# Step 4: Server Preparation — AD & Shares (~4-6 hours, remote via ScreenConnect)

**No user impact — server-side work only.**

---

## 4a — DNS cleanup

Run `scripts/phase2-dns-cleanup.ps1` on CS-SERVER. Actions:

- Remove stale A records pointing to old IPs (192.168.0.5, 192.168.2.59, etc.)
- Fix DomainDnsZones/ForestDnsZones records to point to 192.168.2.254
- Enable DNS scavenging (7-day interval)
- Enable aging on cascades.local zone
- Create reverse lookup zones for 192.168.0.0/22 and 10.0.20.0/24

**Verify after:** `nslookup cs-server.cascades.local` should return only 192.168.2.254.

---

## 4b — AD cleanup

Run `scripts/phase2-ad-setup.ps1` on CS-SERVER.

### Security fixes (immediate)

- Remove disabled Monica.Ramirez from **Domain Admins** group
- Disable Haris.Durut (still enabled, no longer employed)
- Rename "Quickboosk acccess" group → "QuickBooks Access"
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)

### OU cleanup

- Fix misspelled OU: "Managment" → "Management"
- Create OU structure: `Workstations\Staff PCs`

### Security groups (created and populated with members)

| Group | Members |
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |

### Account removals (client confirmed)

**Already disabled — delete:**

- Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol

**Still enabled — disable + delete (not in HR list, former employees):**

- Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery

**Keep:** lauren.hasselman (took over Bristol's role as Business Office Director)

### Move computers to Workstations OU

- CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081

---

## 4c — Sync data from Synology NAS — DONE 2026-03-07

~~Run `scripts/phase2-sync-synology.ps1` on CS-SERVER.~~

**Synology Drive Client** reinstalled on CS-SERVER and configured for live sync to `D:\Shares\Main`. All Synology shares sync continuously to this location.

- **Sync method:** Synology Drive Client (live, ongoing sync)
- **Sync destination:** `D:\Shares\Main` on CS-SERVER
- **Direction:** Synology → CS-SERVER (one-way)

### Synology shares visible via SMB (2026-03-07 audit)

| Synology Share | Size | Syncing to `D:\Shares\Main` |
|---|---|---|
| `homes` | 228.14 GB | Yes |
| `Public` | 50.15 GB | Yes |
| `SalesDept` | 12.61 GB | Yes |
| `Server` | 1.84 GB | Yes |
| `Management` | 1.4 GB | Yes |
| `chat` | 0 GB (empty) | Yes |
| `home` | 0 GB (empty) | Yes |

**Total:** ~294 GB syncing. D: had 635 GB free — sufficient.

### Shares NOT visible via SMB

| Synology Share | Notes |
|---|---|
| `Activities` | Not shared via SMB — may be internal Synology folder or removed |
| `pacs` | Not shared via SMB — verify on Synology DSM |
| `Sandra Fish` | Not shared via SMB — verify on Synology DSM |
| `web` | Not shared via SMB — verify on Synology DSM |

**Note:** Synology uses local accounts (not AD-joined). Authenticated from CS-SERVER via `net use \\192.168.0.120 /user:admin`.

Already on CS-SERVER (no sync needed): Culinary, IT, Receptionist, directoryshare

`SaleShare` is the old/duplicate folder — ignore it. `SalesDept` is the real one.

---

## 4d — Set up file share permissions (HIPAA: access control + audit)

Run `scripts/phase2-file-shares.ps1` on CS-SERVER (AFTER sync completes).
Creates SMB shares for synced folders and sets NTFS permissions matching Synology access.

**HIPAA §164.312(b):** After shares are created, enable Advanced Audit Logging on all PHI-containing shares (Management, Server, homes) to track read/write/delete operations.

**Prerequisite (added 2026-04-22 per `docs/security/hipaa-review-2026-04-22.md` + user-rollout dependency):** Before this script runs, the Synology permission inventory must be captured and translated to AD security group memberships. See `docs/migration/phase4-synology.md` §6.0.1–6.0.2 for the discovery commands and `docs/migration/synology-permission-inventory.md` (to be created) for the mapping output.

**HIPAA-review additions (must be applied as part of this phase, not deferred):**

- `Set-SmbShare -EncryptData $true` on every share in the table — satisfies Addressable specs §164.312(a)(2)(iv) at-rest and §164.312(e)(2)(ii) in-transit encryption
- NTFS SACL (audit rule) set to audit Success + Failure for ReadData / WriteData / Delete / ChangePermissions on all PHI shares — satisfies Required spec §164.312(b) Audit Controls
- See `phase4-synology.md` §6.0.3 for the exact PowerShell

| Share | NTFS Access | SMB Share |
|---|---|---|
| Management | SG-Management-RW = Modify | `\\CS-SERVER\Management` |
| SalesDept | SG-Sales-RW = Modify | `\\CS-SERVER\SalesDept` |
| Server | SG-Server-RW = Modify | `\\CS-SERVER\Server` |
| chat | SG-Chat-RW = Modify | `\\CS-SERVER\chat` |
| Public | Authenticated Users = Modify | `\\CS-SERVER\Public` |
| Culinary | SG-Culinary-RW = Modify | `\\CS-SERVER\Culinary` (exists) |
| IT | SG-IT-RW = Modify | `\\CS-SERVER\IT` (exists) |
| Receptionist | SG-Receptionist-RW = Modify | `\\CS-SERVER\Receptionist` (exists) |
| directoryshare | SG-Directory-RW = Modify | `\\CS-SERVER\directoryshare` (exists) |
| homes | CREATOR OWNER = Full (subfolder) | `\\CS-SERVER\homes` (ABE enabled) |

All shares also get: Domain Admins = Full Control, SYSTEM = Full Control.
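The 4a actions as an added PowerShell example (this is not the project's `phase2-dns-cleanup.ps1`; it is written here against the DnsServer module). Assumptions: the zone is `cascades.local`, the DC's current address is 192.168.2.254, and `$StaleIPs` holds the addresses to purge (the two the section names; extend as needed). Record removal in step 1 runs with `-WhatIf` so the listing can be reviewed before anything is deleted.

```powershell
# Added example, not the project's phase2-dns-cleanup.ps1. Run on CS-SERVER as a Domain Admin.
Import-Module DnsServer

$Zone     = 'cascades.local'              # assumed zone name
$ServerIP = '192.168.2.254'               # current DC address from 4a
$StaleIPs = @('192.168.0.5', '192.168.2.59')   # retired addresses; extend with the rest

function Get-RecordIP($rr) { $rr.RecordData.IPv4Address.IPAddressToString }

# 1. List, then remove, A records that still point at retired addresses.
#    Drop -WhatIf once the listing has been reviewed.
$stale = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { (Get-RecordIP $_) -in $StaleIPs }
$stale | Select-Object HostName, @{ n = 'IP'; e = { Get-RecordIP $_ } } | Format-Table -AutoSize
foreach ($rr in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $Zone -InputObject $rr -Force -WhatIf
}

# 2. The DC's own name and the application-partition names resolve only to the current IP.
foreach ($name in 'cs-server', 'DomainDnsZones', 'ForestDnsZones') {
    $current = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue)
    foreach ($rr in ($current | Where-Object { (Get-RecordIP $_) -ne $ServerIP })) {
        Remove-DnsServerResourceRecord -ZoneName $Zone -InputObject $rr -Force
    }
    if (-not ($current | Where-Object { (Get-RecordIP $_) -eq $ServerIP })) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $ServerIP
    }
}

# 3. Scavenging: 7-day server interval, aging on the zone so stale dynamic records expire.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# 4. Reverse lookup zones. 192.168.0.0/22 is created as four /24 zones so every zone name
#    sits on an octet boundary; 10.0.20.0/24 is created as-is.
$networks = @('10.0.20.0/24') + (0..3 | ForEach-Object { "192.168.$($_).0/24" })
foreach ($net in $networks) {
    $o = ($net -split '/')[0] -split '\.'
    $zoneName = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
    if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
    }
}

# 5. The 4a check: cs-server must come back with exactly one address, 192.168.2.254.
$answers = @(Resolve-DnsName "cs-server.$Zone" -Type A -Server $ServerIP | Where-Object IPAddress).IPAddress
if ((($answers | Sort-Object -Unique) -join ',') -eq $ServerIP) { "DNS OK: cs-server -> $ServerIP" }
else { Write-Warning "cs-server still resolves to: $($answers -join ', ')" }
```

Step 2 is the one that matters for the `nslookup` check at the end of 4a: a leftover A record for `cs-server` on an old IP is what makes the lookup return two answers, and the DomainDnsZones/ForestDnsZones names are what other DCs and clients use to find the application partitions.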
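The 4b actions as an added PowerShell example (not the project's `phase2-ad-setup.ps1`). Assumptions: the domain DN is `DC=cascades,DC=local`, the `SG-*` groups are created under an `OU=Groups` container that is a guess, and the misspelled "Managment" OU sits directly under the domain root. Every account that is deleted is exported to XML first, so the Rollback section at the end of this step has something to work from even if the AD Recycle Bin is not enabled.

```powershell
# Added example, not the project's phase2-ad-setup.ps1. Run on CS-SERVER as a Domain Admin.
Import-Module ActiveDirectory

$DomainDN = 'DC=cascades,DC=local'
$GroupOU  = "OU=Groups,$DomainDN"                                  # assumed location for SG-* groups
$Backup   = "C:\Migration\ad-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# Deletions are only reversible in-directory when the AD Recycle Bin is on; say so up front.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { Write-Warning 'AD Recycle Bin is OFF: deletions below rely on the XML exports only' }

# --- Security fixes (immediate) ---
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'Monica.Ramirez' -Confirm:$false
Disable-ADAccount -Identity 'Haris.Durut'
$qb = Get-ADGroup -Filter "Name -eq 'Quickboosk acccess'"
if ($qb) {
    Rename-ADObject -Identity $qb.DistinguishedName -NewName 'QuickBooks Access'
    Set-ADGroup -Identity $qb.ObjectGUID -SamAccountName 'QuickBooks Access' -DisplayName 'QuickBooks Access'
}
Add-ADGroupMember -Identity 'QuickBooks Access' -Members 'lauren.hasselman'

# --- OU cleanup ---
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Managment'" -SearchBase $DomainDN
if ($ou) { Rename-ADObject -Identity $ou.DistinguishedName -NewName 'Management' }
foreach ($pair in @(@('Workstations', $DomainDN), @('Staff PCs', "OU=Workstations,$DomainDN"))) {
    $name, $path = $pair
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $path -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $path
    }
}

# --- Security groups: name => members, straight from the 4b table ---
$groups = [ordered]@{
    'SG-Management-RW'   = 'Meredith.Kuhn','Ashley.Jensen','Megan.Hiatt','Crystal.Rodriguez','Tamra.Matthews','britney.thompson','Veronica.Feller','strozzi','Alyssa.Brooks','lauren.hasselman'
    'SG-Sales-RW'        = 'Megan.Hiatt','Crystal.Rodriguez','Tamra.Matthews'
    'SG-Server-RW'       = 'Ashley.Jensen','britney.thompson','Christina.DuPras','Veronica.Feller','Meredith.Kuhn'
    'SG-Chat-RW'         = 'Ashley.Jensen','britney.thompson','Veronica.Feller'
    'SG-Culinary-RW'     = 'JD.Martin','Ramon.Castaneda','Alyssa.Brooks'
    'SG-IT-RW'           = 'howard','sysadmin'
    'SG-Receptionist-RW' = 'Cathy.Kingston','Shontiel.Nunn','Ray.Rai','Sebastian.Leon','Michelle.Shestko'
    'SG-Directory-RW'    = 'Cathy.Kingston','Shontiel.Nunn','Christina.DuPras'
    'SG-AllShares-RO'    = @()
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    foreach ($m in $groups[$g]) {
        # Add only existing, enabled accounts; report the rest rather than failing mid-loop.
        $u = Get-ADUser -Filter "sAMAccountName -eq '$m'"
        if ($u -and $u.Enabled) { Add-ADGroupMember -Identity $g -Members $u }
        else { Write-Warning "${g}: skipping '$m' (not found or disabled)" }
    }
}

# --- Account removals (client confirmed) ---
$deleteNow     = 'Anna.Pitzlin','Nela.Durut-Azizi','Jodi.Ramstack','Monica.Ramirez','jeff.bristol'
$disableDelete = 'Haris.Durut','Nuria.Diaz','Cathy.Reece','Kelly.Wallace','alyssa.brooks','Isabella.Islas','ann.dery'
foreach ($sam in ($deleteNow + $disableDelete)) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties *
    if (-not $u) { Write-Warning "not found: $sam"; continue }
    $u | Export-Clixml -Path (Join-Path $Backup "$sam.xml")    # rollback material: attributes + memberOf
    if ($u.Enabled) { Disable-ADAccount -Identity $u }
    Remove-ADUser -Identity $u -Confirm:$false
}

# --- Move computers into the Workstations OU ---
foreach ($pc in 'CRYSTAL-PC','ACCT2-PC','DESKTOP-H6QHRR7','DESKTOP-1ISF081') {
    $c = Get-ADComputer -Filter "Name -eq '$pc'"
    if ($c) { Move-ADObject -Identity $c.DistinguishedName -TargetPath "OU=Workstations,$DomainDN" }
    else    { Write-Warning "computer not found: $pc" }
}
```

The group-population loop skips disabled or missing accounts and warns instead of stopping, which is also how the overlap between the membership table and the removal list surfaces: any name that appears in both is reported at the point it is skipped rather than silently dropped.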
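The 4d share build as an added PowerShell example (not the project's `phase2-file-shares.ps1`): one function that applies what the table and the HIPAA-review additions describe, then the table-driven calls for the new shares. Assumptions: synced folders live under `D:\Shares\Main`, the NetBIOS domain is `CASCADES`, the share-level ACL is Authenticated Users = Change (the page specifies only NTFS access), and the `homes` root ACL follows the usual folder-redirection root pattern (Authenticated Users may list and create their own folder only, CREATOR OWNER gets Full Control below it). `EncryptData` encrypts the SMB sessions to each share, and the SACL only yields events once the File System audit subcategory is on, so both are handled here.

```powershell
# Added example, not the project's phase2-file-shares.ps1. Run on CS-SERVER as a Domain Admin.
function New-SecuredShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string]$ModifyGroup,            # e.g. CASCADES\SG-Management-RW; omit for homes
        [switch]$HomesRoot,              # per-user subfolders owned by their creator
        [switch]$AccessBasedEnumeration, # ABE, asked for on homes
        [switch]$Audit                   # PHI shares: Management, Server, homes
    )
    if (-not (Test-Path $Path)) { throw "missing folder: $Path (has the Synology sync finished?)" }

    function New-Ace($who, $rights, $inherit, $prop) {
        New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rights, $inherit, $prop, 'Allow')
    }
    $sub = 'ContainerInherit,ObjectInherit'

    # --- NTFS: break inheritance, drop explicit ACEs, then set exactly what the table says ---
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($r) }
    $acl.AddAccessRule((New-Ace 'CASCADES\Domain Admins' 'FullControl' $sub 'None'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $sub 'None'))
    if ($HomesRoot) {
        # Assumed redirection-root pattern: users can see the root and create their own folder only.
        $acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ListDirectory,CreateDirectories,ReadAttributes' 'None' 'None'))
        $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' $sub 'InheritOnly'))
    } elseif ($ModifyGroup) {
        $acl.AddAccessRule((New-Ace $ModifyGroup 'Modify' $sub 'None'))
    }
    if ($Audit) {
        # SACL from the HIPAA-review list: Success + Failure on read/write/delete/permission change.
        $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData,WriteData,Delete,ChangePermissions', $sub, 'None', 'Success,Failure')))
    }
    Set-Acl -Path $Path -AclObject $acl

    # --- SMB: create (or reuse) the share, then enforce encryption and the enumeration mode ---
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # Assumed share-level ACL; effective access is then governed by the NTFS ACL above.
        New-SmbShare -Name $Name -Path $Path -FullAccess 'CASCADES\Domain Admins' `
            -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }
    $mode = if ($AccessBasedEnumeration) { 'AccessBased' } else { 'Unrestricted' }
    Set-SmbShare -Name $Name -EncryptData $true -FolderEnumerationMode $mode -Force
}

$base = 'D:\Shares\Main'
New-SecuredShare -Name Management -Path "$base\Management" -ModifyGroup 'CASCADES\SG-Management-RW' -Audit
New-SecuredShare -Name SalesDept  -Path "$base\SalesDept"  -ModifyGroup 'CASCADES\SG-Sales-RW'
New-SecuredShare -Name Server     -Path "$base\Server"     -ModifyGroup 'CASCADES\SG-Server-RW' -Audit
New-SecuredShare -Name chat       -Path "$base\chat"       -ModifyGroup 'CASCADES\SG-Chat-RW'
New-SecuredShare -Name Public     -Path "$base\Public"     -ModifyGroup 'NT AUTHORITY\Authenticated Users'
New-SecuredShare -Name homes      -Path "$base\homes"      -HomesRoot -AccessBasedEnumeration -Audit
# Culinary, IT, Receptionist and directoryshare already exist; run the function on their real paths
# if their NTFS ACLs need aligning, otherwise just: Set-SmbShare -Name <share> -EncryptData $true -Force

# The SACL produces 4663/4660 events only when the "File System" subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Quick check that encryption and ABE actually stuck.
Get-SmbShare | Where-Object Path -like "$base*" | Select-Object Name, EncryptData, FolderEnumerationMode
```

The `auditpol` line is a local setting; if a security GPO later sets Advanced Audit Policy, the GPO value wins, so the Object Access > File System subcategory should also go into the baseline GPO when it is built. `Set-Acl` writing a SACL needs SeSecurityPrivilege, which an elevated Domain Admin session has.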
---

## 4e — Set up print server

Run `scripts/phase2-print-server.ps1` on CS-SERVER.

Creates TCP/IP printer ports for each printer. Drivers must be downloaded separately from manufacturer websites and installed manually, then the script can create the shared printers.

| Printer | IP | Driver Source |
|---------|-----|---------------|
| Front Desk - Epson ET-5800 | 192.168.2.147 | epson.com |
| Business Office - Canon MF455DW | 192.168.3.227 | canon.com |
| Marketing - Brother MFC-L8900CDW | 192.168.2.21 | brother.com |
| 206 Health - Brother MFC-L8900CDW | 192.168.1.138 | brother.com |
| MemCare MedTech - Brother MFC-L8900CDW | 192.168.2.53 | brother.com |
| MemCare Director - Canon MF451CDW | 192.168.3.52 | canon.com |
| Kitchen Printer | 192.168.0.121 | _TBD_ |

**Test:** Print a test page from CS-SERVER to each shared printer before deploying via GPO.

---

## 4f — Create GPOs (DO NOT link yet)

### GPO 1: "CSC - Drive Mappings"

User Configuration → Preferences → Drive Maps

| Drive | Path | Targeting |
|-------|------|-----------|
| S: | `\\CS-SERVER\Shares` | All domain users |
| M: | `\\CS-SERVER\Management` | SG-Management-RW members |
| T: | `\\CS-SERVER\SalesDept` | SG-Sales-RW members |
| K: | `\\CS-SERVER\Culinary` | SG-Culinary-RW members |
| I: | `\\CS-SERVER\IT` | SG-IT-RW members |
| R: | `\\CS-SERVER\Receptionist` | SG-Receptionist-RW members |
| P: | `\\CS-SERVER\Public` | All domain users |

Use Item-Level Targeting → Security Group for department-specific drives.

### GPO 2: "CSC - Printer Deployment"

Computer Configuration → Preferences → Printers

Deploy shared printers with Item-Level Targeting by computer name or security group:

- `\\CS-SERVER\FrontDesk-Epson` → Front desk PCs
- `\\CS-SERVER\BizOffice-Canon` → Accounting PCs
- `\\CS-SERVER\Marketing-Brother` → Marketing group
- (etc.)
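The 4e print-server build as an added PowerShell example (not the project's `phase2-print-server.ps1`), driven by the printer table above. Assumptions: the driver names are placeholders to be replaced with the exact strings `Get-PrinterDriver` reports after the vendor packages are installed, and the share names beyond the three that GPO 2 already lists (`FrontDesk-Epson`, `BizOffice-Canon`, `Marketing-Brother`) are invented here. Printers whose driver is not installed are skipped with a warning, which is how the Kitchen Printer stays out until its driver is known.

```powershell
# Added example, not the project's phase2-print-server.ps1. Run on CS-SERVER as a local admin.
# Driver strings are placeholders: copy the real ones from (Get-PrinterDriver).Name.
$printers = @(
    @{ Share = 'FrontDesk-Epson';        Name = 'Front Desk - Epson ET-5800';             IP = '192.168.2.147'; Driver = 'EPSON ET-5800 Series' }
    @{ Share = 'BizOffice-Canon';        Name = 'Business Office - Canon MF455DW';        IP = '192.168.3.227'; Driver = 'Canon MF455dw' }
    @{ Share = 'Marketing-Brother';      Name = 'Marketing - Brother MFC-L8900CDW';       IP = '192.168.2.21';  Driver = 'Brother MFC-L8900CDW' }
    @{ Share = '206Health-Brother';      Name = '206 Health - Brother MFC-L8900CDW';      IP = '192.168.1.138'; Driver = 'Brother MFC-L8900CDW' }
    @{ Share = 'MemCareMedTech-Brother'; Name = 'MemCare MedTech - Brother MFC-L8900CDW'; IP = '192.168.2.53';  Driver = 'Brother MFC-L8900CDW' }
    @{ Share = 'MemCareDir-Canon';       Name = 'MemCare Director - Canon MF451CDW';      IP = '192.168.3.52';  Driver = 'Canon MF451dw' }
    # Kitchen Printer (192.168.0.121): model and driver still TBD, add a row once known
)

$installed = @(Get-PrinterDriver).Name
foreach ($p in $printers) {
    if ($p.Driver -notin $installed) {
        Write-Warning "$($p.Name): driver '$($p.Driver)' not installed, skipping"
        continue
    }
    # One standard TCP/IP port per device, named after its address so it is easy to audit later.
    $port = "IP_$($p.IP)"
    if (-not (Get-PrinterPort -Name $port -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $port -PrinterHostAddress $p.IP
    }
    if (-not (Get-Printer -Name $p.Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $p.Name -DriverName $p.Driver -PortName $port -Shared -ShareName $p.Share
    }
    # The 4e test: push a test page through the new queue from the server itself.
    Get-CimInstance Win32_Printer -Filter "Name='$($p.Name)'" |
        Invoke-CimMethod -MethodName PrintTestPage | Out-Null
}

# What GPO 2 will be able to deploy.
Get-Printer | Where-Object Shared | Select-Object Name, ShareName, PortName, DriverName
```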
### GPO 3: "CSC - Security Baseline"

Computer Configuration → Security Settings

| Setting | Value |
|---------|-------|
| Min password length | 12 characters |
| Password complexity | Enabled |
| Max password age | 90 days |
| Password history | 10 |
| Account lockout threshold | 5 attempts |
| Account lockout duration | 30 minutes |
| Lockout counter reset | 30 minutes |
| Screen lock timeout | 15 minutes |
| Windows Firewall | All profiles ON |

### GPO 4: "CSC - Windows Update"

Computer Configuration → Admin Templates → Windows Update

- Auto download + scheduled install
- Schedule: Sundays at 3:00 AM
- No auto-restart with logged-on users

### GPO 6: "CSC - Shared Workstation"

Linked to: `OU=Shared PCs,OU=Workstations,DC=cascades,DC=local`

Applies only to machines in the Shared PCs OU. Uses Item-Level Targeting by computer name so different shared PCs get different printers/drives/mailboxes.

**User Configuration → Preferences → Drive Maps**

| Drive | Path | ILT |
|-------|------|-----|
| R: | `\\CS-SERVER\Receptionist` | Computer Name = [TBD — front desk PC] |

**User Configuration → Preferences → Printers**

| Printer | Set Default | ILT |
|---------|-------------|-----|
| `\\CS-SERVER\FrontDesk-Epson` | Yes | Computer Name = [TBD — front desk PC] |

**User Configuration → Admin Templates → Microsoft Outlook 2016 → Account Settings → Exchange**

| Setting | Value |
|---------|-------|
| Cached Exchange Mode | Disabled (forces Online Mode) |

Online mode prevents shared mailbox data from caching on every shared PC — important when multiple users rotate through the same machine.
**User Configuration → Preferences → Registry**

Auto-mount shared mailbox via registry (only on targeted shared PCs):

| Key Path | Value | Data | ILT |
|----------|-------|------|-----|
| `HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002` | `001f6610` | `reception@[tenant-domain]` | Computer Name = [TBD] |

> **Note:** The registry path above is a placeholder — the exact profile key varies per installation. The shared mailbox SMTP address depends on the M365 tenant domain (Step 3 blocker). Computer names will be filled in after the onsite visit identifies which PCs are shared.

**Onsite TODO (before this GPO is functional):**

- [ ] Identify shared workstation computer names and roles
- [ ] Move shared PCs into `OU=Shared PCs,OU=Workstations`
- [ ] Fill in ILT computer names above
- [ ] Create shared mailbox in M365 (see Step 4 in shared workstation plan)
- [ ] Document user-to-shared-PC rotation matrix
- [ ] Test: log into shared PC → verify R: drive, default printer, and shared mailbox appear
- [ ] Test: log into normal PC → verify reception drive/printer/mailbox do NOT appear

---

### GPO 5: "CSC - Folder Redirection"

User Configuration → Policies → Windows Settings → Folder Redirection

| Folder | Redirect to | Setting |
|--------|------------|---------|
| Desktop | `\\CS-SERVER\homes\%username%\Desktop` | Basic, create folder |
| Documents | `\\CS-SERVER\homes\%username%\Documents` | Basic, create folder |
| Downloads | `\\CS-SERVER\homes\%username%\Downloads` | Basic, create folder |

Settings:

- Grant user exclusive rights: **Yes**
- Move contents to new location: **Yes** (first time only)
- Policy removal: Leave contents
- Also applies to Windows 10/11

This replaces roaming profiles — user data lives on the server but profiles stay local (fast logon, no corruption issues).
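GPO 3 and GPO 4 from 4f as an added PowerShell example (not the project's own GPO build): both GPOs are created with the GroupPolicy module and left unlinked, as the section heading requires. Drive maps, printer preferences and the GPO 6 registry item are Group Policy Preferences, which have no cmdlet, so they are not covered. The password and lockout rows of the GPO 3 table are domain-wide settings that a GPO only carries when linked at the domain root; the example therefore shows them as a `Set-ADDefaultDomainPasswordPolicy` call kept as a dry run (`-WhatIf`) until rollout. Assumed: run on CS-SERVER as a Domain Admin; the registry-backed policy paths are the standard ones for those settings.

```powershell
# Added example, not the project's own GPO build. Creates GPO 3 and GPO 4 unlinked.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OrCreateGpo([string]$Name) {
    $g = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $Name -Comment 'Step 4f: created unlinked, link at rollout' }
    return $g
}

# --- GPO 3: "CSC - Security Baseline" ---
$baseline = Get-OrCreateGpo 'CSC - Security Baseline'

# Screen lock after 15 minutes, password on resume (Control Panel > Personalization policies).
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $baseline.DisplayName -Key $desk -ValueName ScreenSaveActive    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $baseline.DisplayName -Key $desk -ValueName ScreenSaverIsSecure -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $baseline.DisplayName -Key $desk -ValueName ScreenSaveTimeOut   -Type String -Value '900' | Out-Null

# Windows Firewall ON for all three profiles.
foreach ($profile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    Set-GPRegistryValue -Name $baseline.DisplayName -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" `
        -ValueName EnableFirewall -Type DWord -Value 1 | Out-Null
}

# Password/lockout rows of the table (domain-wide; effective only from the domain root).
# Dry run for now: remove -WhatIf at rollout.
Set-ADDefaultDomainPasswordPolicy -Identity 'cascades.local' -MinPasswordLength 12 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -PasswordHistoryCount 10 -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) -WhatIf

# --- GPO 4: "CSC - Windows Update" ---
$wu = Get-OrCreateGpo 'CSC - Windows Update'
$au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auValues = [ordered]@{
    NoAutoUpdate                  = 0   # automatic updates policy enabled
    AUOptions                     = 4   # auto download and schedule the install
    ScheduledInstallDay           = 1   # 1 = Sunday (0 = every day)
    ScheduledInstallTime          = 3   # 03:00
    NoAutoRebootWithLoggedOnUsers = 1   # no forced restart while someone is logged on
}
foreach ($v in $auValues.GetEnumerator()) {
    Set-GPRegistryValue -Name $wu.DisplayName -Key $au -ValueName $v.Key -Type DWord -Value $v.Value | Out-Null
}

# --- Confirm both GPOs exist and are linked nowhere yet ---
foreach ($g in $baseline, $wu) {
    [xml]$report = Get-GPOReport -Guid $g.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    '{0}: {1} link(s)' -f $g.DisplayName, $links.Count
}
```

The final loop is the check that matters for "DO NOT link yet": a freshly created GPO has no `LinksTo` entries in its report, so both lines should read `0 link(s)`. When GPO 3 is eventually linked, the Windows Firewall and screen-lock values apply to whichever OU it is linked to, while the password and lockout values only take effect at the domain root, which is why they are applied through the default domain policy instead.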
---

## Rollback

- Unlink any GPO from GPMC — takes effect at next `gpupdate`
- DNS records were exported in Step 1
- AD changes can be reverted from Step 1 exports