--- name: Cascades-specific operational rules (folder redirect, security groups) description: Two active rules for Cascades work — (1) folder redirection (fdeploy) needs subfolders pre-created before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1; (2) always ASK which security group(s) a new user goes into — never auto-derive from OU. Root-cause / incident detail in project_cascades_history.md. type: feedback --- Current-state context: [[project_cascades]]. Root cause / incident detail: [[project_cascades_history]]. --- ## 1. Folder redirection — pre-create subfolders BEFORE first logon fdeploy caches failures and never retries if subfolders don't exist at first logon. "No changes detected" = stuck forever without manual intervention. **Mandatory order for every new user:** 1. Create AD user. 2. Run `New-HomeFolder -Username ""` on **CS-SERVER** — creates root + Desktop / Documents / Downloads / Music / Pictures subfolders with correct ACL. 3. Add user to `SG-FolderRedirect`. 4. THEN first domain logon. **Recovery (fdeploy already cached a failure):** - Run `clients/cascades-tucson/scripts/fix-shell-redirect.ps1` via GuruRMM on the client **while the user is logged in**. - Script sets both GUID-based and legacy-name registry keys (`Personal`, `My Music`, `My Pictures`) in `HKU\`. - Folders must already exist on server — script doesn't create them. - User logs off and on to pick up changes. Why both GUID and legacy keys: Downloads has no legacy-name key (GUID alone suffices); Documents / Music / Pictures have both, and Windows reads the legacy key for the actual shell folder — GUID alone is insufficient. --- ## 2. ASK which security group(s) a new user goes into — never auto-derive When creating or being asked to create any Cascades user account (AD or M365), always ask the user **which security group(s)** the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU — do not assume from OU, department, or job title. **Why:** Howard explicitly declined an `OU=Caregivers` → `SG-Caregivers` auto-mirror script (2026-05-14). Security-group membership controls access and CA-policy coverage; he wants that to stay a deliberate, reviewed decision per user, never automated. OU placement is mechanical (controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously. **Caregivers example:** account goes in `OU=Caregivers` (sync scope) AND must be deliberately added to `SG-Caregivers` (CA policy coverage) — two separate, intentional steps; neither auto-derived from the other.