claudetools/clients/cascades-tucson/session-logs/2026-05-20-howard-phase2-ad-groups-and-shares.md
Howard Enos 468f4287bf client/cascades: session log + AD doc update 2026-05-20
Phase 2.5 complete. Folder redirection GPO decision documented — deferred
to Phase 3 (blocked on domain joins). Pending items carried forward.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 22:32:20 -07:00


Cascades of Tucson — Phase 2.5 AD Groups and Shares

Date: 2026-05-20
Syncro tickets: none opened this session

User

  • User: Howard Enos (howard)
  • Machine: HOWARD-HOME
  • Role: tech

Session Summary

Resumed from a crash mid-session on 2026-05-19. Context was recovered from the prior session log and active-directory.md. A live verification against CS-SERVER via GuruRMM confirmed the Phase 2.5 scripts had not run before the crash.

Ran both Phase 2.5 scripts on CS-SERVER via GuruRMM remote PowerShell:

phase2-ad-groups-new.ps1 — Created three new security groups in OU=Groups,DC=cascades,DC=local:

  • SG-Mgmt-RW — Management share Read/Write (replaces old SG-Management-RW)
  • SG-Sales-RO — Sales share Read Only
  • SG-Activities-RW — Activities share Read/Write

Tamra.Matthews was not a member of SG-Sales-RW, so the removal step returned SKIP (expected; nothing to remove).
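The group-creation and membership-check logic described above, as an added example. This is not phase2-ad-groups-new.ps1 from the repo; the group names, the OU and the Tamra.Matthews / SG-Sales-RW check are taken from this log, while the Global scope and the descriptions are assumptions made for the example.

```powershell
# Added example, not the committed phase2-ad-groups-new.ps1.
# Creates the three SG- groups idempotently and performs the
# "remove only if actually a member, else SKIP" check the log reports.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=cascades,DC=local'
$Groups  = @(
    @{ Name = 'SG-Mgmt-RW';       Description = 'Management share Read/Write' },  # description: assumption
    @{ Name = 'SG-Sales-RO';      Description = 'Sales share Read Only' },
    @{ Name = 'SG-Activities-RW'; Description = 'Activities share Read/Write' }
)

foreach ($g in $Groups) {
    # Filter on Name so a second run is a no-op rather than an error
    $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $GroupOU
    if ($existing) {
        Write-Output "SKIP  $($g.Name) already exists in $GroupOU"
        continue
    }
    # Group scope Global is an assumption; the log does not state the scope used
    New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupCategory Security `
        -GroupScope Global -Path $GroupOU -Description $g.Description
    Write-Output "OK    created $($g.Name)"
}

# Remove a user from a group only when they are actually a member;
# report SKIP otherwise so the run log shows the check happened.
function Remove-MemberIfPresent {
    param([string]$Group, [string]$User)
    $members = Get-ADGroupMember -Identity $Group |
        Select-Object -ExpandProperty SamAccountName
    if ($members -contains $User) {
        Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
        return "OK    removed $User from $Group"
    }
    return "SKIP  $User not in $Group"
}

Remove-MemberIfPresent -Group 'SG-Sales-RW' -User 'Tamra.Matthews'
```

Run it under an account with rights on OU=Groups; a repeat run prints SKIP for every line, which is the property that makes it safe to re-run after a crash like the one this session recovered from.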

phase2-new-shares.ps1 — Created four new SMB shares under D:\Shares, each with access-based enumeration (ABE) enabled and NTFS inheritance disabled on the folder, so only the explicit entries below apply:

  • Management — NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full)
  • Sales — NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute)
  • Activities — NTFS: SG-Activities-RW (Modify), Domain Admins (Full)
  • Server — NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute)

All folders are empty — data sync and group membership population are separate steps per department when each is ready to cut over.
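One share built the way the summary describes, as an added example. This is not the committed phase2-new-shares.ps1; the Management entries (SG-Mgmt-RW Modify, Domain Admins Full) come from the log, while the explicit SYSTEM entry, the share-level permission and the domain NetBIOS name CASCADES are assumptions for the example. The verification block at the end is what a reviewer would run afterwards.

```powershell
# Added example, not the committed phase2-new-shares.ps1.
# Folder under D:\Shares, NTFS inheritance disabled with no inherited ACEs
# copied, explicit ACEs only, SMB share with access-based enumeration, then a
# read-back check.
$ShareRoot = 'D:\Shares'
$Spec = @{
    Name = 'Management'
    Acl  = @(
        @{ Identity = 'CASCADES\SG-Mgmt-RW';    Rights = 'Modify' },      # from the log
        @{ Identity = 'CASCADES\Domain Admins'; Rights = 'FullControl' }  # from the log
    )
}

$path = Join-Path $ShareRoot $Spec.Name
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

$acl = Get-Acl -Path $path
# Disable inheritance; $false = do NOT keep copies of the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)

# Assumption: keep SYSTEM with Full Control. Dropping inherited ACEs without
# re-adding SYSTEM breaks VSS/backup and AV access to the tree.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))

foreach ($ace in $Spec.Acl) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $ace.Identity, $ace.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $path -AclObject $acl

# Assumption: share permission is Authenticated Users Full and NTFS carries the
# real restriction. AccessBased enumeration hides folders the caller cannot open.
if (-not (Get-SmbShare -Name $Spec.Name -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Spec.Name -Path $path -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# Verification: ABE on, inheritance off, and exactly the intended entries.
Get-SmbShare -Name $Spec.Name | Select-Object Name, Path, FolderEnumerationMode
$check = Get-Acl -Path $path
[pscustomobject]@{
    Folder              = $path
    InheritanceDisabled = $check.AreAccessRulesProtected
    Entries             = ($check.Access | ForEach-Object {
        '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }) -join '; '
}
```

The read-back is worth keeping in the real script: AreAccessRulesProtected must come back True and the Entries list must contain nothing beyond what the share table above lists (plus SYSTEM, if kept), otherwise an inherited Users or Authenticated Users entry survived and ABE alone will not hide the data.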

Discussed folder redirection for the new shares. Decision: create a single CSC - Folder Redirection GPO linked at OU=Departments rather than per-OU GPOs. Blocked on Phase 3 domain joins — most affected machines are not domain-joined yet. Life Enrichment is already covered by the existing CSC - Folder Redirection (LE) GPO. Will return to this after Phase 3.


Key Decisions

  • Single folder redirection GPO for all departments — Link one CSC - Folder Redirection GPO at OU=Departments rather than duplicating the LE GPO per department OU. Machines pick it up automatically as they are domain-joined in Phase 3. Blocked until the Phase 3 domain joins are further along.
  • phase2-new-shares.ps1 sent as base64 EncodedCommand — Sending the script body directly as a JSON string caused a Missing closing '}' parser error. Workaround: encode the script as UTF-16LE base64 and launch it with powershell.exe -EncodedCommand, so the API carries one opaque token with no newlines or quotes to escape. Use this pattern for any multi-line PS script sent via the GuruRMM command API. Two caveats: Windows caps a process command line at 32,767 characters and UTF-16LE plus base64 inflates the script to roughly 2.7x its size, so anything above about 12 KB has to be dropped on the server as a file and run with -File instead; and encoded-command launches are a standard EDR/SIEM detection trigger (the decoded body still lands in PowerShell script block logging, event 4104), so expect those alerts and be able to tie them to the RMM job.

Problems Encountered

  • phase2-new-shares.ps1 parser error via GuruRMM API — Sending the script as a raw JSON string caused PowerShell to fail with Missing closing '}'. Root cause: JSON serialization mangled the backtick line continuations. A trailing backtick is only a continuation when a newline follows it directly; once the line break is altered in transit the backtick escapes the next character instead, the statement never ends and the enclosing block never closes. Fixed by encoding the script as UTF-16LE base64 and using -EncodedCommand.
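The encoding workaround from Key Decisions and Problems Encountered, as an added example written for this page. The script body is a constructed stand-in that contains a backtick continuation like the one that broke; the single-field JSON body is an assumption about the GuruRMM command API's shape, not its documented format.

```powershell
# Added example: prepare a multi-line script for powershell.exe -EncodedCommand
# and check it before it leaves the workstation. Not the session's own script.

# Constructed stand-in with a backtick line continuation (the construct that
# the raw-JSON path mangled).
$script = @'
$shares = @('Management', 'Sales', 'Activities', 'Server')
foreach ($name in $shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    Write-Output ('{0}: {1}' -f `
        $name, $(if ($share) { $share.FolderEnumerationMode } else { 'missing' }))
}
'@

# -EncodedCommand expects base64 of the UTF-16LE ("Unicode") bytes, not UTF-8.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($script))

# Round-trip: decode what will be sent and run it through the real parser so a
# "Missing closing '}'" surfaces here rather than on CS-SERVER.
$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
$tokens = $null; $errors = $null
[System.Management.Automation.Language.Parser]::ParseInput($decoded, [ref]$tokens, [ref]$errors) | Out-Null
if ($errors.Count) {
    throw "Parse errors after round-trip: $(($errors | ForEach-Object Message) -join '; ')"
}

# Windows command-line limit is 32,767 characters; UTF-16LE + base64 is ~2.7x.
$cmdLine = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"
if ($cmdLine.Length -gt 32000) {
    throw "Encoded command is $($cmdLine.Length) chars; ship the script as a file and use -File"
}

# Assumed API body: one string field, so there is no script text to escape.
$body = @{ command = $cmdLine } | ConvertTo-Json -Compress
$body
```

The base64 token is plain ASCII, so it survives JSON, URL encoding and CRLF/LF normalisation unchanged; the parser check at the end catches the case the session hit, where the text reaching powershell.exe no longer matched what was written.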

Configuration Changes

| File | Change |
|---|---|
| clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1 | New — committed |
| clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1 | New — committed |
| clients/cascades-tucson/docs/servers/active-directory.md | Updated: SG- groups table, SMB shares table, GPO section, script status |

Infrastructure Changes on CS-SERVER

| Object | Type | Action |
|---|---|---|
| SG-Mgmt-RW | AD Security Group | Created in OU=Groups |
| SG-Sales-RO | AD Security Group | Created in OU=Groups |
| SG-Activities-RW | AD Security Group | Created in OU=Groups |
| D:\Shares\Management | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Sales | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Activities | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Server | Folder + SMB share | Created, ABE enabled, NTFS set |

Pending / Incomplete Tasks

| Item | Status | Notes |
|---|---|---|
| Populate new SG- groups with members | Pending | Per department, when each cuts over to the new shares |
| CSC - Folder Redirection GPO (all depts) | Pending | Blocked on Phase 3 domain joins. Check OneDrive KFM on each machine before applying. Use the GPMC close-and-reopen workaround (see 2026-04-17 session log). |
| n.castro — block M365 sign-in | Pending (from 2026-05-18) | `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` |
| Shontiel.Nunn old account — disable | Pending (from 2026-05-18) | s.nunn is the correct account |
| britney.thompson — disable + harvest M365 license | Pending | Departed 2026-04-22 |
| Alma.Montt — AD + cloud-only M365 conflict | Pending | Delete the cloud-only account, let Entra Connect sync the AD account |
| k.flores, g.williford, m.kariuki — employment status | On hold | Unconfirmed |
| Phase 3 domain joins | Pending | DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC → OU=Staff PCs |

Reference

  • Prior session log: clients/cascades-tucson/session-logs/2026-05-19-howard-alma-montt-account-completion.md
  • Folder redirection procedure: clients/cascades-tucson/session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md
  • AD structure: clients/cascades-tucson/docs/servers/active-directory.md