sync: auto-sync from HOWARD-HOME at 2026-06-25 12:53:21

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 12:53:21
2026-06-25 12:54:04 -07:00
parent 51751e6473
commit d4fd71baab
14 changed files with 153 additions and 51 deletions


@@ -104,7 +104,7 @@ Nothing else in this tenant is touched. No office staff change. No password cuto
| Item | When | Blocker |
|---|---|---|
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Kyla, etc.; ~~Alma~~ offboarded 2026-06-25) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch |
| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |
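Review bot: striking Alma leaves a second departed user in the same C1 Phase 2 list. Allison is still named there, while `docs/servers/active-directory.md` in this same commit records Allison.Reibschied as "no longer employed — account disabled in DC 2026-05-19"; she should be dropped or struck from the to-be-synced list in the same pass. The blocker cell's "Pre-cutover AD password reset to known values" also deserves a pointer to where those values are kept and how "user must change password at next logon" is enforced, since a password known to IT is a shared secret until first sign-in.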


@@ -55,7 +55,7 @@ The CSV encodes access posture per person with three columns: **Access** (D / P
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* |
| ~~Life Enrichment~~ | ~~Alma R Montt~~ | **OFFBOARDED 2026-06-25** (was MC Life Enrichment) — see `docs/security/offboarding-2026-06-25-alma-montt.md` |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |
@@ -107,7 +107,7 @@ No answer yet. This decision directly changes the license count and the CA polic
| Scenario | Qty | Notes |
|---|---|---|
| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). |
| Office staff with Outside=Y (Office-PHI external-OK) | **17** | ~~18 incl. Alma~~ — Alma offboarded 2026-06-25 (SPB seat freed). Britney removed earlier (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities |
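Review bot: only the first row moved from 18 to 17; the three cumulative rows beneath it are unchanged context and still add from 18 (**20**, **21**, and "21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65**" / "**66** total"), so the table now contradicts itself. Recompute them as 19, 20, and 20 office + 3 + 4 + 37 = 64 (65 with Ramon Castaneda). Also check the "+ Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards)" contribution against `docs/servers/active-directory.md`, which this commit shows with Allison.Reibschied disabled 2026-05-19; that row may be +1, not +2.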


@@ -2,6 +2,11 @@
**Status:** Planning — no account creation or license assignment yet.
**Created:** 2026-04-22 (Howard)
> **[RECONCILE 2026-06-25]** Alma R Montt (`Alma.Montt`) was **OFFBOARDED 2026-06-25** (terminated).
> Disregard every "create account / add to SG-External-Signin-Allowed" line for her below; her AD
> account is disabled + moved to `OU=Excluded-From-Sync` and her M365 sign-in is blocked. Persona/seat
> counts that listed her should drop by 1. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
**Inputs:**
- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*)
- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled)
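Review bot: the banner correctly records disabled + `OU=Excluded-From-Sync` + M365 sign-in blocked, but the Inputs line two lines below still cites `docs/servers/active-directory.md` as "42 accounts, 40 enabled", a headcount that predates this offboarding as well as the 2026-05-19 and 2026-05-20 disables recorded later in this commit. Date the parenthetical or drop it, so the stale count is not read as current state. The CSV is also still described as "source of truth for who should exist"; the banner should say in one line that the offboarding record supersedes the CSV for Alma, since the CSV is deliberately left unmodified as a historical artifact.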
@@ -22,7 +27,7 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l
| Persona | Access | Outside | ALIS | Count | Examples |
|---|---|---|---|---|---|
| **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe |
| **Office-PHI (external-OK)** | D+P | Y | Y | 17 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe (~~Alma~~ offboarded 2026-06-25) |
| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda |
| **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks |
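Review bot: the 17 is now right for Alma, but the "Office-PHI (in-building) | 2 | Allison Reibschied, Sharon Edwards" row directly below is untouched while `docs/servers/active-directory.md` in this commit records Allison.Reibschied disabled 2026-05-19 and replaced by Zachary.Nelson (Accounting Assistant). Strike Allison here the same way and add Zachary to whichever persona applies; as written the persona table counts one departed identity and omits one active one.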
@@ -121,7 +126,7 @@ This collapses the earlier per-persona policy matrix into two primary CA policie
| `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) |
| `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. |
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 17 office-PHI staff (~~Alma R Montt~~ offboarded 2026-06-25 — do NOT seed). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`).
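Review bot: "do NOT seed" is a prose instruction, but the seed is defined as "from the CSV's Outside=Y column", and that CSV (kept unchanged as a historical record per this commit) still lists Alma with Outside=Y. Whatever builds `SG-External-Signin-Allowed` should filter on current account state (enabled, not in `OU=Excluded-From-Sync`) rather than on the CSV alone, so a re-run of the seed cannot re-add a terminated user to the group that grants off-site sign-in. A sentence stating that filter here would close the gap the strikethrough only papers over.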
@@ -139,7 +144,7 @@ These must be resolved before creating or converting accounts. See also `cascade
| **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. |
| **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. |
| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). |
| ~~**Alma R Montt**~~**OFFBOARDED 2026-06-25** | Account was created 2026-05-19, then **terminated + offboarded 2026-06-25** (disabled, groups stripped, OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared). | **No action — do NOT create or grant.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. |
| **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. |
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
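Review bot: the Alma row now says "No action", but the neighbouring rows are stale in the same way: the Kyla row still says "Create AD account `Kyla.QuickTiffany`" while `docs/servers/active-directory.md` in this commit confirms that account exists in OU=Resident Services, and the drivers row still says "Disable the 3 AD accounts", which the same file marks DONE 2026-05-20. Mark those rows done with dates, otherwise this per-person action list invites a future session to redo completed work. One detail worth keeping in Alma's row: the earlier entry placed her in `OU=Life Enrichment`, while the AD changelog says she was provisioned into OU=Administrative; a line saying which was true at termination keeps the question from coming back.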
@@ -213,7 +218,7 @@ User-visible impact: one Outlook password prompt on day-of-cutover. **No impact
- Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`)
- Ask Meredith whether to keep or retire `Transportation@` shared mailbox
- Create AD accounts (and let Entra Connect sync to M365) for:
- Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
- ~~Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)~~ — **OFFBOARDED 2026-06-25, skip**
- Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
- Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
- Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first)
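Review bot: the Wave 1 list still reads as pending work, yet two of its items are recorded complete elsewhere in this commit: the three driver accounts are shown disabled 2026-05-20, and Kyla.QuickTiffany is confirmed present in AD. Striking Alma while leaving those lines open makes the checklist look half-finished; mark them done with dates, as the Alma line now is, so the list tells a reader what Wave 1 still actually needs.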
@@ -288,7 +293,7 @@ Output goes to `docs/migration/synology-permission-inventory.md`, which is then
- Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5).
- Christine Nyanzunda → one account covers both roles.
- Kyla → `Kyla.QuickTiffany` (her preference).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). **[OFFBOARDED 2026-06-25 — terminated.]**
- Britney Thompson → **departed (John)**. Disable AD + harvest license.
- Polett Pinazavala → **departed (John)**. Remove from roster.
- Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names.
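Review bot: the decision summary keeps the full decision text (`Alma.Montt`, title, D+P, ALIS=Y, Outside=Y) with the OFFBOARDED tag only appended, unlike the Wave 1 list where the whole line is struck; a skim-reader sees "Outside=Y" before the tag. Strike the decision body the same way. The Britney line's "Disable AD + harvest license" is likewise recorded DONE 2026-05-20 in `docs/servers/active-directory.md` and could carry that tag too.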


@@ -136,7 +136,7 @@ $printers = @(
}
# Memory Care Reception (EPSON833571 — dc:cd:2f:83:35:71)
# Added 2026-05-29. Driver already installed from FrontDesk ET-5800 — no EPWizard re-run needed.
# Access: OU=Care-Memorycare (GPO ILT). Alma Montt (cloud-only M365) connects manually to \\CS-SERVER\MCReception.
# Access: OU=Care-Memorycare (GPO ILT). (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named.)
@{
IP = '10.0.20.78'
Port = 'TCP_10.0.20.78'
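Review bot: the rewritten comment drops the operational fact the old one carried: a cloud-only M365 account gets no GPO item-level-targeting mapping and has to connect manually to `\\CS-SERVER\MCReception`. If the replacement is provisioned the same way, the same manual step applies. Keep that sentence in the comment without a name, so whoever sets up the replacement knows why the GPO alone will not deliver the queue.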
@@ -144,7 +144,7 @@ $printers = @(
Driver = 'EPSON ET-5800 Series'
Share = 'MCReception'
Location = 'Memory Care Reception (Floors 5/6)'
Comment = 'Epson ET-5800 - MemCare Reception / Alma Montt + MC nurses'
Comment = 'Epson ET-5800 - MemCare Reception / MC nurses'
}
)
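Review bot: the `Comment` value is written into the printer object and is visible to anyone who can enumerate shares on `\\CS-SERVER`, so a personal name does not belong there; apply the same rule to `Location` and any other free-text field in the `$printers` array so no other names remain, and describe the queue by role ("MemCare Reception desk") rather than by who happens to sit at it.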


@@ -147,9 +147,9 @@ Read-only: Management
Access: Directory, Life Enrichment
**Note:** Same LE-new-mapping note as Susan.
### Alma R Montt — MC Life Enrichment
Access: Directory, Life Enrichment
**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.
### ~~Alma R Montt — MC Life Enrichment~~ — OFFBOARDED 2026-06-25
~~Access: Directory, Life Enrichment~~
**Note:** **OFFBOARDED 2026-06-25 (terminated).** Excluded from all share groups — see the live roster `share-group-roster-proposed-2026-06-25.md` and `docs/security/offboarding-2026-06-25-alma-montt.md`.
---
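Review bot: the roster is cited as a bare filename, `share-group-roster-proposed-2026-06-25.md`, while the offboarding record in this same commit cites it as `docs/migration/share-group-roster-proposed-2026-06-25.md`; use the repository-relative path so the reference resolves from wherever this matrix is read. Since the note says she is "excluded from all share groups", it should also say that the group roster, not this 2026-04-23 matrix, is the authority a reader should check against the live ACLs.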
@@ -233,7 +233,7 @@ These names show up on Synology but are not in John's current employee list. The
- **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23).
- **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
- **New CS-SERVER shares to create** (settled 2026-04-23):
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon only (~~Alma~~ offboarded 2026-06-25). LE workstations currently have no mapped drives — this will be their first.
- **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
- **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share.
- **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.
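Review bot: the `LifeEnrichment` RW list is still a list of people ("Susan/Sharon only") rather than a reference to the share group, which is exactly how this per-person drift happened. Point the line at the roster in `docs/migration/share-group-roster-proposed-2026-06-25.md` and grant the NTFS and share permissions to that group, so a termination is one group-membership removal instead of a sweep across every document that names the user.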


@@ -15,7 +15,7 @@
| 9 | Room 206 (large printer) | 192.168.1.138 | 00:20:6b:b3:4a:55 | Konica Minolta Bizhub C368 | A7PV011016305 | Health Services | Network | Online |
| 10 | Kitchen Manager | 192.168.3.232 | — | Canon imageClass MFC743CDW | — | Alyssa (Brooks) | Network | Online |
| 11 | Chef | 192.168.3.88 | — | Brother MFC-9330CDW | — | Chef | Network | Online |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | Alma Montt (MemCare receptionist), MemCare nurses/users | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | MemCare nurses/users (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named) | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 13 | MemCare Room 615 | 192.168.2.53 | c8:a3:e8:a2:dd:93 (brwc8a3e8a2dd93) | Brother (model TBD) | — | MedTechs, Nurses | WiFi (static IP) | Online |
| 14 | Meredith's Office | 192.168.2.67 | — | Canon imageClass MF743CDW | — | Meredith (Kuhn) | Network | Online |
| 15 | MemCare Director (Room 603) | 192.168.3.52 | 20:0b:74:b2:29:08 | Canon Color imageClass MF751CDW | — | Shelby Trozzi | Network | Online |
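Review bot: the Users column of row 12 now holds a to-do ("reassign to MC Reception replacement when named") inside an inventory table, and to-dos embedded in inventory rows go stale silently. Keep the column to roles ("MemCare receptionist, MemCare nurses/users") and track the reassignment in the pending-issues table of `docs/servers/active-directory.md`, which this commit already edits for the same printer.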


@@ -42,4 +42,4 @@
**The PAA role is still assigned to the SP and must be removed manually** in Entra
(Roles & admins → Privileged Authentication Administrator → remove `ComputerGuru - Tenant Admin`).
Its standing **Conditional Access Administrator** role is intentional — leave that.
- [ ] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`).
- [x] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`) **and all other active plans** (2026-06-25): `docs/servers/active-directory.md`, `docs/printers.md`, `docs/cloud/user-account-rollout-plan.md`, `docs/cloud/p2-staff-candidates.md`, `PLAN-AND-QUESTIONS-2026-04-24.md`, `docs/migration/share-access-matrix-2026-04-23.md`, `docs/migration/scripts/phase2-print-server.ps1`. Dated April/May questionnaires, CSVs, reports, and the archived plan left as historical record.
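Review bot: the reconciliation box is ticked, but the more security-relevant item in these lines stays as undated prose: a service principal (`ComputerGuru - Tenant Admin`) still holds Privileged Authentication Administrator, a role that can reset passwords and authentication methods for any user, Global Administrators included. Make it a dated `- [ ]` item with an owner (the closing update names Mike). The "leave that" on the standing Conditional Access Administrator assignment also deserves a second look: that role can edit or disable the `CSC - Building Only (Default)` and external-sign-in policies this whole plan relies on, so it belongs in PIM as an eligible assignment rather than permanently active on a service principal.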


@@ -11,7 +11,7 @@
## AD Users (updated 2026-05-19)
**Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- ~~Alma.Montt added to OU=Administrative (provisioned 2026-05-19)~~**OFFBOARDED 2026-06-25**: AD account disabled, groups stripped, moved to `OU=Excluded-From-Sync`; cloud-only M365 sign-in blocked + mailbox converted to shared. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
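Review bot: this changelog records Alma as offboarded and, two lines below, Allison.Reibschied as disabled 2026-05-19, yet the rollout plan persona table and the license math edited in this same commit still count Allison as an active Office-PHI (in-building) identity. The reconciliation pass this commit describes is Alma-only; Allison needs the same sweep, and a one-line pointer here saying so would stop the two documents from disagreeing.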
@@ -26,7 +26,7 @@
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| ~~Alma.Montt~~ | ~~Alma Montt~~ | ~~Life Enrichment~~ | **OFFBOARDED 2026-06-25 — disabled, groups stripped, moved to OU=Excluded-From-Sync.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |
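Review bot: this is the enabled-accounts table (the closing update calls it the "Enabled-Accounts table"), but it now carries two fully struck rows for disabled accounts (Alma.Montt, Allison.Reibschied). Keeping history is fine, but anyone counting rows or extracting SAM names for a sync scope will pick them up; move disabled accounts to a separate disabled/excluded table with the disable date and leave a one-line pointer here.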
@@ -180,7 +180,7 @@ cascades.local
├── Domain Controllers
│ └── CS-SERVER
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│ ├── Administrative — Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson (Alma.Montt offboarded 2026-06-25 → OU=Excluded-From-Sync)
│ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│ │ └── Nurses (empty sub-OU)
│ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
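Review bot: Alma.Montt is moved to `OU=Excluded-From-Sync` on termination, but britney.thompson, disabled 2026-05-20 per the pending-issues table further down this file, still sits in `Care-Assisted Living` in the same tree. Either both disabled accounts belong in the excluded OU or neither does; with the tree as drawn, Entra Connect keeps syncing one disabled object into the tenant while the other is filtered out. State the rule in the termination runbook and apply it to both.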
@@ -310,7 +310,7 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti
| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment |
| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare |
| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. Alma Montt (cloud-only M365 — no GPO) connects manually. |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. (Alma Montt offboarded 2026-06-25 — reassign to the MC Reception replacement when named.) |
## Group Policy (as of 2026-05-20)
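Review bot: the row still ties MCReception access to `OU=Care-Memorycare` via GPO, but the Group Policy section that follows says most PCs are not domain-joined, so the GPO path will not deliver this queue to a non-joined MC reception PC no matter who replaces Alma. Record how the reception PC actually gets the printer (domain-joined and in the OU, or manual connect to `\\CS-SERVER\MCReception`); that, not the user's name, is what the replacement setup depends on.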
@@ -368,7 +368,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al
| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — AD disabled. M365: sign-in blocked, license removed, litigation hold applied. |
| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. |
| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. |
| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. |
| Cloud-only M365 account — ~~RESOLVED~~ OFFBOARDED | Alma.Montt | **OFFBOARDED 2026-06-25** — AD disabled + moved to OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared (Shelby Trozzi FullAccess). See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. |
| ~~britney.thompson M365 offboarding~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — sign-in blocked, license removed, litigation hold applied via sysadmin@. |
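Review bot: the two completed offboardings in this table end differently: britney.thompson had sign-in blocked, license removed and litigation hold applied, while Alma.Montt's mailbox was converted to shared with Shelby Trozzi granted FullAccess. For a mailbox that may hold PHI, shared-mailbox conversion is an ongoing access grant to another person, not a retention control, and a shared mailbox stays licence-free only while it is under 50 GB and carries no hold. State in this row which path `docs/security/termination-procedures.md` prescribes and why Alma's differed. Separately, the krbtgt (569+ days) and Domain Admins rows are still "Deferred" with no date; both are standing risks this reconciliation commit leaves untouched.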


@@ -113,3 +113,32 @@ queue.
- Termination runbook: `docs/security/termination-procedures.md`
- Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802`
- Cascades wiki: `wiki/clients/cascades-tucson.md`
## Update: 12:53 PT — Reconciled Alma out of all active plans
Following the verified offboarding, reconciled Alma Montt out of every forward-looking Cascades
doc so no future session/tech treats her as a current or to-be-created user. The 2026-06-25
proposed share roster was already done (struck + OFFBOARDED) by the lost session. Edited the
remaining active docs, each annotated with `OFFBOARDED 2026-06-25` + a pointer to the offboarding
record (strikethrough preserves the decision history rather than deleting it):
- `docs/servers/active-directory.md` — current-state AD reference: changelog entry, Enabled-Accounts
table row, OU tree (Administrative), MCReception printer access, and Pending-Issues row all updated
to reflect disabled + moved to OU=Excluded-From-Sync.
- `docs/printers.md` — MCReception printer user list (removed Alma; note to reassign replacement).
- `docs/cloud/user-account-rollout-plan.md` — added a [RECONCILE] banner; fixed persona count 18->17,
SG-External-Signin-Allowed seed line, the per-person resolution row, the Wave-1 create list, and the
decision summary.
- `docs/cloud/p2-staff-candidates.md` — license-math count 18->17; candidate roster row.
- `PLAN-AND-QUESTIONS-2026-04-24.md` — Track C / C1 Phase 2 sync list.
- `docs/migration/share-access-matrix-2026-04-23.md` — Alma section + LifeEnrichment share RW list.
- `docs/migration/scripts/phase2-print-server.ps1` — MCReception comment + printer Comment field.
Left as historical record (dated point-in-time artifacts, intentionally NOT rewritten): the April
questionnaires/working-lists/followups, `reports/cascades-staff-2026-04-22.csv`, the Canva and
orphan-deletes reports, the 2026-04-22 HIPAA review, `scripts/create-alma-montt-2026-05-18.ps1`,
`scripts/build-open-questions-docx.py`, and `PLAN-AND-QUESTIONS-2026-04-23-archived.md`.
Ticked the offboarding record follow-up checkbox (reconciliation complete). Remaining open item is
unchanged: Mike to remove the stranded Privileged Authentication Administrator role on the Tenant
Admin SP.
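Review bot: the update declares reconciliation complete and ticks the checkbox, but the plans it lists still carry departed or completed items this commit did not sweep (Allison Reibschied in the persona table and license math; the driver disables and Kyla creation in the Wave 1 list), so "reconciled Alma out of all active plans" is accurate only for Alma while the documents remain inconsistent for others. Scope the claim, or do the second pass before ticking. The share-roster edit is attributed to "the lost session" and is not in this commit; cite the commit hash that made it, the same way the coord message id is recorded above. The closing reminder about the stranded Privileged Authentication Administrator role would be better tracked as a dated checkbox in the offboarding record than as the last sentence of a session log.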