---
name: Cascades history — fdeploy root cause, CA rescoping decision, design rationale
description: Detail and rationale behind the active Cascades rules — fdeploy 502/ACL root cause and the Flags=1211→187 fix, the 2026-04-29 CA-policy rescoping decision (Howard pulled the brakes on tenant-wide rollout), and the per-user security-group decision. Read on-demand when judging an edge case or revisiting a design decision.
type: project
---

This file is the rationale archive for [[project_cascades]] and [[feedback_cascades]]. Read on-demand.

---

## fdeploy folder-redirection root cause (the "stuck forever" failure)

**Symptom:** new Cascades user logs in, folder redirection silently doesn't take effect. fdeploy logs "no changes detected" indefinitely.

**Root cause:** `fdeploy1.ini` had `Flags=1211`, which includes **Grant Exclusive Rights** (bit `0x400`). The Homes share grants `Domain Users = Change`, which excludes `WRITE_DAC`. fdeploy fails to set NTFS on new subfolders → logs 502 → **caches the failure** and never retries.

**Fix:** changed to `Flags=187` in:

```
{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini
```

on CS-SERVER.

**Why both GUID and legacy registry keys matter at the client side:** Downloads has no legacy-name key, so GUID alone works. Documents / Music / Pictures have BOTH `{GUID}` AND `Personal` / `My Music` / `My Pictures`. Windows reads the legacy key for the actual shell folder — GUID alone is insufficient. The recovery script `fix-shell-redirect.ps1` sets both.

---

## CA policy rescoping decision (2026-04-29)

The original §5 design in `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` and the resume-point in `2026-04-29-howard-cascades-bypass-pilot-phase-b-buildout.md` both implied a **tenant-wide cutover**.

Howard pulled the brakes on 2026-04-29 after spotting that policies #1, #2, #3 in the original design hit ALL users — they would have blocked any office user signing in off-site who wasn't in `SG-External-Signin-Allowed`. The replay he pasted contained the correct rescoping:

> *"Re-scope the new policies so they only target the pilot group initially, and roll out to other groups one at a time later."*

**Why phased:** preserves today's behavior for everyone except the pilot group while we validate the bypass mechanics. Tenant-wide cutover would have been a regression risk for office staff.

**Operational application of this decision** is captured in [[project_cascades]] "CA caregiver pilot — phased, group-scoped". Treat any "let's just push it tenant-wide now that the pilot worked" suggestion as a regression of this decision and flag it.

---

## Per-user security-group decision (2026-05-14)

Howard explicitly **declined** an `OU=Caregivers` → `SG-Caregivers` auto-mirror script. Security-group membership controls access + CA-policy coverage; that decision should stay deliberate and reviewed per user, never automated away.

OU placement is mechanical (controls Entra Connect sync scope). Group membership is an access-control decision and must be conscious.

The active rule that comes from this is in [[feedback_cascades]] §2.

---

## Pilot cleanup obligations (forward-looking)

The Cascades caregiver shared-phone bypass pilot (Path B, cloud-only) uses temporary pilot artifacts. At pilot wrap, all must be cleaned up — checklist lives in [[project_cascades]] "Pilot cleanup checklist".

Originally flagged by Howard 2026-04-29 with the explicit "all pilot artifacts must be cleaned up" direction (clean tenant hygiene + license recovery: Business Premium seat returned to the 34-spare pool).
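---

## Added example: auditing fdeploy flags against the share permission

The following Python audit is an added example for the fdeploy root cause section above; it is not `fix-shell-redirect.ps1` and not a file from CS-SERVER. It decodes each redirected folder's `Flags` value, checks whether the Grant Exclusive Rights bit (`0x400`) is set while the target share's permission level lacks `WRITE_DAC`, and produces the corrected value (1211 → 187 for the incident). The `[FolderStatus]` layout with one `Folder=Flags` line per redirected folder is an assumption to verify against the real `fdeploy1.ini`, the ini text below is constructed, and the real file should be decoded first (GPO ini files are typically UTF-16; check the BOM) before its text is passed in.

```python
"""Audit Folder Redirection flags against the target share's permission level.

Added example (not project code). Flags a folder whose fdeploy Flags value
requests Grant Exclusive Rights (0x400) when the share cannot grant WRITE_DAC,
which is the combination that made fdeploy log 502 and cache the failure.
The [FolderStatus] layout is an assumption; SAMPLE_INI is constructed.
"""
import configparser
import re

# Folder Redirection flag bit named in the root-cause note: Grant Exclusive Rights.
FLAG_GRANT_EXCLUSIVE = 0x400

# Windows access-mask bits (winnt.h constants).
DELETE = 0x00010000
WRITE_DAC = 0x00040000            # right to rewrite an object's DACL
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_WRITE = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_ALL_ACCESS = 0x001F01FF

# SMB share permission levels expressed as access masks. "Change" carries no
# WRITE_DAC, so fdeploy cannot set exclusive NTFS rights on a new subfolder.
SHARE_LEVELS = {
    "Read": FILE_GENERIC_READ | FILE_GENERIC_EXECUTE,
    "Change": FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETE,
    "Full Control": FILE_ALL_ACCESS,
}

# Constructed sample resembling the pre-fix state: Documents carries 1211
# (bit 0x400 set); Downloads already carries the safe value 187.
SAMPLE_INI = """\
[FolderStatus]
Documents=1211
Downloads=187
"""


def parse_folder_status(ini_text: str) -> dict[str, int]:
    """Return {folder_name: flags} from the [FolderStatus] section (assumed layout)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep folder-name case exactly as written
    cp.read_string(ini_text)
    if not cp.has_section("FolderStatus"):
        return {}
    return {name: int(value) for name, value in cp.items("FolderStatus")}


def audit(ini_text: str, share_level: str) -> list[tuple[str, int, int]]:
    """List (folder, current_flags, corrected_flags) for each folder whose flags
    request exclusive rights on a share level that cannot grant WRITE_DAC."""
    share_mask = SHARE_LEVELS[share_level]
    can_set_dacl = bool(share_mask & WRITE_DAC)
    findings = []
    for folder, flags in parse_folder_status(ini_text).items():
        wants_exclusive = bool(flags & FLAG_GRANT_EXCLUSIVE)
        if wants_exclusive and not can_set_dacl:
            findings.append((folder, flags, flags & ~FLAG_GRANT_EXCLUSIVE))
    return findings


def apply_fix(ini_text: str, findings: list[tuple[str, int, int]]) -> str:
    """Rewrite only the flagged Folder=Flags lines; every other line stays verbatim."""
    corrected = {folder: new for folder, _old, new in findings}
    out = []
    for line in ini_text.splitlines():
        m = re.fullmatch(r"\s*([^=;#\s][^=]*?)\s*=\s*(\d+)\s*", line)
        if m and m.group(1) in corrected:
            line = f"{m.group(1)}={corrected[m.group(1)]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = audit(SAMPLE_INI, "Change")
    for folder, old, new in findings:
        print(f"{folder}: Flags={old} sets 0x400 but share is Change; use Flags={new}")
    print(apply_fix(SAMPLE_INI, findings), end="")
```

Run against the decoded text of the real ini with the share level the Homes share actually grants (`Change` for Domain Users, per the note above). The two fixes the page describes are alternatives the audit makes explicit: either clear bit `0x400` in the ini, or raise the share permission to a level that carries `WRITE_DAC`; the audit reports nothing for `Full Control` because fdeploy could then set the NTFS rights it was asked for.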