client/cascades: n.castro cleanup, share docs, hook path fix

- active-directory.md: disable n.castro (AD + M365), fix stale Alma.Montt pending entry (she is intentionally cloud-only), restructure SMB shares section into new Phase 2.5 / legacy / system buckets (verified live via GuruRMM Get-SmbShare 2026-05-20)
- settings.json: remove hardcoded D:/claudetools UserPromptSubmit hook (machine-specific path belongs in settings.local.json only; Howard's machine is C:/claudetools)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -5,18 +5,5 @@
|
||||
"preferences": {
|
||||
"autoCompact": true,
|
||||
"verbose": false
|
||||
},
|
||||
"hooks": {
|
||||
"UserPromptSubmit": [
|
||||
{
|
||||
"hooks": [
|
||||
{
|
||||
"type": "command",
|
||||
"command": "bash \"D:/claudetools/.claude/scripts/check-messages.sh\"",
|
||||
"timeout": 15
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
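Review bot: The removed UserPromptSubmit block was the only place in the shared settings that named check-messages.sh, so after this hunk nothing tells a new machine that the hook is expected or how to wire it up. Consider documenting the settings.local.json entry next to this file (the command, the 15 second timeout, and that the path is per machine), and confirm settings.local.json is not tracked so a D:/ or C:/ path cannot come back in through it. Also check that the result still parses: the object closing "preferences" must not keep a trailing comma once "hooks" is gone.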
@@ -257,21 +257,42 @@ All other OUs — including OU=Caregivers — are within scope and sync to Entra
|
||||
|
||||
## SMB Shares (live — D:\ on CS-SERVER)
|
||||
|
||||
Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`.
|
||||
Verified live via GuruRMM `Get-SmbShare` on 2026-05-20. ABE = Access-Based Enumeration (users see only folders they can access).
|
||||
|
||||
### New shares — Phase 2.5 (created 2026-05-20, ABE on, proper SG- NTFS)
|
||||
|
||||
These are the authoritative Phase 2.5 shares. Empty until each department cuts over from Synology/legacy. Groups will be populated at cutover.
|
||||
|
||||
| Share | Path | NTFS Permissions | Drive letter (planned) |
|
||||
|-------|------|-----------------|----------------------|
|
||||
| Activities | D:\Shares\Activities | SG-Activities-RW (Modify), Domain Admins (Full) | A: or T: (TBD) |
|
||||
| Management | D:\Shares\Management | SG-Mgmt-RW (Modify), Domain Admins (Full) | M: |
|
||||
| Sales | D:\Shares\Sales | SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute) | S: |
|
||||
| Server | D:\Shares\Server | SG-IT-RW (Modify), Domain Users (ReadAndExecute) | V: (IT use) |
|
||||
|
||||
### Legacy shares — still active, pre-Phase 2.5 (no ABE, no SG- groups)
|
||||
|
||||
Do NOT populate these further. They remain in service until Phase 4 cutover retires Synology + legacy paths.
|
||||
|
||||
| Share | Path | Status |
|
||||
|-------|------|--------|
|
||||
| Culinary | D:\Shares\Culinary | Active — kitchen staff use this now |
|
||||
| directoryshare | D:\Shares\directoryshare | Active — resident directory |
|
||||
| homes | D:\Homes | Active — folder redirection target (D:\Homes, not D:\Shares\Homes) |
|
||||
| Receptionist | D:\Shares\Receptionist | Active — Tower front-desk scan drop |
|
||||
| IT | D:\Shares\IT | **Superseded by Server share above** — leave in place until Phase 4, do not add new content |
|
||||
| Shares | D:\Shares | Root share — legacy access path |
|
||||
|
||||
### Service / system shares
|
||||
|
||||
| Share | Path | Notes |
|
||||
|-------|------|-------|
|
||||
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
|
||||
| Culinary | D:\Shares\Culinary | |
|
||||
| directoryshare | D:\Shares\directoryshare | |
|
||||
| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
|
||||
| IT | D:\Shares\IT | |
|
||||
| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
|
||||
| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
|
||||
| Receptionist | D:\Shares\Receptionist | |
|
||||
| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
|
||||
| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
|
||||
| Shares | D:\Shares | Root share |
|
||||
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden, write-only for AuditUploaders |
|
||||
| MemCare Director Printer | (printer) | MF451CDW |
|
||||
| MemCare MedTech Printer | (printer) | Brother MFC-L8900CDW |
|
||||
| RecRoom-Canon | (printer) | 1F-132-RecRoom-Canon |
|
||||
| ADMIN$, C$, D$, IPC$, print$ | (system) | Standard Windows — do not remove |
|
||||
| RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | RDS artifact — remove with RDS role in Phase 5 |
|
||||
|
||||
**Printers shared from CS-SERVER:**
|
||||
| Share | Device |
|
||||
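Review bot: In the Phase 2.5 table the Server row grants Domain Users (ReadAndExecute), which does not fit the heading's "proper SG- NTFS" and gives every domain account read access to the share marked "V: (IT use)"; if that is intended, say why in the row, otherwise scope it to an SG- read-only group the way Sales uses SG-Sales-RO. The Sales and Server rows also list no Domain Admins (Full) entry while Activities and Management do, so it is unclear whether the ACLs differ or the rows are incomplete. In the service table, the AuditDrop$ note reads "hidden share, write-only" in one row and "hidden, write-only for AuditUploaders" in the other; keep the group name so the row says who can write.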
@@ -327,7 +348,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined.
|
||||
| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
|
||||
| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
|
||||
| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
|
||||
| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. |
|
||||
| Cloud-only M365 account — RESOLVED | Alma.Montt | OU=Administrative does not sync via Entra Connect in practice. Cloud-only M365 account created 2026-05-19 is **intentional and correct** — keep it. No AD sync conflict. |
|
||||
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
|
||||
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
|
||||
|
||||
|
||||
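Review bot: The RESOLVED Alma.Montt row states that OU=Administrative "does not sync via Entra Connect in practice", but the sync-scope text earlier in this file says all other OUs are within scope and sync to Entra; one of the two needs correcting, or the row should say how the non-sync was verified and when. If the item is closed, consider moving it out of this table of open account actions rather than keeping a RESOLVED row beside pending disables, and note what happens to the AD account that the older row says exists in OU=Administrative.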