diff --git a/.claude/settings.json b/.claude/settings.json index 604c081..0caa74f 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -5,18 +5,5 @@ "preferences": { "autoCompact": true, "verbose": false - }, - "hooks": { - "UserPromptSubmit": [ - { - "hooks": [ - { - "type": "command", - "command": "bash \"D:/claudetools/.claude/scripts/check-messages.sh\"", - "timeout": 15 - } - ] - } - ] } } diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md index 9d0dc0e..4f40db3 100644 --- a/clients/cascades-tucson/docs/servers/active-directory.md +++ b/clients/cascades-tucson/docs/servers/active-directory.md 
@@ -257,21 +257,42 @@ All other OUs — including OU=Caregivers — are within scope and sync to Entra ## SMB Shares (live — D:\ on CS-SERVER) -Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`. +Verified live via GuruRMM `Get-SmbShare` on 2026-05-20. ABE = Access-Based Enumeration (users see only folders they can access). + +### New shares — Phase 2.5 (created 2026-05-20, ABE on, proper SG- NTFS) + +These are the authoritative Phase 2.5 shares. Empty until each department cuts over from Synology/legacy. Groups will be populated at cutover. + +| Share | Path | NTFS Permissions | Drive letter (planned) | +|-------|------|-----------------|----------------------| +| Activities | D:\Shares\Activities | SG-Activities-RW (Modify), Domain Admins (Full) | A: or T: (TBD) | +| Management | D:\Shares\Management | SG-Mgmt-RW (Modify), Domain Admins (Full) | M: | +| Sales | D:\Shares\Sales | SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute) | S: | +| Server | D:\Shares\Server | SG-IT-RW (Modify), Domain Users (ReadAndExecute) | V: (IT use) | + +### Legacy shares — still active, pre-Phase 2.5 (no ABE, no SG- groups) + +Do NOT populate these further. They remain in service until Phase 4 cutover retires Synology + legacy paths. 
+ +| Share | Path | Status | +|-------|------|--------| +| Culinary | D:\Shares\Culinary | Active — kitchen staff use this now | +| directoryshare | D:\Shares\directoryshare | Active — resident directory | +| homes | D:\Homes | Active — folder redirection target (D:\Homes, not D:\Shares\Homes) | +| Receptionist | D:\Shares\Receptionist | Active — Tower front-desk scan drop | +| IT | D:\Shares\IT | **Superseded by Server share above** — leave in place until Phase 4, do not add new content | +| Shares | D:\Shares | Root share — legacy access path | + +### Service / system shares | Share | Path | Notes | |-------|------|-------| -| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only | -| Culinary | D:\Shares\Culinary | | -| directoryshare | D:\Shares\directoryshare | | -| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes | -| IT | D:\Shares\IT | | -| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. | -| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. | -| Receptionist | D:\Shares\Receptionist | | -| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. | -| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. | -| Shares | D:\Shares | Root share | +| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden, write-only for AuditUploaders | +| MemCare Director Printer | (printer) | MF451CDW | +| MemCare MedTech Printer | (printer) | Brother MFC-L8900CDW | +| RecRoom-Canon | (printer) | 1F-132-RecRoom-Canon | +| ADMIN$, C$, D$, IPC$, print$ | (system) | Standard Windows — do not remove | +| RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | RDS artifact — remove with RDS role in Phase 5 | **Printers shared from CS-SERVER:** | Share | Device | 
@@ -327,7 +348,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. | Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. | | Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) | | Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 | -| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. | +| Cloud-only M365 account — RESOLVED | Alma.Montt | OU=Administrative does not sync via Entra Connect in practice. Cloud-only M365 account created 2026-05-19 is **intentional and correct** — keep it. No AD sync conflict. | | krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. | | Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
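Review bot: the `.claude/settings.json` hunk drops the `UserPromptSubmit` hook that ran `bash "D:/claudetools/.claude/scripts/check-messages.sh"` (timeout 15) on every prompt, with nothing in the diff saying why or whether the script is retired. A hook of this type executes a command each time a prompt is submitted, so removing it silently changes behaviour for everyone who shares this settings file; state the reason in the commit, and if `check-messages.sh` is no longer wanted, delete it under `D:/claudetools/.claude/scripts/` in the same change rather than leaving a stale script behind.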
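Review bot: in the `active-directory.md` SMB share hunk, the new `Server` share is labelled `V: (IT use)` and is declared the replacement for the legacy `IT` share, yet its NTFS row grants `Domain Users (ReadAndExecute)`; with ABE on, every domain user will both see and read whatever IT migrates into it (share-level permissions are not listed, so effective access cannot be confirmed from this page), so either limit read to SG-IT-RW or an IT read group, or say explicitly that the share is meant to be readable by all staff. Related: the root `Shares` share on `D:\Shares` stays in service with no ABE, and the four new ABE share folders all live under `D:\Shares\...`, so they remain enumerable via `\\CS-SERVER\Shares\<name>` (NTFS still gates reads, but ABE is configured per share and does not apply on that path); the legacy table should note this. Smaller points: the section header says the list was verified via `Get-SmbShare`, but that cmdlet reports share properties such as the ABE setting, not NTFS ACLs, so record how the NTFS columns were checked; `Sales` and `Server` list no `Domain Admins (Full)` entry while `Activities` and `Management` do, so confirm that difference is intentional; the deleted pointer to `docs/servers/cs-server.md` should either remain or that file should be updated in this change so the two documents do not diverge; and the three printers added to the "Service / system shares" table duplicate the `Printers shared from CS-SERVER` table that immediately follows it.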
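Review bot: the `Alma.Montt` hunk replaces the duplicate-account warning with the statement that `OU=Administrative does not sync via Entra Connect in practice`, but the context line at the top of the SMB hunk reads `All other OUs — including OU=Caregivers — are within scope and sync to Entra`; both cannot hold unless OU=Administrative is one of the excluded OUs, and the row does not say that it is. Record how non-sync was verified (the connector's OU filter or the sync result for the object) and, if the OU is excluded, list it in the OU scoping section; if it is in scope and the object simply has not synced yet, the original risk stands: the next sync cycle will create a second `Alma.Montt` beside the cloud-only account, which is exactly the conflict the removed row described. While in this table, the `krbtgt` row still gives the password age as of 2026-03-20, two months before the 2026-05-20 date used elsewhere in this change.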