# Cascades — Work Log / Billing Record

## Session 1 — 2026-03-06 (Remote)

**Focus:** Initial audit, data gathering, documentation buildout

| Time | Task | Details |
|------|------|---------|
| | Initial server audit | Gathered systeminfo, AD users/computers/groups, DNS records, installed software, Hyper-V VMs, listening ports, disk info from CS-SERVER |
| | Network audit | Reviewed pfSense config (interfaces, firewall rules, VLANs, DHCP), UniFi APs/switches/SSIDs |
| | ARP/DHCP dump | Captured 802 ARP entries, 624 DHCP leases, identified all devices on network |
| | Printer inventory | Documented all printers with IPs, MACs, models, status |
| | Workstation inventory | Documented all PCs on INTERNAL and LAN with MACs, status, domain join state |
| | MDIRECTOR-PC audit | Gathered OS info (Win10 Home), users, network config via ScreenConnect |
| | Synology audit | Documented shares, storage capacity, permission report |
| | Full documentation buildout | Created/updated all .md files: overview, network/*, servers/*, security/*, migration/* |
| | Migration plan | Created phased migration plan with runbooks and PowerShell scripts |
| | CLAUDE.md | Created repo-level guidance file for AI tooling |

---

## Session 2 — 2026-03-06 (Remote)

**Focus:** Guest WiFi isolation, DNS fixes, security hardening

| Time | Task | Details |
|------|------|---------|
| | Guest WiFi isolation | Created VLAN 50 on pfSense (igc1.50, 10.0.50.1/24), DHCP scope, 4 firewall rules, UniFi Guest network, reassigned Guest SSID |
| | ~~RFC1918 alias~~ | ~~Created firewall alias~~ **CORRECTION (Session 6):** Never actually created. Using built-in `_private4_` alias instead. |
| | CS-SERVER DNS client fix | Changed DNS servers from pfSense+8.8.8.8 to 127.0.0.1+192.168.0.1, verified |
| | Stale DNS cleanup | Removed 9 stale records, added 3 correct records (@ → 192.168.2.254, DomainDnsZones, ForestDnsZones) |
| | pfSense domain overrides | Added cascades.local + `_msdcs.cascades.local` → 192.168.2.254 |
| | Reverse lookup zones | Created 5 zones (0/1/2/3.168.192 + 20.0.10.in-addr.arpa) |
| | DNS scavenging | Enabled server-level scavenging (7-day), zone aging on cascades.local |
| | Documentation updates | Updated all affected .md files to reflect changes |

---

## Session 3 — 2026-03-07 (Remote)

**Focus:** Backup setup, config exports, quick fixes, network diagnostics

| Time | Task | Details |
|------|------|---------|
| | CS-SERVER DNS forwarder verified | Confirmed forwarder is 192.168.0.1 (item G) |
| | CS-SERVER timezone fixed | Changed from Pacific to Arizona (UTC-07:00, no DST) to match pfSense |
| | Room 218 DHCP fixed | Changed range end from 10.2.18.2 to 10.2.18.14 in pfSense |
| | Room 130 firewall rule deleted | Removed disabled TCP PASS rule from Room130 interface |
| | pfSense config exported | Downloaded XML config (with and without RRD data), saved to D:\Shares\IT\Backups\pfSense\ |
| | Synology Active Backup for Business | Installed on Synology — **BLOCKED: requires Btrfs, NAS is ext4.** Cannot use ABB. Will use Windows Server Backup instead. |
| | Synology Drive Client | Reinstalled on CS-SERVER, configured live sync to D:\Shares\Main (all Synology shares) |
| | Synology share audit | Enumerated shares via SMB: homes (228 GB), Public (50 GB), SalesDept (13 GB), Server (2 GB), Management (1.4 GB), chat (0), home (0). Total ~294 GB. 4 shares (Activities, pacs, Sandra Fish, web) not visible via SMB. |
| | ARP flapping investigation | Analyzed pfSense ARP logs, found 5 IP conflicts |
| | LG TV ARP conflict fixed | TV was dual-connected (WiFi + ethernet). Disabled ethernet port on 1st Floor USW Port 18. Flapping resolved. |
| | Brother printer conflict identified | 192.168.2.53 — printer dual-connected (WiFi + ethernet). Needs onsite fix. |
| | Minor ARP conflicts triaged | Room 307, Room 130, iPhone MAC randomization — low priority, noted for onsite |
| | AD/DNS/Permissions exported | Exported users, computers, groups, domain admins, DNS records, zones, forwarders, SMB shares, GPOs to D:\Shares\IT\Backups\ |
| | AD export analysis | Identified: 3 non-IT users in Domain Admins, 12 accounts to remove, 3 undocumented GPOs from Dec 2025, most users never logged in |
| | GPO report export + analysis | Exported full GPO report (Get-GPOReport -All). Reviewed all 6 GPOs: 3 Dec 2025 GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) are completely empty — no settings, no links. Found account lockout disabled (threshold=0) in Default Domain Policy. |
| | Session planning | Created session3 runbook, phase0-remote-checks.ps1 script |
| | Documentation updates | Updated issue log (6 issues resolved), AD docs, backup docs, migration docs, session log |

---

## Session 4 — 2026-03-07 (Remote)

**Focus:** AD OU structure cleanup planning + script creation

| Time | Task | Details |
|------|------|---------|
| | AD OU structure audit | Identified 10 duplicate root-level department OUs, 3 empty root OUs (Managment, MemCare, Sales), 20 misplaced accounts in CN=Users |
| | phase2-ou-cleanup.ps1 | Created script: audit root OUs (confirm empty + no GP links), delete 13 root-level OUs, delete/disable stale CN=Users accounts, flag Lupe.Sanchez duplicate |
| | phase2-ad-setup.ps1 updated | Added prerequisite note for OU cleanup, CS-QB exclusion comment |
| | active-directory.md updated | Added current vs target OU structure, CN=Users placement plan, 4 new issues (root OUs, CN=Users, CN=Computers, Lupe.Sanchez) |
| | Issue log updated | Added 2 issues: root-level OU junk, Lupe.Sanchez duplicate |

---

## Session 5 — 2026-03-08 (Remote)

**Focus:** M365 tenant audit, AD↔M365 identity mapping, shared workstation GPO design

| Time | Task | Details |
|------|------|---------|
| | M365 tenant documented | Tenant: cascadestucson.com, ID: 207fa277-..., domain: cascadestucson.com, admin: Sandra Fish (admin@NETORGFT4257522.onmicrosoft.com) |
| | User export analysis | Exported 51 M365 users, cross-referenced against 46 AD accounts. Built full AD↔M365 mapping. |
| | Identity mapping | 24 AD accounts matched to M365. 13 AD users have no M365. 2 M365 users (nick pavloff, Kristiana Dowse) not in AD. |
| | License audit | Business Standard 34/34 (0 available). 12 role-based accounts wasting licenses (~$150/mo). Entra ID P2 (1, Sandra Fish). |
| | Shared mailbox audit | 4 shared mailboxes: 3 former employees (Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi) + Fax Cascades |
| | External guest audit | 6 guest accounts: 3 personal emails (jensen, dupras, rossini), 2 Howard accounts (1 typo "howaed"), 1 external partner (Debora Morris) |
| | Name mismatch found | Tamra Johnson (AD) → tamra.matthews@ (M365) — married name not updated in AD |
| | Shared workstation GPO | Added SharedComputers OU to phase2-ad-setup.ps1, GPO 6 design to phase2-server-prep.md, updated AD target OU tree |
| | cloud/m365.md | Fully populated from blank template — tenant info, licensing, full AD↔M365 mapping, shared mailboxes, issues |
| | 11 new issues logged | License exhaustion, role-account waste, Tamra name mismatch, 13 unmapped AD users, nick pavloff, Kristiana Dowse, Sandra Fish admin, former employee mailboxes, howaed typo, no Entra Connect |

---

## Session 6 — 2026-03-09 (Remote + Onsite Data)

**Focus:** Onsite data entry, printer inventory, AD quick fixes

| Time | Task | Details |
|------|------|---------|
| | Printer inventory update | Full onsite printer data entered — 15 printers documented with models, SNs, IPs, users, locations. Resolved 6 previously unidentified printers. |
| | Name changes documented | Tamra.Johnson→Matthews, Alyssa.Shestko→Brooks confirmed. Michelle.Shestko→Brooks pending. Updated all docs and scripts. |
| | **Remove Monica.Ramirez from Domain Admins (IMPLEMENTED)** | Removed disabled account from DA group |
| | **Delete 3 empty GPOs (IMPLEMENTED)** | Deleted CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter — all empty, no links |
| | **Fix account lockout policy (IMPLEMENTED)** | Set lockout threshold to 5 attempts, 30 min duration/observation window |
| | **Rename QuickBooks group (IMPLEMENTED)** | Fixed "Quickboosk acccess" → "QuickBooks Access" |
| | **pfSense aliases created** | Server_IPs (192.168.2.254), NAS_IP (192.168.0.120) created. Printer_IPs, AD_Ports, Print_Ports created then removed — not needed. |
| | Firewall strategy revised | Original plan: scoped INTERNAL→LAN rules for each resource. Revised: move all PCs and printers to INTERNAL VLAN 20 (same subnet), then lock down after migration. Simpler, fewer rules needed. |
| | RFC1918 alias correction | Documented as created in Session 2 but was never actually created. Using built-in `_private4_` alias instead. |
| | **ASSISTNURSE-PC upgraded to Win11 Pro (IMPLEMENTED)** | Upgraded from Windows Home to Windows 11 Pro using product key — enables domain join |

---

## Session 7 — 2026-03-11 (Onsite)

**Focus:** Quick wins — Guest WiFi test, kitchen thermal printer inventory, printer doc corrections

| Time | Task | Details |
|------|------|---------|
| | **Guest WiFi isolation tested (VERIFIED)** | Connected to Guest SSID, got 10.0.50.x IP. Fixed DHCP: changed DNS to 8.8.8.8/1.1.1.1, cleared domain name (was cascades.local). Internet works, cannot ping CS-SERVER or access shares — isolation confirmed. |
| | **Guest DHCP DNS fix (IMPLEMENTED)** | GUEST DHCP scope was handing out pfSense DNS + cascades.local domain. Blocked by firewall rules (block all private IPs). Changed to public DNS 8.8.8.8/1.1.1.1, cleared domain name. |
| | **Kitchen thermal printer inventory (DONE)** | 2 printers: Bistro — Epson TM-T88VII (M371A) at 192.168.2.207, Kitchen cooks — Epson TM-U220IIB (M384B) at 10.0.20.225. Both ethernet, both receive orders from 9 iPads. |
| | **"Port 8 Epson" mystery resolved** | Previously unaccounted 192.168.2.207 is the Bistro thermal printer |
| | **MemCare printer corrections** | Room 615 printer (192.168.2.53) is WiFi-only with static IP, NOT dual-connected. MemCare Reception needs dummy switch replaced with UniFi. Added room numbers (615, 603). |
| | **Nick Pavloff clarification** | M365 account is for Synology admin only. Plan: change Synology admin email to another account, then delete Nick's M365 to free license. |
| | **Bistro dummy switch identified** | Bistro has a non-managed switch splitting connection for thermal printer, CC, and other devices. Plan: replace with UniFi switch, set ports to VLAN 20 (CSCNet). Same situation as MemCare reception. |
| | **Bistro printer VLAN move planned** | Bistro Epson TM-T88VII (192.168.2.207) to be moved to CSCNet (VLAN 20) once UniFi switch installed. Test iPad printing after move — cooks printer already on CSCNet (10.0.20.225) so iPads likely already route there. |

---

## Onsite / Remote — Migration Tasks

### PC Migration (Phase 1.4) — Move to CSCNet WiFi

Connect each PC to CSCNet, forget CSC ENT, verify connectivity.
| PC | Current IP | User(s) | Status |
|----|-----------|---------|--------|
| RECEPTIONIST-PC | 192.168.2.17 | CJ, Christina, Kyla, Tiffany | [ ] |
| RECEPTIONIST-PC (2nd) | 192.168.3.187 | Receptionist | [ ] |
| ASSISTMAN-PC | 192.168.2.38 | Assistant Manager | [ ] |
| ASSISTNURSE-PC | 192.168.2.153 | Assist Nurse | [ ] WiFi — upgraded to Win11 Pro, move to CSCNet later |
| NURSESTATION-PC | 192.168.3.135 | Nurse Station | [ ] |
| MEMRECEPT-PC | 192.168.3.41 | MemCare Reception | [ ] |
| ANN-PC | 192.168.3.252 | Ann | [ ] |
| MDIRECTOR-PC | 192.168.3.20 | Shelby Trozzi | [ ] Needs Pro upgrade first |
| DESKTOP-LPOPV30 | 192.168.2.250 | Unknown | [ ] |
| DESKTOP-U2DHAP0 | 192.168.3.37 | Unknown | [ ] |
| DESKTOP-TRCIEJA | 192.168.3.93 | Unknown | [ ] |
| DESKTOP-DLTAGOI | 192.168.3.133 | Unknown | [ ] |
| DESKTOP-ROK7VNM | 192.168.3.148 | Unknown | [ ] |
| DESKTOP-MD6UQI3 | 192.168.3.208 | Unknown | [ ] |

### Printer Migration (Phase 1.5) — Change switch port to VLAN 20

Requires: identify switch port, change VLAN, DHCP reservation, update PCs.

| Printer | Current IP | Users | Status |
|---------|-----------|-------|--------|
| Chef Brother | 192.168.3.88 | Chef | [ ] |
| Kitchen Manager Canon | 192.168.3.232 | Alyssa | [ ] |
| Meredith's Canon | 192.168.2.67 | Meredith | [ ] |
| MemCare Director Canon | 192.168.3.52 | Shelby | [ ] |
| MemCare Nurse Brother | 192.168.2.53 | MemCare nurses | [ ] |
| Room 103 Brother | 192.168.2.145 | Ashley, Christina | [ ] |
| Room 132 Canon | 192.168.3.211 | Sharon, Susan | [ ] |
| Room 217 Sales Brother | 192.168.3.44 | Sales team | [ ] |
| Room 206 Bizhub | 192.168.1.138 | Health Services | [ ] |
| Accounting Canon | 192.168.3.227 | Lauren | [ ] |
| Front Desk Epson | 192.168.2.147 | 4 users | [ ] |
| Copy Room Canon | 192.168.2.230 | Everyone | [ ] **LAST** |
| MemCare Reception Epson | — | MemCare Recept | [ ] Needs hardwire first |

### Other Onsite Tasks

| Task | Details |
|------|---------|
| ~~Test Guest WiFi isolation~~ | ~~Connect to Guest SSID, verify 10.0.50.x IP, no LAN access~~ **DONE 2026-03-11** |
| Identify unknown devices | DESKTOP-1ISF081, DESKTOP-KQSL232, DESKTOP-VAVKCIM |
| User-to-machine mapping | Document who uses each PC for GPO targeting |
| MDIRECTOR-PC Pro upgrade | Install Windows 10 Pro upgrade key |
| SALES4-PC status | Locate or confirm decommissioned |
| Two RECEPTIONIST-PCs | Determine which is primary |
| 9 offline APs | Check PoE, cables, re-adopt |
| Room 307 ARP conflict | Check if still occurring |

---

## Outstanding Work — Prioritized

### Priority 1: CRITICAL

- [ ] **Set up backup** — Windows Server Backup to Synology SMB share (ABB blocked by ext4)
- [x] ~~**Remove Monica.Ramirez from Domain Admins**~~ — DONE 2026-03-09

### Priority 2: HIGH (security)

- [x] ~~Create firewall aliases~~ — Server_IPs and NAS_IP created. Others not needed (printers moving to INTERNAL VLAN). DONE 2026-03-09
- [ ] Replace INTERNAL firewall rules — **deferred until after all devices migrated to VLAN 20**
- [ ] Disable floating rule #4 + add scoped room internet rule — **deferred until post-migration**
- [x] ~~Remove Meredith.Kuhn and John.Trozzi from Domain Admins~~ — DONE 2026-04-13
- [x] ~~Review 3 undocumented GPOs~~ — REVIEWED: all 3 are empty (no settings, no links). Delete in Phase 2.2.
- [x] ~~Delete 3 empty GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter)~~ — DONE 2026-03-09
- [x] ~~Fix account lockout policy~~ — Set to 5 attempts / 30 min lockout — DONE 2026-03-09

### Priority 3: MEDIUM (cleanup)

- [ ] Delete VLAN 10 from UniFi
- [x] ~~Disable/delete 12 stale AD accounts~~ — DONE 2026-04-13 (13 accounts deleted)
- [ ] Remove unused server roles (NPS, RDS)
- [ ] Create DHCP reservation for LG TV WiFi MAC (e0:85:4d:4d:f0:3e → 192.168.2.148)
- [x] ~~Fix Brother printer dual-connection (onsite)~~ — NOT an issue. 192.168.2.53 is WiFi-only with static IP. DONE 2026-03-11

### Priority 4: Phase 2+ (AD/server prep)

- [x] ~~**Run phase2-ou-cleanup.ps1** — audit + delete 13 root-level OUs, clean CN=Users accounts~~ — DONE 2026-04-13 (manual commands)
- [x] ~~**Run phase2-ad-setup.ps1** — security fixes, Workstations OU (incl. Shared PCs), security groups, computer moves~~ — Partially DONE 2026-04-13 (Workstations OU created, DA cleaned, UPNs updated. Security groups + computer moves still pending)
- [ ] Set up file share permissions on CS-SERVER
- [ ] Create GPOs (drive maps, printers, security baseline, updates, folder redirection, shared workstation)
- [ ] Domain-join non-domain machines
- [ ] Synology retirement + backup-only repurpose

### Priority 5: M365 Cleanup

- [ ] **Convert 12 role-based accounts to shared mailboxes** — accounting@, frontdesk@, hr@, security@, memcarereceptionist@, boadmin@, accountingassistant@, Training@, Kitchenipad@, medtech@, nurse@, transportation@. Frees ~12 licenses (~$150/mo)
- [ ] **Delete nick pavloff M365 account** — account was only for Synology admin. Change Synology admin email to another account first, then delete to free license.
- [x] ~~**Update Tamra.Johnson → Tamra.Matthews in AD**~~ — DONE 2026-04-13
- [ ] **Delete Kristiana Dowse M365 account** — HR confirmed not current employee (2026-03-10). Frees 1 license.
- [ ] **Delete "howaed" guest account** — typo duplicate of howard@azcomputerguru.com
- [ ] **Delete Anna Pitzlin & Nela Durut-Azizi shared mailboxes** — HR confirmed OK to delete (were forwarded to Meredith, no longer needed). Jeff Bristol still pending.
- [ ] **Review Sandra Fish global admin** — previous owner still holds the only global admin. Create break-glass admin?
- [ ] **Install Entra Connect** — planned for CS-SERVER, AD cleanup complete, UPNs updated. Blocked on: M365 shared mailbox conversions
- [ ] **Determine if AD users need M365** — HR confirmed all current employees (2026-03-10). Roles: Front Desk/Courtesy Patrol, MC Front Desk, Transportation, Housekeeping. Do they need email? Free licenses first via role account cleanup.
### Priority 6: Audit Findings (2026-03-10)

**Doc fixes:**

- [x] Fix Room 206 printers in `phase2-print-server.ps1` — Added Bizhub C368 + 206 Nurse Station Brother as separate entries — DONE
- [x] Fix `firewall.md` post-migration rules — changed "RFC1918" to `_private4_` — DONE
- [x] Fix `dhcp.md` Room 218 — marked as FIXED 2026-03-07 — DONE
- [x] Fix `dhcp.md` printer 192.168.2.53 — updated to online with MAC — DONE
- [x] Fix `step3-switch-ports.md` — Added Bizhub C368 + 206 Nurse Station — DONE
- [x] Fix RFC1918 alias entry in Session 2 billing record — corrected — DONE
- [x] Standardize "MemCare MedTech" printer naming across all docs — DONE

**Resolved with Howard's input:**

- [x] ~~**Duplicate Alyssa accounts**~~ — Resolved: Alyssa.Shestko renamed to Alyssa.Brooks, lowercase duplicate deleted — DONE 2026-04-13
- [x] **SALES4-PC** — Active, used by Tamra Matthews. Was just offline during audit. Updated overview.md. — DONE
- [x] **Azure docs** — No Azure services. M365 + GoDaddy web hosting only. Updated `cloud/azure.md`. — DONE

**Needs onsite / separate session:**

- [ ] M365 email audit — SPF, DKIM, DMARC, MX records all TBD
- [ ] Synology shares "pacs" and "web" — purpose unknown (may contain PHI)
- [ ] CS-SERVER ports 5504, 6783, 8019 — unidentified listeners
- [ ] Room 339 interface — may be disabled in pfSense
- [ ] 9 offline APs — need physical investigation
- [x] ~~**Kitchen thermal printer inventory**~~ — 2 printers: Bistro TM-T88VII (192.168.2.207), Kitchen TM-U220IIB (10.0.20.225). DONE 2026-03-11
- [ ] **Verify ALIS BAA** — ask management if signed BAA exists with go-alis.com
- [ ] **Sign Microsoft BAA** — M365 Admin → Settings → Org Settings → Security & Privacy → HIPAA BAA
- [ ] **Enable MFA** — Security Defaults in Entra ID (free, 5 min to enable)

### Onsite Visit Additions (from M365 audit)

- [ ] Identify shared workstation computer names for GPO 6 targeting
- [ ] Confirm nick pavloff's department and PC assignment
- [x] ~~Ask about Kristiana Dowse — current or former?~~ HR confirmed DELETE (2026-03-10)
- [ ] Map user-to-shared-PC rotation matrix for shared mailbox permissions

---

## Session 8 — 2026-03-20 (Remote)

**Focus:** Audit script deployment, GitHub hosting, ScreenConnect Toolbox setup

| Time | Task | Details |
|------|------|---------|
| | Audit script updates | Removed .txt transcript output (JSON only), added hostname to filenames (HOSTNAME_audit_DATE.json) |
| | Script self-relaunch fix | Changed `-Verb RunAs` to `-NoNewWindow -WindowStyle Hidden` for silent ScreenConnect execution |
| | GitHub repo created | Created public repo `Howweird/msp-audit-scripts` with server_audit.ps1, workstation_audit.ps1, README.md |
| | ScreenConnect Toolbox commands | Built commands for: server audit, workstation audit, clear C:\Temp. Documented ScreenConnect 80-char line limit. |
| | ScreenConnect line-wrapping fix | Discovered ScreenConnect silently truncates long lines (~120 chars). Rewrote all commands with URLs in variables, short lines. Added rules to CLAUDE.md. |

---

## Session 9 — 2026-03-20/21/22 (Remote)

**Focus:** Full fleet audit, security remediation, Windows upgrades

| Time | Task | Details |
|------|------|---------|
| | **Full fleet audit** | Ran server + workstation audits on 19 machines (1 server, 18 workstations) via ScreenConnect Toolbox |
| | **Workstation inventory created** | Created `cascades/workstations.md` — full hardware, OS, users, software, security findings for all 18 workstations |
| | **Documentation updates** | Updated cs-server.md (security findings, disk usage, software, share permissions), active-directory.md (functional levels, new users, login activity), antivirus.md (deployment status for all 19 endpoints), hipaa.md (11 new gaps), overview.md (workstation table with audit data) |
| | **Master issue tracker** | Built combined issue tracker (42 items) merging audit findings with all prior issue log entries, organized by severity |
| | **Pro key applied to 4 machines** | ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC — Win 11 Home → Pro via changepk ScreenConnect command |
| | **RDP disabled on 2 machines** | ASSISTMAN-PC and DESKTOP-U2DHAP0 — were exposed without NLA |
| | **AD Recycle Bin enabled** | Was off — deleted objects were unrecoverable |
| | **MachineAccountQuota set to 0** | Was 10 — any domain user could join machines |
| | **RestrictAnonymous set to 1** | Was 0 — null sessions allowed on CS-SERVER |
| | **Stale printer ports cleaned** | Ran cleanup script on all 18 workstations — removed orphan TCP/IP ports |
| | **AutoPatch + Win 11 upgrade pushed** | Created PSWindowsUpdate scheduled tasks on 15 machines (overnight, auto-stop 5AM). Skipped CS-SERVER, RECEPTIONIST-PC, MEMRECEPT-PC |
| | **Win 11 upgrade assistant** | Pushed to eligible Win 10 machines: DESKTOP-LPOPV30, NURSESTATION-PC, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. Also 25H2 upgrade for CRYSTAL-PC, DESKTOP-U2DHAP0, LAPTOP2 |
| | **ScreenConnect Toolbox expanded** | Added commands for: auto-patch, auto-patch+upgrade, stop updates at 5AM, Pro key push, stale printer port cleanup |
| | **Network analysis** | Identified DNS misconfiguration (15 machines pointing to pfSense instead of CS-SERVER), cross-subnet routing issues, printer port IP mismatches |
| | **DirecTV VLAN issue documented** | Older DirecTV boxes can't connect to VLAN networks — must join CSC ENT first for update, then move to CSCNet |
| | **Pro key documented** | Volume license key added to root CLAUDE.md with usage log tracking requirement |

---

## Session 10 — 2026-04-13 (Onsite + Remote)

**Focus:** Workstation upgrades, domain joins, printer setup, AD cleanup, Entra Connect planning, MDM planning

### Workstation Upgrades & Domain Joins

| Task | Details |
|------|---------|
| **DESKTOP-DLTAGOI — Pro upgrade + domain join** | Upgraded Win 11 Home → Pro (manual key — PowerShell method caused Enterprise). Joined to cascades.local. |
| **DESKTOP-DLTAGOI — User setup** | Created domain user Sharon.Edwards (Life Enrichment Assistant). Removed local accounts: casadmin201, rootadmin, local "Sharon Edwards". Disabled system accounts. |
| **DESKTOP-DLTAGOI — Printer cleanup** | Removed all Brother printers. Added Copy Room printer manually. |
| **DESKTOP-ROK7VNM — Pro upgrade + domain join** | New machine (not in previous audit). Upgraded to Pro (manual key). Joined to cascades.local. |
| **DESKTOP-ROK7VNM — User setup** | Created domain user Susan.Hicks (Life Enrichment Director). Removed local accounts: casadmin201, nick, SusanH, Megan Wicker. |
| **MAINTENANCE-PC — Pro upgrade** | Upgraded Win 11 Home → Pro (manual key). Domain join pending. |
| **MAINTENANCE-PC — Disk cleanup** | Cleared SoftwareDistribution, temp files, DISM component cleanup, deleted nick user profile. |
| **Pro key issue documented** | PowerShell `changepk` method from Session 9 caused Enterprise edition on some machines. Manual key entry through Settings is the correct method. |

### Printer Work

| Task | Details |
|------|---------|
| **Room 132 Canon MF741CDW — Factory reset** | Printer was locked out (System Manager ID/PIN unknown). Factory reset successful. |
| **Room 132 Canon — Moved to INTERNAL VLAN** | Connected to CSCNet WiFi, set static IP 10.0.20.94. Previously was 192.168.3.211 on LAN. |
| **Print server planning** | Planned GPO-based printer deployment via CS-SERVER print server. Print Services role check needed. Naming convention: Floor-Room-Model (e.g. 1F-132-RecRoom-Canon). |

### AD Cleanup (on CS-SERVER)

| Task | Details |
|------|---------|
| **Deleted 13 stale accounts** | Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez (disabled/former). Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery (not on HR roster). alyssa.brooks (lowercase duplicate). Lupe.Sanchez (duplicate of Guadalupe). jeff.bristol (replaced by Lauren). |
| **Renamed 5 accounts** | Tamra.Johnson → Tamra.Matthews, Alyssa.Shestko → Alyssa.Brooks, Guadalupe.Sanchez → Lupe.Sanchez, strozzi → Shelby.Trozzi, Christopher.Holik → Christopher.Holick |
| **Removed non-IT from Domain Admins** | Removed Meredith.Kuhn and John.Trozzi. Only Administrator and sysadmin remain. |
| **Deleted root-level duplicate OUs** | 13 empty root-level OUs (confirmed already deleted from previous session). |
| **Created Workstations OU** | OU=Workstations with sub-OUs: Staff PCs, Shared PCs. |
| **Added UPN suffix** | Added cascadestucson.com as UPN suffix to AD forest. |
| **Updated all 33 user UPNs** | Changed from @cascades.local to @cascadestucson.com for Entra Connect SSO readiness. |
| **Created Kyla.QuickTiffany account** | New Resident Services Receptionist. Placed in OU=Resident Services. |
| **Full HR roster imported** | All 32 employees documented with positions, departments, and shared email group assignments. |

### Print Server & GPO Setup

| Task | Details |
|------|---------|
| **Removed Roaming share** | Deleted D:\Roaming and SMB share — unused, replaced by Folder Redirection |
| **Created homes share** | D:\Homes shared as \\CS-SERVER\homes — Domain Admins full, Domain Users change. For Folder Redirection. |
| **RecRoom Canon added to print server** | Added printer port TCP_10.0.20.94, shared as "RecRoom-Canon" using Canon Generic Plus PCL6 driver |
| **CSC - Life Enrichment Printers GPO** | Created and linked to OU=Life Enrichment. RecRoom Canon deployed via Print Management (per user). |
| **CSC - Folder Redirection GPO** | Created and linked to OU=Departments. GPMC Folder Redirection extension broken on CS-SERVER — fdeploy.ini not being created. Worked around using GP Preferences > Registry to set shell folder paths (Desktop, Documents, Downloads → \\CS-SERVER\homes\%USERNAME%\). |
| **Folder Redirection verified** | Tested with Sharon.Edwards — Desktop redirects to \\CS-SERVER\homes\sharon.edwards\Desktop. Documents and Downloads also configured. |
| **Moved 6 PCs to Staff PCs OU** | ACCT2-PC, CRYSTAL-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM moved to OU=Staff PCs,OU=Workstations. CS-QB left in CN=Computers. |
| **Data migration slow** | Robocopy to server limited by Sharon's 72 Mbps WiFi (~8 MB/s). Server storage is two PERC RAID virtual disks (300GB C: + 1.1TB D:), likely spinning SAS. Consider SSD upgrade + hardwiring PCs for speed. |

### Planning & Documentation

| Task | Details |
|------|---------|
| **Entra Connect SSO plan** | Documented full plan in cloud/m365.md — prerequisites, install steps, sync scope. Enables single sign-on: AD login → Office/Edge/Outlook auto-activate. |
| **M365 license optimization** | Planned conversion of 12 role-based accounts to shared mailboxes. 10 staff (drivers, receptionists, courtesy patrol) get AD + SSO but no paid license. Saves ~$137.50/month (11 licenses freed). |
| **ManageEngine MDM** | Account created. Will manage employee Android phones (HIPAA compliance) + 9 kitchen iPads (lockdown/kiosk mode). Created security/mdm.md. |
| **Len's Auto Brokerage (LAB)** | New client folder created. Documented lab-server (Server 2008 SP2, EOL) and DESKTOP-BMBTQLI (HPE MicroServer Gen10 Plus v2, current server). RDP troubleshooting on Server 2008 — CredSSP incompatibility. |

### Billing Summary — Session 10

| Category | Items |
|----------|-------|
| Workstation upgrades (Pro key + domain join) | 3 machines (DLTAGOI, ROK7VNM, MAINTENANCE-PC) |
| User setup + local account cleanup | 3 machines |
| Printer reset + VLAN move + print server | 1 printer factory reset, moved to INTERNAL VLAN, added to print server, deployed via GPO |
| AD cleanup | 13 accounts deleted, 5 renamed, 2 removed from Domain Admins, OU cleanup, UPN migration, 1 new account created |
| GPO setup | 2 GPOs created (Life Enrichment Printers, Folder Redirection). Folder Redirection working via GP Preferences workaround. |
| File server setup | Homes share created, Roaming share removed, 6 PCs moved to Staff PCs OU |
| Infrastructure planning | Entra Connect SSO, M365 license optimization, MDM setup |
| New client setup | Len's Auto Brokerage — folder + initial docs + RDP troubleshooting |

### Session 10b — 2026-04-14 (Remote + Onsite)

**Focus:** Continued Life Enrichment setup, GPO troubleshooting, OneDrive cleanup

| Task | Details |
|------|---------|
| **Narrowed Folder Redirection GPO** | Moved link from OU=Departments to OU=Life Enrichment only. Roll out dept by dept. |
| **Susan.Hicks OneDrive cleanup** | ProfWiz migrated old SusanH profile with OneDrive folder redirection. Fixed shell folders (Desktop, Documents, Downloads, Videos, Pictures, Attachments) back to local %USERPROFILE% paths. Uninstalled OneDrive. |
| **Printer GPO troubleshooting** | Print Management "Deploy with Group Policy" not saving to SYSVOL (same broken GPMC issue as Folder Redirection). Fixed using GP Preferences > Shared Printer instead — \\CS-SERVER\RecRoom-Canon. Printers.xml confirmed in SYSVOL. |
| **Susan data migration** | Robocopy of Susan's data to \\CS-SERVER\homes in progress — slow due to WiFi. |

### Session 10c — 2026-04-14 (Remote)

**Focus:** M365 admin cleanup, MDM planning, ALIS SSO research, proposal

| Task | Details |
|------|---------|
| **Sandra Fish admin removed** | Revoked global admin, blocked sign-in, removed P2 license. sysadmin@cascadestucson.com is now sole global admin. |
| **Entra P2 license freed** | 1 P2 license available for Conditional Access testing when ready. |
| **ALIS SSO confirmed** | ALIS supports Microsoft Entra SSO (Azure AD / Office 365). Requires App Registration in Azure Portal + ALIS App Store config. Users must have matching email in ALIS and Entra. |
| **M365 Business Premium proposal** | Created formal proposal at cascades/proposals/m365-premium-upgrade.md. Net savings of $56.50/mo after shared mailbox cleanup. Covers Intune, Conditional Access, Defender, DLP. |
| **MDM plan documented** | Full 7-phase ManageEngine MDM rollout plan in security/mdm.md. 25 shared Android phones + 9 kitchen iPads. |
| **Folder Redirection GPO narrowed** | Moved from OU=Departments to OU=Life Enrichment only. Roll out dept by dept. |
| **Susan Hicks OneDrive cleanup** | Fixed shell folders pointing to old OneDrive paths after ProfWiz migration. Uninstalled OneDrive. |

### Session 10d — 2026-04-14 (Remote, extended diagnostic — inconclusive)

**Focus:** Try to make Folder Redirection work natively and retire the GP Preferences Registry hack.
| Task | Details |
|------|---------|
| **SYSVOL health verified** | `dcdiag /test:sysvolcheck` passed, SYSVOL permissions correct, writable as admin |
| **FR extension registration confirmed** | `gPCUserExtensionNames` on the old GPO correctly lists `{25537BA6-77A8-11D2-9B6C-0000F8080861}` (FR CSE) |
| **NTFS on D:\Homes hardened** | Removed `BUILTIN\Users ReadAndExecute` inheritance to subfolders/files — was allowing cross-user read of redirected PHI (HIPAA violation). Scoped to "This folder only". CREATOR OWNER Full Control still inherits so each user owns their own home folder. |
| **First diagnosis (WRONG)** | Initially thought GPMC on CS-SERVER was writing FR config to the wrong location (`User\Documents & Settings\fdeploy1.ini` with `FullPath=` + `Flags=1231`). Hypothesized a broken legacy ADMX template. |
| **RSAT installed + tested** | Installed RSAT GPMC on Sharon.Edwards' Win11 PC (`Add-WindowsCapability -Online -Name "Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0"`). Recreated `CSC - Folder Redirection (LE)` GPO from RSAT. |
| **First diagnosis disproven** | RSAT wrote to the **same path** as CS-SERVER's GPMC (`User\Documents & Settings\fdeploy1.ini` with `FullPath=`). Two independent tools writing identical files means that IS the correct modern format. The "Documents & Settings" subfolder and `FullPath=` syntax are NOT legacy — they're the normal modern FR layout. The original GPO was broken simply because the save was incomplete (empty `fdeploy.ini`, stub `fdeploy1.ini` with `Flags=4` and no FullPath). |
| **New GPO linked, old unlinked** | `CSC - Folder Redirection (LE)` linked to OU=Life Enrichment; `CSC - Folder Redirection` unlinked from OU=Life Enrichment (GPO itself kept as 1-week rollback). |
| **FR refuses to commit on Sharon** | At Sharon's logon, FR CSE fires, logs event **1006 "Documents has to be redirected"** with correct path+flags, logs event **1001 "extension finished"**. **No event 1013 (success), no error events.** `User Shell Folders\Personal` stays at `C:\Users\Sharon Edwards\Documents`. Multiple logon cycles don't help. `gpupdate /force` doesn't help. Permissions verified (Sharon has FullControl, write test succeeds). Target path reachable. FR history key (`HKCU\...\History\{25537BA6-...}`) still references OLD unlinked GPO; key is SYSTEM-protected, can't clear from user context. |
| **Investigation parked** | Howard wants to avoid the registry hack as the answer. Captured leading hypothesis + research search terms in plan file `C:\Users\howar\.claude\plans\immutable-imagining-spring.md`. |
| **Documented** | Revised `servers/cs-server.md` "Known Admin Issues" section to correct the earlier wrong theories and accurately describe the silent-no-commit symptom. |

### Where We Left Off (2026-04-14 — Session end, investigation parked)

**Leading hypothesis (needs confirmation via research):**

The FR policy has "Grant user exclusive rights" enabled (Flags=1231, bit 0x1). When the target folder `\\CS-SERVER\homes\sharon.edwards\Documents` already exists with a non-Sharon owner (sysadmin created it during the original registry-hack migration, and we re-created it manually during tonight's diagnostic), FR can't rewrite the folder's ACL to Sharon-only. Documented FR quirk: it logs intent via 1006, then silently aborts without logging anything further to the Operational channel. This matches our exact fingerprint (1006 fires, 1013 never fires, zero errors).

**Fast sanity-check for next session (read-only):**

```powershell
(Get-Acl "D:\Homes\sharon.edwards\Documents").Owner
```

If the owner is anything other than `CASCADES\sharon.edwards`, the hypothesis is strongly supported.

**Search terms Howard will research:**

1. Primary: `Folder Redirection "has to be redirected" event 1006 no 1013 silent no error`
2. Hypothesis-driven: `Folder Redirection "Grant the user exclusive rights" existing folder silently fails ownership`
3. Fallback: `Folder Redirection Windows 10 event 1001 finished but folder not redirected registry`

**If hypothesis confirmed — next steps:**

1. `takeown /F "D:\Homes\sharon.edwards\Documents" /A` then `icacls ... /setowner "CASCADES\sharon.edwards" /T`
2. Clear FR history from elevated context via `HKU\`
3. Sharon log off + on, verify event 1013 fires and Documents redirects
4. If successful, script this across all LE users' homes folders

**If hypothesis wrong — secondary paths to try:**

- Enable FR verbose debug logging (`HKLM\...\Diagnostics\FdeployDebugLevel=0x10`), read `%windir%\debug\usermode\fdeploy.log` for the real skip reason
- Test FR on a brand-new user with no profile history to rule out profile corruption
- If still blocked, fall back to GP Preferences Registry for Documents (as already deployed for Desktop) — documented workaround, not the end state

**Current Sharon state (unchanged tonight):**

- Desktop: `\\CS-SERVER\homes\Sharon.Edwards\Desktop` (working, via original registry hack — no FR involvement)
- Documents: `C:\Users\Sharon Edwards\Documents` (local, FR failed to redirect)
- Downloads: `C:\Users\Sharon Edwards\Downloads` (local)

**Phase D HIPAA hardening** (still pending, after FR is working):

- `Set-SmbShare -Name homes -EncryptData $true -Force` (SMB encryption in transit)
- Enable file access auditing on D:\Homes (§164.312(b) Audit Controls)
- VSS + daily shadow copies on D: (§164.308(a)(7) Contingency Plan)
- Backup D:\Homes to Synology via Windows Server Backup
- Manually set NTFS permissions on D:\Homes (commands ready, not yet run):
  - CREATOR OWNER: full access to own folder only
  - Domain Users: can create
subfolder, cannot access others - Domain Admins: full access - Lock down existing sharon.edwards and susan.hicks folders **D:\Homes NTFS permissions (not yet run):** ``` icacls D:\Homes /inheritance:d icacls D:\Homes /remove "BUILTIN\Users" icacls D:\Homes /grant "CASCADES\Domain Admins:(OI)(CI)F" icacls D:\Homes /grant "CREATOR OWNER:(OI)(CI)F" icacls D:\Homes /grant "CASCADES\Domain Users:(CI)(AD)(RD)" ``` **Data migration script ready (not yet run):** - Copy-only test version (robocopy /L for dry run, remove /L for real copy) - Move version (robocopy /MOVE) for production - Run on each user's machine while logged in as them **Other pending:** - **Printer GPO:** RecRoom Canon added via GP Preferences. Needs gpupdate + re-login test on Sharon/Susan machines. - **Copy Room printer:** Not yet added to print server or GPO. - **MAINTENANCE-PC:** Pro upgraded, domain join + local account cleanup still pending. - **ANN-PC, MDIRECTOR-PC:** Check for Enterprise edition from PowerShell Pro key push. - **M365:** Sandra removed. Shared mailbox conversions pending. Entra Connect pending. Sign BAA. 23 licensed users confirmed. - **MDM:** ManageEngine Phase 1 tenant setup in progress. 25 shared Android phones + 9 kitchen iPads. - **ALIS SSO:** Confirmed Entra support. Needs App Registration in Azure Portal. - **Business Premium proposal:** cascades/proposals/m365-premium-upgrade.md — net -$56.50/mo. - **Len's:** RDP to Server 2008 still failing (CredSSP). - **Server storage:** Likely spinning SAS in Dell R610 — evaluate SSD upgrade.
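The read-only sanity check from "Where We Left Off", generalised across every home folder (the "script this across all LE users" step) and extended to flag any BUILTIN\Users ACE still reaching a per-user folder; this is an added example, not a script from the work log or the Cascades runbooks. It assumes the D:\Homes layout, the CASCADES domain and the folder-name = sAMAccountName convention seen in the log; `Get-HomeOwnerReport` and the `-Fix` switch are this example's own names.

```powershell
# Added example (not from the Cascades work log). Audits every home folder under D:\Homes for
# (a) a Documents subfolder not owned by its user (the "exclusive rights" hypothesis) and
# (b) any BUILTIN\Users ACE reaching the per-user folder (the cross-user PHI read issue).
# -Fix applies the takeown/icacls sequence from the "next steps" list; honours -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$HomesRoot = 'D:\Homes',     # from the log
    [string]$Domain    = 'CASCADES',     # from the log
    [switch]$Fix
)

function Get-HomeOwnerReport {
    param([string]$Root, [string]$Domain)
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $expected = "$Domain\$($dir.Name)"          # assumes folder name == sAMAccountName
        $docs     = Join-Path $dir.FullName 'Documents'
        $owner    = if (Test-Path -LiteralPath $docs) { (Get-Acl -LiteralPath $docs).Owner } else { $null }
        # After the "This folder only" change on D:\Homes, no BUILTIN\Users ACE should be
        # present (inherited or explicit) on any user's folder.
        $usersAce = @((Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })

        [pscustomobject]@{
            User          = $dir.Name
            DocumentsPath = $docs
            Owner         = $owner
            ExpectedOwner = $expected
            OwnerMismatch = ($null -ne $owner) -and ($owner -ne $expected)   # -ne is case-insensitive
            CrossReadRisk = $usersAce.Count -gt 0
        }
    }
}

$report = Get-HomeOwnerReport -Root $HomesRoot -Domain $Domain
$report | Format-Table User, Owner, OwnerMismatch, CrossReadRisk -AutoSize

if ($Fix) {
    foreach ($r in $report | Where-Object OwnerMismatch) {
        if ($PSCmdlet.ShouldProcess($r.DocumentsPath, "set owner to $($r.ExpectedOwner)")) {
            # Same two-step sequence as the "next steps" list: Administrators take ownership,
            # then the tree is handed to the user so FR can apply exclusive rights.
            takeown /F $r.DocumentsPath /A | Out-Null
            icacls $r.DocumentsPath /setowner $r.ExpectedOwner /T | Out-Null
        }
    }
}
```

Run it without `-Fix` first; a row with `OwnerMismatch = True` for sharon.edwards is the "hypothesis strongly supported" outcome described above.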
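The client-side half of the same check, as an added example not taken from the work log: run as the affected user on the client (Sharon's Win11 PC in the log) to confirm the silent-no-commit fingerprint (1006 logged, no 1013, no error events, Documents still local) and to show which GPO the FR history key still references. `Get-FrStatus` is this example's own name; the full path of the Group Policy History key is assumed from the `HKCU\...\History\{25537BA6-...}` reference in the log.

```powershell
# Added example (not from the Cascades work log). Reports the Folder Redirection state for the
# current user and flags the 1006-without-1013 fingerprint described in Session 10d.
param([int]$Hours = 24)

$frCse = '{25537BA6-77A8-11D2-9B6C-0000F8080861}'   # FR CSE GUID, as recorded in the log

function Get-FrStatus {
    param([int]$Hours)
    $filter = @{
        LogName   = 'Microsoft-Windows-Folder Redirection/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports an error when the window holds no events at all
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $ids    = @($events | Select-Object -ExpandProperty Id)

    # Where Explorer currently resolves "Documents" (Get-ItemProperty expands REG_EXPAND_SZ)
    $shell    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $personal = (Get-ItemProperty -Path $shell -Name Personal).Personal

    # Which GPO(s) the FR history still references; full key path is an assumption
    $histKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\$frCse"
    $gpos = if (Test-Path -LiteralPath $histKey) {
        Get-ChildItem -LiteralPath $histKey | ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).DisplayName }
    }

    [pscustomobject]@{
        Intent1006    = $ids -contains 1006                         # "has to be redirected"
        Success1013   = $ids -contains 1013                         # redirect committed
        ErrorEvents   = @($events | Where-Object Level -le 2).Count # Level 1 = Critical, 2 = Error
        DocumentsPath = $personal
        StillLocal    = $personal -like "$env:USERPROFILE\*"
        HistoryGpos   = @($gpos) -join '; '
    }
}

$status = Get-FrStatus -Hours $Hours
$status | Format-List

# The fingerprint from the log: intent logged, no success, no errors, folder still in the local profile.
if ($status.Intent1006 -and -not $status.Success1013 -and $status.ErrorEvents -eq 0 -and $status.StillLocal) {
    Write-Warning "Silent no-commit: FR logged 1006 but never 1013; Documents still at $($status.DocumentsPath)"
}
```

Re-run after the ownership fix and a log off/on; `Success1013 = True` with `StillLocal = False` is the result step 3 of "next steps" is waiting for.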