The 2026-06-18 repo restructure (history rewrite + project->submodule split)
dropped these 4 Cascades files from the new clone. Copied byte-identical from
the pre-cutover claudetools.old clone (md5-verified):
- docs/network/network-optimization-master-plan.md
- docs/network/phase1-voice-qos-design.md
- reports/2026-06-18-voice-quality-diagnostic.md
- session-logs/2026-06/2026-06-18-howard-cascades-rf-voice-optimization-plan.md
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Add the Memory Care Reception Epson ET-5800 (EPSON833571, 10.0.20.78,
dc:cd:2f:83:35:71) as a named print share on CS-SERVER. The printer was
previously pending a UniFi switch replacement; it is now online on VLAN 20.
- Created TCP port TCP_10.0.20.78 and shared as MCReception via GuruRMM
remote PS (driver already present from FrontDesk ET-5800 setup)
- Updated printers.md entry #12 with IP, MAC, share path, and Online status
- Added MCReception to active-directory.md printer table with OU=Care-Memorycare
ILT scope; GPO count bumped to 14
- Added MCReception entry to phase2-print-server.ps1 for reference
Access: OU=Care-Memorycare via Printer Deployment GPO (unlinked until Phase 3).
Alma Montt (cloud-only M365) connects manually to \\CS-SERVER\MCReception.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Rewrote with verified IPs and confirmed drivers. All 8 printers created and
shared via GuruRMM 2026-05-20. Deferred: FrontDesk Epson (needs Epson
Universal driver), Health-206 Konica Minolta (needs KM PCL6 Universal driver).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Created SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW in OU=Groups.
Created SMB shares Management, Sales, Activities, Server on D:\Shares
with ABE enabled and correct NTFS ACLs per group.
Scripts run on CS-SERVER via GuruRMM 2026-05-20. AD doc updated to live state.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md.
Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business
plan tenants under the Microsoft Customer Agreement.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Full tenant verification sweep: all Intune/Entra objects match session logs
- Entra Connect staging mode exited; 17 AD groups synced to cloud
- CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers
- Registration Campaign exclusion updated to SG-Caregivers
- Deleted test accounts: howard.enos (AD) and pilot.test (M365)
- Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule
- Session log written
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Lauren Hasselman could not create a Teams group on 2026-05-05.
Diagnostic confirmed the block is at the Teams Admin policy layer
(intentional, gated on HIPAA prerequisites in m365.md issues #12-#14),
not an Entra/M365-Group permissions defect. New teams-rollout.md
captures prerequisites, HIPAA config checklist, canary test plan
(Lauren as primary canary), and exit criteria. Linked from m365.md
issue #14.

Major work from 2026-04-23:
Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
(Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
local content to \\CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
verified via live SMB session + content access.
Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
short block per employee (department + position + folders they can access).
All settled decisions from today's calls captured (Sandra Fish = Meredith-
only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
Veronica = Meredith tier, CasAdmin201 retired, pacs empty).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Deleted 7 former-employee / zombie accounts via Graph user-manager tier.
All verified in soft-delete bin (30-day recovery):
- ann.dery, anna.pitzlin, jeff.bristol, kristiana.dowse, nela.durut-azizi,
nick.pavloff (all were disabled already)
- jodi.ramstack (was a zombie: enabled in M365 with 1 Business Standard
license but deleted from AD 2026-04-13. Freed $12.50/mo seat.)
admin@NETORGFT... (Sandra Fish) confirmed already gone from tenant.
Role-based accounts (accounting@, frontdesk@, hr@, etc.) NOT touched —
pending delegation decisions before shared-mailbox conversion. Stephanie.Devin
left alone pending Meredith confirmation.
Report: reports/2026-04-22-m365-orphan-deletes.md
Docs updated: docs/cloud/m365.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>