client/cascades: Phase 2.6 COMPLETE — 13 printers, 4 GPOs, 5 accounts disabled

Detailed context: - Task: Cascades of Tucson Phase 2.6 — printer migration, GPO deployment, account cleanup - Changes: - phase2-print-server.ps1: all 13 printers complete, Epson driver/share notes added - active-directory.md: 5 stale accounts disabled, 4 GPOs created, pending issues cleared, printer share table updated - Session log: 2026-05-20 Howard session covering all Phase 2.6 work - Status: Phase 2.6 complete Files modified: - clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 - clients/cascades-tucson/docs/servers/active-directory.md - clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:03:59 -07:00
parent dc29e2ff24
commit ae791e321d
3 changed files with 301 additions and 49 deletions
--- a/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1
+++ b/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1
@@ -1,14 +1,21 @@
 # Phase 2.6 — CS-SERVER Print Server Setup
 # Run on CS-SERVER via GuruRMM remote PowerShell
-# Last updated: 2026-05-20 (Howard) — rewritten with verified IPs and confirmed drivers
+# Last updated: 2026-05-20 (Howard)
 #
-# Drivers confirmed installed on CS-SERVER:
-#   Canon Generic Plus PCL6 (v3)
-#   Brother Generic Jpeg Type2 Class Driver (v4)
+# STATUS AS OF 2026-05-20: COMPLETE — all 13 printers installed and shared
+#   KM driver folder archived to: D:\Shares\Server\Drivers\KM_Universal_PCL6\
+#   Epson INF files at: C:\Users\sysadmin\Documents\ComputerGuru Connect v2\Files\epsonetdrivers\
 #
-# Deferred — need vendor driver downloaded to server first:
-#   Front Desk Epson ET-5800 (192.168.2.147)    — Epson Universal Print Driver
-#   Health Svcs Konica Minolta Bizhub C368 (192.168.1.138) — Konica Minolta PCL6 Universal
+# Drivers installed on CS-SERVER:
+#   Canon Generic Plus PCL6             — Copy Room, Accounting, Executive Director, Kitchen, Life Enrichment, Memory Care Director
+#   Brother Generic Jpeg Type2 Class Driver — Business Office, Admin Office, Sales Marketing, Culinary Chef, Memory Care MedTech
+#   KONICA MINOLTA Universal PCL        — Health Services C368
+#   EPSON ET-5800 Series                — Front Desk (driver staged via pnputil, registered via Add-PrinterDriver)
+#
+# Epson ET-5800 install notes:
+#   EPWizard.exe fails on Server 2019 (wlanapi.dll stub — WLAN stack absent).
+#   Workaround: run installer on Server, copy extracted INFs from AppData\Local\Temp\ET-5800
+#   before dismissing error. pnputil stages them; Add-PrinterDriver registers with spooler.

 $ErrorActionPreference = 'Continue'

@@ -98,9 +105,35 @@ $printers = @(
        Location = 'Kitchen Chef station'
        Comment  = 'Brother MFC-9330CDW - JD Martin / Chef'
    }
-    # Deferred — drivers not yet installed:
-    # Front Desk Epson ET-5800 (192.168.2.147)         ShareName: FrontDesk
-    # Health Svcs Bizhub C368  (192.168.1.138)         ShareName: Health-206
+    # Front Desk
+    @{
+        IP       = '192.168.2.147'
+        Port     = 'TCP_192.168.2.147'
+        Name     = 'Front Desk - Epson ET-5800'
+        Driver   = 'EPSON ET-5800 Series'
+        Share    = 'FrontDesk'
+        Location = 'Front Desk'
+        Comment  = 'Epson ET-5800 - Front Desk'
+    }
+    # Memory Care
+    @{
+        IP       = '192.168.3.52'
+        Port     = 'TCP_192.168.3.52'
+        Name     = 'Memory Care Director - Canon MF751CDW'
+        Driver   = 'Canon Generic Plus PCL6'
+        Share    = 'MCDirector'
+        Location = 'Memory Care Room 603'
+        Comment  = 'Canon imageClass MF751CDW - Shelby Trozzi'
+    }
+    @{
+        IP       = '192.168.2.53'
+        Port     = 'TCP_192.168.2.53'
+        Name     = 'Memory Care MedTech - Brother'
+        Driver   = 'Brother Generic Jpeg Type2 Class Driver'
+        Share    = 'MCMedTech'
+        Location = 'Memory Care Room 615'
+        Comment  = 'Brother - MedTechs / Nurses'
+    }
 )

 Write-Output ''
@@ -144,8 +177,10 @@ $all = @(
    @{ Name='Marketing Brother';     IP='192.168.3.44' }
    @{ Name='Kitchen Canon';         IP='192.168.3.232' }
    @{ Name='Chef Brother';          IP='192.168.3.88' }
-    @{ Name='[DEFERRED] FrontDesk';  IP='192.168.2.147' }
-    @{ Name='[DEFERRED] Health-206'; IP='192.168.1.138' }
+    @{ Name='Front Desk - Epson';          IP='192.168.2.147' }
+    @{ Name='Health Services C368';       IP='192.168.1.138' }
+    @{ Name='MC Director Canon MF751CDW'; IP='192.168.3.52' }
+    @{ Name='MC MedTech Brother';         IP='192.168.2.53' }
 )
 foreach ($p in $all) {
    $ok = Test-Connection -ComputerName $p.IP -Count 1 -Quiet -ErrorAction SilentlyContinue
--- a/clients/cascades-tucson/docs/servers/active-directory.md
+++ b/clients/cascades-tucson/docs/servers/active-directory.md
@@ -36,7 +36,7 @@
 | Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
 | karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
 | Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
-| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** |
+| ~~britney.thompson~~ | ~~Britney Thompson~~ | ~~Memory Care Nurse~~ | **Disabled 2026-05-20 — departed 2026-04-22. M365 license still to harvest.** |

 **OU=Care-Memorycare**
 | SamAccountName | Name | Position | Notes |
@@ -87,14 +87,14 @@
 | Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
 | Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
 | Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
-| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** |
+| ~~Shontiel.Nunn~~ | ~~Shontiel Nunn~~ | ~~RS Receptionist~~ | M365: Frontdesk@. **Disabled 2026-05-20 — s.nunn (Caregivers) is the correct current account.** |

-**OU=Transportation** — accounts still enabled but flagged for disable
+**OU=Transportation** — all accounts disabled 2026-05-20
 | SamAccountName | Name | Position | Notes |
 |---------------|------|----------|-------|
-| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). **Disable — drivers no longer get IT access** |
-| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** |
-| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** |
+| ~~Christopher.Holick~~ | ~~Christopher Holick~~ | ~~Driver~~ | Fixed from Holik (2026-04-13). **Disabled 2026-05-20 — drivers no longer get IT access** |
+| ~~Julian.Crim~~ | ~~Julian Crim~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** |
+| ~~Richard.Adams~~ | ~~Richard Adams~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** |

 **CN=Users — Service Accounts**
 | SamAccountName | Notes |
@@ -294,34 +294,53 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti
 | ADMIN$, C$, D$, IPC$, print$ | (system) | Standard Windows — do not remove |
 | RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | RDS artifact — remove with RDS role in Phase 5 |

-**Printers shared from CS-SERVER:**
-| Share | Device |
-|-------|--------|
-| RecRoom-Canon | 1F-132-RecRoom-Canon |
-| MemCare Director Printer | MF451CDW |
-| MemCare MedTech Printer | Brother MFC-L8900CDW |
+**Printers shared from CS-SERVER (13 — Phase 2.6 COMPLETE 2026-05-20):**
+| Share | Device | ILT (GPO) |
+|-------|--------|-----------|
+| CopyRoom | Canon imageRunner C478iF (192.168.2.230) | All staff |
+| BusinessOffice | Brother MFC-L8900CDW (10.0.20.220) | OU=Administrative |
+| Accounting | Canon imageClass MF455DW (192.168.3.227) | OU=Administrative |
+| AdminOffice | Brother MFC-9340CDW (192.168.2.145) | OU=Administrative OR OU=Resident Services |
+| ExecDirector | Canon imageClass MF743CDW (192.168.2.67) | OU=Administrative |
+| SalesMarketing | Brother MFC-L8900CDW (192.168.3.44) | OU=Marketing |
+| Kitchen | Canon imageClass MF743CDW (192.168.3.232) | OU=Culinary |
+| CulinaryChef | Brother MFC-9330CDW (192.168.3.88) | OU=Culinary |
+| FrontDesk | Epson ET-5800 (192.168.2.147) | OU=Resident Services |
+| HealthServices | KM C368 (192.168.1.138) | OU=Care-Assisted Living OR OU=Care-Memorycare |
+| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment |
+| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare |
+| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare |

 ## Group Policy (as of 2026-05-20)

-GPOs exist but effectiveness is limited since most PCs are not domain-joined.
+GPOs exist but effectiveness is limited since most PCs are not domain-joined. All CSC - GPOs are **UNLINKED** until Phase 3 domain join cutover.

-| GPO | Created | Modified | Settings | Notes |
-|-----|---------|----------|----------|-------|
-| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
-| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
-| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
-| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks |
-| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
-| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
-| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
+| GPO | Link | Settings | Notes |
+|-----|------|----------|-------|
+| Default Domain Policy | Domain root | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min. Kerberos defaults. | OK |
+| Default Domain Controllers Policy | OU=Domain Controllers | IIS app pool audit rights, print operator driver loading. | OK |
+| Power Options | — | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
+| CSC - Always Wait For Network | — | AlwaysWaitForNetwork + synchronous logon | Pre-existing |
+| CSC - Folder Redirection (LE) | OU=Life Enrichment | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. | LIVE — Sharon Edwards + Susan Hicks |
+| CSC - Folder Redirection | — | Same as LE GPO but for all staff OUs. UNLINKED. | Blocked on Phase 3 |
+| CSC - Life Enrichment Printers | OU=Life Enrichment | Printer preferences for LE staff | LIVE |
+| CSC - Security Baseline | UNLINKED | Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. | Created 2026-05-20. Link at domain root at Phase 3. |
+| CSC - Windows Update | UNLINKED | AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. | Created 2026-05-20. Link at domain root at Phase 3. |
+| CSC - Printer Deployment | UNLINKED | 13 printers with OU-based ILT in Printers.xml. CopyRoom = all staff. Others scoped by OU. | Created 2026-05-20. Link to OU=Workstations at Phase 3. |
+| CSC - Drive Mappings | UNLINKED | M: Management (SG-Mgmt-RW), S: Sales (SG-Sales-RW), T: Activities (SG-Activities-RW), K: Culinary (OU), R: Receptionist (OU). | Created 2026-05-20. Link to OU=Departments at Phase 3. |
+| ~~CopyRoomPrinter~~ | — | EMPTY | **DELETED 2026-03-09** |
+| ~~Nurses-Kiosk~~ | — | EMPTY | **DELETED 2026-03-09** |
+| ~~MemCareMedTechPrinter~~ | — | EMPTY | **DELETED 2026-03-09** |

-**GPOs to Create (Phase 2.6 — not yet run):**
-1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
-2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
-3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
-4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
-5. **CSC - Folder Redirection** — Single GPO linked at `OU=Departments`, covering all staff OUs. Same settings as the LE GPO: Documents + Downloads + Desktop → `\\CS-SERVER\homes\%USERNAME%\<Folder>`, GrantExclusive=false, MoveContents=true. **Blocked on Phase 3 domain joins** — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure).
-6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
+**GPOs Remaining (Phase 3+):**
+- **CSC - Folder Redirection** — Link to OU=Departments at Phase 3. Blocked on domain joins. CRITICAL: check OneDrive KFM before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log).
+- **CSC - Shared Workstation** — Future: linked to Shared PCs OU; ILT for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount.
+
+**Phase 3 GPO linking order** (after first successful domain join per phase3-domain-join.md step 5c):
+1. Link CSC - Security Baseline → domain root
+2. Link CSC - Windows Update → domain root
+3. Link CSC - Printer Deployment → OU=Workstations
+4. Link CSC - Drive Mappings → OU=Departments

 ## RDS Licensing

@@ -341,16 +360,17 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined.
 | ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
 | sysadmin | Enabled | OK (IT account) |

-## Pending Issues (discovered 2026-05-19 audit)
+## Pending Issues

 | Issue | Account | Action Needed |
 |-------|---------|---------------|
-| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
-| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
-| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
-| Cloud-only M365 account — RESOLVED | Alma.Montt | OU=Administrative does not sync via Entra Connect in practice. Cloud-only M365 account created 2026-05-19 is **intentional and correct** — keep it. No AD sync conflict. |
-| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
-| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
+| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — disabled. M365 license still to harvest. |
+| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. |
+| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. |
+| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. |
+| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. |
+| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. |
+| britney.thompson M365 license | britney.thompson | Account disabled. License not yet harvested — do before next billing cycle. |

 ## Login Activity (audit 2026-03-20 — historical/stale)

@@ -381,7 +401,10 @@ See `migration/phase2-server-prep.md` for full phase details. Scripts referenced
 - `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
 - `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
 - `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
+- `migration/scripts/phase2-print-server.ps1` — 13 printers installed + shared on CS-SERVER — COMPLETE 2026-05-20
+- `.claude/temp/gpo-script1.ps1` — AD account cleanup (5 accounts disabled) + CSC - Security Baseline + CSC - Windows Update — COMPLETE 2026-05-20
+- `.claude/temp/gpo-script2.ps1` — CSC - Printer Deployment (13 printers, OU ILT) + CSC - Drive Mappings (M: S: T: K: R:) — COMPLETE 2026-05-20

-**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
+**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations. MDIRECTOR-PC needs Windows 10 Pro upgrade first.

 **Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.
--- a/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
+++ b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
@@ -0,0 +1,194 @@
+# Cascades of Tucson — Phase 2.6 Session Log
+
+**Date:** 2026-05-20
+**Duration:** Multi-session (continued from context-limit session)
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** HOWARD-HOME
+- **Role:** tech
+
+## Summary
+
+Completed Phase 2.6: print server build-out, GPO creation, and AD account cleanup. All 13 printers are now installed and shared on CS-SERVER. Four CSC GPOs are created and staged (unlinked until Phase 3 domain join cutover).
+
+---
+
+## Work Completed
+
+### 1. Front Desk Epson ET-5800 — Printer Installation
+
+**Problem:** EPWizard.exe fails on Windows Server 2019 — `wlanapi.dll` stub is present but the WLAN stack is absent.
+
+**Fix:**
+1. Ran EPWizard.exe on CS-SERVER, let it extract drivers to `AppData\Local\Temp\ET-5800\` before dismissing the error
+2. Copied extracted INFs to `C:\Users\sysadmin\Documents\ComputerGuru Connect v2\Files\epsonetdrivers\`
+3. `pnputil /add-driver <INF> /install` staged the driver in Windows Driver Store
+4. `Add-PrinterDriver -Name "EPSON ET-5800 Series"` registered it with the Print Spooler
+5. `Add-Printer` / `Add-PrinterPort` created the printer at 192.168.2.147, shared as `FrontDesk`
+
+**Driver name (from INF):** `EPSON ET-5800 Series`
+**INF location:** E_WF1XCE.INF (UTF-16 LE with BOM FF FE — `Select-String` fails on it; must use `[System.IO.File]::ReadAllBytes()`)
+
+### 2. Memory Care Director + MedTech Printers
+
+Added to CS-SERVER (via GuruRMM remote PowerShell):
+
+| Printer | Share | IP | Driver |
+|---------|-------|----|--------|
+| Memory Care Director - Canon MF751CDW | MCDirector | 192.168.3.52 | Canon Generic Plus PCL6 |
+| Memory Care MedTech - Brother | MCMedTech | 192.168.2.53 | Brother Generic Jpeg Type2 Class Driver |
+
+Both reachable and shared. Total shared printers on CS-SERVER: **13**.
+
+### 3. Script: phase2-print-server.ps1
+
+Updated `clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1`:
+- Status header updated to **COMPLETE 2026-05-20** (all 13 printers)
+- Added FrontDesk, MCDirector, MCMedTech to `$printers` array
+- Documented Epson ET-5800 workaround in header comments
+- KM driver archived to `D:\Shares\Server\Drivers\KM_Universal_PCL6\`
+
+### 4. AD Account Cleanup (5 accounts)
+
+Executed via GuruRMM remote PowerShell on CS-SERVER. All `Disable-ADAccount` calls succeeded.
+
+| Account | OU | Reason |
+|---------|----|--------|
+| britney.thompson | Care-Assisted Living | Departed 2026-04-22 |
+| Richard.Adams | Transportation | Drivers no longer get IT access |
+| Julian.Crim | Transportation | Drivers no longer get IT access |
+| Christopher.Holick | Transportation | Drivers no longer get IT access |
+| Shontiel.Nunn | Resident Services | Old-format account — s.nunn (Caregivers) is correct |
+
+**Note:** britney.thompson's M365 license is still active and not yet harvested. Action needed before next billing cycle.
+
+### 5. CSC - Security Baseline GPO
+
+Created via `New-GPO` + `Set-GPRegistryValue` + direct SYSVOL writes.
+
+**Screen saver (HKCU via GPP):**
+- ScreenSaveTimeOut = 900 (15 min)
+- ScreenSaveActive = 1
+- ScreenSaverIsSecure = 1
+- SCRNSAVE.EXE = scrnsave.scr
+
+**GptTmpl.inf (Machine security — written as Unicode UTF-16):**
+```
+MinimumPasswordLength = 12
+PasswordComplexity = 1
+PasswordHistorySize = 24
+MaximumPasswordAge = 90
+MinimumPasswordAge = 1
+LockoutBadCount = 5
+ResetLockoutCount = 30
+LockoutDuration = 30
+```
+
+**GPT.INI:** machine version bumped, security extension GUID `{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}` added.
+
+**Status: UNLINKED.** Link to domain root at Phase 3 cutover.
+
+### 6. CSC - Windows Update GPO
+
+Created via `New-GPO` + `Set-GPRegistryValue` (HKLM AU key).
+
+| Setting | Value |
+|---------|-------|
+| NoAutoUpdate | 0 |
+| AUOptions | 4 (auto download + install) |
+| ScheduledInstallDay | 1 (Sunday) |
+| ScheduledInstallTime | 3 (3:00 AM) |
+| NoAutoRebootWithLoggedOnUsers | 1 |
+| EnableFeaturedSoftware | 0 |
+
+**Status: UNLINKED.** Link to domain root at Phase 3 cutover.
+
+### 7. CSC - Printer Deployment GPO
+
+Created `Printers.xml` in SYSVOL at `{GPO-GUID}\User\Preferences\Printers\`.
+
+13 printers with OU-based item-level targeting (`FilterOrgUnit`):
+
+| Share | ILT |
+|-------|-----|
+| CopyRoom | No filter — all staff |
+| BusinessOffice | OU=Administrative |
+| Accounting | OU=Administrative |
+| AdminOffice | OU=Administrative OR OU=Resident Services |
+| ExecDirector | OU=Administrative |
+| SalesMarketing | OU=Marketing |
+| Kitchen | OU=Culinary |
+| CulinaryChef | OU=Culinary |
+| FrontDesk | OU=Resident Services |
+| HealthServices | OU=Care-Assisted Living OR OU=Care-Memorycare |
+| LifeEnrichment | OU=Life Enrichment |
+| MCDirector | OU=Care-Memorycare |
+| MCMedTech | OU=Caregivers OR OU=Care-Memorycare |
+
+**CSE GUID:** `{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}{D02B1F72-3407-48AE-BA88-E8213C6761F1}`
+
+**Status: UNLINKED.** Link to OU=Workstations at Phase 3 cutover.
+
+### 8. CSC - Drive Mappings GPO
+
+Created `Drives.xml` in SYSVOL at `{GPO-GUID}\User\Preferences\Drives\`.
+
+| Drive | Share | ILT |
+|-------|-------|-----|
+| M: | \\CS-SERVER\Management | FilterGroup: CASCADES\SG-Mgmt-RW |
+| S: | \\CS-SERVER\Sales | FilterGroup: CASCADES\SG-Sales-RW |
+| T: | \\CS-SERVER\Activities | FilterGroup: CASCADES\SG-Activities-RW |
+| K: | \\CS-SERVER\Culinary | FilterOrgUnit: OU=Culinary,OU=Departments |
+| R: | \\CS-SERVER\Receptionist | FilterOrgUnit: OU=Resident Services,OU=Departments |
+
+**CSE GUID:** `{5794DAFD-BE60-433f-88A2-1A31939AC01F}{D02B1F72-3407-48AE-BA88-E8213C6761F1}`
+
+**Status: UNLINKED.** Link to OU=Departments at Phase 3 cutover.
+
+---
+
+## Final CSC GPO Inventory (8 GPOs, all AllSettingsEnabled)
+
+```
+CSC - Always Wait For Network    (pre-existing)
+CSC - Drive Mappings             UNLINKED — link to OU=Departments at Phase 3
+CSC - Folder Redirection         UNLINKED — blocked on Phase 3 domain joins
+CSC - Folder Redirection (LE)    LIVE — linked to OU=Life Enrichment
+CSC - Life Enrichment Printers   LIVE — linked to OU=Life Enrichment
+CSC - Printer Deployment         UNLINKED — link to OU=Workstations at Phase 3
+CSC - Security Baseline          UNLINKED — link to domain root at Phase 3
+CSC - Windows Update             UNLINKED — link to domain root at Phase 3
+```
+
+---
+
+## Docs Updated
+
+- `clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1` — Complete status + all 13 printers
+- `clients/cascades-tucson/docs/servers/active-directory.md` — Accounts disabled, GPO table updated, pending issues updated, printer shares table updated
+
+---
+
+## Phase 3 Prerequisites (next major work)
+
+Domain join order (per `migration/phase3-domain-join.md`):
+1. DESKTOP-KQSL232 (10.0.20.227)
+2. CHEF-PC (10.0.20.232)
+3. SALES4-PC (10.0.20.203)
+4. MDIRECTOR-PC (192.168.3.20) — **needs Windows 10 Pro upgrade first** (currently Home)
+
+After first successful join — link GPOs per phase3-domain-join.md step 5c.
+
+---
+
+## Open Items
+
+| Item | Priority | Notes |
+|------|----------|-------|
+| britney.thompson M365 license harvest | Medium | Account disabled; license still active |
+| Phase 3 domain joins | High | Block on MDIRECTOR-PC needing Win10 Pro upgrade |
+| krbtgt password rotation | Medium | 569+ days old — deferred |
+| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |
+| SG-Mgmt-RW + SG-Sales-RW membership | Medium | Populate before Phase 3 GPO linking |
+| CSC - Folder Redirection (full) | Medium | Blocked on Phase 3 — check OneDrive KFM on each PC first |