sync: auto-sync from HOWARD-HOME at 2026-05-20 17:08:25

Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-05-20 17:08:25
2026-05-20 17:08:26 -07:00
parent 6c476066ee
commit bc984d9c78
15 changed files with 638 additions and 0 deletions
--- a/.claude/temp/check-frd-gpo.ps1
+++ b/.claude/temp/check-frd-gpo.ps1
@@ -0,0 +1,37 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+
+$gpo = Get-GPO -Name $gpoName -Domain $domain -EA Stop
+Write-Output "GPO: $($gpo.DisplayName)"
+Write-Output "GUID: {$($gpo.Id.ToString().ToUpper())}"
+Write-Output "Status: $($gpo.GpoStatus)"
+Write-Output ""
+
+Write-Output "=== Security Filter (who this GPO applies to) ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
+
+Write-Output ""
+Write-Output "=== GPO Links ==="
+$report = Get-GPOReport -Name $gpoName -Domain $domain -ReportType Xml
+$xml = [xml]$report
+$links = $xml.GPO.LinksTo
+if ($links) {
+    foreach ($l in $links) {
+        Write-Output "  $($l.SOMPath) — Enabled: $($l.Enabled) — NoOverride: $($l.NoOverride)"
+    }
+} else {
+    Write-Output "  (no links)"
+}
+
+Write-Output ""
+Write-Output "=== SYSVOL contents ==="
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+$guid = "{$($gpo.Id.ToString().ToUpper())}"
+Get-ChildItem "$sysvol\$guid" -Recurse -EA SilentlyContinue | ForEach-Object {
+    $rel = $_.FullName.Replace("$sysvol\$guid", '')
+    $type = if ($_.PSIsContainer) { '[DIR]' } else { "[FILE $($_.Length)b]" }
+    Write-Output "  $type $rel"
+}
--- a/.claude/temp/find-zachary.ps1
+++ b/.claude/temp/find-zachary.ps1
@@ -0,0 +1,19 @@
+Import-Module ActiveDirectory -EA SilentlyContinue
+$u = Get-ADUser -Identity 'zachary.nelson' -Properties DistinguishedName, Department, Title, MemberOf -EA SilentlyContinue
+if ($u) {
+    Write-Output "DN: $($u.DistinguishedName)"
+    Write-Output "Department: $($u.Department)"
+    Write-Output "Title: $($u.Title)"
+    Write-Output "OU: $($u.DistinguishedName -replace '^CN=[^,]+,','')"
+    Write-Output ""
+    Write-Output "Groups:"
+    $u.MemberOf | ForEach-Object { Write-Output "  $_" }
+} else {
+    Write-Output "User not found"
+}
+
+Write-Output ""
+Write-Output "=== All users in OU=Administrative ==="
+Get-ADUser -Filter * -SearchBase "OU=Administrative,OU=Departments,DC=cascades,DC=local" -Properties Department,Title -EA SilentlyContinue |
+    Select-Object SamAccountName, Name, Department, Title |
+    ForEach-Object { Write-Output "  $($_.SamAccountName) — $($_.Name) — $($_.Department) — $($_.Title)" }
--- a/.claude/temp/frd-link.ps1
+++ b/.claude/temp/frd-link.ps1
@@ -0,0 +1,42 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+$ouDN = 'OU=Administrative,OU=Departments,DC=cascades,DC=local'
+
+Import-Module GroupPolicy -EA SilentlyContinue
+
+# Link GPO to OU=Administrative
+try {
+    New-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA Stop
+    Write-Output "[OK] Linked to $ouDN"
+} catch {
+    if ($_.Exception.Message -like '*already*') {
+        Set-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA SilentlyContinue
+        Write-Output "[OK] Link already existed — enabled"
+    } else {
+        Write-Output "[ERROR] $($_.Exception.Message)"
+    }
+}
+
+Write-Output ""
+Write-Output "=== Security Filter ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
+
+Write-Output ""
+Write-Output "=== Links ==="
+$report = [xml](Get-GPOReport -Name $gpoName -Domain $domain -ReportType Xml)
+$links = $report.GPO.LinksTo
+if ($links) {
+    foreach ($l in $links) {
+        Write-Output "  $($l.SOMPath) — Enabled: $($l.Enabled)"
+    }
+} else {
+    Write-Output "  (none)"
+}
+
+Write-Output ""
+Write-Output "=== SG-FolderRedirect members ==="
+Get-ADGroupMember -Identity 'SG-FolderRedirect' -EA SilentlyContinue | ForEach-Object {
+    Write-Output "  $($_.SamAccountName)"
+}
--- a/.claude/temp/frd-prep.ps1
+++ b/.claude/temp/frd-prep.ps1
@@ -0,0 +1,72 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+$groupName = 'SG-FolderRedirect'
+$groupOU = 'OU=Security Groups,OU=Groups,DC=cascades,DC=local'
+
+Import-Module ActiveDirectory -EA SilentlyContinue
+
+# --- Create SG-FolderRedirect if it doesn't exist ---
+$grp = Get-ADGroup -Filter "Name -eq '$groupName'" -EA SilentlyContinue
+if (-not $grp) {
+    try {
+        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
+            -Description 'Members receive GPO folder redirection to \\CS-SERVER\homes\%USERNAME%' `
+            -Path $groupOU -EA Stop
+        Write-Output "[OK] Created group: $groupName in $groupOU"
+    } catch {
+        # Try root of domain if OU doesn't exist
+        try {
+            New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
+                -Description 'Members receive GPO folder redirection to \\CS-SERVER\homes\%USERNAME%' `
+                -Path "CN=Users,DC=cascades,DC=local" -EA Stop
+            Write-Output "[OK] Created group: $groupName in CN=Users (fallback)"
+        } catch {
+            Write-Output "[ERROR] Create group: $($_.Exception.Message)"
+        }
+    }
+} else {
+    Write-Output "[INFO] Group already exists: $($grp.DistinguishedName)"
+}
+
+# --- Add zachary.nelson to the group ---
+try {
+    Add-ADGroupMember -Identity $groupName -Members 'Zachary.Nelson' -EA Stop
+    Write-Output "[OK] Added Zachary.Nelson to $groupName"
+} catch {
+    if ($_.Exception.Message -like '*already a member*') {
+        Write-Output "[INFO] Zachary.Nelson already in $groupName"
+    } else {
+        Write-Output "[ERROR] Add member: $($_.Exception.Message)"
+    }
+}
+
+# --- Remove Authenticated Users from GPO security filter ---
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain `
+        -PermissionLevel None -TargetName 'Authenticated Users' -TargetType Group -EA Stop
+    Write-Output "[OK] Removed Authenticated Users from security filter"
+} catch {
+    Write-Output "[WARN] Remove Authenticated Users: $($_.Exception.Message)"
+}
+
+# --- Add SG-FolderRedirect with GpoApply ---
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain `
+        -PermissionLevel GpoApply -TargetName $groupName -TargetType Group -EA Stop
+    Write-Output "[OK] Added $groupName with GpoApply"
+} catch {
+    Write-Output "[ERROR] Add group to GPO: $($_.Exception.Message)"
+}
+
+# --- Confirm final state ---
+Write-Output ""
+Write-Output "=== GPO Security Filter ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
+
+Write-Output ""
+Write-Output "=== $groupName members ==="
+Get-ADGroupMember -Identity $groupName -EA SilentlyContinue | ForEach-Object {
+    Write-Output "  $($_.SamAccountName)"
+}
--- a/.claude/temp/frd-remove-authedusers.ps1
+++ b/.claude/temp/frd-remove-authedusers.ps1
@@ -0,0 +1,17 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain `
+        -PermissionLevel None -TargetName 'Authenticated Users' -TargetType Group `
+        -Confirm:$false -EA Stop
+    Write-Output "[OK] Removed Authenticated Users from security filter"
+} catch {
+    Write-Output "[ERROR] $($_.Exception.Message)"
+}
+
+Write-Output ""
+Write-Output "=== GPO Security Filter ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
--- a/.claude/temp/frd-remove-authedusers2.ps1
+++ b/.claude/temp/frd-remove-authedusers2.ps1
@@ -0,0 +1,30 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+$gpoGuid = '{512B43A4-F049-4CE5-BFAC-860AD13E92BE}'
+
+# Remove Authenticated Users directly from the GPO AD object ACL
+$gpoADPath = "AD:CN=$gpoGuid,CN=Policies,CN=System,DC=$($domain.Replace('.',',DC='))"
+try {
+    $acl = Get-Acl $gpoADPath -EA Stop
+    $au = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
+    $removed = 0
+    $acl.Access | Where-Object { $_.IdentityReference.Value -like '*Authenticated Users*' } | ForEach-Object {
+        $acl.RemoveAccessRule($_) | Out-Null
+        $removed++
+    }
+    if ($removed -gt 0) {
+        Set-Acl -Path $gpoADPath -AclObject $acl -EA Stop
+        Write-Output "[OK] Removed $removed ACE(s) for Authenticated Users from GPO AD object"
+    } else {
+        Write-Output "[INFO] Authenticated Users not found in ACL"
+    }
+} catch {
+    Write-Output "[ERROR] ACL approach: $($_.Exception.Message)"
+}
+
+# Verify via Get-GPPermission
+Write-Output ""
+Write-Output "=== GPO Security Filter (final) ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
--- a/.claude/temp/frd-remove-authedusers3.ps1
+++ b/.claude/temp/frd-remove-authedusers3.ps1
@@ -0,0 +1,44 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+$gpoGuid = '{512B43A4-F049-4CE5-BFAC-860AD13E92BE}'
+
+Import-Module ActiveDirectory -EA SilentlyContinue
+Import-Module GroupPolicy -EA SilentlyContinue
+
+# Suppress all ShouldProcess confirmations
+$ConfirmPreference = 'None'
+
+# Try Set-GPPermission with ConfirmPreference suppressed
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain `
+        -PermissionLevel None -TargetName 'Authenticated Users' -TargetType Group -EA Stop
+    Write-Output "[OK] Removed via Set-GPPermission"
+} catch {
+    Write-Output "[WARN] Set-GPPermission failed: $($_.Exception.Message)"
+
+    # Fallback: GPMC COM object
+    try {
+        $gpm = New-Object -ComObject GPMgmt.GPM
+        $constants = $gpm.GetConstants()
+        $gpmDomain = $gpm.GetDomain($domain, '', $constants.UseAnyDC)
+        $gpo = $gpmDomain.GetGPO($gpoGuid)
+        $secInfo = $gpo.GetSecurityInfo()
+        $newSec = $gpm.CreateSecurityInfo()
+        for ($i = 0; $i -lt $secInfo.Count; $i++) {
+            $perm = $secInfo.Item($i)
+            if ($perm.Trustee.TrusteeName -ne 'Authenticated Users') {
+                $newSec.Add($perm)
+            }
+        }
+        $gpo.SetSecurityInfo($newSec)
+        Write-Output "[OK] Removed via GPMC COM"
+    } catch {
+        Write-Output "[ERROR] COM approach: $($_.Exception.Message)"
+    }
+}
+
+Write-Output ""
+Write-Output "=== GPO Security Filter (final) ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) [$($_.Trustee.TrusteeType)] — $($_.Permission)"
+}
--- a/.claude/temp/frd-scope-zachary.ps1
+++ b/.claude/temp/frd-scope-zachary.ps1
@@ -0,0 +1,56 @@
+$domain = 'cascades.local'
+$gpoName = 'CSC - Folder Redirection'
+
+# Security filter: remove Authenticated Users, add zachary.nelson
+$gpo = Get-GPO -Name $gpoName -Domain $domain
+Write-Output "GPO: $($gpo.DisplayName) — $($gpo.Id)"
+
+# Remove Authenticated Users from Security Filtering
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain -PermissionLevel None -TargetName 'Authenticated Users' -TargetType Group -EA Stop
+    Write-Output "[OK] Removed Authenticated Users from security filter"
+} catch {
+    Write-Output "[WARN] Remove Authenticated Users: $($_.Exception.Message)"
+}
+
+# Grant zachary.nelson Apply Group Policy permission
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain -PermissionLevel GpoApply -TargetName 'zachary.nelson' -TargetType User -EA Stop
+    Write-Output "[OK] Added zachary.nelson with GpoApply"
+} catch {
+    Write-Output "[ERROR] Add zachary.nelson: $($_.Exception.Message)"
+}
+
+# Also ensure Domain Admins can still read/edit the GPO
+try {
+    Set-GPPermission -Name $gpoName -Domain $domain -PermissionLevel GpoEditDeleteModifySecurity -TargetName 'Domain Admins' -TargetType Group -EA Stop
+    Write-Output "[OK] Domain Admins GpoEditDeleteModifySecurity confirmed"
+} catch {
+    Write-Output "[WARN] Domain Admins: $($_.Exception.Message)"
+}
+
+# Link GPO to OU=Administrative
+$ouDN = 'OU=Administrative,OU=Departments,DC=cascades,DC=local'
+try {
+    $link = New-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA Stop
+    Write-Output "[OK] Linked to $ouDN"
+} catch {
+    if ($_.Exception.Message -like '*already exists*') {
+        Write-Output "[INFO] Link already exists — enabling it"
+        Set-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes -EA SilentlyContinue
+        Write-Output "[OK] Link enabled"
+    } else {
+        Write-Output "[ERROR] Link: $($_.Exception.Message)"
+    }
+}
+
+Write-Output ""
+Write-Output "=== GPO Scope after changes ==="
+Get-GPPermission -Name $gpoName -Domain $domain -All | ForEach-Object {
+    Write-Output "  $($_.Trustee.Name) — $($_.Permission)"
+}
+Write-Output ""
+Write-Output "=== GPO Links ==="
+(Get-GPO -Name $gpoName -Domain $domain).GpoLinks | ForEach-Object {
+    Write-Output "  $($_.SomName) — Enabled: $($_.Enabled)"
+}
--- a/.claude/temp/gpo-inspect-le.ps1
+++ b/.claude/temp/gpo-inspect-le.ps1
@@ -0,0 +1,51 @@
+$domain = 'cascades.local'
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+
+# Find the LE folder redirection GPO
+$gpo = Get-GPO -Name 'CSC - Folder Redirection (LE)' -Domain $domain
+Write-Output "GPO: $($gpo.DisplayName)"
+Write-Output "GUID: {$($gpo.Id.ToString().ToUpper())}"
+$gpoPath = "$sysvol\{$($gpo.Id.ToString().ToUpper())}"
+Write-Output "Path: $gpoPath"
+Write-Output ""
+
+# List all files in the GPO folder recursively
+Write-Output "=== SYSVOL file tree ==="
+Get-ChildItem $gpoPath -Recurse -File -EA SilentlyContinue | ForEach-Object {
+    Write-Output "  $($_.FullName.Replace($gpoPath, ''))"
+}
+Write-Output ""
+
+# Show GPT.INI
+Write-Output "=== GPT.INI ==="
+[System.IO.File]::ReadAllText("$gpoPath\GPT.INI") | Write-Output
+Write-Output ""
+
+# Show any fdeploy.ini or redirection files
+$fdeployPath = "$gpoPath\User\Documents & Settings"
+if (Test-Path $fdeployPath) {
+    Write-Output "=== fdeploy.ini ==="
+    [System.IO.File]::ReadAllText("$fdeployPath\fdeploy.ini") | Write-Output
+} else {
+    Write-Output "No 'Documents & Settings' folder found"
+}
+
+# Also check the unlinked CSC - Folder Redirection GPO
+Write-Output ""
+Write-Output "=== CSC - Folder Redirection (unlinked) ==="
+$gpo2 = Get-GPO -Name 'CSC - Folder Redirection' -Domain $domain -EA SilentlyContinue
+if ($gpo2) {
+    Write-Output "GUID: {$($gpo2.Id.ToString().ToUpper())}"
+    $gpo2Path = "$sysvol\{$($gpo2.Id.ToString().ToUpper())}"
+    Get-ChildItem $gpo2Path -Recurse -File -EA SilentlyContinue | ForEach-Object {
+        Write-Output "  $($_.FullName.Replace($gpo2Path, ''))"
+    }
+    $fd2 = "$gpo2Path\User\Documents & Settings\fdeploy.ini"
+    if (Test-Path $fd2) {
+        Write-Output "fdeploy.ini:"
+        [System.IO.File]::ReadAllText($fd2) | Write-Output
+    }
+} else {
+    Write-Output "GPO not found"
+}
--- a/.claude/temp/gpo-inspect2.ps1
+++ b/.claude/temp/gpo-inspect2.ps1
@@ -0,0 +1,30 @@
+$domain = 'cascades.local'
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+
+# Read the unlinked CSC - Folder Redirection Registry.xml
+$gpo = Get-GPO -Name 'CSC - Folder Redirection' -Domain $domain
+$guid = "{$($gpo.Id.ToString().ToUpper())}"
+$xmlPath = "$sysvol\$guid\User\Preferences\Registry\Registry.xml"
+Write-Output "=== CSC - Folder Redirection Registry.xml ==="
+[System.IO.File]::ReadAllText($xmlPath) | Write-Output
+
+Write-Output ""
+Write-Output "=== LE GPO GPC attributes (AD) ==="
+$gpoLE = Get-GPO -Name 'CSC - Folder Redirection (LE)' -Domain $domain
+$leGuid = "{$($gpoLE.Id.ToString().ToUpper())}"
+$gpcObj = Get-ADObject -Filter { Name -eq $leGuid } -Properties 'gPCUserExtensionNames','gPCMachineExtensionNames','versionNumber','gPCFileSysPath' -SearchBase "CN=Policies,CN=System,DC=cascades,DC=local" -EA SilentlyContinue
+if ($gpcObj) {
+    Write-Output "  gPCUserExtensionNames: $($gpcObj.gPCUserExtensionNames)"
+    Write-Output "  gPCMachineExtensionNames: $($gpcObj.gPCMachineExtensionNames)"
+    Write-Output "  versionNumber: $($gpcObj.versionNumber)"
+    Write-Output "  gPCFileSysPath: $($gpcObj.gPCFileSysPath)"
+} else { Write-Output "  GPC object not found" }
+
+Write-Output ""
+Write-Output "=== LE GPO full SYSVOL tree (including empty dirs) ==="
+Get-ChildItem "\\$srv\SYSVOL\$domain\Policies\$leGuid" -Recurse -EA SilentlyContinue | ForEach-Object {
+    $rel = $_.FullName.Replace("\\$srv\SYSVOL\$domain\Policies\$leGuid", '')
+    $type = if ($_.PSIsContainer) { '[DIR]' } else { "[FILE $(($_.Length))]" }
+    Write-Output "  $type $rel"
+}
--- a/.claude/temp/kfm-check.ps1
+++ b/.claude/temp/kfm-check.ps1
@@ -0,0 +1,40 @@
+$ErrorActionPreference = 'Continue'
+Write-Output "=== KFM Check: $env:COMPUTERNAME ==="
+Write-Output ""
+Write-Output "--- Logged on users ---"
+query user 2>&1 | ForEach-Object { Write-Output $_ }
+Write-Output ""
+Write-Output "--- OneDrive.exe processes ---"
+$odProcs = Get-CimInstance Win32_Process -Filter "Name='OneDrive.exe'" -EA SilentlyContinue
+if ($odProcs) {
+    foreach ($p in $odProcs) {
+        $o = $p.GetOwner()
+        Write-Output "  Running as: $($o.Domain)\$($o.User)"
+    }
+} else { Write-Output "  Not running" }
+Write-Output ""
+Write-Output "--- User profile OneDrive folders ---"
+Get-ChildItem C:\Users -Directory -EA SilentlyContinue |
+    Where-Object { $_.Name -notin @('Public','Default','Default User','All Users') } |
+    ForEach-Object {
+        $od = Get-ChildItem $_.FullName -Directory -Filter 'OneDrive*' -EA SilentlyContinue
+        Write-Output "  $($_.Name): $(if ($od) { $od.Name -join ', ' } else { 'no OneDrive folder' })"
+    }
+Write-Output ""
+Write-Output "--- Loaded HKU shell folders ---"
+Get-ChildItem 'Registry::HKEY_USERS' -EA SilentlyContinue |
+    Where-Object { $_.Name -match 'S-1-5-21' -and $_.Name -notmatch '_Classes' } |
+    ForEach-Object {
+        $sid = $_.PSChildName
+        try { $un = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { $un = $sid }
+        Write-Output "  User: $un"
+        $sf = Get-ItemProperty "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -EA SilentlyContinue
+        if ($sf) {
+            $d  = $sf.Personal
+            $dt = $sf.Desktop
+            $dl = $sf.'{374DE290-123F-4565-9164-39C4925E467B}'
+            Write-Output "    Documents: $d$(if ($d  -like '*OneDrive*') { ' [KFM ACTIVE]' })"
+            Write-Output "    Desktop:   $dt$(if ($dt -like '*OneDrive*') { ' [KFM ACTIVE]' })"
+            Write-Output "    Downloads: $dl$(if ($dl -like '*OneDrive*') { ' [KFM ACTIVE]' })"
+        } else { Write-Output "    Shell Folders key not present (user not logged in or hive not loaded)" }
+    }
--- a/.claude/temp/read-regxml.ps1
+++ b/.claude/temp/read-regxml.ps1
@@ -0,0 +1,21 @@
+$domain = 'cascades.local'
+$srv = 'CS-SERVER'
+$sysvol = "\\$srv\SYSVOL\$domain\Policies"
+
+$gpo = Get-GPO -Name 'CSC - Folder Redirection' -Domain $domain
+$guid = "{$($gpo.Id.ToString().ToUpper())}"
+$xmlPath = "$sysvol\$guid\User\Preferences\Registry\Registry.xml"
+
+$bytes = [System.IO.File]::ReadAllBytes($xmlPath)
+Write-Output "REGXML_B64_START"
+Write-Output ([Convert]::ToBase64String($bytes))
+Write-Output "REGXML_B64_END"
+
+# Also get LE GPO GPC attributes from AD
+Import-Module ActiveDirectory -EA SilentlyContinue
+$leGpo = Get-GPO -Name 'CSC - Folder Redirection (LE)' -Domain $domain
+$leGuid = $leGpo.Id.ToString().ToUpper()
+$gpcObj = Get-ADObject -Filter "Name -eq '{$leGuid}'" `
+    -SearchBase "CN=Policies,CN=System,DC=cascades,DC=local" `
+    -Properties gPCUserExtensionNames,gPCMachineExtensionNames,versionNumber -EA SilentlyContinue
+Write-Output "LEGPO_EXT: $($gpcObj.gPCUserExtensionNames)"