO has working UNC paths on SYSVOL
#
# Caller injects sysadmin password into $adminPass placeholder at the top.
# SYSTEM on ROK7VNM has full local file access, but can't auth to
# \\CS-SERVER\homes as itself — so we 'net use' a drive letter with
# CASCADES\sysadmin, do the copy, then drop it.
# ============================================================================
$ErrorActionPreference = 'Continue'
$adminUser = 'CASCADES\sysadmin'
$adminPass = '__ADMIN_PASS__'
$user = 'Susan.Hicks'
$localRoot = 'C:\Users\SusanH'
$serverUNC = '\\CS-SERVER\homes'
$userUNC = $serverUNC + '\' + $user
$driveLetter = 'X'
Write-Host '=== Pre-checks ===' -ForegroundColor Cyan
if (-not (Test-Path $localRoot)) { throw "No local profile at $localRoot" }
$nt = Join-Path $localRoot 'NTUSER.DAT'
if (-not (Test-Path $nt)) { throw "No NTUSER.DAT at $nt" }
try {
$s = [System.IO.File]::Open($nt, 'Open', 'Read', 'None')
$s.Close()
Write-Host '[OK] NTUSER.DAT is unlocked (Susan is signed out)' -ForegroundColor Green
} catch {
throw "NTUSER.DAT is LOCKED — Susan must be signed out. Error: $($_.Exception.Message)"
}
# ------------- Step 1: map homes share with sysadmin creds -------------
Write-Host "`n=== Step 1: Mount \\CS-SERVER\homes as ${driveLetter}: ===" -ForegroundColor Cyan
# Clean up any stale mapping (ignore failure if none existed)
cmd.exe /c "net use ${driveLetter}: /delete /y >nul 2>&1"
$mapOut = cmd.exe /c "net use ${driveLetter}: $serverUNC $adminPass /user:$adminUser 2>&1"
if ($LASTEXITCODE -ne 0) { throw "net use failed: $mapOut" }
Write-Host "[OK] Mapped $driveLetter to $serverUNC as $adminUser"
try {
# ensure per-user home exists
$driveHome = "${driveLetter}:\$user"
if (-not (Test-Path $driveHome)) { New-Item -Path $driveHome -ItemType Directory -Force | Out-Null }
# ------------- Step 2: robocopy local content to server -------------
Write-Host "`n=== Step 2: Copy local folders to $userUNC ===" -ForegroundColor Cyan
$folders = @('Documents','Desktop','Downloads','Pictures','Music','Videos','Favorites')
foreach ($f in $folders) {
$from = Join-Path $localRoot $f
$to = Join-Path $driveHome $f
if (-not (Test-Path $from)) { Write-Host " [SKIP] $from does not exist"; continue }
if (-not (Test-Path $to)) { New-Item -Path $to -ItemType Directory -Force | Out-Null }
$rbArgs = @($from, $to, '/E', '/COPY:DAT', '/DCOPY:T', '/XJ', '/R:1', '/W:1',
'/MT:8', '/NFL', '/NDL', '/NJH', '/NJS')
& robocopy.exe @rbArgs | Out-Null
$code = $LASTEXITCODE
$srcCount = (Get-ChildItem $from -Force -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
$dstCount = (Get-ChildItem $to -Force -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
$tag = if ($code -ge 8) { '[FAIL]' } else { '[OK] ' }
Write-Host " $tag $f : src=$srcCount dst=$dstCount (robocopy exit=$code)"
}
Write-Host "`n=== Server-side Susan.Hicks after copy ===" -ForegroundColor Cyan
Get-ChildItem $driveHome -Force -Directory |
Select Name, @{N='Items';E={(Get-ChildItem $_.FullName -Force -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count}} |
Format-Table -AutoSize
} finally {
# always drop the mapped drive (ignore failure)
cmd.exe /c "net use ${driveLetter}: /delete /y >nul 2>&1"
}
# ------------- Step 3: load Susan's NTUSER.DAT -------------
Write-Host "`n=== Step 3: Load Susan's NTUSER.DAT as HKU\SusanTemp ===" -ForegroundColor Cyan
cmd.exe /c "reg.exe unload HKU\SusanTemp >nul 2>&1" # clean up any prior
$loadOut = cmd.exe /c "reg.exe load HKU\SusanTemp `"$nt`" 2>&1"
if ($LASTEXITCODE -ne 0) { throw "reg load failed: $loadOut" }
Write-Host '[OK] Hive loaded'
try {
# ------------- Step 4: rewrite User Shell Folders -------------
Write-Host "`n=== Step 4: Rewrite User Shell Folders to UNC ===" -ForegroundColor Cyan
$usf = 'Registry::HKEY_USERS\SusanTemp\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$sf = 'Registry::HKEY_USERS\SusanTemp\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$mapLegacy = @{
'Desktop' = "$userUNC\Desktop"
'Personal' = "$userUNC\Documents"
'My Pictures' = "$userUNC\Pictures"
'My Music' = "$userUNC\Music"
'My Video' = "$userUNC\Videos"
'Favorites' = "$userUNC\Favorites"
}
$mapGuid = @{
'{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}' = "$userUNC\Desktop"
'{FDD39AD0-238F-46AF-ADB4-6C85480369C7}' = "$userUNC\Documents"
'{374DE290-123F-4565-9164-39C4925E467B}' = "$userUNC\Downloads"
'{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}' = "$userUNC\Downloads"
'{33E28130-4E1E-4676-835A-98395C3BC3BB}' = "$userUNC\Pictures"
'{4BD8D571-6D19-48D3-BE97-422220080E43}' = "$userUNC\Music"
'{18989B1D-99B5-455B-841C-AB7C74E4DDFC}' = "$userUNC\Videos"
'{35286A68-3C57-41A1-BBB1-0EAE73D76C95}' = "$userUNC\Videos"
'{1777F761-68AD-4D8A-87BD-30B759FA33DD}' = "$userUNC\Favorites"
'{F42EE2D3-909F-4907-8871-4C22FC0BF756}' = "$userUNC\Documents"
}
foreach ($k in $mapLegacy.Keys) {
Set-ItemProperty -LiteralPath $usf -Name $k -Value $mapLegacy[$k] -Type ExpandString
Set-ItemProperty -LiteralPath $sf -Name $k -Value $mapLegacy[$k] -ErrorAction SilentlyContinue
Write-Host " $k = $($mapLegacy[$k])"
}
foreach ($g in $mapGuid.Keys) {
Set-ItemProperty -LiteralPath $usf -Name $g -Value $mapGuid[$g] -Type ExpandString
Write-Host " $g = $($mapGuid[$g])"
}
Write-Host "`n=== Verify final User Shell Folders ===" -ForegroundColor Cyan
Get-ItemProperty -LiteralPath $usf | Select * -ExcludeProperty PS* | Format-List | Out-String | Write-Host
} finally {
Write-Host "`n=== Step 5: Unload hive ===" -ForegroundColor Cyan
[gc]::Collect()
Start-Sleep -Seconds 1
cmd.exe /c "reg.exe unload HKU\SusanTemp >nul 2>&1"
Write-Host '[OK] Hive unloaded'
}
Write-Host "`n=== DONE ===" -ForegroundColor Green
Write-Host "Next: sign out LE.FRTest, sign in as Susan. Shell will pull UNC paths from hive; all content pre-copied to server."