azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a264ee3fabfdfded7e2bb64dc86ece16c31d99e
claudetools/clients/cascades-tucson/docs/servers/active-directory.md

23 KiB
Raw Blame History

Active Directory — cascades.local

Domain Info (audit 2026-03-20)

  • Domain: cascades.local (NetBIOS: CASCADES)
  • Forest Functional Level: Windows2016Forest
  • Domain Functional Level: Windows2016Domain
  • Domain Controllers: CS-SERVER (192.168.2.254) — ONLY DC (all FSMO roles)
  • Sites: Default-First-Site-Name
  • No trusts configured

AD Users (updated 2026-05-19)

Changes since 2026-04-13:

  • Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
  • Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
  • Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
  • Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
  • 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
  • s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.

Enabled Accounts — Staff (updated 2026-05-19)

OU=Administrative

SamAccountName Name Position Notes
Meredith.Kuhn Meredith Kuhn Executive Director
Ashley.Jensen Ashley Jensen Assistant Executive Director M365: Accounting@
lauren.hasselman Lauren Hasselman Business Office Director lowercase SAM. Replaced Jeff Bristol. M365: Accounting@
Alma.Montt Alma Montt Life Enrichment Provisioned 2026-05-19. Cloud-only M365 account also created same day — reconcile before next Entra sync (see Pending Issues)
Zachary.Nelson Zachary Nelson Accounting Assistant Confirmed 2026-05-19. Replacing Allison.Reibschied.
Allison.Reibschied Allison Reibschied Accounting Assistant Disabled 2026-05-19 — no longer employed.

OU=Care-Assisted Living

SamAccountName Name Position Notes
Lois.Lane Lois Lane Health Services Director M365: Nurses@
karen.rossini Karen Rossini Health Services Manager lowercase SAM. M365: Nurses@
Veronica.Feller Veronica Feller Care Assisted Living Aide
britney.thompson Britney Thompson Memory Care Nurse Disabled 2026-05-20 — departed 2026-04-22. M365 license still to harvest.

OU=Care-Memorycare

SamAccountName Name Position Notes
Christine.Nyanzunda Christine Nyanzunda Memory Care Admin Assistant
Shelby.Trozzi Shelby Trozzi Memory Care Director Renamed from strozzi (2026-04-13)

OU=Caregivers — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.

OU=Culinary

SamAccountName Name Position Notes
JD.Martin JD Martin Culinary Director
Alyssa.Brooks Alyssa Brooks Dining Manager Renamed from Alyssa.Shestko (2026-04-13)
Ramon.Castaneda Ramon Castaneda Kitchen Manager

OU=Housekeeping

SamAccountName Name Position Notes
Lupe.Sanchez Lupe Sanchez Housekeeping Director Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13)

OU=Life Enrichment

SamAccountName Name Position Notes
Sharon.Edwards Sharon Edwards Life Enrichment Assistant PC: DESKTOP-DLTAGOI
Susan.Hicks Susan Hicks Life Enrichment Director PC: DESKTOP-ROK7VNM

OU=Maintenance

SamAccountName Name Position Notes
John.Trozzi John Trozzi Maintenance Director PC: MAINTENANCE-PC
Matt.Brooks Matt Brooks Memory Care Receptionist Dept listed as Maintenance in HR data

OU=Marketing

SamAccountName Name Position Notes
Megan.Hiatt Megan Hiatt Sales Director M365: Sales@
Crystal.Rodriguez Crystal Rodriguez Sales Associate PC: CRYSTAL-PC. M365: Sales@
Tamra.Matthews Tamra Matthews Move-In Coordinator Renamed from Tamra.Johnson (2026-04-13)

OU=Resident Services

SamAccountName Name Position Notes
Christina.DuPras Christina DuPras Resident Services Director
Cathy.Kingston Cathy Kingston RS Receptionist M365: Frontdesk@
Kyla.QuickTiffany Kyla Quick Tiffany RS Receptionist M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD
Michelle.Shestko Michelle Shestko RS Receptionist M365: MC Front Desk
Ray.Rai Ray Rai RS Courtesy Patrol M365: Frontdesk@
Sebastian.Leon Sebastian Leon RS Courtesy Patrol M365: Frontdesk@, Courtesypatrol@
Sheldon.Gardfrey Sheldon Gardfrey RS Courtesy Patrol M365: Frontdesk@, Courtesypatrol@
Shontiel.Nunn Shontiel Nunn RS Receptionist M365: Frontdesk@. Disabled 2026-05-20 — s.nunn (Caregivers) is the correct current account.

OU=Transportation — all accounts disabled 2026-05-20

SamAccountName Name Position Notes
Christopher.Holick Christopher Holick Driver Fixed from Holik (2026-04-13). Disabled 2026-05-20 — drivers no longer get IT access
Julian.Crim Julian Crim Driver Disabled 2026-05-20 — drivers no longer get IT access
Richard.Adams Richard Adams Driver Disabled 2026-05-20 — drivers no longer get IT access

CN=Users — Service Accounts

SamAccountName Notes
Administrator Built-in
localadmin Local admin
sysadmin System admin (IT)
MSOL_12be42ce1269 Entra Connect service account
QBDataServiceUser34 QuickBooks service account

OU=Excluded-From-Sync — Shared/Generic Accounts (intentionally not syncing to Entra)

SamAccountName Notes
Culinary Generic dept account — replace Phase 5
directoryshare Shared resource — replace Phase 5
RECEPTIONIST Generic role account — replace Phase 5
saleshare Shared resource — replace Phase 5

OU=ServiceAccounts

SamAccountName Notes
svc-audit-upload GuruRMM audit upload service account

Disabled Accounts

SamAccountName Notes
Guest Built-in — correct to leave disabled
krbtgt Built-in Kerberos — password 569+ days old as of 2026-03-20, needs rotation

Accounts Deleted (2026-04-13 cleanup)

Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol

Caregiver Accounts (OU=Caregivers)

38 accounts, all shift caregivers/medtechs, first-initial-last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU).

a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed

s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.

Domain-Joined Computers (8)

OU=Domain Controllers

Computer Role
CS-SERVER Primary DC, File Server, Hyper-V host

CN=Computers (default)

Computer Role
CS-QB Hyper-V VM — VoIP server

OU=Staff PCs,OU=Workstations

Computer User Role
ACCT2-PC Allison Reibschied Accounting
CRYSTAL-PC Crystal Rodriguez Sales Associate
DESKTOP-H6QHRR7 Sylvia Cuen Staff workstation
DESKTOP-1ISF081 TBD Unknown — needs identification
DESKTOP-DLTAGOI Sharon Edwards Life Enrichment Assistant
DESKTOP-ROK7VNM Susan Hicks Life Enrichment Director

OU=Shared PCs,OU=Workstations

Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).

Not Domain-Joined (on network but workgroup/unjoined)

  • SALES4-PC — Sales workstation (10.0.20.203)
  • CHEF-PC — Kitchen workstation (10.0.20.232)
  • MDIRECTOR-PC — MemCare Director (192.168.3.20)
  • DESKTOP-KQSL232 — Unknown (10.0.20.227)

Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).

Organizational Units (current state — 2026-05-19)

OU cleanup is complete. All root-level duplicate OUs have been deleted. The structure below reflects live state.

cascades.local
├── Builtin (system)
├── Computers (default) — CS-QB (VoIP VM)
├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers
│   └── CS-SERVER
├── Departments
│   ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│   ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│   │   └── Nurses (empty sub-OU)
│   ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
│   ├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
│   ├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
│   ├── Housekeeping — Lupe.Sanchez
│   ├── Life Enrichment — Sharon.Edwards, Susan.Hicks
│   ├── Maintenance — John.Trozzi, Matt.Brooks
│   ├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
│   ├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
│   └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
├── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── ServiceAccounts — svc-audit-upload
└── Workstations
    ├── Shared PCs (empty)
    └── Staff PCs — domain-joined workstations

Historical note: Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.

Security Groups (OU=Groups — live state 2026-05-20)

Group Members Notes
SG-Activities-RW 0 Activities share — Read/Write (Life Enrichment). Created 2026-05-20.
SG-CA-BreakGlass 0 Conditional Access break-glass group
SG-Caregivers 38 All shift caregivers/medtechs — syncing to Entra
SG-Chat-RW 0 Chat share access — legacy
SG-CourtesyPatrol 0 Courtesy patrol dept
SG-Culinary-RW 0 Culinary share access
SG-Directory-RW 0 Directory share access
SG-Drivers 0 Transportation drivers
SG-External-Signin-Allowed 0 CA policy — allowed external sign-in
SG-FrontDesk 0 Front desk dept
SG-IT-RW 0 IT share access
SG-Management-RW 0 Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share.
SG-Mgmt-RW 0 Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20.
SG-Office-PHI-External 0 PHI-authorized external access
SG-Office-PHI-Internal 0 PHI-authorized internal access
SG-Receptionist-RW 0 Receptionist share access
SG-Sales-RO 0 Sales share — Read Only. Created 2026-05-20.
SG-Sales-RW 0 Sales share — Read/Write
SG-Server-RW 0 Server share — OLD group, do not use for new Server share
AuditUploaders 0 GuruRMM audit upload service

Legacy groups (CN=Users, not in OU=Groups):

Group Members Notes
QuickBooks Access Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman Renamed from "Quickboosk acccess" on 2026-03-09
Roaming (empty) Old roaming profile attempt — unused
MemoryCareDepartment (empty) Never populated
KitchenAdmin (empty) Never populated

Entra Connect (live state 2026-05-19)

Entra Connect is installed and running on CS-SERVER in production mode.

Setting Value
Installed on CS-SERVER
Staging mode FALSE (live production sync)
Scheduler Enabled — next run: Delta
AD connector cascades.local
Entra connector NETORGFT4257522.onmicrosoft.com
OU sync scope Full domain (dnList empty — unfiltered)
Service account MSOL_12be42ce1269 (CN=Users)

OU=Excluded-From-Sync is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.

All other OUs — including OU=Caregivers — are within scope and sync to Entra.

Historical note: As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.

SMB Shares (live — D:\ on CS-SERVER)

Verified live via GuruRMM Get-SmbShare on 2026-05-20. ABE = Access-Based Enumeration (users see only folders they can access).

New shares — Phase 2.5 (created 2026-05-20, ABE on, proper SG- NTFS)

These are the authoritative Phase 2.5 shares. Empty until each department cuts over from Synology/legacy. Groups will be populated at cutover.

Share Path NTFS Permissions Drive letter (planned)
Activities D:\Shares\Activities SG-Activities-RW (Modify), Domain Admins (Full) A: or T: (TBD)
Management D:\Shares\Management SG-Mgmt-RW (Modify), Domain Admins (Full) M:
Sales D:\Shares\Sales SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute) S:
Server D:\Shares\Server SG-IT-RW (Modify), Domain Users (ReadAndExecute) V: (IT use)

Legacy shares — still active, pre-Phase 2.5 (no ABE, no SG- groups)

Do NOT populate these further. They remain in service until Phase 4 cutover retires Synology + legacy paths.

Share Path Status
Culinary D:\Shares\Culinary Active — kitchen staff use this now
directoryshare D:\Shares\directoryshare Active — resident directory
homes D:\Homes Active — folder redirection target (D:\Homes, not D:\Shares\Homes)
Receptionist D:\Shares\Receptionist Active — Tower front-desk scan drop
IT D:\Shares\IT Superseded by Server share above — leave in place until Phase 4, do not add new content
Shares D:\Shares Root share — legacy access path

Service / system shares

Share Path Notes
AuditDrop$ D:\Shares\AuditDrop GuruRMM audit drop — hidden, write-only for AuditUploaders
MemCare Director Printer (printer) MF451CDW
MemCare MedTech Printer (printer) Brother MFC-L8900CDW
RecRoom-Canon (printer) 1F-132-RecRoom-Canon
ADMIN$, C$, D$, IPC$, print$ (system) Standard Windows — do not remove
RDVirtualDesktopTemplate C:\RDVirtualDesktopTemplate RDS artifact — remove with RDS role in Phase 5

Printers shared from CS-SERVER (13 — Phase 2.6 COMPLETE 2026-05-20):

Share Device ILT (GPO)
CopyRoom Canon imageRunner C478iF (192.168.2.230) All staff
BusinessOffice Brother MFC-L8900CDW (10.0.20.220) OU=Administrative
Accounting Canon imageClass MF455DW (192.168.3.227) OU=Administrative
AdminOffice Brother MFC-9340CDW (192.168.2.145) OU=Administrative OR OU=Resident Services
ExecDirector Canon imageClass MF743CDW (192.168.2.67) OU=Administrative
SalesMarketing Brother MFC-L8900CDW (192.168.3.44) OU=Marketing
Kitchen Canon imageClass MF743CDW (192.168.3.232) OU=Culinary
CulinaryChef Brother MFC-9330CDW (192.168.3.88) OU=Culinary
FrontDesk Epson ET-5800 (192.168.2.147) OU=Resident Services
HealthServices KM C368 (192.168.1.138) OU=Care-Assisted Living OR OU=Care-Memorycare
LifeEnrichment (via Life Enrichment Printers GPO) OU=Life Enrichment
MCDirector Canon imageClass MF751CDW (192.168.3.52) OU=Care-Memorycare
MCMedTech Brother (192.168.2.53) OU=Caregivers OR OU=Care-Memorycare

Group Policy (as of 2026-05-20)

GPOs exist but effectiveness is limited since most PCs are not domain-joined. All CSC - GPOs are UNLINKED until Phase 3 domain join cutover.

GPO Link Settings Notes
Default Domain Policy Domain root Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min. Kerberos defaults. OK
Default Domain Controllers Policy OU=Domain Controllers IIS app pool audit rights, print operator driver loading. OK
Power Options "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. Keep
CSC - Always Wait For Network AlwaysWaitForNetwork + synchronous logon Pre-existing
CSC - Folder Redirection (LE) OU=Life Enrichment Documents + Downloads → \\CS-SERVER\homes\%USERNAME%\. GrantExclusive=false, MoveContents=true. LIVE — Sharon Edwards + Susan Hicks
CSC - Folder Redirection Same as LE GPO but for all staff OUs. UNLINKED. Blocked on Phase 3
CSC - Life Enrichment Printers OU=Life Enrichment Printer preferences for LE staff LIVE
CSC - Security Baseline UNLINKED Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. Created 2026-05-20. Link at domain root at Phase 3.
CSC - Windows Update UNLINKED AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. Created 2026-05-20. Link at domain root at Phase 3.
CSC - Printer Deployment UNLINKED 13 printers with OU-based ILT in Printers.xml. CopyRoom = all staff. Others scoped by OU. Created 2026-05-20. Link to OU=Workstations at Phase 3.
CSC - Drive Mappings UNLINKED M: Management (SG-Mgmt-RW), S: Sales (SG-Sales-RW), T: Activities (SG-Activities-RW), K: Culinary (OU), R: Receptionist (OU). Created 2026-05-20. Link to OU=Departments at Phase 3.
CopyRoomPrinter EMPTY DELETED 2026-03-09
Nurses-Kiosk EMPTY DELETED 2026-03-09
MemCareMedTechPrinter EMPTY DELETED 2026-03-09

GPOs Remaining (Phase 3+):

  • CSC - Folder Redirection — Link to OU=Departments at Phase 3. Blocked on domain joins. CRITICAL: check OneDrive KFM before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log).
  • CSC - Shared Workstation — Future: linked to Shared PCs OU; ILT for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount.

Phase 3 GPO linking order (after first successful domain join per phase3-domain-join.md step 5c):

  1. Link CSC - Security Baseline → domain root
  2. Link CSC - Windows Update → domain root
  3. Link CSC - Printer Deployment → OU=Workstations
  4. Link CSC - Drive Mappings → OU=Departments

RDS Licensing

  • Mode: NotConfigured
  • License Servers: None
  • RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
  • Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
  • Decision deferred to Phase 5.

Domain Admins

Account Status Notes
Administrator Enabled OK (built-in)
Meredith.Kuhn Enabled Should be removed — administrative staff, not IT
John.Trozzi Enabled Should be removed — maintenance, not IT
Monica.Ramirez Removed Removed 2026-03-09 (account was disabled)
sysadmin Enabled OK (IT account)

Pending Issues

Issue Account Action Needed
Still enabled — departed britney.thompson DONE 2026-05-20 — AD disabled. M365: sign-in blocked, license removed, litigation hold applied.
Still enabled — flagged for disable Richard.Adams, Julian.Crim, Christopher.Holick DONE 2026-05-20 — all disabled.
Old-format account — superseded Shontiel.Nunn DONE 2026-05-20 — disabled. s.nunn (Caregivers) is the active account.
Cloud-only M365 account — RESOLVED Alma.Montt Intentional and correct — no AD sync conflict.
krbtgt password age krbtgt 569+ days old as of 2026-03-20. Needs rotation. Deferred.
Meredith.Kuhn + John.Trozzi in Domain Admins Both Non-IT staff — remove from Domain Admins. Deferred.
britney.thompson M365 offboarding britney.thompson DONE 2026-05-20 — sign-in blocked, license removed, litigation hold applied via sysadmin@.

Login Activity (audit 2026-03-20 — historical/stale)

Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.

Account Last Logon Notes
sysadmin 2026-03-16
QBDataServiceUser34 2026-03-14 QuickBooks service
Allison.Reibschied 2026-03-13 Administrative
lauren.hasselman 2026-03-12 Business Office Director
Administrator 2026-03-11
Receptionist 2026-03-11 Shared account
directoryshare 2026-03-10 Shared account
localadmin 2026-03-09
Crystal.Rodriguez 2026-03-09 CRYSTAL-PC
Culinary 2026-02-20 Shared account
Christina.DuPras 2026-01-06
saleshare 2025-12-08 Shared account
Monica.Ramirez 2024-11-04 Disabled — now deleted

37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).

Migration Plan Reference

See migration/phase2-server-prep.md for full phase details. Scripts referenced throughout this doc:

  • migration/scripts/phase2-ou-cleanup.ps1 — OU audit + delete (COMPLETE)
  • migration/scripts/phase2-ad-setup.ps1 — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
  • migration/scripts/phase2-ad-groups-new.ps1 — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
  • migration/scripts/phase2-new-shares.ps1 — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
  • migration/scripts/phase2-print-server.ps1 — 13 printers installed + shared on CS-SERVER — COMPLETE 2026-05-20
  • .claude/temp/gpo-script1.ps1 — AD account cleanup (5 accounts disabled) + CSC - Security Baseline + CSC - Windows Update — COMPLETE 2026-05-20
  • .claude/temp/gpo-script2.ps1 — CSC - Printer Deployment (13 printers, OU ILT) + CSC - Drive Mappings (M: S: T: K: R:) — COMPLETE 2026-05-20

Phase 3 domain joins (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations. MDIRECTOR-PC needs Windows 10 Pro upgrade first.

Phase 5 (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.

Reference in New Issue View Git Blame Copy Permalink