sync: auto-sync from HOWARD-HOME at 2026-06-25 12:53:21

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 12:53:21
2026-06-25 12:54:04 -07:00
parent 51751e6473
commit d4fd71baab
14 changed files with 153 additions and 51 deletions


@@ -123,9 +123,7 @@
- [pfSense 25.07 ops quirks](reference_pfsense_25_07_ops.md) — Cascades pfSense Plus 25.07: logs are PLAIN TEXT (use tail/grep, NOT clog → clog returns empty); clean dhcpd restart = `services_dhcpd_configure()` via slow pfSsh.php (needs 50s+ timeout); dirty boot can leave 2 dhcpd → DISCOVER/OFFER but no ACK; reboot the Cox modem after a config restore; ZFS survives power loss. From the 2026-06-17 power-outage incident.
- [feedback_ascii_only_api_payloads](feedback_ascii_only_api_payloads.md) -- On Windows/Git-bash, non-ASCII chars (em-dash, arrow, smart quotes) in JSON payload TEXT passed to curl get mangled and rejected — Discord bot-alert returns 400, the coord API returns "error parsing the body". Use ASCII-only in API payload text, or a single-quoted heredoc.
- [feedback_bitdefender_unattended_install](feedback_bitdefender_unattended_install.md) -- Bitdefender unattended RMM install must use the FULL KIT as SYSTEM (silent, no UAC) — the downloader stub fails headless and triggers UAC
- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link.
- [feedback_rmm_longops_fire_and_forget](feedback_rmm_longops_fire_and_forget.md) -- Long-running RMM endpoint ops (software installs, big downloads) must be fire-and-forget, not live-monitored
- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link.
## Machine
- [GURU-5070 Workstation Setup](reference_workstation_setup.md) — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.
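Review bot: the index entry for `feedback_broken_backlinks_are_writeme_markers.md` appears twice in this hunk (once between the bitdefender and rmm_longops entries, and again immediately before `## Machine`); the friction-log entry later in this same commit attributes exactly this to memory-dream's orphan detector matching on rendered link text instead of the `](<filename>.md)` target, so drop the second copy here and fix the matcher before the next `--apply-safe` run, or it will re-append on every run.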


@@ -23,9 +23,11 @@ import os
import random
import subprocess
import sys
import tempfile
import time
import urllib.error
import urllib.request
from contextlib import contextmanager
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
@@ -111,6 +113,11 @@ CACHE_TTL_SECONDS = 86400
SKILL_DIR = Path(__file__).resolve().parent.parent
CACHE_DIR = SKILL_DIR / ".cache"
CACHE_FILE = CACHE_DIR / "inventory.json"
CACHE_LOCK_FILE = CACHE_DIR / "inventory.lock"
# Best-effort advisory lock for read-modify-write of the cache. Short timeout:
# losing a write-through update is acceptable; hanging the CLI is not.
CACHE_LOCK_TIMEOUT_SECONDS = 5.0
CACHE_LOCK_STALE_SECONDS = 30.0
class GravityZoneError(RuntimeError):
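Review bot: `CACHE_LOCK_STALE_SECONDS = 30.0` is compared against the lock file's mtime, which is set once at creation, so a holder that is legitimately slow (cache directory on a synced or network folder, laptop suspended mid-section) is indistinguishable from a crashed one and has its lock stolen. Record that assumption in the comment next to the constant, and if a critical section can ever approach 30 s, have the holder touch the lock file periodically.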
@@ -1136,10 +1143,60 @@ class GravityZoneClient:
return None
def _write_cache(self, cache: dict) -> None:
"""Atomically replace the cache file (temp write + os.replace) so a crash
mid-write or a concurrent reader can never see a truncated file."""
CACHE_DIR.mkdir(parents=True, exist_ok=True)
CACHE_FILE.write_text(
json.dumps(cache, indent=2, sort_keys=True), encoding="utf-8"
)
payload = json.dumps(cache, indent=2, sort_keys=True)
fd, tmp = tempfile.mkstemp(dir=str(CACHE_DIR), prefix=".inventory.",
suffix=".tmp")
try:
with os.fdopen(fd, "w", encoding="utf-8") as fh:
fh.write(payload)
fh.flush()
os.fsync(fh.fileno())
os.replace(tmp, CACHE_FILE) # atomic on the same filesystem
except BaseException:
try:
os.unlink(tmp)
except OSError:
pass
raise
@contextmanager
def _cache_lock(self):
"""Best-effort cross-platform advisory lock around a read-modify-write of
the cache, so two concurrent gz.py invocations don't lose each other's
write-through update. Steals a stale lock; on timeout proceeds unlocked
(a lost update is tolerable, a hang is not)."""
CACHE_DIR.mkdir(parents=True, exist_ok=True)
deadline = time.monotonic() + CACHE_LOCK_TIMEOUT_SECONDS
acquired = False
while True:
try:
fd = os.open(str(CACHE_LOCK_FILE),
os.O_CREAT | os.O_EXCL | os.O_WRONLY)
os.close(fd)
acquired = True
break
except FileExistsError:
try:
age = time.time() - os.path.getmtime(CACHE_LOCK_FILE)
if age > CACHE_LOCK_STALE_SECONDS:
os.unlink(CACHE_LOCK_FILE)
continue
except OSError:
pass
if time.monotonic() >= deadline:
break # give up the lock, proceed unlocked
time.sleep(0.1)
try:
yield
finally:
if acquired:
try:
os.unlink(CACHE_LOCK_FILE)
except OSError:
pass
def _cache_is_fresh(self, cache: dict) -> bool:
fetched = cache.get("fetched_at")
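Review bot: the stale-lock steal in `_cache_lock` has a window: two waiters that both compute `age > CACHE_LOCK_STALE_SECONDS` will both call `os.unlink(CACHE_LOCK_FILE)`, and the second unlink can remove the fresh lock the first waiter just created with `O_EXCL`, letting a third process in. That is within the stated "a lost update is tolerable" policy, but deserves a comment; the usual fix is to steal by renaming the stale lock to a per-process unique name with `os.replace` and unlinking that, so exactly one stealer succeeds. Separately, on Windows (where this tool is also run, per the Git-bash note in the index) `os.replace(tmp, CACHE_FILE)` raises `PermissionError` if another process still has `inventory.json` open for reading, so the docstring's "a concurrent reader can never see a truncated file" holds on POSIX only; a short retry loop around the replace keeps the CLI from failing on that race.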
@@ -1226,27 +1283,29 @@ class GravityZoneClient:
return self.refresh_inventory()
def _cache_add_group(self, group_id: str, name: str) -> None:
cache = self._read_cache()
if cache is None:
return # no cache yet - next refresh picks it up
cache.setdefault("companies", {})
# Groups live in the inventory tree; store under a 'groups' map.
cache.setdefault("groups", {})[group_id] = name
self._write_cache(cache)
with self._cache_lock():
cache = self._read_cache()
if cache is None:
return # no cache yet - next refresh picks it up
# Groups live in the inventory tree; store under a 'groups' map.
cache.setdefault("groups", {})[group_id] = name
self._write_cache(cache)
def _cache_add_package(self, package_name: str, create_result: Any) -> None:
cache = self._read_cache()
if cache is None:
return
packages = cache.setdefault("packages", [])
pkg_id = create_result if isinstance(create_result, str) else None
if isinstance(create_result, dict):
pkg_id = create_result.get("id")
if not any(
(isinstance(p, dict) and p.get("name") == package_name) for p in packages
):
packages.append({"id": pkg_id, "name": package_name})
self._write_cache(cache)
with self._cache_lock():
cache = self._read_cache()
if cache is None:
return
packages = cache.setdefault("packages", [])
pkg_id = create_result if isinstance(create_result, str) else None
if isinstance(create_result, dict):
pkg_id = create_result.get("id")
if not any(
(isinstance(p, dict) and p.get("name") == package_name)
for p in packages
):
packages.append({"id": pkg_id, "name": package_name})
self._write_cache(cache)
def main() -> int:
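Review bot: `_cache_add_group` drops the `cache.setdefault("companies", {})` line the old version had; if any reader of the cache assumes a `companies` key is present, that is a behaviour change unrelated to locking and should be either restored or called out in the commit message. Also, both methods now hold the lock across `_read_cache()` and `_write_cache()`, but `refresh_inventory()` (reached via the `return self.refresh_inventory()` context line above) is not shown taking it; if the refresh path also writes the cache, a refresh racing an add-group still loses one side's update.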
@@ -1258,9 +1317,4 @@ def main() -> int:
"httpx" if _HAS_HTTPX else "urllib")
return 0
except GravityZoneError as exc:
print(f"[ERROR] {exc}", file=sys.stderr)
return 1
if __name__ == "__main__":
raise SystemExit(main())
prin
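Review bot: the hunk header collapses 9 old lines into 4, and the last removed line survives only as the fragment `prin`; confirm the dropped tail after `raise SystemExit(main())` was dead text rather than a `print` something else relied on, and mention the cleanup in the commit message, since `sync: auto-sync` says nothing about it.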

.x_edr_aid.txt Normal file

@@ -0,0 +1 @@
99d6d692-99e0-4359-9f9c-f43be89f49e5
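Review bot: `.x_edr_aid.txt` ships a bare UUID with no comment or README entry saying what it is or which tool reads it; if this is an EDR agent or tenant identifier it is at least tenant-identifying and belongs in the `.sops.yaml` store used elsewhere in this repo rather than in a repo that auto-syncs between machines, and the dot-prefixed name suggests local scratch state that should be in `.gitignore` instead. Add a one-line note either way.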

.x_edr_install_cmd.txt Normal file

@@ -0,0 +1 @@
84537db7-e9a6-4e95-b024-aa8ab03f0b14
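Review bot: same question for `.x_edr_install_cmd.txt`: the name says it holds an install command but the content is a single UUID, so it reads as a handle to an RMM install token or command id; if that handle lets someone enrol an endpoint, treat it as a credential (sops, not plaintext), and in any case give both `.x_edr_*` files a README note so the next session knows whether they are safe to delete.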


@@ -104,7 +104,7 @@ Nothing else in this tenant is touched. No office staff change. No password cuto
| Item | When | Blocker |
|---|---|---|
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Kyla, etc.; ~~Alma~~ offboarded 2026-06-25) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch |
| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |


@@ -55,7 +55,7 @@ The CSV encodes access posture per person with three columns: **Access** (D / P
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* |
| ~~Life Enrichment~~ | ~~Alma R Montt~~ | **OFFBOARDED 2026-06-25** (was MC Life Enrichment) — see `docs/security/offboarding-2026-06-25-alma-montt.md` |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |
@@ -107,7 +107,7 @@ No answer yet. This decision directly changes the license count and the CA polic
| Scenario | Qty | Notes |
|---|---|---|
| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). |
| Office staff with Outside=Y (Office-PHI external-OK) | **17** | ~~18 incl. Alma~~ — Alma offboarded 2026-06-25 (SPB seat freed). Britney removed earlier (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities |
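Review bot: only the first row was decremented. With Outside=Y office staff now **17**, the cumulative rows still read **20** (should be 19) and **21** (should be 20), and the last row still counts `21 office` toward **65**/**66** totals (should be 20 office, 64/65). Either update the running totals or note that they are deliberately left stale until the freed SPB seat is reassigned.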


@@ -2,6 +2,11 @@
**Status:** Planning — no account creation or license assignment yet.
**Created:** 2026-04-22 (Howard)
> **[RECONCILE 2026-06-25]** Alma R Montt (`Alma.Montt`) was **OFFBOARDED 2026-06-25** (terminated).
> Disregard every "create account / add to SG-External-Signin-Allowed" line for her below; her AD
> account is disabled + moved to `OU=Excluded-From-Sync` and her M365 sign-in is blocked. Persona/seat
> counts that listed her should drop by 1. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
**Inputs:**
- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*)
- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled)
@@ -22,7 +27,7 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l
| Persona | Access | Outside | ALIS | Count | Examples |
|---|---|---|---|---|---|
| **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe |
| **Office-PHI (external-OK)** | D+P | Y | Y | 17 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe (~~Alma~~ offboarded 2026-06-25) |
| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda |
| **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks |
@@ -121,7 +126,7 @@ This collapses the earlier per-persona policy matrix into two primary CA policie
| `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) |
| `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. |
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 17 office-PHI staff (~~Alma R Montt~~ offboarded 2026-06-25 — do NOT seed). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`).
@@ -139,7 +144,7 @@ These must be resolved before creating or converting accounts. See also `cascade
| **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. |
| **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. |
| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). |
| ~~**Alma R Montt**~~**OFFBOARDED 2026-06-25** | Account was created 2026-05-19, then **terminated + offboarded 2026-06-25** (disabled, groups stripped, OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared). | **No action — do NOT create or grant.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. |
| **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. |
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
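Review bot: the first cell `~~**Alma R Montt**~~**OFFBOARDED 2026-06-25**` runs the strikethrough straight into the bold with no separator; it renders, but for consistency with the other struck rows in this commit (status in its own column, or ` — ` between name and status as the decision-summary bullet does) insert a separator or move the status text to the resolution column.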
@@ -213,7 +218,7 @@ User-visible impact: one Outlook password prompt on day-of-cutover. **No impact
- Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`)
- Ask Meredith whether to keep or retire `Transportation@` shared mailbox
- Create AD accounts (and let Entra Connect sync to M365) for:
- Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
- ~~Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)~~ — **OFFBOARDED 2026-06-25, skip**
- Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
- Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
- Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first)
@@ -288,7 +293,7 @@ Output goes to `docs/migration/synology-permission-inventory.md`, which is then
- Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5).
- Christine Nyanzunda → one account covers both roles.
- Kyla → `Kyla.QuickTiffany` (her preference).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). **[OFFBOARDED 2026-06-25 — terminated.]**
- Britney Thompson → **departed (John)**. Disable AD + harvest license.
- Polett Pinazavala → **departed (John)**. Remove from roster.
- Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names.


@@ -136,7 +136,7 @@ $printers = @(
}
# Memory Care Reception (EPSON833571 — dc:cd:2f:83:35:71)
# Added 2026-05-29. Driver already installed from FrontDesk ET-5800 — no EPWizard re-run needed.
# Access: OU=Care-Memorycare (GPO ILT). Alma Montt (cloud-only M365) connects manually to \\CS-SERVER\MCReception.
# Access: OU=Care-Memorycare (GPO ILT). (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named.)
@{
IP = '10.0.20.78'
Port = 'TCP_10.0.20.78'
@@ -144,7 +144,7 @@ $printers = @(
Driver = 'EPSON ET-5800 Series'
Share = 'MCReception'
Location = 'Memory Care Reception (Floors 5/6)'
Comment = 'Epson ET-5800 - MemCare Reception / Alma Montt + MC nurses'
Comment = 'Epson ET-5800 - MemCare Reception / MC nurses'
}
)


@@ -147,9 +147,9 @@ Read-only: Management
Access: Directory, Life Enrichment
**Note:** Same LE-new-mapping note as Susan.
### Alma R Montt — MC Life Enrichment
Access: Directory, Life Enrichment
**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.
### ~~Alma R Montt — MC Life Enrichment~~ — OFFBOARDED 2026-06-25
~~Access: Directory, Life Enrichment~~
**Note:** **OFFBOARDED 2026-06-25 (terminated).** Excluded from all share groups — see the live roster `share-group-roster-proposed-2026-06-25.md` and `docs/security/offboarding-2026-06-25-alma-montt.md`.
---
@@ -233,7 +233,7 @@ These names show up on Synology but are not in John's current employee list. The
- **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23).
- **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
- **New CS-SERVER shares to create** (settled 2026-04-23):
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon only (~~Alma~~ offboarded 2026-06-25). LE workstations currently have no mapped drives — this will be their first.
- **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
- **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share.
- **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.


@@ -15,7 +15,7 @@
| 9 | Room 206 (large printer) | 192.168.1.138 | 00:20:6b:b3:4a:55 | Konica Minolta Bizhub C368 | A7PV011016305 | Health Services | Network | Online |
| 10 | Kitchen Manager | 192.168.3.232 | — | Canon imageClass MFC743CDW | — | Alyssa (Brooks) | Network | Online |
| 11 | Chef | 192.168.3.88 | — | Brother MFC-9330CDW | — | Chef | Network | Online |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | Alma Montt (MemCare receptionist), MemCare nurses/users | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | MemCare nurses/users (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named) | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 13 | MemCare Room 615 | 192.168.2.53 | c8:a3:e8:a2:dd:93 (brwc8a3e8a2dd93) | Brother (model TBD) | — | MedTechs, Nurses | WiFi (static IP) | Online |
| 14 | Meredith's Office | 192.168.2.67 | — | Canon imageClass MF743CDW | — | Meredith (Kuhn) | Network | Online |
| 15 | MemCare Director (Room 603) | 192.168.3.52 | 20:0b:74:b2:29:08 | Canon Color imageClass MF751CDW | — | Shelby Trozzi | Network | Online |


@@ -42,4 +42,4 @@
**The PAA role is still assigned to the SP and must be removed manually** in Entra
(Roles & admins → Privileged Authentication Administrator → remove `ComputerGuru - Tenant Admin`).
Its standing **Conditional Access Administrator** role is intentional — leave that.
- [ ] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`).
- [x] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`) **and all other active plans** (2026-06-25): `docs/servers/active-directory.md`, `docs/printers.md`, `docs/cloud/user-account-rollout-plan.md`, `docs/cloud/p2-staff-candidates.md`, `PLAN-AND-QUESTIONS-2026-04-24.md`, `docs/migration/share-access-matrix-2026-04-23.md`, `docs/migration/scripts/phase2-print-server.ps1`. Dated April/May questionnaires, CSVs, reports, and the archived plan left as historical record.


@@ -11,7 +11,7 @@
## AD Users (updated 2026-05-19)
**Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- ~~Alma.Montt added to OU=Administrative (provisioned 2026-05-19)~~**OFFBOARDED 2026-06-25**: AD account disabled, groups stripped, moved to `OU=Excluded-From-Sync`; cloud-only M365 sign-in blocked + mailbox converted to shared. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
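Review bot: the heading at the top of this hunk, `## AD Users (updated 2026-05-19)`, and the `**Changes since 2026-04-13:**` label are unchanged even though the hunk records a 2026-06-25 change; bump the heading date so a reader checking freshness does not assume the table predates the offboarding. The `~~...~~**OFFBOARDED` run-together formatting is the same as in the rollout-plan hunk and would benefit from the same separator.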
@@ -26,7 +26,7 @@
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| ~~Alma.Montt~~ | ~~Alma Montt~~ | ~~Life Enrichment~~ | **OFFBOARDED 2026-06-25 — disabled, groups stripped, moved to OU=Excluded-From-Sync.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |
@@ -180,7 +180,7 @@ cascades.local
├── Domain Controllers
│ └── CS-SERVER
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│ ├── Administrative — Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson (Alma.Montt offboarded 2026-06-25 → OU=Excluded-From-Sync)
│ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│ │ └── Nurses (empty sub-OU)
│ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
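Review bot: the tree now mentions `OU=Excluded-From-Sync` only in a parenthetical and never shows it as a node; add it under `cascades.local` with `Alma.Montt` listed there so the diagram matches where disabled accounts actually live. The same applies to `britney.thompson`, which still appears under Care-Assisted Living in this hunk although the Pending-Issues table later in this commit records it as disabled 2026-05-20.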
@@ -310,7 +310,7 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti
| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment |
| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare |
| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. Alma Montt (cloud-only M365 — no GPO) connects manually. |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. (Alma Montt offboarded 2026-06-25 — reassign to the MC Reception replacement when named.) |
## Group Policy (as of 2026-05-20)
@@ -368,7 +368,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al
| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — AD disabled. M365: sign-in blocked, license removed, litigation hold applied. |
| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. |
| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. |
| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. |
| Cloud-only M365 account — ~~RESOLVED~~ OFFBOARDED | Alma.Montt | **OFFBOARDED 2026-06-25** — AD disabled + moved to OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared (Shelby Trozzi FullAccess). See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. |
| ~~britney.thompson M365 offboarding~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — sign-in blocked, license removed, litigation hold applied via sysadmin@. |


@@ -113,3 +113,32 @@ queue.
- Termination runbook: `docs/security/termination-procedures.md`
- Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802`
- Cascades wiki: `wiki/clients/cascades-tucson.md`
## Update: 12:53 PT — Reconciled Alma out of all active plans
Following the verified offboarding, reconciled Alma Montt out of every forward-looking Cascades
doc so no future session/tech treats her as a current or to-be-created user. The 2026-06-25
proposed share roster was already done (struck + OFFBOARDED) by the lost session. Edited the
remaining active docs, each annotated with `OFFBOARDED 2026-06-25` + a pointer to the offboarding
record (strikethrough preserves the decision history rather than deleting it):
- `docs/servers/active-directory.md` — current-state AD reference: changelog entry, Enabled-Accounts
table row, OU tree (Administrative), MCReception printer access, and Pending-Issues row all updated
to reflect disabled + moved to OU=Excluded-From-Sync.
- `docs/printers.md` — MCReception printer user list (removed Alma; note to reassign replacement).
- `docs/cloud/user-account-rollout-plan.md` — added a [RECONCILE] banner; fixed persona count 18->17,
SG-External-Signin-Allowed seed line, the per-person resolution row, the Wave-1 create list, and the
decision summary.
- `docs/cloud/p2-staff-candidates.md` — license-math count 18->17; candidate roster row.
- `PLAN-AND-QUESTIONS-2026-04-24.md` — Track C / C1 Phase 2 sync list.
- `docs/migration/share-access-matrix-2026-04-23.md` — Alma section + LifeEnrichment share RW list.
- `docs/migration/scripts/phase2-print-server.ps1` — MCReception comment + printer Comment field.
Left as historical record (dated point-in-time artifacts, intentionally NOT rewritten): the April
questionnaires/working-lists/followups, `reports/cascades-staff-2026-04-22.csv`, the Canva and
orphan-deletes reports, the 2026-04-22 HIPAA review, `scripts/create-alma-montt-2026-05-18.ps1`,
`scripts/build-open-questions-docx.py`, and `PLAN-AND-QUESTIONS-2026-04-23-archived.md`.
Ticked the offboarding record follow-up checkbox (reconciliation complete). Remaining open item is
unchanged: Mike to remove the stranded Privileged Authentication Administrator role on the Tenant
Admin SP.
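Review bot: `scripts/create-alma-montt-2026-05-18.ps1` is listed among the artifacts "intentionally NOT rewritten", but unlike the questionnaires and CSVs it is an executable provisioning script for an account that is now disabled; keep its contents as history if you like, but add a header comment (or move it under an archive path) stating the account was offboarded 2026-06-25 so a later session cannot re-run it and re-create or re-enable the user.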


@@ -17,6 +17,20 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'groups' failed (rc=127) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'users' failed (rc=127) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120]
2026-06-25 | Howard-Home | memory-dream | orphan detector mis-parses index lines containing [[wikilink]] text: flags feedback_broken_backlinks_are_writeme_markers.md as orphan despite being indexed (L174), so --apply-safe appends duplicate index lines every run. Fix: match orphan on the ](<filename>.md) link target, not the rendered link text. [ctx: skill=memory-dream file=scripts/memory_dream.py recurring=yes]
2026-06-25 | GURU-5070 | remediation-tool/EOP | [friction] checking ACG own-tenant EOP quarantine: reached for investigator-exo (401 - Exchange Admin role only on Exchange OPERATOR SP, not Investigator), then RecipientAddress needs JSON array not string (400); skill has no EOP/quarantine section at all [ctx: ref=feedback_exchange_role_recurring_gap]
2026-06-25 | GURU-5070 | sync/tailscale | [correction] diagnosed 172.16.3.x unreachable as transient blip; real cause was Tailscale node KEY EXPIRY on the subnet-router node (pfSense advertising 172.16.0.0/22) dropping it off the tailnet [ctx: fix=disabled key expiration on the node; symptom=internet OK but whole 172.16.3.x dead]
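Review bot: the tailscale `[correction]` entry records `fix=disabled key expiration on the node` for the pfSense subnet router advertising 172.16.0.0/22; that trades a recurring outage for a node key that never expires, so the entry (or the wiki page it points to) should also record the compensating control, such as a scheduled manual key rotation or an ACL limiting what the advertised route exposes. The `syno-ssh` lines also contain exact duplicates ('acl' twice, 'shares' twice with identical ctx), so either the recipes were retried and the log should say so, or the appender is double-writing; and the rc=127 failures on 'groups'/'users' (command not found on the DSM host) are a different fault from the rc=1 ones and are worth splitting when the recipe is fixed.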