azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-10 20:21:07
This commit is contained in:
Howard Enos
2026-06-10 20:21:20 -07:00
parent 9c56690270
commit 83133ddce3
6 changed files with 536 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
clients/dataforth/docs/projects/shares-permissions/Dataforth-Shared-Drives-Reorganization-Plan.docx Normal file
View File

Binary file not shown.

265
clients/dataforth/docs/projects/shares-permissions/_build_docx.py Normal file
View File

@@ -0,0 +1,265 @@
#!/usr/bin/env python3
"""Build the Dataforth Shared Drives Reorganization & Access Plan (.docx)."""
import os
from docx import Document
from docx.shared import Pt, RGBColor, Inches
from docx.enum.text import WD_ALIGN_PARAGRAPH
from docx.enum.table import WD_TABLE_ALIGNMENT
from docx.oxml.ns import qn
from docx.oxml import OxmlElement
NAVY = RGBColor(0x1F, 0x39, 0x64)
ACCENT = RGBColor(0x2E, 0x74, 0xB5)
RED = RGBColor(0xB0, 0x20, 0x20)
GREY = RGBColor(0x59, 0x59, 0x59)
HDR_FILL = "1F3964"
SENS_FILL = "FBE4E4"
ALT_FILL = "F2F6FB"
doc = Document()
# Base style
normal = doc.styles["Normal"]
normal.font.name = "Calibri"
normal.font.size = Pt(11)
normal.paragraph_format.space_after = Pt(6)
for hs, sz, col in [("Heading 1", 15, NAVY), ("Heading 2", 12.5, ACCENT)]:
st = doc.styles[hs]
st.font.name = "Calibri"
st.font.size = Pt(sz)
st.font.color.rgb = col
st.font.bold = True
def shade(cell, fill):
tcPr = cell._tc.get_or_add_tcPr()
shd = OxmlElement("w:shd")
shd.set(qn("w:val"), "clear")
shd.set(qn("w:fill"), fill)
tcPr.append(shd)
def set_cell_text(cell, text, bold=False, color=None, size=10.5, align=None):
cell.text = ""
p = cell.paragraphs[0]
if align:
p.alignment = align
run = p.add_run(text)
run.font.size = Pt(size)
run.font.bold = bold
if color:
run.font.color.rgb = color
def header_row(table, labels):
for i, lab in enumerate(labels):
c = table.rows[0].cells[i]
set_cell_text(c, lab, bold=True, color=RGBColor(0xFF, 0xFF, 0xFF))
shade(c, HDR_FILL)
def add_table(headers, rows, widths=None, sensitive_rows=None):
sensitive_rows = sensitive_rows or set()
t = doc.add_table(rows=1, cols=len(headers))
t.alignment = WD_TABLE_ALIGNMENT.CENTER
t.style = "Table Grid"
header_row(t, headers)
for r_idx, row in enumerate(rows):
cells = t.add_row().cells
for i, val in enumerate(row):
set_cell_text(cells[i], val)
if r_idx in sensitive_rows:
for c in cells:
shade(c, SENS_FILL)
elif r_idx % 2 == 1:
for c in cells:
shade(c, ALT_FILL)
if widths:
for row in t.rows:
for i, w in enumerate(widths):
row.cells[i].width = Inches(w)
return t
def spacer(pts=4):
p = doc.add_paragraph()
p.paragraph_format.space_after = Pt(pts)
# ---- Title block ----
title = doc.add_paragraph()
title.alignment = WD_ALIGN_PARAGRAPH.LEFT
r = title.add_run("Dataforth Shared Drives")
r.font.size = Pt(24); r.font.bold = True; r.font.color.rgb = NAVY
sub = doc.add_paragraph()
r = sub.add_run("Reorganization & Access Plan")
r.font.size = Pt(15); r.font.color.rgb = ACCENT
meta = doc.add_paragraph()
r = meta.add_run("Prepared by Arizona Computer Guru · June 2026")
r.font.size = Pt(10); r.font.color.rgb = GREY; r.italic = True
# rule
pr = doc.add_paragraph()
pbdr = OxmlElement("w:pPr"); bdr = OxmlElement("w:pBdr")
bottom = OxmlElement("w:bottom")
bottom.set(qn("w:val"), "single"); bottom.set(qn("w:sz"), "12")
bottom.set(qn("w:space"), "1"); bottom.set(qn("w:color"), "2E74B5")
bdr.append(bottom); pbdr.append(bdr)
pr._p.insert(0, pbdr)
# ---- Intro ----
doc.add_paragraph(
"This document explains how Dataforth's shared network drives are organized today, why we "
"recommend changing that, and what a cleaner, department-based setup would look like. The goal "
"is simple: keep files organized by department, give each team access to what it needs, and "
"protect sensitive information — without anyone losing access to the files they use day to day."
)
note = doc.add_paragraph()
r = note.add_run("Nothing will change until you have reviewed and approved a plan. We will make changes "
"in stages so the transition is smooth.")
r.italic = True; r.font.color.rgb = GREY
# ---- Section 1: situation today ----
doc.add_heading("1. The situation today", level=1)
doc.add_paragraph(
"Right now, every shared drive at Dataforth is open to every employee. Anyone who logs in can "
"open, change, move, or delete files on all of them — there are no department-level "
"restrictions in place."
)
doc.add_paragraph(
"Think of it like a building where every filing cabinet is unlocked: convenient, but it means "
"payroll records, employee safety files, purchase orders, and the accounting books are all sitting "
"open to everyone in the company. It also makes accidental changes or deletions easy, and if a "
"single employee account is ever compromised, that account can reach everything at once."
)
doc.add_paragraph(
"On top of access, the drives have simply grown messy over the years — the same files in "
"multiple places, folders named “Do not use,” and personal folders left behind by former "
"employees. Files are arranged by history, not by department."
)
# ---- Section 2: what we recommend ----
doc.add_heading("2. What we recommend", level=1)
for b in [
"Organize files by department, so each team's data lives in one clear place.",
"Give each department access to only the folders it needs — full access where they work, "
"view-only where they just need to reference, and no access to areas that don't concern them.",
"Lock down sensitive data (payroll, employee/OSHA records, purchase orders, accounting) so only "
"the right people can see it.",
"Clean up duplicate, outdated, and orphaned folders as we go (with your approval before anything "
"is removed).",
"Set it up so access is easy to manage going forward — adding a new hire becomes “put them "
"in the Sales group” rather than hand-setting permissions folder by folder.",
]:
doc.add_paragraph(b, style="List Bullet")
# ---- Section 3: current drives ----
doc.add_heading("3. Your shared drives today", level=1)
doc.add_paragraph("Here is what is on each shared drive now. Drives marked with a red row contain "
"sensitive information that should not be open to all staff.")
rows = [
["Q: (“c-drive”)", "General company files: documents, manufacturing, production control, shipping, scanned documents — plus Payroll, OSHA records, and Purchase Orders", "Yes"],
["T: (“e-drive”)", "Engineering & manufacturing files (ENGR, ECOs, FMEA, Test Engineering) — plus QuickBooks accounting files", "Yes"],
["S: (“sage”)", "Sage accounting system, invoices, and financial reports", "Yes"],
["W: (“sales”)", "Sales & marketing materials, contacts, RMAs, videos", "No"],
["Y: (“archive”)", "Archived engineering data", "No"],
["B: (“Engineering”)", "The main, large Engineering data store", "No"],
["itsvc", "IT software, drivers, and server tools (used by IT)", "No"],
["X: (“webshare”)", "Files for the automated website datasheet system (mostly automated)", "No"],
]
sens = {i for i, row in enumerate(rows) if row[2] == "Yes"}
add_table(["Drive", "What's on it today", "Sensitive?"], rows, widths=[1.3, 5.0, 0.9], sensitive_rows=sens)
small = doc.add_paragraph()
r = small.add_run("There is also a “test” drive used by the DOS test stations on the manufacturing "
"floor. It must stay exactly as it is for those machines to keep working, so it is not "
"part of this reorganization.")
r.font.size = Pt(9.5); r.italic = True; r.font.color.rgb = GREY
# ---- Section 4: proposed structure ----
doc.add_heading("4. A cleaner structure — organized by department", level=1)
doc.add_paragraph(
"Instead of a handful of catch-all drives that everyone can see, we propose organizing the data "
"into clear department areas. Each area would have its own access list. The areas marked "
"“restricted” would be limited to specific people or departments."
)
prop = [
["Company (All Staff)", "Company-wide documents, forms, policies, templates, announcements", "Everyone"],
["Engineering", "Engineering files, ECOs, FMEA, test engineering, engineering archive", "Engineering"],
["Manufacturing & Production", "Manufacturing, production control, SMT, assembly documents", "Manufacturing"],
["Quality & Calibration", "Quality records, calibration, inspection data", "Quality"],
["Sales & Marketing", "Sales materials, contacts, RMAs, marketing", "Sales"],
["Shipping & Receiving", "Shipping paperwork, receiving, RMA handoffs", "Shipping"],
["Accounting & Finance (restricted)", "Sage, QuickBooks, invoices, purchase orders, financial reports", "Accounting only"],
["Human Resources (restricted)", "Payroll, OSHA 300, safety training, personnel files", "HR only"],
["IT (restricted)", "IT software, drivers, server tools", "IT only"],
]
restricted = {6, 7, 8}
add_table(["Proposed department area", "What would live here", "Primary owner"], prop,
widths=[2.4, 3.8, 1.3], sensitive_rows=restricted)
# ---- Section 5: where things move ----
doc.add_heading("5. Where today's sensitive items would move", level=1)
doc.add_paragraph("A few concrete examples of how today's exposed folders would be relocated and protected:")
moves = [
["Payroll", "Q: (open to all)", "Human Resources (restricted)"],
["OSHA 300 / Safety Training", "Q: (open to all)", "Human Resources (restricted)"],
["Purchase Orders", "Q: (open to all)", "Accounting & Finance (restricted)"],
["QuickBooks files (QBfiles)", "T: (open to all)", "Accounting & Finance (restricted)"],
["Sage accounting", "S: (open to all)", "Accounting & Finance (restricted)"],
["Engineering (ENGR, ECOs, FMEA)", "Spread across T:, Y:, B:", "Engineering"],
["“Do not use” / old / personal folders", "Various drives", "Archived or removed (with your OK)"],
]
add_table(["Item", "Where it is now", "Proposed new home"], moves, widths=[2.6, 2.3, 2.6])
# ---- Section 6: what we need ----
doc.add_heading("6. What we need from you", level=1)
doc.add_paragraph("To build the plan, please help us with the following. A short call works too if that's easier.")
for b in [
"Confirm your department list (the areas in Section 4 are our starting guess).",
"Fill in the access plan below — who should be able to add/edit files in each area, and who only "
"needs to view them.",
"Tell us exactly who should have access to the restricted areas (Accounting, HR, IT).",
"Provide a list of employees by department (or an org chart) so we can set up the groups.",
"Let us know of any old folders you already know are safe to clean up.",
]:
doc.add_paragraph(b, style="List Bullet")
doc.add_heading("Access plan — please fill in", level=2)
doc.add_paragraph("For each area, write which departments (or people) need full access vs. view-only. "
"Anyone not listed simply won't have access to that area.")
acc = [
["Company (All Staff)", "All staff", ""],
["Engineering", "", ""],
["Manufacturing & Production", "", ""],
["Quality & Calibration", "", ""],
["Sales & Marketing", "", ""],
["Shipping & Receiving", "", ""],
["Accounting & Finance (restricted)", "", ""],
["Human Resources (restricted)", "", ""],
["IT (restricted)", "", ""],
]
t = add_table(["Department area", "Full access (add / edit)", "View-only"], acc,
widths=[2.4, 2.8, 2.3], sensitive_rows={6, 7, 8})
# give the fill-in rows a little height
for row in t.rows[1:]:
trPr = row._tr.get_or_add_trPr()
h = OxmlElement("w:trHeight"); h.set(qn("w:val"), "420"); h.set(qn("w:hRule"), "atLeast")
trPr.append(h)
# ---- Section 7: how we do it safely ----
doc.add_heading("7. How we'll do this safely", level=1)
for b in [
"We start from your answers and send back a clear “who sees what” plan for your sign-off.",
"Nothing changes until you approve it.",
"We make the changes in stages, one area at a time, and confirm each department can still reach "
"their files before moving on.",
"If anyone is missing access after a change, it's a quick fix — we add them to the right group.",
"We keep a full backup of the current setup so any change can be reversed.",
]:
doc.add_paragraph(b, style="List Bullet")
doc.add_paragraph()
close = doc.add_paragraph()
r = close.add_run("Questions or want to walk through this together? We're happy to jump on a call.")
r.italic = True; r.font.color.rgb = GREY
out = os.path.join(os.path.dirname(os.path.abspath(__file__)),
"Dataforth-Shared-Drives-Reorganization-Plan.docx")
doc.save(out)
print("WROTE:", out)
print("paragraphs:", len(doc.paragraphs), "tables:", len(doc.tables))

34
clients/dataforth/docs/projects/shares-permissions/acl-audit-detail-2026-06-10.md Normal file
View File

@@ -0,0 +1,34 @@
# Dataforth — Shares ACL Audit Detail (INTERNAL — do not send to client)
**Captured:** 2026-06-10, read-only RMM (`Get-SmbShare`/`Get-SmbShareAccess`/`Get-Acl` as SYSTEM on each server). No changes made.
**Use:** technical baseline for Phase 3 (rollback reference). The client-facing summary is `current-state-2026-06-10.md`.
## Headline
- All eight business shares grant access to all staff via `Everyone` / `Domain Users`.
- `Domain Users` has **FullControl (NTFS)** on `archive`, `sales`, `Engineering`, `sage`; **Modify** on `c-drive`, `e-drive`, `webshare`; ReadAndExecute on `ITSvc`.
- No custom AD security groups exist (only `Domain Users`, admin accounts `sysadmin`/`Admin_3652`, and service accounts appear).
## Share-level + NTFS root ACLs
| Share | Server | Path | Share ACL | NTFS root (non-builtin) | Inheritance |
|---|---|---|---|---|---|
| c-drive | AD2 | `C:\Shares\c-drive` | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:**Modify** | enabled (inherited Users:R+Append+Create) |
| e-drive | AD2 | `C:\Shares\e-drive` | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:**Modify**; sysadmin:Full | protected |
| webshare | AD2 | `C:\Shares\webshare` | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:**Modify**; sysadmin:Full; **svc_testdatadb:Full** | protected |
| test | AD2 | `C:\Shares\test` | Everyone:Full; Domain Users:Change; Admins:Full | Everyone:Full; Domain Users:Modify; **Guest:Read**; sysadmin:Full | protected — DOS/SMB1, leave as-is |
| sage | SAGE-SQL | `C:\sage` | Everyone:Full; Admins:Full | Domain Users:**FullControl**; Admin_3652:Full | protected |
| sales | FILES-D1 | `E:\Shares\sales` | Everyone:Full; Admins:Full | Domain Users:**FullControl**; sysadmin:Full (owner) | protected |
| archive | FILES-D1 | `E:\Shares\archive` | Everyone:Full; Admins:Full | Domain Users:**FullControl**; sysadmin:Full (owner) | protected |
| Engineering | AD1 | `C:\Engineering` | Everyone:Full; Admins:Full | Domain Users:**FullControl**; Admin_3652:Full | protected |
| ITSvc | AD1 | `C:\Shares\ITSvc` | Everyone:Full; Admins:Full | Domain Users:ReadAndExecute; Domain Computers:ReadAndExecute; Admin_3652:Full | protected |
All shares also carry inherited/explicit `NT AUTHORITY\SYSTEM:FullControl` and `BUILTIN\Administrators:FullControl` (keep these).
## Special / infra shares (exclude from department model)
- `test` (AD2) — DOS test stations need SMB1 + Guest; keep open.
- `webshare` (AD2) — preserve `svc_testdatadb:Full`; restrict humans only.
- `ITSvc` (AD1) — IT depot; `Domain Computers` needs Read for deployment.
- `NETLOGON` / `SYSVOL` — system shares; never touch.
## Phase 3 rollback prep (to do before any change)
- `icacls "<path>" /save acl-backup-<share>.txt /t` (or `Get-Acl` export) for each share → store in this folder before modifying.

46
clients/dataforth/docs/projects/shares-permissions/current-state-2026-06-10.md Normal file
View File

@@ -0,0 +1,46 @@
# Dataforth — Your Shared Drives Today (Plain Overview)
*Prepared by Arizona Computer Guru, 2026-06-10. A simple snapshot of the shared network drives as they are now — to read alongside our email about setting up department access.*
**Right now, every shared drive below is open to every employee** — anyone who logs in can open, change, or delete anything on all of them. The goal of this project is to give each department access to only what it needs, and to lock down the sensitive areas.
Below is what's on each drive today, so you can decide who should have access to what.
---
### Q: drive ("c-drive") — general company files
A bit of everything. Main areas: Documents, Manufacturing, Production Control, Shipping, SMT, Scanned Documents, Purchasing, and a number of personal/older folders.
**Sensitive folders here:** Payroll · OSHA 300 · OSHA Safety Training · Purchase Orders.
### T: drive ("e-drive") — engineering & manufacturing
Engineering and manufacturing files: ENGR, ECO's, FMEA, Manufacturing, Test Engineering, plus utilities.
**Sensitive folder here:** QuickBooks / accounting files (QBfiles).
### S: drive ("sage") — accounting / Sage ERP
Sage accounting system files, invoices, financial reports, and related tools.
**Sensitive — this is mostly Accounting/Finance data.**
### W: drive ("sales") — sales & marketing
Sales and marketing materials, contacts, RMAs, videos, shipping handoffs, and weekly updates.
### Y: drive ("archive") — engineering archive
Archived engineering data.
### B: drive ("Engineering") — main engineering data
The primary, large Engineering data store.
### itsvc — IT software & drivers
Software installers, printer/server drivers, and IT tools. **Used by IT.**
### X: drive ("webshare") — website / test-datasheet system
Files for the automated website datasheet system. **Mostly automated — IT/Engineering.**
---
**A note on cleanup:** the drives have collected a lot of old material over the years — duplicate folders, folders named "Do not use," and personal folders from former staff. As part of this we can tidy these up; we'll confirm with you before removing anything.
*(There is also a "test" drive used by the DOS test stations on the manufacturing floor. It has to stay as-is for those machines to work, so it isn't part of this access exercise.)*
---
*Technical permission details are kept separately in our internal records (`acl-audit-detail-2026-06-10.md`) and aren't needed to answer our questions.*

97
clients/dataforth/docs/projects/shares-permissions/discovery-email-draft.md Normal file
View File

@@ -0,0 +1,97 @@
# DRAFT — Dataforth shared-folder access & permissions discovery email
> Draft for ACG review. Recipients/sender to be set before sending.
> Suggested To: Dan Center (dcenter@dataforth.com). Suggested CC: Kevin Wackerly. From: ACG (Howard/Mike).
> Tone: plain-language, non-technical where possible. Goal: get their departments + the access matrix + sensitive-data rules so we can build the permission model.
---
**Subject:** Dataforth shared drives — setting up proper department access & permissions
Hi Dan,
As part of tightening things up after last year's security incident, we'd like to get Dataforth's shared network drives (the mapped drives everyone uses — Q:, S:, T:, W:, X:, Y:, B:, etc.) onto a proper department-based access model.
Right now, essentially **every shared drive is open to every employee** — anyone who logs in can open, change, or delete files on all of them, including folders like Payroll, OSHA records, Purchase Orders, and the accounting/Sage data. There are also no department-based permission groups in place, so there's no easy way to say "only Accounting sees the accounting folder." We'd like to fix that: give each department access to what it needs, restrict the sensitive areas, and make ongoing access management simple.
To do this right, we need your input on how *you* want it set up. Could you help us with the following? A short call works too if that's easier.
### 1. Confirm your departments
Here's our starting guess at Dataforth's departments — please correct/add/remove:
- Engineering
- Manufacturing / Production / Assembly
- Quality / Calibration
- Sales & Marketing
- Shipping / Receiving
- Accounting / Finance
- HR / Administration
- IT
- Management / Executive
### 2. Who gets access to which shared drive
For each shared drive, tell us which departments should have **Read/Write** (open & edit), **Read-Only** (view only), or **No access**. Here are the current drives and roughly what's in each:
| Drive | Share | What's in it (today) |
|---|---|---|
| Q: | c-drive | Company-wide mix — documents, Mfg, Shipping, SMT, Production Control, **Payroll, OSHA, Purchase Orders**, plus many person-named folders |
| T: | e-drive | Engineering & manufacturing (ENGR, ECO'S, FMEA, MANUFACT, TE) + **QuickBooks/accounting files** |
| S: | sage | Sage ERP / accounting, invoices, reports |
| W: | sales | Sales & marketing, contacts, RMAs, shipping handoffs |
| Y: | archive | Engineering archive (ENGR) |
| B: | Engineering | Main Engineering data (large) |
| B: | itsvc | IT software, drivers, server tools (IT use) |
| X: | webshare | Website/test-datasheet system (mostly automated — IT/Engineering) |
A simple way to answer is to fill in this grid (RW = read/write, RO = read-only, blank = no access):
```
Department | Q c-drive | T e-drive | S sage | W sales | Y archive | B Engineering | itsvc | webshare
--------------------------|-----------|-----------|--------|---------|-----------|---------------|-------|---------
Engineering | | | | | | | |
Manufacturing/Production | | | | | | | |
Quality/Calibration | | | | | | | |
Sales & Marketing | | | | | | | |
Shipping/Receiving | | | | | | | |
Accounting/Finance | | | | | | | |
HR/Administration | | | | | | | |
IT | | | | | | | |
Management/Executive | | | | | | | |
```
### 3. Sensitive areas — who specifically should see these?
These should almost certainly **not** be open to all staff. Please tell us who (which department, or specific people) should have access:
- **Payroll** (currently on Q:)
- **OSHA 300 / OSHA Safety Training** (injury/safety records — currently on Q:)
- **Purchase Orders** (currently on Q:)
- **Accounting / Sage / QuickBooks / invoices** (S:, plus QBfiles on T:)
- Anything else you consider confidential (HR files, contracts, pricing, etc.)
### 4. Who's in each department
So we can put the right people in the right groups, we need a list of employees by department. An existing org chart or staff roster is perfect — or if it's easier, we can put together a proposed list from what we know and you correct it.
### 5. Cleanup
The drives have accumulated a lot of old material over the years — folders literally named "Do not use," duplicates, and per-person folders from former staff. As we go, we can archive or remove what's no longer needed. Are there any folders you already know are safe to clean up, or anyone we should check with first?
### 6. Special cases
Anyone who needs access across departments (e.g. management seeing everything), contractors/outside parties, or individual exceptions?
---
Once we have this, we'll put together a clear access plan (a simple "who sees what" map), send it back for your sign-off, and then implement it in stages so nobody loses access unexpectedly. Nothing changes on your end until you've approved the plan.
Thanks Dan — happy to jump on a quick call to walk through it if that's easier.
Best,
[Sender]
Arizona Computer Guru
---
### Internal notes (do not send)
- The `test` drive (DOS test stations) stays open by necessity (SMB1/guest) — not part of this exercise; don't raise it with them.
- `webshare` must keep the `svc_testdatadb` service account — restrict humans only.
- Drive-letter B: covers both Engineering and itsvc in current docs — confirm during design.
- After their reply: build AD security groups (`SG-<Resource>-<RW|RO>`), draft the group×share matrix, get sign-off (Phase 2), then staged build (Phase 3). See `roadmap.md`.
- Sensitive-data rules likely need HR/Finance sign-off, not just Dan — ask who owns that decision.

94
clients/dataforth/docs/projects/shares-permissions/roadmap.md Normal file
View File

@@ -0,0 +1,94 @@
# Dataforth — File Shares & Permissions Remediation: Roadmap
**Owner:** ACG (Howard) · **Client:** Dataforth (Dan Center, primary IT contact)
**Started:** 2026-06-10 · **Status:** Phase 0 complete; Phase 1 (client input) pending email
**Goal:** Move Dataforth from "every share open to every employee" to a **least-privilege, department-based access model** built on AD security groups, with sensitive data (payroll, OSHA, financials) properly restricted — without breaking the DOS/test-datasheet infrastructure or the in-flight post-ransomware file-recovery audit.
Related docs: [current-state-2026-06-10.md](./current-state-2026-06-10.md) (plain client-facing overview) · [acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md) (internal technical baseline) · [discovery-email-draft.md](./discovery-email-draft.md) (client ask)
---
## Why now
The 2026-06-10 read-only audit confirmed: all eight business shares grant access to all staff via `Everyone` / `Domain Users`, with `Domain Users:FullControl` on four of them (archive, sales, Engineering, sage). Payroll, OSHA injury logs, purchase orders, and accounting data are readable and writable by every employee. This is both a security/insider-risk problem and a compliance gap, and it follows a 2025 ransomware incident — tightening share access materially reduces blast radius of any future credential compromise.
---
## Guiding principles (target model)
- **Department-based AD security groups**, granted on resources; users join groups. Naming: `SG-<Resource>-<RW|RO>` (e.g. `SG-Sales-RW`, `SG-Accounting-RW`, `SG-Engineering-RO`).
- **Least privilege:** users get **Modify** (not Full); only Administrators/owners get FullControl. Remove `Everyone`. Replace blanket `Domain Users` with department groups.
- **Access-Based Enumeration (ABE)** on every share so users see only what they can open.
- **Share ACL = permissive, NTFS = authoritative** (standard pattern): set share to `Authenticated Users:Full` (or the relevant groups), enforce real access at NTFS via groups.
- **Sensitive shares isolated:** Payroll/HR, OSHA, Accounting/Finance get their own restricted groups, broken inheritance, no `Domain Users`.
- **Infra/app shares excluded** from the department model and handled case-by-case: `test` (DOS/SMB1 guest — leave open), `webshare` (preserve `svc_testdatadb`), `ITSvc` (IT-RW + computers/all-RO), `NETLOGON`/`SYSVOL` (never touch).
- **Change is staged and reversible:** snapshot every ACL before change; one share at a time; pilot user validation before flipping `Everyone`/`Domain Users` off.
---
## Phases
### Phase 0 — Discovery (DONE 2026-06-10)
- [x] Read-only enumeration of shares, top-level folders, share ACLs, NTFS root ACLs on AD1/AD2/FILES-D1/SAGE-SQL.
- [x] Baseline written: `current-state-2026-06-10.md`.
- [x] Confirmed: no department groups; Domain Users has Modify/Full on all shares; sensitive data exposed.
### Phase 1 — Client input (BLOCKING — pending)
Send the discovery email to Dataforth and capture their answers. We need:
1. **Department list** confirmed/corrected (starter list in the email).
2. **Department → share access matrix** — for each share: which departments get **Read/Write**, **Read-Only**, or **No access**.
3. **Sensitive-data rules** — who exactly may access Payroll, OSHA, Purchase Orders, Accounting/Sage (named people or a small group).
4. **Department rosters** — which employees belong to which department (or an org chart / they map names to departments).
5. **Legacy cleanup decisions** — which "Do not use"/person-named/legacy folders can be archived or deleted.
6. **Special cases** — execs who see everything, individuals with cross-department needs, external/contractor access.
- [ ] Email sent (recipients to be set by ACG).
- [ ] Replies received and logged into this folder.
### Phase 2 — Target-state design (after Phase 1)
- [ ] Build the **AD security group list** (per share/department, RW + RO variants) with naming convention.
- [ ] Build the **permission matrix**: groups × shares with explicit Modify/Read/none.
- [ ] Decide **structure changes**: folder consolidation, legacy archive/delete list, whether to recreate the missing `staff` share, Engineering volume/letter cleanup.
- [ ] Decide **drive-mapping changes** (GPO) — keep current letters or map by group.
- [ ] Plan handling of the four special shares (test/webshare/ITSvc/sage-app).
- [ ] **Sign-off from Dataforth** on the matrix before any change.
### Phase 3 — Build (staged, reversible)
- [ ] Snapshot/export current ACLs for every share (`icacls /save` or `Get-Acl` export) → store in this folder.
- [ ] Create AD security groups; populate membership from the rosters.
- [ ] Per share, in a controlled order (lowest-risk first, e.g. `archive``sales``e-drive`/`c-drive``Engineering` → sensitive last):
- Break inheritance where needed, add department groups (Modify), keep SYSTEM/Administrators Full.
- Apply ABE; set share ACL to permissive.
- **Leave `Domain Users`/`Everyone` in place initially** (additive) and validate with a pilot user in each department.
- [ ] Update GPO drive mappings if the model changes letters/targets.
### Phase 4 — Cutover & validate
- [ ] Per share, once validated: **remove `Everyone` and `Domain Users`** (the enforcement step).
- [ ] Walk each department through their access; resolve "I can't get to X" tickets quickly (add to group, not re-open the share).
- [ ] Lock down the sensitive shares last, with explicit HR/Accounting confirmation.
- [ ] Archive/remove approved legacy folders (after the migration-gap audit clears them).
### Phase 5 — Document & handoff
- [ ] Update the Dataforth wiki (shares map + new group model + matrix).
- [ ] Record group→share matrix as the source of truth in this folder.
- [ ] Vault any new service accounts (none expected).
- [ ] Set a review cadence (e.g. quarterly access review with Dan/HR).
- [ ] Bill per phase against the prepaid block (live-check `GET /customers/578095`).
---
## Risks & watch-items
- **Breaking app dependencies:** DOS stations (`test`), datasheet pipeline (`webshare`/`svc_testdatadb`), Sage (`sage` app paths), GageTrak, Epicor shortcuts. Validate before removing broad access.
- **Migration-gap audit overlap:** don't delete/move data the review-only audit still needs; sequence cleanup after it clears each share.
- **AD1 C: 90% full:** no staging copies on AD1; Engineering restructure needs a destination decision.
- **Hidden hard-coded UNC paths:** scripts/apps may reference `\\server\share\...` with assumed open access — surface during pilot validation.
- **Double-hop limitation:** ACL changes run locally on each file server (as SYSTEM via RMM) — fine; cross-server file moves use the documented GPO-mapped-drive workaround.
- **Single point of contact:** confirm Dan Center is authoritative for access decisions, or who signs off on the sensitive-data rules (likely needs HR/Finance input).
---
## Open questions for ACG (internal, before/with the email)
- Confirm email recipients/sender (Dan Center primary; CC Kevin Wackerly? Mike or Howard sending?).
- Is HR/Finance input needed directly for payroll/OSHA/PO rules, or does Dan relay?
- Do we recreate the missing `staff` share in this project or keep it separate?
- Budget/timeline expectations (prepaid block — scope the build phase into billable chunks).