sync: auto-sync from HOWARD-HOME at 2026-05-22 15:40:30

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-22 15:40:30

clients/cascades-tucson/scripts/fix-shell-redirect.ps1

@@ -0,0 +1,62 @@
+# fix-shell-redirect.ps1
+# Recovery script for when fdeploy cached a failure and won't retry.
+# Run via GuruRMM on the CLIENT machine while the affected user is logged in.
+#
+# Usage:
+#   $SID = (Get-ADUser -Identity "lauren.hasselman").SID.Value
+#   # Paste the SID and username below, then run via GuruRMM on the target machine.
+#
+# Parameters — edit before running:
+$Username = "Nurses"        # AD SAMAccountName (used to build server path)
+$UserSID  = "S-1-5-21-388235164-2207693853-3666415804-1259"   # from Get-ADUser on CS-SERVER
+
+# -----------------------------------------------------------------------
+$bs   = [char]92
+$base = $bs + $bs + "CS-SERVER" + $bs + "Homes" + $bs + $Username
+
+if (-not (Test-Path "Registry::HKU\$UserSID")) {
+    Write-Error "User hive not loaded — user must be logged in on this machine."
+    exit 1
+}
+
+$ushf = "Registry::HKU\$UserSID\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
+$sf   = "Registry::HKU\$UserSID\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
+
+# GUID-based Known Folder IDs (modern Windows)
+$guidMap = @{
+    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}" = "Documents"
+    "{374DE290-123F-4565-9164-39C4925E467B}" = "Downloads"
+    "{4BD8D571-6D19-48D3-BE97-422220080E43}" = "Music"
+    "{33E28130-4E1E-4676-835A-98395C3BC3BB}" = "Pictures"
+    "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" = "Desktop"
+}
+
+# Legacy name-based keys (also read by shell and older apps)
+$legacyMap = @{
+    "Personal"    = "Documents"
+    "My Music"    = "Music"
+    "My Pictures" = "Pictures"
+    "Desktop"     = "Desktop"
+}
+
+foreach ($kv in $guidMap.GetEnumerator()) {
+    $p = $base + $bs + $kv.Value
+    Set-ItemProperty -Path $ushf -Name $kv.Key -Value $p -Type ExpandString -Force
+    Set-ItemProperty -Path $sf   -Name $kv.Key -Value $p -Type String -Force
+}
+
+foreach ($kv in $legacyMap.GetEnumerator()) {
+    $p = $base + $bs + $kv.Value
+    Set-ItemProperty -Path $ushf -Name $kv.Key -Value $p -Type ExpandString -Force
+    Set-ItemProperty -Path $sf   -Name $kv.Key -Value $p -Type String -Force
+}
+
+Write-Host "Registry updated for $Username. Log the user off and back on to apply."
+Write-Host ""
+Write-Host "Verify:"
+$v = Get-ItemProperty $sf
+Write-Host "  Desktop:   $($v.Desktop)"
+Write-Host "  Documents: $($v.Personal)"
+Write-Host "  Downloads: $($v.'{374DE290-123F-4565-9164-39C4925E467B}')"
+Write-Host "  Music:     $($v.'My Music')"
+Write-Host "  Pictures:  $($v.'My Pictures')"

clients/cascades-tucson/scripts/new-home-folder.ps1

@@ -1,17 +1,46 @@
 function New-HomeFolder {
 param([string]$Username)
 $path = "D:\Homes\$Username"
-if (Test-Path $path) { Write-Host "$path already exists - check ACL manually"; return }
-New-Item -ItemType Directory -Path $path -Force | Out-Null
-$acl = New-Object System.Security.AccessControl.DirectorySecurity
-$acl.SetAccessRuleProtection($true, $false)
-$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("CASCADES\$Username","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
-$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
-$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
-Set-Acl $path $acl
-Write-Host "$path created with clean ACL"
+
+if (Test-Path $path) {
+    Write-Host "$path already exists - verifying subfolders"
+} else {
+    New-Item -ItemType Directory -Path $path -Force | Out-Null
+    $acl = New-Object System.Security.AccessControl.DirectorySecurity
+    $acl.SetAccessRuleProtection($true, $false)
+    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("CASCADES\$Username","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+    Set-Acl $path $acl
+    Write-Host "$path created with clean ACL"
 }
 
-# Usage: dot-source this file, then call:
+# Pre-create all redirect subfolders so fdeploy never fails on first logon.
+# fdeploy caches failures and won't retry if subfolders don't exist at first logon.
+foreach ($folder in @("Desktop","Documents","Downloads","Music","Pictures")) {
+    $sub = "$path\$folder"
+    if (Test-Path $sub) {
+        Write-Host "  $sub already exists"
+    } else {
+        New-Item -ItemType Directory -Path $sub -Force | Out-Null
+        $acl = New-Object System.Security.AccessControl.DirectorySecurity
+        $acl.SetAccessRuleProtection($true, $false)
+        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("CASCADES\$Username","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")))
+        Set-Acl $sub $acl
+        Write-Host "  Created: $sub"
+    }
+}
+}
+
+# Usage: dot-source this file on CS-SERVER, then call:
 #   New-HomeFolder -Username "lauren.hasselman"
-# Run on CS-SERVER before adding user to SG-FolderRedirect.
+#
+# IMPORTANT: Run this BEFORE adding the user to SG-FolderRedirect and BEFORE
+# their first domain logon. fdeploy caches failures — if it runs before
+# subfolders exist it will say "no changes detected" on all future logons and
+# never retry.
+#
+# If a user already logged in and redirection failed, use
+# fix-shell-redirect.ps1 on the client machine instead.