Phase 2.5 complete. Folder redirection GPO decision documented — deferred to Phase 3 (blocked on domain joins). Pending items carried forward. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Active Directory — cascades.local
Domain Info (audit 2026-03-20)
- Domain: cascades.local (NetBIOS: CASCADES)
- Forest Functional Level: Windows2016Forest
- Domain Functional Level: Windows2016Domain
- Domain Controllers: CS-SERVER (192.168.2.254) — ONLY DC (all FSMO roles)
- Sites: Default-First-Site-Name
- No trusts configured
AD Users (updated 2026-05-19)
Changes since 2026-04-13:
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.
Enabled Accounts — Staff (updated 2026-05-19)
OU=Administrative
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. Cloud-only M365 account also created same day — reconcile before next Entra sync (see Pending Issues) |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| Allison.Reibschied | Allison Reibschied | Accounting Assistant | Disabled 2026-05-19 — no longer employed. Replaced by Zachary.Nelson. |
OU=Care-Assisted Living
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
| britney.thompson | Britney Thompson | Memory Care Nurse | DEPARTED 2026-04-22 — still enabled. Disable + harvest license. |
OU=Care-Memorycare
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | |
| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) |
OU=Caregivers — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.
OU=Culinary
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| JD.Martin | JD Martin | Culinary Director | |
| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) |
| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | |
OU=Housekeeping
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
OU=Life Enrichment
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI |
| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM |
OU=Maintenance
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC |
| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data |
OU=Marketing
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |
OU=Resident Services
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Christina.DuPras | Christina DuPras | Resident Services Director | |
| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ |
| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD |
| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk |
| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19) |
OU=Transportation — accounts still enabled but flagged for disable
| SamAccountName | Name | Position | Notes |
|---|---|---|---|
| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). Disable — drivers no longer get IT access |
| Julian.Crim | Julian Crim | Driver | Disable — drivers no longer get IT access |
| Richard.Adams | Richard Adams | Driver | Disable — drivers no longer get IT access |
CN=Users — Service Accounts
| SamAccountName | Notes |
|---|---|
| Administrator | Built-in |
| localadmin | Local admin |
| sysadmin | System admin (IT) |
| MSOL_12be42ce1269 | Entra Connect service account |
| QBDataServiceUser34 | QuickBooks service account |
OU=Excluded-From-Sync — Shared/Generic Accounts (intentionally not syncing to Entra)
| SamAccountName | Notes |
|---|---|
| Culinary | Generic dept account — replace Phase 5 |
| directoryshare | Shared resource — replace Phase 5 |
| RECEPTIONIST | Generic role account — replace Phase 5 |
| saleshare | Shared resource — replace Phase 5 |
OU=ServiceAccounts
| SamAccountName | Notes |
|---|---|
| svc-audit-upload | GuruRMM audit upload service account |
Disabled Accounts
| SamAccountName | Notes |
|---|---|
| Guest | Built-in — correct to leave disabled |
| krbtgt | Built-in Kerberos — password 569+ days old as of 2026-03-20, needs rotation |
Accounts Deleted (2026-04-13 cleanup)
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol
Caregiver Accounts (OU=Caregivers)
38 accounts per the 2026-05-19 count, all shift caregivers/medtechs, first-initial.last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU). Note: the list below holds 40 names, so the figure of 38 (also used for SG-Caregivers and in the OU tree) needs re-verifying against the live OU at the next audit.
a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed
s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.
Domain-Joined Computers (8)
OU=Domain Controllers
| Computer | Role |
|---|---|
| CS-SERVER | Primary DC, File Server, Hyper-V host |
CN=Computers (default)
| Computer | Role |
|---|---|
| CS-QB | Hyper-V VM — VoIP server |
OU=Staff PCs,OU=Workstations
| Computer | User | Role |
|---|---|---|
| ACCT2-PC | Allison Reibschied | Accounting — user account disabled 2026-05-19; reassign the PC to her replacement |
| CRYSTAL-PC | Crystal Rodriguez | Sales Associate |
| DESKTOP-H6QHRR7 | Sylvia Cuen | Staff workstation |
| DESKTOP-1ISF081 | TBD | Unknown — needs identification |
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |
OU=Shared PCs,OU=Workstations
Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).
Not Domain-Joined (on network but workgroup/unjoined)
- SALES4-PC — Sales workstation (10.0.20.203)
- CHEF-PC — Kitchen workstation (10.0.20.232)
- MDIRECTOR-PC — MemCare Director (192.168.3.20)
- DESKTOP-KQSL232 — Unknown (10.0.20.227)
Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).
Organizational Units (current state — 2026-05-19)
OU cleanup is complete. All root-level duplicate OUs have been deleted. The structure below reflects live state.
cascades.local
├── Builtin (system)
├── Computers (default) — CS-QB (VoIP VM)
├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers
│ └── CS-SERVER
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│ │ └── Nurses (empty sub-OU)
│ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first-initial.last format, e.g. a.mcferren; count needs re-verification, see Caregiver Accounts)
│ ├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
│ ├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
│ ├── Housekeeping — Lupe.Sanchez
│ ├── Life Enrichment — Sharon.Edwards, Susan.Hicks
│ ├── Maintenance — John.Trozzi, Matt.Brooks
│ ├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
│ ├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
│ └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
├── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── ServiceAccounts — svc-audit-upload
└── Workstations
    ├── Shared PCs (empty)
    └── Staff PCs — domain-joined workstations
Historical note: Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.
Security Groups (OU=Groups — live state 2026-05-20)
| Group | Members | Notes |
|---|---|---|
| SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. |
| SG-CA-BreakGlass | 0 | Conditional Access break-glass group |
| SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra |
| SG-Chat-RW | 0 | Chat share access — legacy |
| SG-CourtesyPatrol | 0 | Courtesy patrol dept |
| SG-Culinary-RW | 0 | Culinary share access |
| SG-Directory-RW | 0 | Directory share access |
| SG-Drivers | 0 | Transportation drivers |
| SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in |
| SG-FrontDesk | 0 | Front desk dept |
| SG-IT-RW | 0 | IT share access |
| SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. |
| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. |
| SG-Office-PHI-External | 0 | PHI-authorized external access |
| SG-Office-PHI-Internal | 0 | PHI-authorized internal access |
| SG-Receptionist-RW | 0 | Receptionist share access |
| SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. |
| SG-Sales-RW | 0 | Sales share — Read/Write |
| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share |
| AuditUploaders | 0 | GuruRMM audit upload service |
Legacy groups (CN=Users, not in OU=Groups):
| Group | Members | Notes |
|---|---|---|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
| Roaming | (empty) | Old roaming profile attempt — unused |
| MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated |
Entra Connect (live state 2026-05-19)
Entra Connect is installed and running on CS-SERVER in production mode.
| Setting | Value |
|---|---|
| Installed on | CS-SERVER |
| Staging mode | FALSE (live production sync) |
| Scheduler | Enabled — next run: Delta |
| AD connector | cascades.local |
| Entra connector | NETORGFT4257522.onmicrosoft.com |
| OU sync scope | Full domain (dnList empty — unfiltered) |
| Service account | MSOL_12be42ce1269 (CN=Users) |
OU=Excluded-From-Sync is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.
All other OUs — including OU=Caregivers — are within scope and sync to Entra.
Historical note: As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.
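The Alma.Montt reconciliation (see Pending Issues) is the one sync-scope operation on this page that goes wrong if done in the wrong order, so here is the full sequence as an added example. This is not one of the page's migration scripts. It assumes the Microsoft.Graph PowerShell SDK and RSAT on the admin workstation, the ADSync module on CS-SERVER, and that the cloud-only object's UPN is `Alma.Montt@NETORGFT4257522.onmicrosoft.com` (the page records the tenant but not that UPN; adjust it). One caveat the page does not state: cascades.local is not a verified suffix, so Entra Connect will sync the AD user with the tenant's onmicrosoft.com UPN unless a routable UPN suffix is set in AD first.

```powershell
# Added example, not one of the page's migration scripts. Assumptions: Microsoft.Graph SDK
# and RSAT on the admin workstation, ADSync module on CS-SERVER, and the cloud-only UPN below.
$CloudUpn = 'Alma.Montt@NETORGFT4257522.onmicrosoft.com'   # assumed UPN of the cloud-only object
$AdSam    = 'Alma.Montt'

function Set-CsSyncScheduler([bool] $Enabled, [switch] $RunDelta) {
    Invoke-Command -ComputerName CS-SERVER -ScriptBlock {
        param($Enabled, $RunDelta)
        Import-Module ADSync
        Set-ADSyncScheduler -SyncCycleEnabled $Enabled
        if ($RunDelta) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }
        Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress
    } -ArgumentList $Enabled, ([bool]$RunDelta)
}

# 1. Pause the scheduler so a delta run cannot race the cleanup below.
Set-CsSyncScheduler -Enabled $false

# 2. Confirm the Entra object really is cloud-only before touching it.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
$cloud = Get-MgUser -Filter "userPrincipalName eq '$CloudUpn'" `
    -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
if (-not $cloud) { throw "No Entra object with UPN $CloudUpn; nothing to reconcile" }
if ($cloud.OnPremisesSyncEnabled -or $cloud.OnPremisesImmutableId) {
    throw "$CloudUpn is already a synced object; do not delete it"
}
Remove-MgUser -UserId $cloud.Id

# 3. Purge it from the recycle bin too. A soft-deleted user keeps its UPN and proxyAddresses
#    reserved for 30 days, which is enough to block the synced object from taking that UPN.
Get-MgDirectoryDeletedItemAsUser -Filter "userPrincipalName eq '$CloudUpn'" |
    ForEach-Object { Remove-MgDirectoryDeletedItem -DirectoryObjectId $_.Id }

# 4. AD side: must be in scope (not OU=Excluded-From-Sync) with attributes that survive the sync.
$ad = Get-ADUser -Identity $AdSam -Properties UserPrincipalName, Mail, DistinguishedName
if ($ad.DistinguishedName -like '*OU=Excluded-From-Sync*') { throw "$AdSam is out of sync scope" }
if ($ad.UserPrincipalName -like '*.local') {
    Write-Warning "$AdSam has a non-routable UPN suffix; Entra will rewrite it to onmicrosoft.com"
}
if (-not $ad.Mail) { Write-Warning "$AdSam has no mail attribute; set it so the mailbox address is right" }

# 5. Resume the scheduler and push a delta cycle, then watch for the synced object in Entra.
Set-CsSyncScheduler -Enabled $true -RunDelta
```

After the delta completes, `Get-MgUser -UserId <new object> -Property OnPremisesSyncEnabled` should report `True`; only then assign the license, so it lands on the synced object and not on a re-created cloud-only one.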
SMB Shares (live — D:\ on CS-SERVER)
Full share details, permissions, and drive letter mappings are in docs/servers/cs-server.md.
| Share | Path | Notes |
|---|---|---|
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
| Culinary | D:\Shares\Culinary | |
| directoryshare | D:\Shares\directoryshare | |
| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
| IT | D:\Shares\IT | |
| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Receptionist | D:\Shares\Receptionist | |
| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
| Shares | D:\Shares | Root share |
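The four shares created 2026-05-20 all follow the same pattern (ABE on, NTFS carries the real permissions, a Read-Only group where one exists). The following is an added example of that pattern, written here and not the page's phase2-new-shares.ps1; it assumes the share-level ACL is left at Authenticated Users/Change so that SG- group membership alone decides access, and adds SYSTEM and Domain Admins with Full on every share (the table lists Domain Admins only for Activities and Management, so treat that as an assumption). Run on CS-SERVER as a Domain Admin.

```powershell
# Added example, not the page's phase2-new-shares.ps1. Run on CS-SERVER as a Domain Admin.
Import-Module SmbShare

function New-CscDeptShare {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ModifyGroups = @(),
        [string[]] $ReadGroups   = @(),
        [string]   $Domain       = 'CASCADES'   # NetBIOS name from the Domain Info section
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # NTFS: stop inheriting from D:\Shares, clear any explicit ACEs, then grant only what
    # the share needs. Inherited ACEs are dropped when the protected DACL is written.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($r) }

    $grants = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';   Rights = 'FullControl' },
        @{ Id = "$Domain\Domain Admins"; Rights = 'FullControl' }
    )
    foreach ($g in $ModifyGroups) { $grants += @{ Id = "$Domain\$g"; Rights = 'Modify' } }
    foreach ($g in $ReadGroups)   { $grants += @{ Id = "$Domain\$g"; Rights = 'ReadAndExecute' } }
    foreach ($g in $grants) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $g.Id, $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share layer: Authenticated Users get Change; the NTFS ACL above is the real gate.
    # AccessBased enumeration hides entries the caller cannot read ("ABE enabled" in the table).
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -ChangeAccess 'Authenticated Users' `
            -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null
    }
    [pscustomobject]@{
        Share = $Name
        ABE   = (Get-SmbShare -Name $Name).FolderEnumerationMode
        NTFS  = (Get-Acl -Path $Path).Access | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

New-CscDeptShare -Name 'Sales' -Path 'D:\Shares\Sales' -ModifyGroups 'SG-Sales-RW' -ReadGroups 'SG-Sales-RO'
```

Verify from a workstation as a member of SG-Sales-RO only: `Get-ChildItem \\CS-SERVER\Sales` should list, and `New-Item \\CS-SERVER\Sales\probe.txt -ItemType File` should fail with access denied. Note that `-EncryptData $true` requires SMB 3 clients, which rules out any legacy device that still speaks SMB 1 or 2.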
Printers shared from CS-SERVER:
| Share | Device |
|---|---|
| RecRoom-Canon | 1F-132-RecRoom-Canon |
| MemCare Director Printer | MF451CDW |
| MemCare MedTech Printer | Brother MFC-L8900CDW |
Group Policy (as of 2026-05-20)
GPOs exist but effectiveness is limited since most PCs are not domain-joined.
| GPO | Created | Modified | Settings | Notes |
|---|---|---|---|---|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → \\CS-SERVER\homes\%USERNAME%\. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks |
| | Dec 2025 | Dec 2025 | EMPTY | DELETED 2026-03-09 |
| | Dec 2025 | Dec 2025 | EMPTY | DELETED 2026-03-09 |
| | Dec 2025 | Dec 2025 | EMPTY | DELETED 2026-03-09 |
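Before the LE folder redirection GPO is extended to other OUs, each candidate machine has to be checked for OneDrive Known Folder Move, since KFM and GPO folder redirection fight over the same Documents/Desktop/Downloads paths. The following is an added example of that check, not a script from the page or its session log; run it in the signed-in user's session on the workstation. It reads the per-user shell folder paths and the machine-level OneDrive policy keys (`KFMSilentOptIn`, `KFMOptInWithWizard`); the `\\CS-SERVER\homes` match is there so a machine already covered by the LE GPO shows up as such.

```powershell
# Added example, not from the page or its 2026-04-17 session log. Run as the signed-in user.
function Get-KfmState {
    $shell  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    # Registry value names for the three folders the GPO redirects (Downloads is its known-folder GUID).
    $map = [ordered]@{
        Documents = 'Personal'
        Desktop   = 'Desktop'
        Downloads = '{374DE290-123F-4565-9164-39C4925E467B}'
    }

    $folders = foreach ($name in $map.Keys) {
        $value    = $map[$name]
        $raw      = (Get-ItemProperty -Path $shell -Name $value -ErrorAction SilentlyContinue).$value
        $resolved = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        [pscustomobject]@{
            Folder     = $name
            Path       = $resolved
            InOneDrive = [bool]($resolved -and $resolved -match '\\OneDrive')
            OnCsServer = [bool]($resolved -and $resolved -like '\\CS-SERVER\homes\*')
        }
    }

    # Machine-level OneDrive policy: either value set means KFM is being pushed, not just user-chosen.
    $kfmPolicy = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        KfmSilentOptIn = [bool]$kfmPolicy.KFMSilentOptIn
        KfmOptInWizard = [bool]$kfmPolicy.KFMOptInWithWizard
        SafeToRedirect = -not (($folders.InOneDrive -contains $true) -or $kfmPolicy.KFMSilentOptIn)
        Folders        = $folders
    }
}

$state = Get-KfmState
$state | Select-Object Computer, User, KfmSilentOptIn, KfmOptInWizard, SafeToRedirect | Format-List
$state.Folders | Format-Table -AutoSize
```

A machine where `SafeToRedirect` is `False` needs KFM unlinked (or the OneDrive policy removed) and the folders moved back locally before the GPO applies; applying redirection with `MoveContents=true` over a OneDrive-backed folder is how users end up with two copies of their documents.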
GPOs to Create (Phase 2.6 — not yet run):
- CSC - Drive Mappings — S:, M:, T:, K:, I:, R:, P: with item-level targeting
- CSC - Printer Deployment — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
- CSC - Security Baseline — 12-char passwords, complexity, lockout 5/30, screen lock 15 min. Caveat: password and lockout settings only govern domain accounts when they come from the domain-linked Default Domain Policy or from a fine-grained password policy (PSO); in an OU-linked GPO they affect only local accounts on those computers. The screen-lock setting can live in this GPO; the 12-char minimum and lockout values must go into the Default Domain Policy or a PSO.
- CSC - Windows Update — Auto download, Sundays 3 AM, no auto-restart
- CSC - Folder Redirection — Single GPO linked at OU=Departments, covering all staff OUs. Same settings as the LE GPO, plus Desktop: Documents + Downloads + Desktop → \\CS-SERVER\homes\%USERNAME%\<Folder>, GrantExclusive=false, MoveContents=true. Blocked on Phase 3 domain joins — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure).
- CSC - Shared Workstation — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
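Because the Security Baseline password values cannot be delivered by an OU-linked GPO, the practical way to get the 12-char minimum and 5/30 lockout onto domain accounts without touching the Default Domain Policy's 7-char setting is a fine-grained password policy, which the Windows2016 domain functional level supports. The block below is an added example (not one of the page's scripts); the PSO name, precedence and the choice of Domain Users as the subject are assumptions, while the values mirror the planned baseline and the existing 42-day / 24-history settings.

```powershell
# Added example, not one of the page's migration scripts. Run as sysadmin on CS-SERVER.
# PSO name, precedence and subject are assumptions; the values follow the planned baseline.
Import-Module ActiveDirectory

$psoName  = 'CSC-Staff-Password-Policy'   # assumed name
$subjects = 'Domain Users'                # assumed: apply to everyone; narrow to SG- groups if preferred

function Set-CscPasswordPolicy {
    $existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
    if (-not $existing) {
        # Lower precedence wins if a user ends up in several PSOs; 10 leaves room below it.
        New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
            -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MaxPasswordAge (New-TimeSpan -Days 42) -MinPasswordAge (New-TimeSpan -Days 1) `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false
        Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subjects
    }
    Get-ADFineGrainedPasswordPolicy -Identity $psoName
}

Set-CscPasswordPolicy | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# What a given user actually gets: the resultant PSO overrides the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity lauren.hasselman |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration

# Existing short passwords stay valid until the next change, so report who has not changed
# theirs since the PSO was created and nudge them (or set pwdLastSet to force a change).
$created = (Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties Created).Created
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Departments,DC=cascades,DC=local' `
    -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $created } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

The PSO only applies to users and global security groups, not to OUs, which is why Domain Users (or the SG- groups) is the subject rather than OU=Departments. Service accounts in CN=Users are covered by Domain Users too; if QBDataServiceUser34 or the MSOL_ account cannot tolerate a 42-day expiry, give them their own PSO with a higher precedence number rather than exempting them by hand.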
RDS Licensing
- Mode: NotConfigured
- License Servers: None
- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
- Decision deferred to Phase 5.
Domain Admins
| Account | Status | Notes |
|---|---|---|
| Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
| John.Trozzi | Enabled | Should be removed — maintenance, not IT |
| | Removed | Removed 2026-03-09 (account was disabled) |
| sysadmin | Enabled | OK (IT account) |
Pending Issues (discovered 2026-05-19 audit)
| Issue | Account | Action Needed |
|---|---|---|
| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | Disable — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (in sync scope, will sync on the next delta). A cloud-only M365 account was also created 2026-05-19. Delete the cloud-only account and purge it from the Entra recycle bin (a soft-deleted user keeps its UPN reserved) before the next sync, then let Entra Connect create the object from AD; otherwise the sync creates a duplicate and both objects end up broken. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
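The AD-side actions in the table above (disables, Domain Admins cleanup, krbtgt) can be applied in one pass with the checks a practitioner would want first. The block below is an added example, not one of the page's scripts; it assumes it is run as sysadmin on CS-SERVER with the ActiveDirectory module, and it deliberately stops short of the second krbtgt reset, which must wait at least 10 hours (the default maximum ticket lifetime) after the first so outstanding TGTs issued under the previous key are not rejected. With a single DC there is no replication wait, but the ticket-lifetime gap still applies.

```powershell
# Added example, not one of the page's migration scripts. Run as sysadmin on CS-SERVER.
Import-Module ActiveDirectory
$stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) per AD audit 2026-05-19"

# 1. Departed, superseded and driver accounts: disable, record why, strip group rights.
$toDisable = 'britney.thompson', 'Richard.Adams', 'Julian.Crim', 'Christopher.Holick', 'Shontiel.Nunn'

# Guard: Shontiel.Nunn is only safe to disable if the replacement account is usable.
if (-not (Get-ADUser -Identity s.nunn).Enabled) {
    throw 's.nunn is not enabled; leave Shontiel.Nunn alone until it is'
}
foreach ($sam in $toDisable) {
    $u = Get-ADUser -Identity $sam -Properties Description
    if (-not $u.Enabled) { "$sam already disabled"; continue }
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description "$stamp. Was: $($u.Description)"
    # A disabled object should carry no share or mailbox rights; Domain Users is the primary
    # group and cannot be removed, so it is skipped.
    Get-ADPrincipalGroupMembership -Identity $u |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $u -Confirm:$false }
    "Disabled $sam"
}

# 2. Domain Admins: only the built-in Administrator and the IT account belong.
$allowedDa = 'Administrator', 'sysadmin'
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.SamAccountName -notin $allowedDa } |
    ForEach-Object {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ -Confirm:$false
        "Removed $($_.SamAccountName) from Domain Admins"
    }

# 3. krbtgt: report the age; rotate twice, at least 10 hours apart, one reset per run.
function Get-KrbtgtAgeDays {
    $krb = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [int]((Get-Date) - $krb.PasswordLastSet).TotalDays
}
function Reset-KrbtgtOnce {
    # 32 random bytes, base64, is well past any length policy and never needs to be typed.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}
"krbtgt password age: $(Get-KrbtgtAgeDays) days"
# Reset-KrbtgtOnce    # run once now; run again in a separate session more than 10 hours later
```

After the disables, the next Entra Connect delta will flag those objects as blocked for sign-in in Entra; the M365 licenses are not released automatically and still have to be removed by hand. After each krbtgt reset, watch the System log on CS-SERVER for KDC errors over the following hours before doing the second one.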
Login Activity (audit 2026-03-20 — historical/stale)
Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.
| Account | Last Logon | Notes |
|---|---|---|
| sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account |
| directoryshare | 2026-03-10 | Shared account |
| localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account |
| Christina.DuPras | 2026-01-06 | |
| saleshare | 2025-12-08 | Shared account |
| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |
37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
Migration Plan Reference
See migration/phase2-server-prep.md for full phase details. Scripts referenced throughout this doc:
- migration/scripts/phase2-ou-cleanup.ps1 — OU audit + delete (COMPLETE)
- migration/scripts/phase2-ad-setup.ps1 — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
- migration/scripts/phase2-ad-groups-new.ps1 — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
- migration/scripts/phase2-new-shares.ps1 — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
Phase 3 domain joins (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
Phase 5 (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.