# G1 AD Hygiene Dry-Run

**Command ID:** 110f0836-9fa7-4773-b82c-e7f0eb9b5bbe
**Exit:** 0
**Completed:** 2026-04-23T03:26:52.186400Z

## STDOUT

```
G1 AD Hygiene - 2026-04-22 20:26:50 -07:00

Host: CS-SERVER

Mode: DRY-RUN (no changes)

Backup dir: D:\Backups\g1-hygiene-2026-04-22-202650



============================================================================

== 0. Pre-state backup (always runs)

============================================================================

[OK]    Exported users-pre.csv

[OK]    Exported groups-pre.csv

[OK]    Exported ous-pre.csv



[OK]    Pre-state saved at D:\Backups\g1-hygiene-2026-04-22-202650

Rollback commands (if needed after execute):

   - proxyAddresses: Set-ADUser from users-pre.csv column ProxyAddresses

   - OU moves: Move-ADObject back to old DistinguishedName

   - Groups created today: Remove-ADGroup (safe since memberless)



============================================================================

== 1. OU=Excluded-From-Sync  +  move 4 role accounts

============================================================================

[WOULD] Create OU=Excluded-From-Sync (ProtectedFromAccidentalDeletion=true)

[WOULD] Move Culinary from OU=Culinary,OU=Departments,DC=cascades,DC=local to OU=Excluded-From-Sync,DC=cascades,DC=local

[WOULD] Move Receptionist from CN=Users,DC=cascades,DC=local to OU=Excluded-From-Sync,DC=cascades,DC=local

[WOULD] Move saleshare from OU=Marketing,OU=Departments,DC=cascades,DC=local to OU=Excluded-From-Sync,DC=cascades,DC=local

[WOULD] Move directoryshare from CN=Users,DC=cascades,DC=local to OU=Excluded-From-Sync,DC=cascades,DC=local



============================================================================

== 2. Populate proxyAddresses (34 users - live data from M365 Graph 2026-04-22)

============================================================================

[WOULD] Allison.Reibschied

       before: <empty>

       after:  SMTP:Allison.Reibschied@cascadestucson.com

       mail=<empty> -> Allison.Reibschied@cascadestucson.com

[WOULD] Alyssa.Brooks

       before: <empty>

       after:  SMTP:alyssa.brooks@cascadestucson.com

       mail=<empty> -> alyssa.brooks@cascadestucson.com

[WOULD] Ashley.Jensen

       before: <empty>

       after:  SMTP:ashley.jensen@cascadestucson.com; smtp:ashley.jenson@cascadestucson.com

       mail=<empty> -> ashley.jensen@cascadestucson.com

[WOULD] britney.thompson

       before: <empty>

       after:  SMTP:Britney.Thompson@cascadestucson.com

       mail=<empty> -> Britney.Thompson@cascadestucson.com

[WOULD] Cathy.Kingston

       before: <empty>

       after:  SMTP:cathy.kingston@cascadestucson.com

       mail=<empty> -> cathy.kingston@cascadestucson.com

[WOULD] Christina.DuPras

       before: <empty>

       after:  SMTP:christina.dupras@cascadestucson.com

       mail=<empty> -> christina.dupras@cascadestucson.com

[WOULD] Christine.Nyanzunda

       before: <empty>

       after:  SMTP:christine.nyanzunda@cascadestucson.com

       mail=<empty> -> christine.nyanzunda@cascadestucson.com

[WOULD] Christopher.Holick

       before: <empty>

       after:  SMTP:christopher.holick@cascadestucson.com

       mail=<empty> -> christopher.holick@cascadestucson.com

[WOULD] Crystal.Rodriguez

       before: <empty>

       after:  SMTP:crystal.rodriguez@cascadestucson.com; smtp:crystal.suszek@cascadestucson.com

       mail=<empty> -> crystal.rodriguez@cascadestucson.com

[WOULD] howard

       before: <empty>

       after:  SMTP:dax.howard@cascadestucson.com; smtp:cara.lespron@cascadestucson.com

       mail=<empty> -> dax.howard@cascadestucson.com

[WOULD] JD.Martin

       before: <empty>

       after:  SMTP:jd.martin@cascadestucson.com

       mail=<empty> -> jd.martin@cascadestucson.com

[WOULD] John.Trozzi

       before: <empty>

       after:  SMTP:john.trozzi@cascadestucson.com

       mail=<empty> -> john.trozzi@cascadestucson.com

[WOULD] Julian.Crim

       before: <empty>

       after:  SMTP:julian.crim@cascadestucson.com

       mail=<empty> -> julian.crim@cascadestucson.com

[WOULD] karen.rossini

       before: <empty>

       after:  SMTP:karen.rossini@cascadestucson.com

       mail=<empty> -> karen.rossini@cascadestucson.com

[WOULD] Kyla.QuickTiffany

       before: <empty>

       after:  SMTP:kyla.quicktiffany@cascadestucson.com

       mail=<empty> -> kyla.quicktiffany@cascadestucson.com

[WOULD] lauren.hasselman

       before: <empty>

       after:  SMTP:lauren.hasselman@cascadestucson.com

       mail=<empty> -> lauren.hasselman@cascadestucson.com

[WOULD] Lois.Lane

       before: <empty>

       after:  SMTP:lois.lane@cascadestucson.com

       mail=<empty> -> lois.lane@cascadestucson.com

[WOULD] Lupe.Sanchez

       before: <empty>

       after:  SMTP:lupe.sanchez@cascadestucson.com

       mail=<empty> -> lupe.sanchez@cascadestucson.com

[WOULD] Matt.Brooks

       before: <empty>

       after:  SMTP:matthew.brooks@cascadestucson.com

       mail=<empty> -> matthew.brooks@cascadestucson.com

[WOULD] Megan.Hiatt

       before: <empty>

       after:  SMTP:megan.hiatt@cascadestucson.com

       mail=<empty> -> megan.hiatt@cascadestucson.com

[WOULD] Meredith.Kuhn

       before: <empty>

       after:  SMTP:meredith.kuhn@cascadestucson.com

       mail=<empty> -> meredith.kuhn@cascadestucson.com

[WOULD] Michelle.Shestko

       before: <empty>

       after:  SMTP:michelle.shestko@cascadestucson.com

       mail=<empty> -> michelle.shestko@cascadestucson.com

[WOULD] Ramon.Castaneda

       before: <empty>

       after:  SMTP:ramon.castaneda@cascadestucson.com; smtp:ramon.castanada@cascadestucson.com; smtp:ramon.casteneda@cascadestucson.com

       mail=<empty> -> ramon.castaneda@cascadestucson.com

[WOULD] Ray.Rai

       before: <empty>

       after:  SMTP:ray.rai@cascadestucson.com

       mail=<empty> -> ray.rai@cascadestucson.com

[WOULD] Richard.Adams

       before: <empty>

       after:  SMTP:richard.adams@cascadestucson.com

       mail=<empty> -> richard.adams@cascadestucson.com

[WOULD] Sebastian.Leon

       before: <empty>

       after:  SMTP:sebastian.leon@cascadestucson.com

       mail=<empty> -> sebastian.leon@cascadestucson.com

[WOULD] Sharon.Edwards

       before: <empty>

       after:  SMTP:sharon.edwards@cascadestucson.com

       mail=<empty> -> sharon.edwards@cascadestucson.com

[WOULD] Shelby.Trozzi

       before: <empty>

       after:  SMTP:Shelby.Trozzi@cascadestucson.com

       mail=<empty> -> Shelby.Trozzi@cascadestucson.com

[WOULD] Sheldon.Gardfrey

       before: <empty>

       after:  SMTP:sheldon.gardfrey@cascadestucson.com

       mail=<empty> -> sheldon.gardfrey@cascadestucson.com

[WOULD] Shontiel.Nunn

       before: <empty>

       after:  SMTP:shontiel.nunn@cascadestucson.com

       mail=<empty> -> shontiel.nunn@cascadestucson.com

[WOULD] Susan.Hicks

       before: <empty>

       after:  SMTP:susan.hicks@cascadestucson.com

       mail=<empty> -> susan.hicks@cascadestucson.com

[WOULD] sysadmin

       before: <empty>

       after:  SMTP:sysadmin@cascadestucson.com

       mail=<empty> -> sysadmin@cascadestucson.com

[WOULD] Tamra.Matthews

       before: <empty>

       after:  SMTP:tamra.matthews@cascadestucson.com; smtp:tamra.johnson@cascadestucson.com

       mail=<empty> -> tamra.matthews@cascadestucson.com

[WOULD] Veronica.Feller

       before: <empty>

       after:  SMTP:veronica.feller@cascadestucson.com

       mail=<empty> -> veronica.feller@cascadestucson.com



============================================================================

== 3. Create 16 SG-* security groups (CA / file-share / break-glass)

============================================================================

[WOULD] Create SG-External-Signin-Allowed (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Members may sign in from outside Cascades building (CA policy target).

[WOULD] Create SG-Caregivers (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: All shift-work caregivers. CA policy target for shared-phone mobile policy.

[WOULD] Create SG-FrontDesk (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Front desk receptionists sharing reception PCs.

[WOULD] Create SG-CourtesyPatrol (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Courtesy patrol staff.

[WOULD] Create SG-Drivers (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Transportation drivers (AD accounts being disabled 2026-04-22 - group retained for history).

[WOULD] Create SG-Management-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\Management file share (Phase 4).

[WOULD] Create SG-Sales-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\SalesDept file share (Phase 4).

[WOULD] Create SG-Culinary-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\Culinary file share (Phase 4).

[WOULD] Create SG-IT-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\IT file share (Phase 4).

[WOULD] Create SG-Receptionist-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\Receptionist file share (Phase 4).

[WOULD] Create SG-Directory-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\directoryshare file share (Phase 4).

[WOULD] Create SG-Server-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\Server share (IT admin, Phase 4).

[WOULD] Create SG-Chat-RW (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Read/write on \\CS-SERVER\chat file share (Phase 4).

[WOULD] Create SG-Office-PHI-External (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Office PHI staff with external sign-in permission (CA policy).

[WOULD] Create SG-Office-PHI-Internal (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Office PHI staff limited to in-building sign-in (CA policy).

[WOULD] Create SG-CA-BreakGlass (Global Security) in OU=Groups,DC=cascades,DC=local

       desc: Break-glass accounts excluded from all Conditional Access policies.



============================================================================

== 4. DisplayName cosmetic fixes (3 users)

============================================================================

[WOULD] Crystal.Rodriguez DisplayName: 'Crystal  Rodriguez' -> 'Crystal Rodriguez'

[WOULD] howard DisplayName: 'howard' -> 'Howard Dax'

[WOULD] Cathy.Kingston DisplayName: 'Cathy.Kingston' -> 'Cathy Kingston'



============================================================================

== 5. Summary

============================================================================

Mode:         DRY-RUN (no changes)

Created:      17

Moved:        4

Updated:      37

Skipped:      0

Errors:       0



Backup dir:   D:\Backups\g1-hygiene-2026-04-22-202650



DRY-RUN complete. To execute:

  1. Review the [WOULD] lines above

  2. Re-run this script with $doExecute = $true

  3. Compare post-state vs pre-state CSVs in the backup dir



Completed at 2026-04-22 20:26:51 -07:00


```

stderr:
```

```