azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-05-20 17:08:25

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 17:08:25
This commit is contained in:
Howard Enos
2026-05-20 17:08:26 -07:00
parent 6c476066ee
commit bc984d9c78
15 changed files with 638 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md
View File

@@ -217,3 +217,163 @@ Planned work for next session:
| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |
| SG-Mgmt-RW + SG-Sales-RW membership | Medium | Populate before Phase 3 GPO linking |
| CSC - Folder Redirection (full) | Medium | Blocked on Phase 3 — check OneDrive KFM on each PC first |
---
## Update: 17:06 PT — Admin folder redirection setup + department migration master plan
### Session scope
Continued from context-limit session. Completed the accounting/admin folder redirection GPO setup for Zachary Nelson, resolved architecture questions about OneDrive/HIPAA/AppData, and built the full department migration master plan.
---
### 1. Folder Redirection Architecture Decisions
**GPO approach — native FRD, not GPP Registry:**
- Inspected `CSC - Folder Redirection` GPO SYSVOL: had `User\Preferences\Registry\Registry.xml` (GPP Registry approach, 550 bytes) plus empty `Documents & Settings` folder.
- Decision: use native Group Policy Folder Redirection (GPMC UI → User Configuration → Windows Settings → Folder Redirection), not the GPP Registry hack. Howard configured this directly in GPMC on CS-SERVER.
**One GPO for all non-LE departments (not per-dept):**
- `%USERNAME%` in the redirect path makes it universal — `\\CS-SERVER\homes\zachary.nelson\Documents`, `\\CS-SERVER\homes\lauren.hasselman\Documents`, etc. all handled by one policy.
- Keep `CSC - Folder Redirection (LE)` for Life Enrichment. `CSC - Folder Redirection` becomes the universal GPO for all other departments.
**Security group filter instead of OU scope:**
- All 6 users in OU=Administrative (Zachary.Nelson, lauren.hasselman, Alma.Montt, Meredith.Kuhn, Ashley.Jensen, Allison.Reibschied) — cannot use OU scope without hitting users not ready for redirection.
- Solution: `SG-FolderRedirect` security group. Only members get the GPO applied.
- Future: when all departments migrated, remove SG filter, add Authenticated Users — existing redirected users see zero disruption.
**AppData — do not redirect:**
- Confirmed: redirect only Documents, Desktop, Downloads. AppData causes login slowdowns, application breakage, and network overhead with no meaningful benefit for assigned-machine users.
---
### 2. GPO Configuration (Howard in GPMC on CS-SERVER)
Howard opened GPMC, edited `CSC - Folder Redirection`, configured:
- Documents → `\\CS-SERVER\homes` (Basic redirection, grant exclusive rights, move contents)
- Desktop → `\\CS-SERVER\homes` (same settings)
- Downloads → `\\CS-SERVER\homes` (same settings)
- Policy removal: leave folder in new location
Howard also removed `Authenticated Users` from Security Filtering directly in GPMC (scripted removal failed — `Set-GPPermission -PermissionLevel None` triggers interactive confirmation prompt even with `-Confirm:$false` in NonInteractive PS sessions; GPMC COM `CreateSecurityInfo` method also unavailable).
---
### 3. SG-FolderRedirect Created and Wired
Dispatched via GuruRMM to CS-SERVER:
- Created `SG-FolderRedirect` (Global Security group, created in CN=Users fallback since OU=Security Groups,OU=Groups path failed)
- Added `Zachary.Nelson` as sole member
- Added `SG-FolderRedirect` with GpoApply permission on `CSC - Folder Redirection`
- Linked `CSC - Folder Redirection` to `OU=Administrative,OU=Departments,DC=cascades,DC=local` (Enabled, Order 1)
**Final GPO state:**
```
CSC - Folder Redirection
Linked: OU=Administrative — Enabled: True
Security filter: SG-FolderRedirect [GpoApply]
Members of SG-FolderRedirect: Zachary.Nelson
```
---
### 4. GuruRMM API Auth Change
GuruRMM API (port 3001) now requires JWT auth header. Previous sessions worked without it — behavior changed. Resolved:
```bash
TOKEN=$(curl -s -X POST "http://172.16.3.30:3001/api/auth/login" \
-H "Content-Type: application/json" \
-d '{"email":"claude-api@azcomputerguru.com","password":"ClaudeAPI2026!@#"}' \
| grep -o '"token":"[^"]*"' | cut -d'"' -f4)
```
Command dispatch also now requires `command_type` field: `{"command_type":"powershell","command":"..."}`.
Result polling endpoint is `/api/commands/{id}` (not `/api/agents/{id}/command/{id}`).
---
### 5. HIPAA / OneDrive Discussion
Concluded: server folder redirection is the correct posture for PHI-adjacent roles (accounting/admin). OneDrive requires a signed Microsoft HIPAA BAA, conditional access to block personal device sync, and Business Premium or E3 for full compliance tooling. Until BAA status is confirmed for cascadestucson.com tenant, PHI should stay on-prem.
---
### 6. Entra Connect — Expansion Plan
Entra Connect is live on CS-SERVER, production mode. Currently syncing OU=Caregivers + OU=Groups only. Not yet syncing Administrative or other department OUs.
Key facts for expansion:
- On-prem UPN suffix is `@cascades.local` (non-routable). Must add `cascadestucson.com` as alternate UPN suffix in AD before syncing any new dept OU.
- Change user UPNs to `@cascadestucson.com` → soft-match links to existing M365 cloud accounts.
- PHS makes on-prem password win — M365 password changes to Windows domain password on first sync. Notify users or align passwords first.
- Local Windows login behavior is unchanged. GPOs, group memberships, folder paths — all unchanged.
---
### 7. Department Migration Master Plan
Created comprehensive multi-day migration plan. Covers:
- Per-department template: pre-checks → machine prep → domain join → ProfWiz → prep-profile script → SG-FolderRedirect → Entra sync
- Department sequence (Admin → LE → Culinary → RS → Marketing → Care → Caregivers)
- Final switchover: SG-FolderRedirect removed, Authenticated Users restored — zero disruption to already-redirected users
- Clean machine end state: fresh domain join → all GPOs apply automatically, no manual steps
- Key guardrails from 2026-04-17 LE session (ProfWiz NTUSER.DAT poisoning, KFM conflict procedure)
- Prerequisites before Phase 3 GPO linking (SG membership, krbtgt rotation, Domain Admins cleanup)
**Plan file:** `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
**Resume command:** "resume the Cascades migration plan" at session start
**Syncro ticket:** https://computerguru.syncromsp.com/tickets/110680053
---
### Configuration Changes
| File | Action | Notes |
|------|--------|-------|
| `clients/cascades-tucson/session-logs/2026-05-20-howard-phase2.6-printers-gpos-account-cleanup.md` | Appended | This update |
| `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` | Created | Master migration plan with save-point tracking |
| `.claude/memory/project-cascades-migration-plan.md` | Created | Memory entry for plan file + Syncro ticket |
| `.claude/memory/MEMORY.md` | Updated | Added Cascades migration plan pointer |
| `C:\claudetools\.claude\temp\check-frd-gpo.ps1` | Created | GPO inspection script |
| `C:\claudetools\.claude\temp\frd-prep.ps1` | Created | SG create + GPO filter setup |
| `C:\claudetools\.claude\temp\frd-link.ps1` | Created | GPO link to OU=Administrative |
| `C:\claudetools\.claude\temp\find-zachary.ps1` | Created | AD user lookup + OU=Administrative inventory |
**AD changes (via GuruRMM on CS-SERVER):**
- Created security group `SG-FolderRedirect` (CN=Users,DC=cascades,DC=local)
- Added Zachary.Nelson to SG-FolderRedirect
- Removed Authenticated Users from CSC - Folder Redirection security filter (done by Howard in GPMC)
- Linked CSC - Folder Redirection to OU=Administrative (Enabled, Order 1)
**GPMC changes (Howard on CS-SERVER directly):**
- Configured native folder redirection in CSC - Folder Redirection:
- Documents, Desktop, Downloads → `\\CS-SERVER\homes` (Basic, GrantExclusive, MoveContents)
- Policy removal: leave folder in new location
---
### Infrastructure & Servers
| Resource | Value |
|----------|-------|
| CS-SERVER agent ID | `6766e973-e703-47c1-be56-76950290f87c` |
| GuruRMM API | `http://172.16.3.30:3001` (now requires JWT auth) |
| GuruRMM API admin | `claude-api@azcomputerguru.com` / `ClaudeAPI2026!@#` |
| cascades.local GPO GUID | CSC - Folder Redirection = `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}` |
| ACCT2-PC | Zachary.Nelson's machine — test folder redirection tonight |
| DESKTOP-H6QHRR7 | lauren.hasselman — OneDrive KFM active, Howard moves data manually first |
---
### Pending / Next Steps
| Item | Priority | Notes |
|------|----------|-------|
| Zachary folder redirection live test | High | Tonight on ACCT2-PC — gpupdate /force as zachary.nelson, verify \\CS-SERVER\homes\zachary.nelson\ populated |
| Lauren Hasselman | High | Howard moves OneDrive data manually first, then add to SG-FolderRedirect |
| Entra Connect: add OU=Administrative to sync | Medium | Set cascadestucson.com UPN suffix first, align passwords, then delta sync |
| Phase 3 domain joins | High | DESKTOP-KQSL232 first; MDIRECTOR-PC blocked on Win10 Pro upgrade |
| Phase 3 GPO linking | High | After first successful domain join: Security Baseline, Drive Mappings, Printer Deployment, Windows Update |
| SG-Mgmt-RW / SG-Sales-RW / SG-Activities-RW | Medium | Populate before Drive Mappings GPO linked |
| krbtgt password rotation | Medium | 569+ days old |
| Remove Meredith.Kuhn + John.Trozzi from Domain Admins | Low | Deferred |
| Update Syncro ticket #110680053 | Medium | Log today's work |