From ae791e321d1a825d5c39c86ca8cd7d952be59cfb Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 20 May 2026 14:03:59 -0700 Subject: [PATCH] =?UTF-8?q?client/cascades:=20Phase=202.6=20COMPLETE=20?= =?UTF-8?q?=E2=80=94=2013=20printers,=204=20GPOs,=205=20accounts=20disable?= =?UTF-8?q?d?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Detailed context: - Task: Cascades of Tucson Phase 2.6 — printer migration, GPO deployment, account cleanup - Changes: - phase2-print-server.ps1: all 13 printers complete, Epson driver/share notes added - active-directory.md: 5 stale accounts disabled, 4 GPOs created, pending issues cleared, printer share table updated - Session log: 2026-05-20 Howard session covering all Phase 2.6 work - Status: Phase 2.6 complete Files modified: - clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 - clients/cascades-tucson/docs/servers/active-directory.md - clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md Co-Authored-By: Claude Sonnet 4.6 --- .../migration/scripts/phase2-print-server.ps1 | 59 ++++-- .../docs/servers/active-directory.md | 97 +++++---- ...-phase2.6-printers-gpos-account-cleanup.md | 194 ++++++++++++++++++ 3 files changed, 301 insertions(+), 49 deletions(-) create mode 100644 clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md diff --git a/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 b/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 index 9f39a0b..4be8856 100644 --- a/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 +++ b/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 
@@ -1,14 +1,21 @@ # Phase 2.6 — CS-SERVER Print Server Setup # Run on CS-SERVER via GuruRMM remote PowerShell -# Last updated: 2026-05-20 (Howard) — rewritten with verified IPs and confirmed drivers +# Last updated: 2026-05-20 (Howard) # -# Drivers confirmed installed on CS-SERVER: -# Canon Generic Plus PCL6 (v3) -# Brother Generic Jpeg Type2 Class Driver (v4) +# STATUS AS OF 2026-05-20: COMPLETE — all 13 printers installed and shared +# KM driver folder archived to: D:\Shares\Server\Drivers\KM_Universal_PCL6\ +# Epson INF files at: C:\Users\sysadmin\Documents\ComputerGuru Connect v2\Files\epsonetdrivers\ # -# Deferred — need vendor driver downloaded to server first: -# Front Desk Epson ET-5800 (192.168.2.147) — Epson Universal Print Driver -# Health Svcs Konica Minolta Bizhub C368 (192.168.1.138) — Konica Minolta PCL6 Universal +# Drivers installed on CS-SERVER: +# Canon Generic Plus PCL6 — Copy Room, Accounting, Executive Director, Kitchen, Life Enrichment, Memory Care Director +# Brother Generic Jpeg Type2 Class Driver — Business Office, Admin Office, Sales Marketing, Culinary Chef, Memory Care MedTech +# KONICA MINOLTA Universal PCL — Health Services C368 +# EPSON ET-5800 Series — Front Desk (driver staged via pnputil, registered via Add-PrinterDriver) +# +# Epson ET-5800 install notes: +# EPWizard.exe fails on Server 2019 (wlanapi.dll stub — WLAN stack absent). +# Workaround: run installer on Server, copy extracted INFs from AppData\Local\Temp\ET-5800 +# before dismissing error. pnputil stages them; Add-PrinterDriver registers with spooler. $ErrorActionPreference = 'Continue' 
@@ -98,9 +105,35 @@ $printers = @( Location = 'Kitchen Chef station' Comment = 'Brother MFC-9330CDW - JD Martin / Chef' } - # Deferred — drivers not yet installed: - # Front Desk Epson ET-5800 (192.168.2.147) ShareName: FrontDesk - # Health Svcs Bizhub C368 (192.168.1.138) ShareName: Health-206 + # Front Desk + @{ + IP = '192.168.2.147' + Port = 'TCP_192.168.2.147' + Name = 'Front Desk - Epson ET-5800' + Driver = 'EPSON ET-5800 Series' + Share = 'FrontDesk' + Location = 'Front Desk' + Comment = 'Epson ET-5800 - Front Desk' + } + # Memory Care + @{ + IP = '192.168.3.52' + Port = 'TCP_192.168.3.52' + Name = 'Memory Care Director - Canon MF751CDW' + Driver = 'Canon Generic Plus PCL6' + Share = 'MCDirector' + Location = 'Memory Care Room 603' + Comment = 'Canon imageClass MF751CDW - Shelby Trozzi' + } + @{ + IP = '192.168.2.53' + Port = 'TCP_192.168.2.53' + Name = 'Memory Care MedTech - Brother' + Driver = 'Brother Generic Jpeg Type2 Class Driver' + Share = 'MCMedTech' + Location = 'Memory Care Room 615' + Comment = 'Brother - MedTechs / Nurses' + } ) Write-Output '' @@ -144,8 +177,10 @@ $all = @( @{ Name='Marketing Brother'; IP='192.168.3.44' } @{ Name='Kitchen Canon'; IP='192.168.3.232' } @{ Name='Chef Brother'; IP='192.168.3.88' } - @{ Name='[DEFERRED] FrontDesk'; IP='192.168.2.147' } - @{ Name='[DEFERRED] Health-206'; IP='192.168.1.138' } + @{ Name='Front Desk - Epson'; IP='192.168.2.147' } + @{ Name='Health Services C368'; IP='192.168.1.138' } + @{ Name='MC Director Canon MF751CDW'; IP='192.168.3.52' } + @{ Name='MC MedTech Brother'; IP='192.168.2.53' } ) foreach ($p in $all) { $ok = Test-Connection -ComputerName $p.IP -Count 1 -Quiet -ErrorAction SilentlyContinue diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md index 4f40db3..4614bd2 100644 --- a/clients/cascades-tucson/docs/servers/active-directory.md +++ b/clients/cascades-tucson/docs/servers/active-directory.md 
@@ -36,7 +36,7 @@ | Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ | | karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ | | Veronica.Feller | Veronica Feller | Care Assisted Living Aide | | -| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** | +| ~~britney.thompson~~ | ~~Britney Thompson~~ | ~~Memory Care Nurse~~ | **Disabled 2026-05-20 — departed 2026-04-22. M365 license still to harvest.** | **OU=Care-Memorycare** | SamAccountName | Name | Position | Notes | 
@@ -87,14 +87,14 @@ | Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ | | Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ | | Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ | -| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** | +| ~~Shontiel.Nunn~~ | ~~Shontiel Nunn~~ | ~~RS Receptionist~~ | M365: Frontdesk@. **Disabled 2026-05-20 — s.nunn (Caregivers) is the correct current account.** | -**OU=Transportation** — accounts still enabled but flagged for disable +**OU=Transportation** — all accounts disabled 2026-05-20 | SamAccountName | Name | Position | Notes | |---------------|------|----------|-------| -| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). **Disable — drivers no longer get IT access** | -| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** | -| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** | +| ~~Christopher.Holick~~ | ~~Christopher Holick~~ | ~~Driver~~ | Fixed from Holik (2026-04-13). **Disabled 2026-05-20 — drivers no longer get IT access** | +| ~~Julian.Crim~~ | ~~Julian Crim~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** | +| ~~Richard.Adams~~ | ~~Richard Adams~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** | **CN=Users — Service Accounts** | SamAccountName | Notes | 
@@ -294,34 +294,53 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti | ADMIN$, C$, D$, IPC$, print$ | (system) | Standard Windows — do not remove | | RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | RDS artifact — remove with RDS role in Phase 5 | -**Printers shared from CS-SERVER:** -| Share | Device | -|-------|--------| -| RecRoom-Canon | 1F-132-RecRoom-Canon | -| MemCare Director Printer | MF451CDW | -| MemCare MedTech Printer | Brother MFC-L8900CDW | +**Printers shared from CS-SERVER (13 — Phase 2.6 COMPLETE 2026-05-20):** +| Share | Device | ILT (GPO) | +|-------|--------|-----------| +| CopyRoom | Canon imageRunner C478iF (192.168.2.230) | All staff | +| BusinessOffice | Brother MFC-L8900CDW (10.0.20.220) | OU=Administrative | +| Accounting | Canon imageClass MF455DW (192.168.3.227) | OU=Administrative | +| AdminOffice | Brother MFC-9340CDW (192.168.2.145) | OU=Administrative OR OU=Resident Services | +| ExecDirector | Canon imageClass MF743CDW (192.168.2.67) | OU=Administrative | +| SalesMarketing | Brother MFC-L8900CDW (192.168.3.44) | OU=Marketing | +| Kitchen | Canon imageClass MF743CDW (192.168.3.232) | OU=Culinary | +| CulinaryChef | Brother MFC-9330CDW (192.168.3.88) | OU=Culinary | +| FrontDesk | Epson ET-5800 (192.168.2.147) | OU=Resident Services | +| HealthServices | KM C368 (192.168.1.138) | OU=Care-Assisted Living OR OU=Care-Memorycare | +| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment | +| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare | +| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare | ## Group Policy (as of 2026-05-20) -GPOs exist but effectiveness is limited since most PCs are not domain-joined. +GPOs exist but effectiveness is limited since most PCs are not domain-joined. All CSC - GPOs are **UNLINKED** until Phase 3 domain join cutover. 
-| GPO | Created | Modified | Settings | Notes | -|-----|---------|----------|----------|-------| -| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK | -| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK | -| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep | -| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks | -| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | -| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | -| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** | +| GPO | Link | Settings | Notes | +|-----|------|----------|-------| +| Default Domain Policy | Domain root | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min. Kerberos defaults. | OK | +| Default Domain Controllers Policy | OU=Domain Controllers | IIS app pool audit rights, print operator driver loading. | OK | +| Power Options | — | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep | +| CSC - Always Wait For Network | — | AlwaysWaitForNetwork + synchronous logon | Pre-existing | +| CSC - Folder Redirection (LE) | OU=Life Enrichment | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. | LIVE — Sharon Edwards + Susan Hicks | +| CSC - Folder Redirection | — | Same as LE GPO but for all staff OUs. UNLINKED. 
| Blocked on Phase 3 | +| CSC - Life Enrichment Printers | OU=Life Enrichment | Printer preferences for LE staff | LIVE | +| CSC - Security Baseline | UNLINKED | Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. | Created 2026-05-20. Link at domain root at Phase 3. | +| CSC - Windows Update | UNLINKED | AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. | Created 2026-05-20. Link at domain root at Phase 3. | +| CSC - Printer Deployment | UNLINKED | 13 printers with OU-based ILT in Printers.xml. CopyRoom = all staff. Others scoped by OU. | Created 2026-05-20. Link to OU=Workstations at Phase 3. | +| CSC - Drive Mappings | UNLINKED | M: Management (SG-Mgmt-RW), S: Sales (SG-Sales-RW), T: Activities (SG-Activities-RW), K: Culinary (OU), R: Receptionist (OU). | Created 2026-05-20. Link to OU=Departments at Phase 3. | +| ~~CopyRoomPrinter~~ | — | EMPTY | **DELETED 2026-03-09** | +| ~~Nurses-Kiosk~~ | — | EMPTY | **DELETED 2026-03-09** | +| ~~MemCareMedTechPrinter~~ | — | EMPTY | **DELETED 2026-03-09** | -**GPOs to Create (Phase 2.6 — not yet run):** -1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting -2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom) -3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min -4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart -5. **CSC - Folder Redirection** — Single GPO linked at `OU=Departments`, covering all staff OUs. Same settings as the LE GPO: Documents + Downloads + Desktop → `\\CS-SERVER\homes\%USERNAME%\`, GrantExclusive=false, MoveContents=true. **Blocked on Phase 3 domain joins** — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. 
CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure). -6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount +**GPOs Remaining (Phase 3+):** +- **CSC - Folder Redirection** — Link to OU=Departments at Phase 3. Blocked on domain joins. CRITICAL: check OneDrive KFM before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log). +- **CSC - Shared Workstation** — Future: linked to Shared PCs OU; ILT for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. + +**Phase 3 GPO linking order** (after first successful domain join per phase3-domain-join.md step 5c): +1. Link CSC - Security Baseline → domain root +2. Link CSC - Windows Update → domain root +3. Link CSC - Printer Deployment → OU=Workstations +4. Link CSC - Drive Mappings → OU=Departments ## RDS Licensing 
@@ -341,16 +360,17 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. | ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) | | sysadmin | Enabled | OK (IT account) | -## Pending Issues (discovered 2026-05-19 audit) +## Pending Issues | Issue | Account | Action Needed | |-------|---------|---------------| -| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. | -| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) | -| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 | -| Cloud-only M365 account — RESOLVED | Alma.Montt | OU=Administrative does not sync via Entra Connect in practice. Cloud-only M365 account created 2026-05-19 is **intentional and correct** — keep it. No AD sync conflict. | -| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. | -| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins | +| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — disabled. M365 license still to harvest. | +| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. | +| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. | +| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. | +| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. | +| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. | +| britney.thompson M365 license | britney.thompson | Account disabled. 
License not yet harvested — do before next billing cycle. | ## Login Activity (audit 2026-03-20 — historical/stale) @@ -381,7 +401,10 @@ See `migration/phase2-server-prep.md` for full phase details. Scripts referenced - `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE) - `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20 - `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20 +- `migration/scripts/phase2-print-server.ps1` — 13 printers installed + shared on CS-SERVER — COMPLETE 2026-05-20 +- `.claude/temp/gpo-script1.ps1` — AD account cleanup (5 accounts disabled) + CSC - Security Baseline + CSC - Windows Update — COMPLETE 2026-05-20 +- `.claude/temp/gpo-script2.ps1` — CSC - Printer Deployment (13 printers, OU ILT) + CSC - Drive Mappings (M: S: T: K: R:) — COMPLETE 2026-05-20 -**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations. +**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations. MDIRECTOR-PC needs Windows 10 Pro upgrade first. **Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision. diff --git a/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md new file mode 100644 index 0000000..74f3eea --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md 
@@ -0,0 +1,194 @@ +# Cascades of Tucson — Phase 2.6 Session Log + +**Date:** 2026-05-20 +**Duration:** Multi-session (continued from context-limit session) + +## User +- **User:** Howard Enos (howard) +- **Machine:** HOWARD-HOME +- **Role:** tech + +## Summary + +Completed Phase 2.6: print server build-out, GPO creation, and AD account cleanup. All 13 printers are now installed and shared on CS-SERVER. Four CSC GPOs are created and staged (unlinked until Phase 3 domain join cutover). + +--- + +## Work Completed + +### 1. Front Desk Epson ET-5800 — Printer Installation + +**Problem:** EPWizard.exe fails on Windows Server 2019 — `wlanapi.dll` stub is present but the WLAN stack is absent. + +**Fix:** +1. Ran EPWizard.exe on CS-SERVER, let it extract drivers to `AppData\Local\Temp\ET-5800\` before dismissing the error +2. Copied extracted INFs to `C:\Users\sysadmin\Documents\ComputerGuru Connect v2\Files\epsonetdrivers\` +3. `pnputil /add-driver /install` staged the driver in Windows Driver Store +4. `Add-PrinterDriver -Name "EPSON ET-5800 Series"` registered it with the Print Spooler +5. `Add-Printer` / `Add-PrinterPort` created the printer at 192.168.2.147, shared as `FrontDesk` + +**Driver name (from INF):** `EPSON ET-5800 Series` +**INF location:** E_WF1XCE.INF (UTF-16 LE with BOM FF FE — `Select-String` fails on it; must use `[System.IO.File]::ReadAllBytes()`) + +### 2. Memory Care Director + MedTech Printers + +Added to CS-SERVER (via GuruRMM remote PowerShell): + +| Printer | Share | IP | Driver | +|---------|-------|----|--------| +| Memory Care Director - Canon MF751CDW | MCDirector | 192.168.3.52 | Canon Generic Plus PCL6 | +| Memory Care MedTech - Brother | MCMedTech | 192.168.2.53 | Brother Generic Jpeg Type2 Class Driver | + +Both reachable and shared. Total shared printers on CS-SERVER: **13**. + +### 3. 
Script: phase2-print-server.ps1 + +Updated `clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1`: +- Status header updated to **COMPLETE 2026-05-20** (all 13 printers) +- Added FrontDesk, MCDirector, MCMedTech to `$printers` array +- Documented Epson ET-5800 workaround in header comments +- KM driver archived to `D:\Shares\Server\Drivers\KM_Universal_PCL6\` + +### 4. AD Account Cleanup (5 accounts) + +Executed via GuruRMM remote PowerShell on CS-SERVER. All `Disable-ADAccount` calls succeeded. + +| Account | OU | Reason | +|---------|----|--------| +| britney.thompson | Care-Assisted Living | Departed 2026-04-22 | +| Richard.Adams | Transportation | Drivers no longer get IT access | +| Julian.Crim | Transportation | Drivers no longer get IT access | +| Christopher.Holick | Transportation | Drivers no longer get IT access | +| Shontiel.Nunn | Resident Services | Old-format account — s.nunn (Caregivers) is correct | + +**Note:** britney.thompson's M365 license is still active and not yet harvested. Action needed before next billing cycle. + +### 5. CSC - Security Baseline GPO + +Created via `New-GPO` + `Set-GPRegistryValue` + direct SYSVOL writes. + +**Screen saver (HKCU via GPP):** +- ScreenSaveTimeOut = 900 (15 min) +- ScreenSaveActive = 1 +- ScreenSaverIsSecure = 1 +- SCRNSAVE.EXE = scrnsave.scr + +**GptTmpl.inf (Machine security — written as Unicode UTF-16):** +``` +MinimumPasswordLength = 12 +PasswordComplexity = 1 +PasswordHistorySize = 24 +MaximumPasswordAge = 90 +MinimumPasswordAge = 1 +LockoutBadCount = 5 +ResetLockoutCount = 30 +LockoutDuration = 30 +``` + +**GPT.INI:** machine version bumped, security extension GUID `{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}` added. + +**Status: UNLINKED.** Link to domain root at Phase 3 cutover. + +### 6. CSC - Windows Update GPO + +Created via `New-GPO` + `Set-GPRegistryValue` (HKLM AU key). 
+ +| Setting | Value | +|---------|-------| +| NoAutoUpdate | 0 | +| AUOptions | 4 (auto download + install) | +| ScheduledInstallDay | 1 (Sunday) | +| ScheduledInstallTime | 3 (3:00 AM) | +| NoAutoRebootWithLoggedOnUsers | 1 | +| EnableFeaturedSoftware | 0 | + +**Status: UNLINKED.** Link to domain root at Phase 3 cutover. + +### 7. CSC - Printer Deployment GPO + +Created `Printers.xml` in SYSVOL at `{GPO-GUID}\User\Preferences\Printers\`. + +13 printers with OU-based item-level targeting (`FilterOrgUnit`): + +| Share | ILT | +|-------|-----| +| CopyRoom | No filter — all staff | +| BusinessOffice | OU=Administrative | +| Accounting | OU=Administrative | +| AdminOffice | OU=Administrative OR OU=Resident Services | +| ExecDirector | OU=Administrative | +| SalesMarketing | OU=Marketing | +| Kitchen | OU=Culinary | +| CulinaryChef | OU=Culinary | +| FrontDesk | OU=Resident Services | +| HealthServices | OU=Care-Assisted Living OR OU=Care-Memorycare | +| LifeEnrichment | OU=Life Enrichment | +| MCDirector | OU=Care-Memorycare | +| MCMedTech | OU=Caregivers OR OU=Care-Memorycare | + +**CSE GUID:** `{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}{D02B1F72-3407-48AE-BA88-E8213C6761F1}` + +**Status: UNLINKED.** Link to OU=Workstations at Phase 3 cutover. + +### 8. CSC - Drive Mappings GPO + +Created `Drives.xml` in SYSVOL at `{GPO-GUID}\User\Preferences\Drives\`. + +| Drive | Share | ILT | +|-------|-------|-----| +| M: | \\CS-SERVER\Management | FilterGroup: CASCADES\SG-Mgmt-RW | +| S: | \\CS-SERVER\Sales | FilterGroup: CASCADES\SG-Sales-RW | +| T: | \\CS-SERVER\Activities | FilterGroup: CASCADES\SG-Activities-RW | +| K: | \\CS-SERVER\Culinary | FilterOrgUnit: OU=Culinary,OU=Departments | +| R: | \\CS-SERVER\Receptionist | FilterOrgUnit: OU=Resident Services,OU=Departments | + +**CSE GUID:** `{5794DAFD-BE60-433f-88A2-1A31939AC01F}{D02B1F72-3407-48AE-BA88-E8213C6761F1}` + +**Status: UNLINKED.** Link to OU=Departments at Phase 3 cutover. 
+ +--- + +## Final CSC GPO Inventory (8 GPOs, all AllSettingsEnabled) + +``` +CSC - Always Wait For Network (pre-existing) +CSC - Drive Mappings UNLINKED — link to OU=Departments at Phase 3 +CSC - Folder Redirection UNLINKED — blocked on Phase 3 domain joins +CSC - Folder Redirection (LE) LIVE — linked to OU=Life Enrichment +CSC - Life Enrichment Printers LIVE — linked to OU=Life Enrichment +CSC - Printer Deployment UNLINKED — link to OU=Workstations at Phase 3 +CSC - Security Baseline UNLINKED — link to domain root at Phase 3 +CSC - Windows Update UNLINKED — link to domain root at Phase 3 +``` + +--- + +## Docs Updated + +- `clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1` — Complete status + all 13 printers +- `clients/cascades-tucson/docs/servers/active-directory.md` — Accounts disabled, GPO table updated, pending issues updated, printer shares table updated + +--- + +## Phase 3 Prerequisites (next major work) + +Domain join order (per `migration/phase3-domain-join.md`): +1. DESKTOP-KQSL232 (10.0.20.227) +2. CHEF-PC (10.0.20.232) +3. SALES4-PC (10.0.20.203) +4. MDIRECTOR-PC (192.168.3.20) — **needs Windows 10 Pro upgrade first** (currently Home) + +After first successful join — link GPOs per phase3-domain-join.md step 5c. + +--- + +## Open Items + +| Item | Priority | Notes | +|------|----------|-------| +| britney.thompson M365 license harvest | Medium | Account disabled; license still active | +| Phase 3 domain joins | High | Block on MDIRECTOR-PC needing Win10 Pro upgrade | +| krbtgt password rotation | Medium | 569+ days old — deferred | +| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred | +| SG-Mgmt-RW + SG-Sales-RW membership | Medium | Populate before Phase 3 GPO linking | +| CSC - Folder Redirection (full) | Medium | Blocked on Phase 3 — check OneDrive KFM on each PC first |
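
Review bot: in the phase2-print-server.ps1 header hunk (`@@ -1,14 +1,21 @@`), the driver source recorded as `# Epson INF files at: C:\Users\sysadmin\Documents\ComputerGuru Connect v2\Files\epsonetdrivers\` is a user-profile path, while the KM driver in the same header was archived to `D:\Shares\Server\Drivers\KM_Universal_PCL6\`. Copy the extracted ET-5800 INFs into that same Drivers archive and point the header at it, so the staged driver survives a profile cleanup and a rebuild of CS-SERVER can reproduce the install; while there, record the driver version and date that `pnputil` reported, since these INFs were rescued from a vendor installer's temp folder rather than taken from a named download.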
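
Review bot: in the `$printers` hunk of phase2-print-server.ps1 (`@@ -98,9 +105,35 @@`), the new MedTech entry records no model (`Name = 'Memory Care MedTech - Brother'`, `Comment = 'Brother - MedTechs / Nurses'`), whereas the row this same patch removes from active-directory.md listed it as `MemCare MedTech Printer | Brother MFC-L8900CDW`; likewise the Director printer goes from MF451CDW in the removed row to `Canon imageClass MF751CDW` in the added one. Confirm both models against the devices and put them in Name/Comment, because the driver choice (Generic Jpeg Type2 versus a model-specific driver) and any later firmware or advisory tracking depend on the exact model.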
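
Review bot: in the reachability hunk of phase2-print-server.ps1 (`@@ -144,8 +177,10 @@`), the loop that the four new rows feed into checks `Test-Connection -ComputerName $p.IP -Count 1 -Quiet`, which proves ICMP only; a printer that answers ping but has the print port closed, or an ACL between the 192.168.1.x/2.x/3.x subnets and CS-SERVER, still passes. Since the ports are created as standard TCP/IP ports (`TCP_192.168.2.147` and so on, RAW 9100 by default), consider pairing the ping with `Test-NetConnection -ComputerName $p.IP -Port 9100` so the verification step actually exercises the path the spooler uses.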
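
Review bot: in the OU=Care-Assisted Living hunk of active-directory.md (`@@ -36,7 +36,7 @@`), the row now reads `**Disabled 2026-05-20 — departed 2026-04-22. M365 license still to harvest.**`, which leaves a departed user's disabled account in the table of live accounts with whatever group memberships it had. Add the follow-up steps the row implies (remove the account from its groups, set a date after which it is deleted) and track the license harvest in one place; this patch records the same open license in this row, in Pending Issues and in the session log's Open Items, and three copies will drift.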
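
Review bot: in the printer-share and Group Policy hunk of active-directory.md (`@@ -294,34 +294,53 @@`), the sentence `All CSC - GPOs are **UNLINKED** until Phase 3 domain join cutover.` contradicts the table under it, where `CSC - Folder Redirection (LE)` and `CSC - Life Enrichment Printers` are LIVE on OU=Life Enrichment; reword it to cover the four CSC GPOs created 2026-05-20. Two further points in the same hunk: first, the Security Baseline row carries `password min 12, history 24, max-age 90, lockout 5/30` while Default Domain Policy, which stays linked at the domain root, keeps `7-char min, 42-day max`; password and lockout settings for domain accounts come only from the domain-root GPO with the highest link order, so step 1 of the Phase 3 linking order should also state that CSC - Security Baseline is ordered above Default Domain Policy (or that the values are folded into Default Domain Policy), otherwise the 12-character minimum never applies to domain accounts. Second, the removed planning list had Drive Mappings for `S:, M:, T:, K:, I:, R:, P:` and Folder Redirection for `Documents + Downloads + Desktop`, but the created Drive Mappings GPO covers M: S: T: K: R: and the Folder Redirection row says "Same as LE GPO" (Documents + Downloads); say whether I:, P: and Desktop were dropped deliberately. The LifeEnrichment row of the share table also lacks the device and IP that every other row has.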
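
Review bot: in the Pending Issues hunk of active-directory.md (`@@ -341,16 +360,17 @@`), the two rows that matter most for the domain's security posture, `krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred.` and `Non-IT staff — remove from Domain Admins. Deferred.`, are the only ones left without an owner or date, while five low-risk account disables were closed in the same session. Removing two users from Domain Admins is one `Remove-ADGroupMember` call, and the krbtgt rotation is two password resets at least ten hours apart (the account keeps two key versions, so a single reset does not invalidate tickets issued under the old key); give both a target date instead of "Deferred". The added row `britney.thompson M365 license | britney.thompson | Account disabled. License not yet harvested` also repeats what the first row of the table already says; keep one of the two.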
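
Review bot: in the scripts-list hunk of active-directory.md (`@@ -381,7 +401,10 @@`), `.claude/temp/gpo-script1.ps1` and `.claude/temp/gpo-script2.ps1` are listed as COMPLETE next to the `migration/scripts/` entries, but neither is in this patch's file list (only phase2-print-server.ps1, active-directory.md and the session log are), and a temp directory is not where a change that disabled five accounts and wrote four GPOs into SYSVOL should live. Commit them under `migration/scripts/` (names such as phase2-gpo-security-update.ps1 and phase2-gpo-printers-drives.ps1 are suggestions) so the change is reproducible and auditable; the session log describes what they did but not the exact commands.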
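
Review bot: in the new session log (`@@ -0,0 +1,194 @@`), section 5 builds the Security Baseline with `New-GPO` + `Set-GPRegistryValue` + direct SYSVOL writes, including a hand-edited GPT.INI (`machine version bumped, security extension GUID ... added`). GPMC compares the version in GPT.INI with the GPO object's versionNumber attribute in AD and flags a mismatch when they differ, and clients only reprocess a client-side extension when that version changes, so add a verification step before Phase 3: open the GPO in GPMC and confirm the Details tab shows matching AD and SYSVOL versions and that the Account Policies section renders in the Settings report (`Get-GPOReport -ReportType Html` gives the same view from PowerShell). Second, the screen-lock values are described as `HKCU via GPP` (`ScreenSaveTimeOut = 900`, `ScreenSaverIsSecure = 1`, `SCRNSAVE.EXE = scrnsave.scr`); a Preference registry item writes the user's current value, which the user can change back, whereas the same value names under `HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop` are enforced on every refresh and greyed out in the UI, which is what a GPO named Security Baseline should do. Finally, the Open Items table rates `Remove Meredith.Kuhn + John.Trozzi from Domain Admins` as Low although it is the one item that shrinks the blast radius of a compromised staff account; rate it at least Medium, in line with the krbtgt item.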