sync: auto-sync from HOWARD-HOME at 2026-07-01 13:22:23

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-01 13:22:23
2026-07-01 13:23:00 -07:00
parent 7f897ce93f
commit 9e78a153f3
4 changed files with 210 additions and 44 deletions

View File

@@ -8,7 +8,18 @@ metadata:
Cascades is migrating staff machines + printers off the flat old LAN (192.168.0.0/22,
"CSC ENT") onto the isolated **Staff VLAN 20 (10.0.20.0/24, gw 10.0.20.1)** ("CSCNET").
Printers are being re-IP'd to 10.0.20.x (static) and re-shared on the CS-SERVER print
server. Key operational facts learned 2026-06-30 (Howard, front-desk ET-5800 + Life
server.
**PROGRESS (live-reconciled 2026-07-01):** MACHINES are essentially done — 22 online hosts on
VLAN 20; only CS-SERVER (stays by design) + ~6 stragglers (ASSISTMAN-PC, CascadesProxess,
Laptop2, NurseAssist, 2 roaming laptops) remain on 192.168.x. PRINTERS lag — only 4 of 15
CS-SERVER shares repointed to 10.0.20.x (FrontDesk .221, BusinessOffice .220, LifeEnrichment
.94, MCReception .78); 11 shares still on old-LAN IPs (MCMedTech still stale 192.168.2.53 though
target 10.0.20.74 is live+reachable). GPO still NOT fleet-live (silent new-driver-install gap
open: reboot vs pre-stage drivers). MEMCARE-STATION rename staged but not yet applied. Full
live inventory (all shares/ports/machines): clients/cascades-tucson/docs/printer-gpo-map.md.
Key operational facts learned 2026-06-30 (Howard, front-desk ET-5800 + Life
Enrichment Canon MF741CDW):
**pfSense gotcha (the big one):** CS-SERVER (on the old LAN) could not reach ANY VLAN 20
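Review bot: the inserted PROGRESS block says "~6 stragglers" while the printer-gpo-map hunk in this same commit lists exactly six named hosts (ASSISTMAN-PC, CascadesProxess, Laptop2, NurseAssist, LAPTOP-8P7HDSEI, LAPTOP-E0STJJE8); drop the tilde so the two living docs agree. The block also describes the target as the "isolated" Staff VLAN 20 a few lines before the pfSense gotcha that CS-SERVER could not reach it; since the 6/30 fix recorded in the session log is a LAN pass rule for src 192.168.2.248 -> dst 10.0.20.0/24, the isolation now carries a single-host exception for the DC/print server, and that caveat belongs next to "isolated" here rather than only in the gotcha section.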

View File

@@ -1,7 +1,24 @@
# Cascades — Printer / VLAN 20 Migration Map (GPO planning)
Living reference for the printer migration onto Staff VLAN 20 (10.0.20.0/24) and the
eventual **printer GPO** build. Update as machines/printers migrate. Started 2026-06-30 (Howard).
Living reference for the migration of staff machines + printers off the flat old LAN
("CSC ENT", 192.168.0.0/22) onto **Staff VLAN 20 (10.0.20.0/24, "CSCNET")** and the eventual
**printer GPO** build. Started 2026-06-30 (Howard). **Last reconciled to LIVE state 2026-07-01**
(full GuruRMM fleet IP pull + CS-SERVER `Get-Printer`/`Get-PrinterPort` + TCP reachability).
## STATE AT A GLANCE (live 2026-07-01)
- **Machines: essentially migrated.** 22 online hosts are on VLAN 20 (10.0.20.x). Only CS-SERVER
(stays on the LAN by design) + 6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2,
NurseAssist, 2 roaming laptops) remain on 192.168.x. See "Machine migration status" below.
- **Printer shares: lagging — 4 of 15 repointed.** Only FrontDesk, BusinessOffice, LifeEnrichment,
MCReception point at 10.0.20.x. The other 11 CS-SERVER print shares still target old-LAN
printer IPs. (Server-share printing still WORKS for those — CS-SERVER is on the old LAN and
reaches them fine — but the printer hardware hasn't been moved onto VLAN 20 yet.)
- **All 7 VLAN20 printer targets reachable** from CS-SERVER on 9100 (incl. .74, the MCMedTech
target that the share hasn't been repointed to yet). Gateway 10.0.20.1 pings.
- **GPO: not fleet-live.** Point-and-Print GPO is built but scoped to one pilot box; the silent
new-driver-install gap is still open (reboot vs pre-stage drivers — decision pending). See
"PILOT RESULT" below.
## How the GPO needs to be built (two layers)
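Review bot: "All 7 VLAN20 printer targets reachable" sits next to "4 of 15 repointed" without saying where seven comes from; state it as the four repointed shares (.221, .220, .94, .78) plus the three direct-IP targets (.74, .228, .236) so it is not read as seven shares. The parenthetical "Server-share printing still WORKS for those" should also say why: CS-SERVER is on the same flat LAN as the unmoved printer hardware. Once those eleven printers are re-IP'd to 10.0.20.x, server-share printing for them depends on the pfSense pass rule for 192.168.2.248 -> 10.0.20.0/24 noted in the session log, which is the first thing to check if a repointed share stops printing.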
@@ -12,70 +29,126 @@ eventual **printer GPO** build. Update as machines/printers migrate. Started 202
`Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0,`
`NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2` (scopes silent driver install
to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO
works. Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO.
works. GPO `CSC - Point and Print (CS-SERVER)` `{BFAB721A-513D-4C14-8255-DEB1D4266830}` is
BUILT but scoped to DESKTOP-H6QHRR7 only (see PILOT RESULT).
2. **Printer deployment** — GPP Printers / Deployed Printers mapping `\\CS-SERVER\<share>`
to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` likely still
points at OLD share names — repoint. `CSC - Printer Deployment` is disabled/empty (do not use).
to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` still points at
OLD share name `RecRoom-Canon` — repoint. `CSC - Printer Deployment` is disabled/empty (do not use).
**Driver trap:** Canon MF741/743 are **UFR II only** — PCL6 produces Error #822 (spools, never
**Driver trap:** Canon MF741/743/751 are **UFR II only** — PCL6 produces Error #822 (spools, never
prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250` (INF cnlb0ma64.inf).
NOTE: `MCDirector` (Canon MF751CDW) and `Kitchen`/`ExecDirector` (Canon MF743CDW) shares are
currently on **PCL6** on the server — they will hit Error #822 and need the UFR II driver when touched.
## Printer / machine map
## Printer share inventory — CS-SERVER (live 2026-07-01)
| Printer (share / name) | Model | IP (VLAN20) | Driver | Machine | User(s) | Domain? | Status / GPO action |
|---|---|---|---|---|---|---|---|
| `\\CS-SERVER\FrontDesk` | Epson ET-5800 | 10.0.20.221 | EPSON ET-5800 Series | RECEPTIONIST-PC (frontdesk box, S/N MJ0KQHNP) | frontdesk | Domain (cascades.local) | DONE — share repointed, mapped, default. Add to GPO. |
| `\\CS-SERVER\LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | Canon Generic Plus UFR II V250 | DESKTOP-DLTAGOI; DESKTOP-ROK7VNM | sharon.edwards; susan.hicks | Domain | DONE — UFR II driver fixed, mapped (not default). **Repoint `CSC - Life Enrichment Printers` GPO from old `1F-132-RecRoom-Canon` to `LifeEnrichment`.** |
| Dining Room Manager - Canon MF743CDW | Canon MF743CDW (MF741C/743C) | 10.0.20.228 | Canon Generic Plus UFR II V250 | DESKTOP-MD6UQI3 | dining manager (Alyssa) | **WORKGROUP — not domain-joined yet** | DONE as direct-IP (local) printer, default. **TODO: when DESKTOP-MD6UQI3 is domain-joined, add this printer to the GPO and map it to Alyssa's domain account.** |
| Chef Office - Brother MFC-9330CDW | Brother MFC-9330CDW | 10.0.20.236 | Brother MFC-9330CDW Printer | CHEF-PC | chef (all users) | **WORKGROUP — not domain-joined** | DONE as direct-IP (machine-wide / all users), default. **TODO: add to GPO + map to chef's domain account once CHEF-PC is domain-joined.** This is the Chef's printer in the Chef's office (distinct from the kitchen printer with the chefs). |
| Memory Care Front Desk - Epson ET-5800 (`\\CS-SERVER\MCReception`) | Epson ET-5800 | 10.0.20.78 | EPSON ET-5800 Series | MEMRECEPT-PC | memfrtdesk (+ other MemCare front-desk staff) | **WORKGROUP — not domain-joined** | Already shared on CS-SERVER as `MCReception`. Machine currently has the Epson via OLD vendor/WSD ports (`EP833571:ET-5800 SERIES` + WSD), NOT the static .78 — needs direct-IP to 10.0.20.78. **Mark for GPO: MemCare front-desk users (mostly the memfrtdesk machine). TODO: add to GPO + map to domain accounts once domain-joined.** |
| Memory Care MedTech - Brother MFC-L8900CDW (`\\CS-SERVER\MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → **rename to MEMCARE-***); DESKTOP-LPOPV30 | memory care; karen rossini | **WORKGROUP** | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. **TODO: GPO + domain accounts once joined.** |
| `\\CS-SERVER\Kitchen` | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | — | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. |
All shares `Shared=True, Published=False`. "VLAN20?" = does the port point at 10.0.20.x yet.
| Share | Model | Port host IP | VLAN20? | Driver (on server) | Action |
|---|---|---|---|---|---|
| `FrontDesk` | Epson ET-5800 | 10.0.20.221 | YES | EPSON ET-5800 Series | DONE. Add to GPO. |
| `BusinessOffice` | Brother MFC-L8900CDW | 10.0.20.220 | YES | Brother Generic Jpeg Type2 | DONE (now reachable; was powered-off 6/30). Add to GPO. |
| `LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | YES | Canon Generic Plus UFR II V250 | DONE. **Repoint `CSC - Life Enrichment Printers` GPO `RecRoom-Canon`->`LifeEnrichment`.** |
| `MCReception` | Epson ET-5800 | 10.0.20.78 | YES | EPSON ET-5800 Series | DONE (share now on .78). Client-side setup on MEMRECEPT-PC still TBD. |
| `MCMedTech` | Brother (L8900CDW) | **192.168.2.53** | NO — STALE | Brother Generic Jpeg Type2 | **REPOINT to 10.0.20.74** (target is LIVE + reachable). Caregiver GPO deploys this share. |
| `NursesPrinter` | Brother MFC-L8900CDW | 192.168.2.75 | NO | Brother Generic Jpeg Type2 | Re-IP to VLAN20 + repoint. Caregiver GPO default printer. |
| `HealthServices` | Konica Minolta C368 | 192.168.1.138 | NO | KONICA MINOLTA Universal PCL | Re-IP to VLAN20 + repoint. Caregiver GPO. |
| `MCDirector` | Canon MF751CDW | 192.168.3.52 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **switch to UFR II** (MF751 = UFR II only). Caregiver GPO. |
| `CopyRoom` | Canon | 192.168.2.230 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; verify model/PDL. Caregiver GPO default fallback. |
| `Kitchen` | Canon MF743CDW | 192.168.3.232 | NO | Canon Generic Plus **PCL6** | Kitchen printer (with chefs). Re-IP + repoint; **UFR II**. Separate from Dining .228. |
| `CulinaryChef` | Brother MFC-9330CDW | 192.168.3.88 | NO | Brother Generic Jpeg Type2 | **Likely redundant** with the Chef direct-IP printer (.236 on CHEF-PC). Verify same device -> retire or repoint. |
| `Accounting` | Canon MF455DW | 192.168.3.227 | NO | Canon Generic Plus PCL6 | Re-IP + repoint (verify PDL; MF455 supports PCL). |
| `AdminOffice` | Brother MFC-9340CDW | 192.168.2.145 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
| `ExecDirector` | Canon MF743CDW | 192.168.2.67 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **UFR II** (MF743). |
| `SalesMarketing` | Brother MFC-L8900CDW | 192.168.3.44 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
Progress: **4 / 15 shares on VLAN 20.** 11 remain on old-LAN IPs.
### Direct-IP printers (workgroup machines — no CS-SERVER share)
| Printer | Model | IP (VLAN20) | Machine | User(s) | Status |
|---|---|---|---|---|---|
| Dining Room Manager | Canon MF743CDW | 10.0.20.228 | DESKTOP-MD6UQI3 (workgroup) | dining manager (Alyssa) | DONE direct-IP (UFR II), default. **Domain-join -> move to `\\CS-SERVER\<share>` + GPO.** |
| Chef Office | Brother MFC-9330CDW | 10.0.20.236 | CHEF-PC (workgroup) | chef / JD Martin (USB stays default) | DONE direct-IP machine-wide. **Domain-join -> GPO.** May correspond to stale `CulinaryChef` server share (.88) — reconcile. |
| MedTech (also `MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | RECEPTIONIST-PC (memcare box) + DESKTOP-LPOPV30 | memory care; karen rossini | DONE direct-IP machine-wide on both; server `MCMedTech` share still needs repoint to .74. |
## Machine migration status — VLAN 20 (live 2026-07-01)
**On VLAN 20 (10.0.20.x) — 22 online hosts:** ACCT2-PC (.209), ANN-PC (.218), ASSISTNURSE-PC (.181),
CHEF-PC (.232, workgroup), CRYSTAL-PC (.205), DESKTOP-DLTAGOI (.72, sharon.edwards),
DESKTOP-H6QHRR7 (.235, Lauren — P&P pilot box), DESKTOP-LPOPV30 (.100, karen), DESKTOP-MD6UQI3
(.222, workgroup, Alyssa), DESKTOP-N5G1ROO (.183, Chris Knight), DESKTOP-ROK7VNM (.223, susan.hicks),
DESKTOP-TRCIEJA (.184, Lupe — slated for replacement), Health-Services-Director (.178),
LAPTOP-DRQ5L558 (.237, caregiver device), MAINTENANCE-PC (.96), MDIRECTOR-PC (.71, Shelby Trozzi),
MEMRECEPT-PC (.97, workgroup, memfrtdesk), NURSESTATION-PC (.180, caregiver device),
RECEPTIONIST-PC frontdesk box (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare box (.68, S/N MJ0KQH4R
— pending MEMCARE-STATION rename), SALES4-PC (.203), megan (.202).
**Still on old LAN (192.168.x):**
- CS-SERVER (192.168.2.248 / .254) — DC + print server, **stays on the LAN by design**.
- ASSISTMAN-PC (192.168.2.38, Meredith Kuhn) — known watch-host, not migrated.
- CascadesProxess (192.168.2.178), Laptop2 (192.168.2.118), NurseAssist (192.168.3.254),
LAPTOP-8P7HDSEI (192.168.3.101, roaming), LAPTOP-E0STJJE8 (192.168.3.9, roaming).
**Offline (last-known IP from DC DNS):** DESKTOP-F94M8UT (10.0.20.171, was on VLAN20 — Alma's old box),
DESKTOP-U2DHAP0 (192.168.3.37, Ashley — old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned),
Laptop4 (no DNS record).
## Current GPO state (live-inspected 2026-06-30)
- **NO GPO sets the Point-and-Print policy** (`RestrictDriverInstallationToAdministrators` / Point-and-Print Restrictions / Package Point and Print). This is the missing **Layer 1** — without it, GPP-deployed printers fail to install the driver for standard users (event 513 / 0xBCB). Must be added.
- Printer deployment is via **User-side GPP Printers** (not Deployed Printers / not GPP Computer), linked per-department OU:
- **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled; User GPP Printers + Registry + Shortcuts). Deploys 6 shares (action=Update): `\\CS-SERVER\NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; sets default = NursesPrinter and MCMedTech (the two default=1 entries; intended per-location but no item-level targeting currently parsed).
- **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` (action=Update, no targeting) — **STALE share name; the printer is now shared as `LifeEnrichment`**.
- **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Computer Registry only, no printers.
- **NO GPO sets the Point-and-Print policy** (missing **Layer 1**; explains the 513 / 0xBCB failures). `CSC - Point and Print (CS-SERVER)` was built to fill this but is pilot-scoped only.
- Printer deployment is via **User-side GPP Printers**, linked per-department OU:
- **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled). Deploys 6 shares (action=Update): `NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; defaults = NursesPrinter + MCMedTech (default=1, no item-level targeting parsed). **NOTE: 5 of these 6 shares still point at old-LAN IPs (only MCReception is on VLAN20) — repointing them is what actually moves the caregiver fleet's printers onto VLAN 20.**
- **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` **STALE share name; now `LifeEnrichment`**.
- **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Registry only, no printers.
- **CSC - Printer Deployment** -> not linked, empty. Dead — ignore.
- AD OU structure in play: `Departments/{Caregivers, Life Enrichment}`, `Workstations/Staff PCs`.
## Target-state design + action list
**Layer 1 — Point-and-Print policy (NEW computer GPO, fleet-wide).** Create e.g. `CSC - Point and Print (CS-SERVER)`, Computer config, set:
`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`: `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2`. Link at the OU that contains all staff/department workstations (e.g. `Workstations` and/or `Departments`). This makes every GPP/printer install from CS-SERVER silent for standard users. (Same values we set manually on the LE machines this session.)
**Layer 1 — Point-and-Print policy (fleet-wide computer GPO).** `CSC - Point and Print (CS-SERVER)` exists; broaden its link/filter to all staff/department workstation OUs once the silent-install gap below is resolved.
**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer going forward: edit the department's GPO -> User Config -> Preferences -> Control Panel Settings -> Printers -> add a **Shared Printer** item, action=Update/Create, path `\\CS-SERVER\<share>`, optional Set this printer as the default + item-level targeting (by security group / location) if needed. Link the GPO to the department OU.
**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer: department GPO -> User Config -> Preferences -> Control Panel -> Printers -> Shared Printer item, action=Update/Create, path `\\CS-SERVER\<share>`, + default + item-level targeting as needed.
**Immediate fixes identified:**
1. CREATE the Layer-1 Point-and-Print GPO (above) and link it. (Prerequisite — do first.)
2. REPOINT `CSC - Life Enrichment Printers` from `\\CS-SERVER\RecRoom-Canon` -> `\\CS-SERVER\LifeEnrichment`.
3. UPDATE the CS-SERVER share ports to the new VLAN20 static IPs so the GPO-deployed shares actually print: `MCMedTech` -> 10.0.20.74 (currently 192.168.2.53), `MCReception` -> 10.0.20.78, and audit `NursesPrinter`/`HealthServices`/`MCDirector`/`CopyRoom` ports as those printers migrate. (Front Desk + Life Enrichment shares already repointed this session.)
4. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group) is intact, or re-add it.
5. Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) get direct-IP printers until domain-joined; then move them into the right OU and let the GPO take over.
**Immediate fixes (priority order):**
1. **Resolve the silent-install gap** (see PILOT RESULT): decide reboot-test vs pre-stage-drivers, then take the P&P GPO fleet-live.
2. **Repoint the 5 stale caregiver-GPO shares to VLAN20** as those printers get re-IP'd: `MCMedTech` -> 10.0.20.74 (target already live — do this now), `NursesPrinter` (.75), `HealthServices` (.138), `MCDirector` (.52, +UFR II), `CopyRoom` (.230). This is the highest-leverage remaining printer work.
3. REPOINT `CSC - Life Enrichment Printers` `RecRoom-Canon` -> `LifeEnrichment`.
4. Re-IP + repoint the remaining old-LAN shares: `Kitchen` (+UFR II), `Accounting`, `AdminOffice`, `ExecDirector` (+UFR II), `SalesMarketing`.
5. Reconcile `CulinaryChef` (192.168.3.88) vs the Chef direct-IP (.236) — retire the redundant share if same device.
6. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group).
7. Domain-join the workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> move to GPO-deployed `\\CS-SERVER\<share>`.
## PILOT RESULT (2026-06-30) — important
## PILOT RESULT (2026-06-30) — still the open blocker
Created `CSC - Point and Print (CS-SERVER)` GPO, scoped it (security filter) to ONE machine **DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry landed correctly via GPO** (RestrictDriverInstallationToAdministrators=0 + full PointAndPrint set verified on the machine).
Created `CSC - Point and Print (CS-SERVER)`, scoped (security filter) to ONE machine
**DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry
landed correctly via GPO.** BUT the in-session test **still PROMPTED** for a printer whose driver
was NOT already local (front-desk Epson), even after a spooler restart — the driver did not install.
The earlier LE-machine "silent" maps only worked because that driver was already present.
**BUT the in-session test still PROMPTED:** mapping a printer whose driver was NOT already on the machine (front-desk Epson ET-5800) triggered the elevation prompt for the standard user, even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present (we never actually exercised the install path).
**Conclusion:** the P&P policy is necessary but NOT sufficient to make a *brand-new driver install*
silent in a running session. Likely: `RestrictDriverInstallationToAdministrators=0` needs a **reboot**
(CVE-2021-34527 mitigation) and/or v3 (non-package) drivers still elevate.
**Conclusion:** the Point-and-Print policy via GPO is necessary but NOT sufficient on its own to make a *brand-new driver install* silent in a running session. Likely causes: `RestrictDriverInstallationToAdministrators=0` needs a **reboot** to fully take effect (it's a CVE-2021-34527 mitigation), and/or v3 (non-package) drivers (Epson/Canon Generic Plus) still elevate.
**Two reliable paths (decide):**
1. **Reboot-dependent:** test — reboot a machine, then confirm a new-driver map is silent.
2. **Pre-stage drivers (recommended):** deploy each printer's driver machine-wide (computer GPO
startup script installing from CS-SERVER as SYSTEM). GPP connection then attaches to an
already-present driver -> always silent, no reboot/P&P-install dependency.
**Two reliable paths (to validate/decide):**
1. **Reboot-dependent:** policy likely only fully effective after the machine reboots (spooler starts with it). Test: reboot a machine, then confirm a new-driver map is silent. Normal for GPO rollout, but unproven for v3 drivers here.
2. **Pre-stage drivers (most reliable, recommended):** deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM, or the direct-IP/SYSTEM method we used on workgroup boxes). Then the User GPP printer connection attaches to an already-present driver -> always silent, no reboot/point-and-print-install dependency.
**State:** GPO is scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). Lauren's machine cleaned (no test artifacts). NOT yet rolled out. Next: decide reboot-test vs pre-stage-drivers, then go live.
**State:** GPO scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). NOT rolled out.
## Machine rename TODO
- **RECEPTIONIST-PC** (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. **Rename STAGED 2026-06-30 -> `MEMCARE-STATION`; applies on next reboot** (not forced; user was active). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk.
- **RECEPTIONIST-PC** (Memory Care box, S/N MJ0KQH4R, 10.0.20.68, agent 57f19e17) -> `MEMCARE-STATION`
rename was STAGED 2026-06-30 but **NOT YET APPLIED (live 2026-07-01 still reports RECEPTIONIST-PC)**
needs the reboot. The OTHER RECEPTIONIST-PC (frontdesk, S/N MJ0KQHNP, 10.0.20.102) is the real front desk.
## Notes
- Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC) get **direct-IP local printers** for now
(no domain auth / no point-and-print needed). Once domain-joined, switch them to the
GPO-deployed `\\CS-SERVER\<share>` model and map to the domain account.
- Server-share printing works even while a printer is still on the old-LAN IP (CS-SERVER is on the
old LAN and reaches it). Re-IP'ing printers to 10.0.20.x is about VLAN isolation, not print function.
- Workgroup machines get **direct-IP local printers** until domain-joined, then switch to
GPO-deployed `\\CS-SERVER\<share>`.
- Some Brother shares use the generic **"Brother Generic Jpeg Type2 Class Driver"**, not a
model-specific driver (BusinessOffice, MCMedTech, NursesPrinter, CulinaryChef, AdminOffice, SalesMarketing).
- Detailed how-to + pfSense routing fix: `.claude/memory/project_cascades_vlan20_migration_routing.md`
and session log `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`.
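Review bot: the Layer-1 design relaxes the CVE-2021-34527 mitigation fleet-wide (`RestrictDriverInstallationToAdministrators=0` together with `NoWarningNoElevationOnInstall=1` and `UpdatePromptSettings=2`), yet path 2 under PILOT RESULT pre-stages every driver machine-wide as SYSTEM, after which the User GPP connection attaches to an already-present driver and no standard-user driver install ever happens; the KB5005652 restriction applies to installing a driver, not to connecting with one already present. If path 2 is chosen, leave `RestrictDriverInstallationToAdministrators` at its default of 1 and keep only the PointAndPrint trusted-server scoping (`Restricted=1, TrustedServers=1, ServerList=CS-SERVER`), and record that in the Layer-1 paragraph instead of carrying the `=0` value forward unconditionally. Two smaller points: the Caregiver Workstation GPO has two `default=1` items (NursesPrinter and MCMedTech) and the hunk says no item-level targeting was parsed; if there really is none, whichever item is processed last becomes the default on every caregiver box, so this needs fixing (not just the "confirm" in action item 6) before the policy goes fleet-live. And the old Life Enrichment share name appears as `1F-132-RecRoom-Canon` in the FrontDesk/LifeEnrichment table row but as `RecRoom-Canon` everywhere else; use the name exactly as the GPP item shows it so the repoint step can be matched to the real entry.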

View File

@@ -0,0 +1,78 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Picked up the Cascades of Tucson network migration — moving staff machines and printers off the flat old LAN ("CSC ENT", 192.168.0.0/22) onto the isolated Staff VLAN 20 ("CSCNET", 10.0.20.0/24). Howard reported he had moved additional machines and printers since the 2026-06-30 work and asked where things stood. Loaded context from the wiki (clients/cascades-tucson) and the 2026-06-30 VLAN 20 printer-migration session log, then confirmed the terminology: the "CSCNET" target is pfSense VLAN 20, distinct from the WiFi "CSC ENT device-island" track.
Because Howard did not specify which machines/printers he had moved, ran a live GuruRMM reconciliation (delegated the high-volume RMM pull to a sub-agent) to discover current state: a full fleet IP map (10.0.20.x = migrated; 192.168.x = still on old LAN), CS-SERVER print-share/port inventory, and TCP reachability to every VLAN20 printer target. CS-SERVER agent id resolved live = c39f1de7-d5b6-45ae-b132-e06977ab1713 (unchanged).
The live pull showed the migration is much further along than the docs captured: 22 online hosts are now on VLAN 20, with only CS-SERVER (stays by design) plus ~6 stragglers left on the old LAN. Printers lag — only 4 of 15 CS-SERVER shares are repointed to 10.0.20.x. All 7 VLAN20 printer targets are reachable on 9100, including 10.0.20.74 (the MCMedTech target) even though its share still points at the stale 192.168.2.53. The MEMCARE-STATION rename staged on 6/30 has not applied (box still reports RECEPTIONIST-PC).
Reconciled both living docs to the live state: rewrote clients/cascades-tucson/docs/printer-gpo-map.md with the full 15-share inventory + 2 direct-IP printers + the 22-machine VLAN20 roster + a re-prioritized action list, and added a 2026-07-01 progress snapshot to the project_cascades_vlan20_migration_routing memory. No production changes were made this session (read-only investigation + doc updates). Offered to do the safe MCMedTech share repoint (.53 -> .74) but held pending Howard's decision on the GPO silent-install path.
## Key Decisions
- Used the live RMM fleet IP pull as the discovery mechanism for "which machines/printers moved," rather than asking Howard to enumerate them — machines' current IPs directly reveal VLAN20 vs old-LAN membership.
- Delegated the live data-gathering (fleet enumeration + CS-SERVER printer state + reachability) to a sub-agent because it was high-volume RMM tool output; kept the reconciliation and doc writes in the main context.
- Did NOT hand-edit the wiki article (compiled artifact — `/wiki-compile` only); updated the running doc + memory, which is what "update the running map + memory" scopes to.
- Held on the MCMedTech share repoint (safe — target .74 is live/reachable) until Howard decides reboot-test vs pre-stage-drivers for the GPO, to keep printer changes batched with the GPO go-live rather than one-off.
## Problems Encountered
- RMM/coord were initially unreachable from Howard-Home: Tailscale was stuck in `NoState` and disconnecting because unattended mode was off. Sub-agent set `HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` and restarted the service — now stable at 100.103.198.108, subnet route to 172.16.3.30 up. Persistent fix; flagged to Howard.
- Docs undercounted migration progress (tracked only a handful of machines/printers). Resolved by the full live pull + doc rewrite.
## Configuration Changes
- **Modified:** `clients/cascades-tucson/docs/printer-gpo-map.md` — full rewrite reconciled to live 2026-07-01 state (15-share inventory with current port IPs + VLAN20 status, 2 direct-IP printers, 22-machine VLAN20 roster + stragglers/offline, re-prioritized action list, driver traps for MF751/MF743 PCL6 shares).
- **Modified:** `.claude/memory/project_cascades_vlan20_migration_routing.md` — added 2026-07-01 progress snapshot (machines done, printers 4/15, GPO not live, rename pending); mechanics/gotchas retained.
- **Created:** this session log.
- **Machine config (Howard-Home, by sub-agent):** `HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` + Tailscale service restart. Not a repo change.
- No changes to CS-SERVER, pfSense, printers, or GPOs this session.
## Credentials & Secrets
- No credentials created or discovered. RMM commands ran as the agent (SYSTEM); no vaulted cred needed for the read-only local queries. Vaulted CS-SERVER admin (`clients/cascades-tucson/cs-server.sops.yaml`) was NOT used this session.
## Infrastructure & Servers
- **CS-SERVER** 192.168.2.248 (SMB) / 192.168.2.254 (Hyper-V vEth) — DC + print server; stays on old LAN by design. GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713` (resolved live, unchanged). Holds no DHCP scopes (VLAN20 DHCP served by the UniFi gateway).
- **VLAN 20 ("CSCNET")** 10.0.20.0/24, gw 10.0.20.1 (pings from CS-SERVER).
- **VLAN20 hosts (22 online):** ACCT2-PC .209, ANN-PC .218, ASSISTNURSE-PC .181, CHEF-PC .232 (workgroup), CRYSTAL-PC .205, DESKTOP-DLTAGOI .72, DESKTOP-H6QHRR7 .235 (P&P pilot), DESKTOP-LPOPV30 .100, DESKTOP-MD6UQI3 .222 (workgroup), DESKTOP-N5G1ROO .183, DESKTOP-ROK7VNM .223, DESKTOP-TRCIEJA .184, Health-Services-Director .178, LAPTOP-DRQ5L558 .237, MAINTENANCE-PC .96, MDIRECTOR-PC .71, MEMRECEPT-PC .97 (workgroup), NURSESTATION-PC .180, RECEPTIONIST-PC frontdesk .102 (S/N MJ0KQHNP), RECEPTIONIST-PC memcare .68 (S/N MJ0KQH4R, pending rename), SALES4-PC .203, megan .202.
- **Still on old LAN:** CS-SERVER (by design), ASSISTMAN-PC 192.168.2.38, CascadesProxess 192.168.2.178, Laptop2 192.168.2.118, NurseAssist 192.168.3.254, LAPTOP-8P7HDSEI 192.168.3.101 (roaming), LAPTOP-E0STJJE8 192.168.3.9 (roaming).
- **Offline (last DNS IP):** DESKTOP-F94M8UT 10.0.20.171 (VLAN20), DESKTOP-U2DHAP0 192.168.3.37 (old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), Laptop4 (no DNS).
- **CS-SERVER print shares (share -> port IP, VLAN20?):** FrontDesk -> 10.0.20.221 YES; BusinessOffice -> 10.0.20.220 YES; LifeEnrichment -> 10.0.20.94 YES (UFR II); MCReception -> 10.0.20.78 YES; MCMedTech -> 192.168.2.53 NO (target .74 live); NursesPrinter -> 192.168.2.75 NO; HealthServices -> 192.168.1.138 NO (Konica C368); MCDirector -> 192.168.3.52 NO (Canon MF751, PCL6 -> needs UFR II); CopyRoom -> 192.168.2.230 NO; Kitchen -> 192.168.3.232 NO (Canon MF743, PCL6 -> UFR II); CulinaryChef -> 192.168.3.88 NO (Brother 9330, likely redundant w/ Chef direct-IP); Accounting -> 192.168.3.227 NO (Canon MF455); AdminOffice -> 192.168.2.145 NO (Brother 9340); ExecDirector -> 192.168.2.67 NO (Canon MF743, PCL6 -> UFR II); SalesMarketing -> 192.168.3.44 NO (Brother L8900).
- **Direct-IP printers (workgroup):** Dining Canon MF743CDW 10.0.20.228 (DESKTOP-MD6UQI3, UFR II); Chef Brother MFC-9330CDW 10.0.20.236 (CHEF-PC); MedTech Brother L8900CDW 10.0.20.74 (memcare box + DESKTOP-LPOPV30).
- **Howard-Home:** Tailscale 100.103.198.108 (now unattended/stable).
## Commands & Outputs
- VLAN20 printer reachability from CS-SERVER (TCP 9100, 2s timeout): 10.0.20.221 True, .220 True, .94 True, .78 True, .74 True, .228 True, .236 True. Gateway 10.0.20.1 ping True. No asleep/off false negatives.
- Data sources: live `Get-NetIPAddress` + `Win32_BIOS` serial on 29 online agents; CS-SERVER DNS zone for offline hosts; CS-SERVER `Get-Printer`/`Get-PrinterPort`.
## Pending / Incomplete Tasks
- **Decide the GPO silent-install path:** reboot-test vs pre-stage-drivers (recommended). This is the blocker to taking `CSC - Point and Print (CS-SERVER)` fleet-live (currently pilot-scoped to DESKTOP-H6QHRR7).
- **Repoint MCMedTech share 192.168.2.53 -> 10.0.20.74** (safe; target live) — offered, held for Howard's go.
- **Repoint remaining stale caregiver-GPO shares** as printers re-IP: NursesPrinter (.75), HealthServices (.138), MCDirector (.52, +UFR II), CopyRoom (.230).
- **Repoint `CSC - Life Enrichment Printers` GPO** `RecRoom-Canon` -> `LifeEnrichment`.
- **Re-IP + repoint remaining old-LAN shares:** Kitchen (+UFR II), Accounting, AdminOffice, ExecDirector (+UFR II), SalesMarketing.
- **Reconcile CulinaryChef (192.168.3.88) vs Chef direct-IP (.236)** — retire redundant share if same device.
- **Apply MEMCARE-STATION rename** (needs reboot; memcare box still reports RECEPTIONIST-PC).
- **Domain-join workgroup machines** (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> switch direct-IP printers to `\\CS-SERVER\<share>` + GPO.
- **Optional:** save a harness memory for the Howard-Home Tailscale UnattendedMode fix.
- Cascades printer skill (Howard's idea) — package the migration how-to into a reusable skill.
## Reference Information
- Running map: `clients/cascades-tucson/docs/printer-gpo-map.md`.
- Migration memory: `.claude/memory/project_cascades_vlan20_migration_routing.md`.
- Prior session: `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`.
- GuruRMM API: http://172.16.3.30:3001 (vault `infrastructure/gururmm-server.sops.yaml`).
- P&P GPO: `CSC - Point and Print (CS-SERVER)` guid `{BFAB721A-513D-4C14-8255-DEB1D4266830}`.
- UFR II driver for Canon MF741/743/751: `Canon Generic Plus UFR II V250`, INF `cnlb0ma64.inf`.
- pfSense LAN routing fix (6/30): top LAN pass rule src 192.168.2.248 -> dst 10.0.20.0/24, gw=default.
- Syncro customer 20149445; 0 open tickets, 37.5 prepaid hrs (as of 2026-06-30).
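Review bot: the summary's "No production changes were made this session" conflicts with the persistent `HKLM\SOFTWARE\Tailscale IPN\UnattendedMode = always` change recorded under Configuration Changes; scope the statement to client infrastructure (CS-SERVER, pfSense, printers, GPOs) as the Configuration Changes bullet already does, and note explicitly that unattended mode keeps Howard-Home on the tailnet with no user logged in, which is a standing-access change to the machine that holds the subnet route to the RMM host. Separately, Infrastructure says "VLAN20 DHCP served by the UniFi gateway" while the Session Summary says the CSCNET target is pfSense VLAN 20 and the gateway 10.0.20.1 is what pings from CS-SERVER; state which device is 10.0.20.1 and which serves DHCP, since the routing fix and any future firewall rules are written against one of them.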

View File

@@ -23,6 +23,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-01 | GURU-5070 | agy | gemini returned no response (empty after 3 attempts) [ctx: mode=verify err= at process.processTicksAndRejections (node:internal/process/task_queues:104:]
2026-07-01 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM)
2026-07-01 | Howard-Home | coord | coord API call failed (HTTP 0) [ctx: http=0 cmd=lock claim resp={"error": "<urlopen error [WinError 10060] A connection attempt failed because t]
2026-07-01 | Howard-Home | rmm/mac-mount-check | [friction] grep '/Volumes/Data' false-matched '/System/Volumes/Data' and reported MOUNTED when share was absent; use precise 'on /Volumes/Data ' (with trailing space) as the LaunchAgent does
2026-07-01 | GURU-5070 | remediation-tool | [friction] declared 'no SharePoint access' on a Graph accessDenied; actually the Tenant Admin app holds SharePoint Sites.FullControl.All - the blocks were (a) SharePoint app-only needs CERT not client_secret ('Unsupported app only token') and (b) get-token.sh had no SharePoint resource tier. Fixed: added sharepoint/sharepoint-admin tiers + reference doc. [ctx: ref=.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md]