sync: auto-sync from HOWARD-HOME at 2026-04-23 11:09:16

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-23 11:09:16

clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md

@@ -94,6 +94,20 @@ OU=Cascades Users
 
 CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only.
 
+**File-share access groups (created 2026-04-22 by `g1-ad-hygiene.ps1`, memberships populated in Phase 4 per `phase2-file-shares.ps1`):**
+
+| Persona | `SG-Receptionist-RW`<br/>(`\\CS-SERVER\Receptionist`) | `SG-Directory-RW`<br/>(`\\CS-SERVER\directoryshare`) | Other shares | Notes |
+|---|---|---|---|---|
+| **Shared-PC Reception** (Cathy, Shontiel, Kyla, Michelle) | **Y** | **Y** | — | Reception-desk workflows need the `Receptionist` share (printed directories, sign-in sheets, fax-in scans) **and** the Resident `directoryshare` (resident contact lists). Everything else these users do is in M365 (Frontdesk@ shared mailbox, Teams, SharePoint). No other on-prem share access required. |
+| **Courtesy Patrol** (Sebastian, Sheldon, Ray) | **Y** | **Y** | — | Same reception-coverage scope — they back up the front desk after hours. |
+| Office-PHI (external-OK) | per-role | Y | per-role (Mgmt, Sales, etc.) | directoryshare is resident-contact data; all office-PHI staff need read at minimum. RW memberships granted per department (e.g., Meredith → SG-Management-RW, Megan → SG-Sales-RW). |
+| Office-PHI (in-building) | N | Y | per-role | |
+| Maintenance PHI (Matt Brooks) | N | Y | — | directoryshare read access for room-assignment lookups. |
+| Caregiver / Agency | N | Y | — | Caregivers need resident contact info — directoryshare is the single canonical source. |
+| Drivers | N | N | — | Drivers lose all IT access per 2026-04-22 decision. |
+
+**Operational note — Workgroup (non-domain-joined) reception PCs:** RECEPTIONIST-PC and MEMRECEPT-PC are both WORKGROUP machines. Until they're domain-joined (Phase 3), users must enter `cascades\<username>` explicitly when Windows prompts for the share credential, then tick "Remember my credentials" so File Explorer doesn't silently fall back to the local machine user on next reboot. After Entra Connect + domain join, SSO removes this step.
+
 ## 5. Conditional Access policy set
 
 **Decision 2026-04-22 (Howard → Meredith/John):** Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site.

clients/valleywide/docs/yealink-t54w-recovery-procedure.md

@@ -0,0 +1,116 @@
+# Yealink T54W TFTP Recovery — Procedure
+
+**Use case:** Phone stuck at "Welcome" / "Initializing" / "Upgrading" screen. Bricked from a failed firmware update (often the known-bad 96.86.0.20 build). Factory reset from the menu won't work because the phone never gets that far. TFTP recovery flashes fresh firmware over ethernet direct from a laptop.
+
+## What you need
+
+| Item | Source |
+|---|---|
+| Tftpd64 (TFTP server for Windows) | <https://pjo2.github.io/tftpd64/> (v4.60 recommended) |
+| Current T54W recovery firmware ("NEW RM") | <https://support.yealink.com/support-service/attachment/downLoadFile?fileCode=97231f319498b7fa> |
+| Legacy recovery files (OLD RM + SPEAKER variants) | <https://support.yealink.com/support-service/attachment/downLoadFile?fileCode=8f07e4b2c57a31ed> |
+| Ethernet cable | direct laptop → phone Internet port |
+| Power brick (or PoE injector) | standard phone PSU |
+
+## File rename
+
+After extracting recovery zips, the TFTP root directory must contain exactly these three files for a T54W:
+
+```
+T54W.rom     # renamed from T54W(T57W,T53W,T53,T53C,T54,T57)-XX.XX.X.XX.rom
+T54W.bin     # renamed from T53-T53W-T54W-T57W.bin
+T54W.rfs     # optional — only include if present in the package
+```
+
+**Do NOT mix files between recovery sets.** Delete old files before trying a different set.
+
+## Procedure
+
+### 1. Laptop network setup
+
+- Disable WiFi (force traffic through ethernet)
+- Assign the ethernet NIC a static IP:
+  - IP: `192.168.81.100`
+  - Subnet: `255.255.255.0`
+  - Gateway: `192.168.81.1` (placeholder — doesn't need to exist)
+- Verify with `ipconfig` that the NIC has `192.168.81.100`
+
+### 2. Tftpd64
+
+- Launch Tftpd64
+- Current Directory → folder containing `T54W.rom`, `T54W.bin`, `T54W.rfs`
+- Server Interface → `192.168.81.100`
+- Leave running
+
+### 3. Physical cabling
+
+- Phone UNPOWERED (pull power AND ethernet)
+- Ethernet cable: laptop NIC → phone **Internet port** (NOT PC port)
+- Have the power brick ready to reconnect
+
+### 4. Enter recovery mode
+
+Two methods. **Try Redial first; fall back to Speaker.**
+
+**Method A — Redial hold:**
+1. Press and hold the **Redial** key
+2. While holding Redial, plug power back in
+3. Keep holding until the recovery wizard appears on the LCD
+4. Release
+
+**Method B — Speaker hold (fallback):**
+1. Unplug power, wait 5s
+2. Press and hold the **Speaker** key
+3. Plug power in while still holding
+4. Keep holding until the recovery wizard appears
+
+### 5. In the recovery menu
+
+- Press **`1`** on the keypad — selects TFTP method
+- Phone prompts for network config:
+  - Phone IP: `192.168.81.10` (any unused IP in the same /24)
+  - Subnet: `255.255.255.0`
+  - TFTP server IP: `192.168.81.100` (your laptop)
+- Confirm
+- Watch Tftpd64 log — should see `T54W.bin` and `T54W.rom` being served
+- Phone reboots automatically when flash completes (~3–5 min)
+
+### 6. Post-flash
+
+- Phone should come up to normal boot sequence
+- If previously enrolled in YMCS, it'll re-register on first contact
+- Re-provision to SIP registrar as needed
+
+## If first attempt fails
+
+Try each of three recovery file sets in order. **Delete old files before each retry.**
+
+| # | Set | Source |
+|---|---|---|
+| 1 | **NEW RM** | Current download (firmware 86+) |
+| 2 | **OLD RM** | Legacy file pack — for different hardware revision |
+| 3 | **SPEAKER** variant | Legacy file pack — for units that only respond to Speaker key |
+
+## USB fallback
+
+If TFTP is finicky:
+1. Format USB drive as FAT32
+2. Place the three renamed files at the root
+3. Insert USB into phone's USB port
+4. Hold Redial while reconnecting power (Method A above)
+5. Phone detects USB and flashes automatically
+
+**Kingston USB drives reported most reliable**; some newer SanDisk drives don't enumerate.
+
+## Known-bad firmware
+
+Firmware `96.86.0.20` is a documented T54W brick-maker. If YMCS is configured to push this version to your fleet, update the YMCS firmware policy to a known-good version BEFORE letting more phones pull the update. See <https://www.3cx.com/community/threads/bricked-yealink-t54ws-with-96-86-0-20-firmware.82455/> for the 3CX community thread documenting this issue.
+
+## Sources
+
+- [Yealink T54W Recovery — Call Central](https://callcentral.com.au/yealink-t54w-recovery/)
+- [Yealink T5x(w) Recovery Process — 888VoIP](https://support.888voip.com/article/349-yealink-t5x-w-recovery-process)
+- [How to recover T5XW phone stuck on Initializing or Upgrading screen — URL Networks](https://url.net.au/support/help-articles/how-to-recover-t5xw-phone-stuck-on-initializing-or-upgrading-screen)
+- [Yealink KB — How to get a recovery file](https://support.yealink.com/en/portal/knowledge/show?id=626290f54142767a8e372625)
+- [3CX — Bricked Yealink T54Ws with 96.86.0.20 firmware](https://www.3cx.com/community/threads/bricked-yealink-t54ws-with-96-86-0-20-firmware.82455/)
+- [TFTP Recovery on a Yealink Phone (video)](https://www.youtube.com/watch?v=rL947TH9EFY)