# Active Directory — cascades.local

## Domain Info (audit 2026-03-20)

- Domain: cascades.local (NetBIOS: CASCADES)
- Forest Functional Level: Windows2016Forest
- Domain Functional Level: Windows2016Domain
- Domain Controllers: CS-SERVER (192.168.2.254) — **ONLY DC** (all FSMO roles)
- Sites: Default-First-Site-Name
- No trusts configured

## AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13

**New since last doc update:** Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26)

### Enabled Accounts — HR Roster (updated 2026-04-13)

| Name | SamAccountName | Position | Department | Shared Email | Notes |
|------|---------------|----------|------------|-------------|-------|
| Administrator | Administrator | — | — | — | Built-in |
| localadmin | localadmin | — | — | — | Local admin |
| Sysadmin | sysadmin | — | — | — | System admin |
| Howard Dax | howard | Home Office | Administrative | first.last@ | MSP technician |
| Meredith Kuhn | Meredith.Kuhn | Executive Director | Administrative | first.last@ | |
| John Trozzi | John.Trozzi | Maintenance Director | Maintenance | first.last@ | PC: MAINTENANCE-PC |
| Lupe Sanchez | Lupe.Sanchez | Housekeeping Director | Housekeeping | first.last@ | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
| Megan Hiatt | Megan.Hiatt | Sales Director | Marketing | first.last@, Sales@ | |
| Crystal Rodriguez | Crystal.Rodriguez | Sales Associate | Marketing | first.last@, Sales@ | PC: CRYSTAL-PC |
| Tamra Matthews | Tamra.Matthews | Move-In Coordinator | Marketing | first.last@ | Renamed from Tamra.Johnson (2026-04-13) |
| Lois Lane | Lois.Lane | Health Services Director | Care, Assisted Living | first.last@, Nurses@ | |
| Christina DuPras | Christina.DuPras | Resident Services Director | Resident Services | first.last@ | |
| Christine Nyanzunda | Christine.Nyanzunda | Memory Care Admin Assistant | Care, Memory Care | first.last@ | |
| Susan Hicks | Susan.Hicks | Life Enrichment Director | Life Enrichment | first.last@ | PC: DESKTOP-ROK7VNM |
| Ashley Jensen | Ashley.Jensen | Assistant Executive Director | Administrative | first.last@, Accounting@ | |
| Veronica Feller | Veronica.Feller | Care, Assisted Living Aide | Care, Assisted Living | first.last@ | |
| Sebastian Leon | Sebastian.Leon | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| JD Martin | JD.Martin | Culinary Director | Culinary | first.last@ | |
| Alyssa Brooks | Alyssa.Brooks | Dining Manager | Culinary | first.last@ | Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13) |
| Matt Brooks | Matt.Brooks | Memory Care Receptionist | Maintenance | first.last@ | Dept says Maintenance (HR data) |
| Ramon Castaneda | Ramon.Castaneda | Kitchen Manager | Culinary | first.last@ | |
| Michelle Shestko | Michelle.Shestko | Resident Services Receptionist | Resident Services | MC Front Desk | |
| Sharon Edwards | Sharon.Edwards | Life Enrichment Assistant | Life Enrichment | first.last@ | PC: DESKTOP-DLTAGOI |
| Britney Thompson | britney.thompson | Memory Care Nurse | Care, Assisted Living | first.last@, Nurses@ | **DEPARTED 2026-04-22 per John — disable account + harvest license** |
| Shelby Trozzi | Shelby.Trozzi | Memory Care Director | Care, Memory Care | first.last@ | Renamed from strozzi (2026-04-13) |
| Karen Rossini | karen.rossini | Health Services Manager | Care, Assisted Living | first.last@, Nurses@ | lowercase SamAccountName |
| Sheldon Gardfrey | Sheldon.Gardfrey | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| Cathy Kingston | Cathy.Kingston | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Shontiel Nunn | Shontiel.Nunn | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Ray Rai | Ray.Rai | RS Courtesy Patrol | Resident Services | Frontdesk@ | |
| Richard Adams | Richard.Adams | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Julian Crim | Julian.Crim | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Christopher Holick | Christopher.Holick | Driver | Transportation | Transportation@ | Fixed from Holik (2026-04-13). **2026-04-22: disable — drivers no longer get IT access** |
| Lauren Hasselman | lauren.hasselman | Business Office Director | Administrative | first.last@, Accounting@ | Replaced Jeff Bristol. lowercase SamAccountName |
| Allison Reibschied | Allison.Reibschied | Accounting Assistant | Administrative | first.last@ | Added 2026-03-13. PC: ACCT2-PC |
| QBDataServiceUser34 | QBDataServiceUser34 | — | — | — | QuickBooks service account |
| Culinary | Culinary | — | — | — | Generic department account — replace Phase 5 |
| RECEPTIONIST | Receptionist | — | — | — | Generic role account — replace Phase 5 |
| saleshare | saleshare | — | — | — | Shared sales resource — replace Phase 5 |
| directoryshare | directoryshare | — | — | — | Shared directory resource — replace Phase 5 |

### Not in AD — Needs Account Created

| Name | Position | Department | Shared Email | Notes |
|------|----------|------------|-------------|-------|
| Kyla Quick Tiffany | Resident Services Receptionist | Resident Services | Frontdesk@ | New — needs AD + M365 account |

### Accounts Deleted (2026-04-13 cleanup)

Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol

### Disabled Accounts (2) — cleaned 2026-04-13

| Name | SamAccountName | Notes |
|------|---------------|-------|
| Guest | Guest | Built-in — correct to leave disabled |
| krbtgt | krbtgt | Built-in Kerberos — correct to leave disabled. **Password 569+ days old — needs rotation** |

## Domain-Joined Computers (8)

### OU=Domain Controllers

| Computer | Role |
|----------|------|
| CS-SERVER | Primary DC, File Server, Hyper-V host |

### CN=Computers (default)

| Computer | Role |
|----------|------|
| CS-QB | Hyper-V VM — VoIP server |

### OU=Staff PCs,OU=Workstations (moved 2026-04-13)

| Computer | User | Role |
|----------|------|------|
| ACCT2-PC | Allison Reibschied | Accounting |
| CRYSTAL-PC | Crystal Rodriguez | Sales Associate |
| DESKTOP-H6QHRR7 | Sylvia Cuen | Staff workstation |
| DESKTOP-1ISF081 | TBD | Unknown — needs identification |
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |

### Missing from AD (listed in overview but NOT domain-joined)

- **SALES4-PC** — Sales workstation (10.0.20.203) — NOT in AD
- **CHEF-PC** — Kitchen workstation (10.0.20.232) — NOT in AD
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) — NOT in AD
- **DESKTOP-KQSL232** — Unknown (10.0.20.227) — NOT in AD

These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain.
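The two checks this section records by hand (which inventory machines are actually domain-joined and in the right OU, and how old the krbtgt password is) can be re-run from a DC or an RSAT workstation. The script below is an added example written for this page, not one of the runbook's own `migration/scripts` files; the inventory list is constructed from the machine names above, and the 180-day krbtgt threshold and the `-eq` check against the Staff PCs OU are assumptions of the example.

```powershell
# Added example (not part of the original runbook): reconcile the hardware
# overview against AD and flag the krbtgt password age. Assumes the
# ActiveDirectory RSAT module is present and the caller can read the domain.
Import-Module ActiveDirectory

# Constructed inventory: names copied from the computer tables above
$Inventory = @(
    'CS-SERVER', 'CS-QB', 'ACCT2-PC', 'CRYSTAL-PC', 'DESKTOP-H6QHRR7',
    'DESKTOP-1ISF081', 'DESKTOP-DLTAGOI', 'DESKTOP-ROK7VNM',
    'SALES4-PC', 'CHEF-PC', 'MDIRECTOR-PC', 'DESKTOP-KQSL232'
)
$StaffPcOU = 'OU=Staff PCs,OU=Workstations,DC=cascades,DC=local'

function Get-ComputerJoinReport {
    param([string[]]$Names, [string]$StaffOU)

    # One directory query, then an in-memory lookup keyed by upper-case name
    $joined = Get-ADComputer -Filter * -Properties LastLogonDate
    $byName = @{}
    foreach ($c in $joined) { $byName[$c.Name.ToUpperInvariant()] = $c }

    foreach ($n in $Names) {
        $c = $byName[$n.ToUpperInvariant()]
        if (-not $c) {
            [pscustomobject]@{ Computer = $n; Status = 'NOT in AD'; Container = $null; LastLogon = $null }
            continue
        }
        # Parent container = the DN with its leading "CN=<name>," removed
        $parent = ($c.DistinguishedName -split ',', 2)[1]
        $status = if ($c.DistinguishedName -like '*OU=Domain Controllers,*') { 'Domain Controller' }
                  elseif ($parent -eq $StaffOU) { 'Staff PCs OU' }
                  else { 'Joined, outside Staff PCs OU' }
        [pscustomobject]@{ Computer = $n; Status = $status; Container = $parent; LastLogon = $c.LastLogonDate }
    }
}

function Get-KrbtgtPasswordAgeDays {
    # PasswordLastSet is null if never set; report that as "older than anything"
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    if ($null -eq $k.PasswordLastSet) { return [int]::MaxValue }
    return [int]((Get-Date) - $k.PasswordLastSet).TotalDays
}

Get-ComputerJoinReport -Names $Inventory -StaffOU $StaffPcOU | Format-Table -AutoSize

$age = Get-KrbtgtPasswordAgeDays
if ($age -gt 180) {   # assumed threshold for this example
    Write-Warning "krbtgt password is $age days old and should be rotated."
}
```

Run it read-only before and after Phase 3: machines reported as `NOT in AD` are the four listed above, and anything `Joined, outside Staff PCs OU` other than CS-SERVER and CS-QB has drifted from the target OU layout. When the krbtgt rotation is done, reset it twice with a gap of at least the maximum ticket lifetime (10 hours by default), because the domain keeps the previous password valid for tickets already issued.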

## Organizational Units

### Current State (pre-cleanup)

```
cascades.local
├── Builtin (system)
├── Computers (default container)   ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7
├── Users (default container)       ← 20 accounts dumped here (system + stale + needs placement)
├── Domain Controllers
│   └── CS-SERVER
├── Managment                       ← MISSPELLED, empty — DELETE
├── Sales                           ← empty — DELETE
├── MemCare                         ← empty — DELETE
├── Administrative                  ← ROOT DUPLICATE of Departments\Administrative — DELETE
├── Care-Assisted Living            ← ROOT DUPLICATE — DELETE
├── Care-Memorycare                 ← ROOT DUPLICATE — DELETE
├── Culinary                        ← ROOT DUPLICATE — DELETE
├── Housekeeping                    ← ROOT DUPLICATE — DELETE
├── Life Enrichment                 ← ROOT DUPLICATE — DELETE
├── Maintenance                     ← ROOT DUPLICATE — DELETE
├── Marketing                       ← ROOT DUPLICATE — DELETE
├── Resident Services               ← ROOT DUPLICATE — DELETE
├── Transportation                  ← ROOT DUPLICATE — DELETE
└── Departments
    ├── Administrative (6 users)
    ├── Care-Assisted Living (4 users)
    │   └── Nurses (sub-OU, empty)
    ├── Care-Memorycare (2 users)
    ├── Culinary (4 users)
    ├── Housekeeping (1 user)
    ├── Life Enrichment (2 users)
    ├── Maintenance (2 users)
    ├── Marketing (4 users)
    ├── Resident Services (7 users)
    └── Transportation (3 users)
```

### Target State (after cleanup — Phase 2.1 + 2.2)

```
cascades.local
├── Builtin (system)
├── Computers (default container)   ← CS-QB stays here (VM, not staff PC)
├── Users (default container)       ← system/service accounts only
├── Domain Controllers
│   └── CS-SERVER
├── Workstations                    ← NEW
│   ├── Staff PCs                   ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM
│   └── Shared PCs                  ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation)
└── Departments
    ├── Administrative (6 users)
    ├── Care-Assisted Living (4 users)
    │   └── Nurses (sub-OU)
    ├── Care-Memorycare (2 users)
    ├── Culinary (4 users)
    ├── Housekeeping (1 user)
    ├── Life Enrichment (2 users)
    ├── Maintenance (2 users)
    ├── Marketing (4 users)
    ├── Resident Services (7 users)
    └── Transportation (3 users)
```

### Cleanup Scripts

- `migration/scripts/phase2-ou-cleanup.ps1` — Audit + delete 13 root-level OUs, handle CN=Users accounts
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, create Workstations OU, security groups, move computers

## Group Policy (as of 2026-03-07 export)

GPOs exist but their effect is limited because most PCs aren't domain-joined.

| GPO | Created | Modified | Settings | Notes |
|-----|---------|----------|----------|-------|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. **Lockout: 5 attempts / 30 min** (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Reasonable — keep |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |

**GPO Review (2026-03-07):** All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. At review time the Default Domain Policy had account lockout disabled (threshold = 0), which allows unlimited password-guessing attempts; the lockout was set to 5 attempts / 30 min on 2026-03-09 (see table), and the same setting needs to be carried into the security baseline GPO.

## RDS Licensing

- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- **Compliance risk:** Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused.
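The Phase 2.1 OU deletion is the riskiest part of the cleanup, because an OU that looks empty in the console can still hold a linked GPO or a child object, and every OU created through the console is protected from accidental deletion. The script below is an added example written for this page, not the runbook's own `phase2-ou-cleanup.ps1`; it decides per root-level OU using the two rules the table above gives (empty duplicate of a `Departments` sub-OU, or one of the three explicit junk OUs) and does nothing destructive unless `-Commit` is passed. The protected-name list and the `-Commit` switch are assumptions of the example.

```powershell
# Added example (not the project's phase2-ou-cleanup.ps1): audit root-level OUs
# and delete only those that are empty AND either duplicate a Departments sub-OU
# or sit on the explicit junk list. Dry-run (-WhatIf) unless -Commit is given.
param([switch]$Commit)
Import-Module ActiveDirectory

$DomainDN     = 'DC=cascades,DC=local'
$DeptRoot     = "OU=Departments,$DomainDN"
$ExplicitJunk = @('Managment', 'Sales', 'MemCare')               # empty, per the audit
$Protected    = @('Domain Controllers', 'Departments', 'Workstations')  # never touched (assumed list)

function Test-OUEmpty {
    param([string]$DN)
    # Any direct child object (user, computer, group, sub-OU) makes the OU non-empty
    $child = Get-ADObject -SearchBase $DN -SearchScope OneLevel -Filter * -ResultSetSize 1
    return ($null -eq $child)
}

function Get-RootOUCleanupPlan {
    param([string]$Domain, [string]$DeptOU, [string[]]$Junk, [string[]]$Keep)

    $deptNames = (Get-ADOrganizationalUnit -SearchBase $DeptOU -SearchScope OneLevel -Filter *).Name
    $rootOUs   = Get-ADOrganizationalUnit -SearchBase $Domain -SearchScope OneLevel -Filter * -Properties LinkedGroupPolicyObjects

    foreach ($ou in $rootOUs) {
        if ($Keep -contains $ou.Name) { continue }
        $empty  = Test-OUEmpty -DN $ou.DistinguishedName
        $linked = @($ou.LinkedGroupPolicyObjects).Count -gt 0
        $action = if (-not $empty)                { 'SKIP: not empty' }
                  elseif ($linked)                { 'SKIP: has linked GPO, review first' }
                  elseif ($deptNames -contains $ou.Name) { 'DELETE: duplicate of Departments sub-OU' }
                  elseif ($Junk -contains $ou.Name)      { 'DELETE: empty, on junk list' }
                  else                            { 'SKIP: not on list, review manually' }
        [pscustomobject]@{ OU = $ou.Name; DN = $ou.DistinguishedName; Action = $action }
    }
}

$plan = Get-RootOUCleanupPlan -Domain $DomainDN -DeptOU $DeptRoot -Junk $ExplicitJunk -Keep $Protected
$plan | Format-Table -AutoSize

foreach ($item in $plan | Where-Object Action -like 'DELETE*') {
    # Console-created OUs carry ProtectedFromAccidentalDeletion; clear it, then remove
    Set-ADOrganizationalUnit -Identity $item.DN -ProtectedFromAccidentalDeletion $false -WhatIf:(-not $Commit)
    Remove-ADOrganizationalUnit -Identity $item.DN -Confirm:$false -WhatIf:(-not $Commit)
}
```

Run it without `-Commit` first and compare the plan against the 13 OUs marked DELETE in the tree above; the expected result is exactly those 13 rows with a `DELETE:` action and no `SKIP: not empty` surprises. Only then re-run with `-Commit`.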
  Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode.

## Existing AD Groups (Custom)

| Group | Members | Notes |
|-------|---------|-------|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
| Roaming | (empty) | Old roaming profile attempt — unused |
| MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated |

## Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3)

See `migration/phase2-server-prep.md` and `migration/scripts/phase2-ad-setup.ps1`.

### Security Fixes (immediate)

- Remove disabled Monica.Ramirez from **Domain Admins** (security risk)
- Disable Haris.Durut (still enabled, not employed)
- Fix "Quickboosk acccess" → "QuickBooks Access"
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)

### OU Changes

- **DELETE 10 root-level duplicate OUs** (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
- **DELETE 3 empty root-level OUs** (Managment, MemCare, Sales) — unused
- Create: `OU=Workstations,DC=cascades,DC=local`
- Create: `OU=Staff PCs,OU=Workstations,DC=cascades,DC=local`

### Security Groups (created with members from Synology permission mapping)

| Group | Members |
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |

### Account Removals (client confirmed)

**Already disabled — delete:** Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol

**Enabled but not in HR — disable + delete:** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery

**Keep:** lauren.hasselman (replaced Bristol as Business Office Director)

### CN=Users — HR Verified (2026-03-10)

HR (Meredith) responded. All accounts resolved:

| Account | Enabled | Last Logon | Action |
|---------|---------|-----------|--------|
| Lupe.Sanchez | Yes | Never | **Keep** — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate |
| Receptionist | Yes | 2/22/2026 | Shared account — keep until Phase 5 replacement |
| directoryshare | Yes | 2/26/2026 | Shared/service account — keep until Phase 5 replacement |

**Confirmed DELETE by HR:**

- Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
- Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
- Jodi.Ramstack (disabled)
- Monica.Ramirez (disabled, already removed from Domain Admins)
- Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license

**Already confirmed for removal (not current employees, never logged in):** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)

**System/service accounts staying in CN=Users:** Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34

### Domain Join (Phase 3)

Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:

- DESKTOP-KQSL232 (first)
- CHEF-PC
- SALES4-PC
- MDIRECTOR-PC (last)

### GPOs to Create (Phase 2.6)

1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
5. **CSC - Folder Redirection** — Desktop, Documents, Downloads → `\\CS-SERVER\homes\%username%\`
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification.

### Entra Connect (Phase 2.7 — NEW)

- Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
- **BLOCKED ON:** AD cleanup (renames, deletions, duplicate resolution) must complete first
- See `cloud/m365.md` → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
- Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles

### Shared Account Replacement (Phase 5)

Replace Culinary, Receptionist, saleshare, directoryshare with security group access.

## Domain Admins (from 2026-03-07 export)

| Account | Status | Action Needed |
|---------|--------|---------------|
| Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | **REMOVE** — administrative staff, not IT |
| John.Trozzi | Enabled | **REMOVE** — maintenance, not IT |
| ~~Monica.Ramirez~~ | **Disabled** | **REMOVED 2026-03-09** |
| sysadmin | Enabled | OK (IT account) |

## Login Activity (audit 2026-03-20)

Only 12 of 49 enabled accounts have ever logged in. Most staff have never used their AD accounts because their PCs aren't domain-joined.
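Three of the Phase 2.2 items above are mechanical and worth scripting so they can be re-checked after every change: creating the SG-* groups from the Synology mapping, confirming that Domain Admins contains only the two accounts marked OK, and confirming the 5 attempts / 30 min lockout is really in effect. The script below is an added example written for this page, not the runbook's `phase2-ad-setup.ps1`; it carries only three groups from the table as a sample mapping, and the group container (`CN=Users`), the allowlist and the `-Commit` switch are assumptions of the example.

```powershell
# Added example (not the project's phase2-ad-setup.ps1): create/populate SG-*
# groups from a mapping, report Domain Admins members outside an allowlist,
# and verify the lockout policy. Dry-run unless -Commit is given.
param([switch]$Commit)
Import-Module ActiveDirectory

$GroupPath = 'CN=Users,DC=cascades,DC=local'   # assumed container for SG-* groups
$GroupMap  = @{                                # sample of the mapping table above
    'SG-Sales-RW'    = @('Megan.Hiatt', 'Crystal.Rodriguez', 'Tamra.Matthews')
    'SG-Culinary-RW' = @('JD.Martin', 'Ramon.Castaneda', 'Alyssa.Brooks')
    'SG-IT-RW'       = @('howard', 'sysadmin')
}
$DomainAdminAllowlist = @('Administrator', 'sysadmin')   # the two rows marked OK

function Sync-SecurityGroup {
    param([string]$Name, [string[]]$Members, [string]$Path, [switch]$Apply)
    $found = @(); $missing = @()
    foreach ($m in $Members) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$m'"
        if ($u) { $found += $u } else { $missing += $m }
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -WhatIf:(-not $Apply)
    }
    if ($Apply -and $found) {
        # Add only members not already present so re-runs are idempotent
        $existing = @(Get-ADGroupMember -Identity $Name | ForEach-Object SamAccountName)
        $new = @($found | Where-Object { $existing -notcontains $_.SamAccountName })
        if ($new) { Add-ADGroupMember -Identity $Name -Members $new }
    }
    return $missing   # names from the mapping that do not exist in AD (e.g. renamed accounts)
}

function Get-DomainAdminDrift {
    param([string[]]$Allowed)
    # -Recursive so a nested group cannot hide an admin; Enabled exposes disabled leftovers
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled |
        Where-Object { $Allowed -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, Enabled
}

function Test-LockoutPolicy {
    param([int]$MaxAttempts = 5, [int]$MinMinutes = 30)
    $p = Get-ADDefaultDomainPasswordPolicy
    # Threshold 0 means lockout is off, which is the 2026-03-07 finding
    return ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $MaxAttempts -and
            $p.LockoutDuration.TotalMinutes -ge $MinMinutes)
}

foreach ($g in $GroupMap.Keys) {
    $notFound = Sync-SecurityGroup -Name $g -Members $GroupMap[$g] -Path $GroupPath -Apply:$Commit
    if ($notFound) { Write-Warning "${g}: members not in AD: $($notFound -join ', ')" }
}

$drift = Get-DomainAdminDrift -Allowed $DomainAdminAllowlist
if ($drift) { Write-Warning 'Domain Admins contains accounts outside the allowlist:'; $drift | Format-Table }

if (-not (Test-LockoutPolicy)) { Write-Warning 'Default Domain Policy lockout does not meet 5 attempts / 30 min.' }
```

The "members not in AD" warning is the useful part for this domain: the mapping still names `strozzi` and `britney.thompson`, and after the 2026-04-13 rename and the 2026-04-22 departure those will surface here instead of being silently skipped. `Get-DomainAdminDrift` returning nothing is the expected state once Meredith.Kuhn and John.Trozzi have been removed.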

| Account | Last Logon | Notes |
|---------|-----------|-------|
| sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | **NEW** — Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account |
| directoryshare | 2026-03-10 | Shared account |
| localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account |
| saleshare | 2025-12-08 | Shared account |
| Christina.DuPras | 2026-01-06 | |
| Monica.Ramirez | 2024-11-04 | **Disabled** |

**37 enabled accounts have NEVER logged in** — most have never set a password either.

## Issues Found

1. **Only 6 computers domain-joined** — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
2. **3 GPOs from Dec 2025 undocumented** — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these.
3. **RDS licensing not configured** — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision)
4. **12 accounts to remove** — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2)
5. **4 shared/generic accounts** (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5)
6. **Monica.Ramirez (disabled) still in Domain Admins** — Security risk, fix immediately. (Phase 2.2)
7. **Meredith.Kuhn and John.Trozzi in Domain Admins** — Non-IT staff should not be DAs. (Phase 2.2)
8. **"Managment" OU misspelled** — To be deleted (empty). (Phase 2.1)
9. **"Quickboosk acccess" group typo** — To be fixed. (Phase 2.2)
10. **13 junk root-level OUs** — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1.
11. **20 accounts in CN=Users** — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
12. **5 computers in CN=Computers** — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
13. **Lupe.Sanchez** — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
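The never-logged-in list and the offboarding notes in the roster (Britney Thompson and the three drivers marked for disable on 2026-04-22) both come down to the same two routines: a report of enabled accounts with no logon, and a disable step that leaves an audit trail but deletes nothing. The script below is an added example written for this page, not a runbook script; the service-account exclusion list is taken from the CN=Users note above, the offboard list from the roster, and the `-Commit` switch and description format are assumptions of the example.

```powershell
# Added example (not from the original runbook): report enabled accounts that
# have never logged in, and offboard a named list by disabling, stamping the
# description and stripping group memberships. Dry-run unless -Commit is given.
param([switch]$Commit)
Import-Module ActiveDirectory

# System/service accounts to leave out of the "never logged in" report
$ServiceAccounts = @('Administrator', 'localadmin', 'sysadmin', 'QBDataServiceUser34',
                     'Culinary', 'Receptionist', 'saleshare', 'directoryshare')
# Departures recorded in the roster on 2026-04-22
$ToOffboard = @('britney.thompson', 'Richard.Adams', 'Julian.Crim', 'Christopher.Holick')

function Get-NeverLoggedInUsers {
    param([string[]]$Exclude)
    # LastLogonDate is replicated (lastLogonTimestamp), so one DC is enough here
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object { $null -eq $_.LastLogonDate -and $Exclude -notcontains $_.SamAccountName } |
        Select-Object SamAccountName,
            @{ n = 'Created';         e = { $_.whenCreated.ToString('yyyy-MM-dd') } },
            @{ n = 'PasswordEverSet'; e = { $null -ne $_.PasswordLastSet } }
}

function Invoke-Offboard {
    param([string]$Sam, [switch]$Apply)
    $u = Get-ADUser -Filter "SamAccountName -eq '$Sam'" -Properties MemberOf, Description
    if (-not $u) { Write-Warning "$Sam not found in AD"; return $false }
    if (-not $u.Enabled) { Write-Host "$Sam already disabled"; return $true }

    $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) (departed); was: $($u.Description)"
    # Disable first so the account is unusable while memberships are being removed
    Disable-ADAccount -Identity $u -WhatIf:(-not $Apply)
    Set-ADUser -Identity $u -Description $stamp -WhatIf:(-not $Apply)
    # MemberOf excludes the primary group (Domain Users); everything else is dropped so
    # share ACLs grant nothing even if the account is re-enabled by mistake
    foreach ($groupDn in $u.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $u -Confirm:$false -WhatIf:(-not $Apply)
    }
    # M365 licence reclaim is a tenant-side step and is deliberately not done here
    return $true
}

Get-NeverLoggedInUsers -Exclude $ServiceAccounts | Sort-Object Created | Format-Table -AutoSize
foreach ($s in $ToOffboard) { [void](Invoke-Offboard -Sam $s -Apply:$Commit) }
```

`PasswordEverSet` being false for a never-logged-in account matches the "most have never set a password either" finding; those accounts are the natural first candidates for Entra Connect password hygiene once Phase 2.7 starts. Deletion is kept out of the offboard routine on purpose: a disabled, group-stripped account can still be inspected or restored, while the roster records deletions as a separate, HR-confirmed step.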