# Active Directory — cascades.local

## Domain Info (audit 2026-03-20)

- Domain: cascades.local (NetBIOS: CASCADES)
- Forest Functional Level: Windows2016Forest
- Domain Functional Level: Windows2016Domain
- Domain Controllers: CS-SERVER (192.168.2.254) — **ONLY DC** (all FSMO roles)
- Sites: Default-First-Site-Name
- No trusts configured

## AD Users (updated 2026-05-19)

**Changes since 2026-04-13:**

- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.

### Enabled Accounts — Staff (updated 2026-05-19)

**OU=Administrative**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |

**OU=Care-Assisted Living**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
| ~~britney.thompson~~ | ~~Britney Thompson~~ | ~~Memory Care Nurse~~ | **Disabled 2026-05-20 — departed 2026-04-22. M365 license still to harvest.** |

**OU=Care-Memorycare**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | |
| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) |

**OU=Caregivers** — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.

**OU=Culinary**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| JD.Martin | JD Martin | Culinary Director | |
| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) |
| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | |

**OU=Housekeeping**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |

**OU=Life Enrichment**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI |
| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM |

**OU=Maintenance**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC |
| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data |

**OU=Marketing**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |

**OU=Resident Services**

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christina.DuPras | Christina DuPras | Resident Services Director | |
| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ |
| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD |
| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk |
| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| ~~Shontiel.Nunn~~ | ~~Shontiel Nunn~~ | ~~RS Receptionist~~ | M365: Frontdesk@. **Disabled 2026-05-20 — s.nunn (Caregivers) is the correct current account.** |

**OU=Transportation** — all accounts disabled 2026-05-20

| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| ~~Christopher.Holick~~ | ~~Christopher Holick~~ | ~~Driver~~ | Fixed from Holik (2026-04-13). **Disabled 2026-05-20 — drivers no longer get IT access** |
| ~~Julian.Crim~~ | ~~Julian Crim~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** |
| ~~Richard.Adams~~ | ~~Richard Adams~~ | ~~Driver~~ | **Disabled 2026-05-20 — drivers no longer get IT access** |

**CN=Users — Service Accounts**

| SamAccountName | Notes |
|---------------|-------|
| Administrator | Built-in |
| localadmin | Local admin |
| sysadmin | System admin (IT) |
| MSOL_12be42ce1269 | Entra Connect service account |
| QBDataServiceUser34 | QuickBooks service account |

**OU=Excluded-From-Sync — Shared/Generic Accounts** (intentionally not syncing to Entra)

| SamAccountName | Notes |
|---------------|-------|
| Culinary | Generic dept account — replace Phase 5 |
| directoryshare | Shared resource — replace Phase 5 |
| RECEPTIONIST | Generic role account — replace Phase 5 |
| saleshare | Shared resource — replace Phase 5 |

**OU=ServiceAccounts**

| SamAccountName | Notes |
|---------------|-------|
| svc-audit-upload | GuruRMM audit upload service account |

### Disabled Accounts

| SamAccountName | Notes |
|---------------|-------|
| Guest | Built-in — correct to leave disabled |
| krbtgt | Built-in Kerberos — **password 569+ days old as of 2026-03-20, needs rotation** |

### Accounts Deleted (2026-04-13 cleanup)

Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol

## Caregiver Accounts (OU=Caregivers)

38 accounts, all shift caregivers/medtechs, first-initial.last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU).

a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed

s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.

## Domain-Joined Computers (8)

### OU=Domain Controllers

| Computer | Role |
|----------|------|
| CS-SERVER | Primary DC, File Server, Hyper-V host |

### CN=Computers (default)

| Computer | Role |
|----------|------|
| CS-QB | Hyper-V VM — VoIP server |

### OU=Staff PCs,OU=Workstations

| Computer | User | Role |
|----------|------|------|
| ACCT2-PC | Allison Reibschied | Accounting |
| CRYSTAL-PC | Crystal Rodriguez | Sales Associate |
| DESKTOP-H6QHRR7 | Sylvia Cuen | Staff workstation |
| DESKTOP-1ISF081 | TBD | Unknown — needs identification |
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |

### OU=Shared PCs,OU=Workstations

Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).

### Not Domain-Joined (on network but workgroup/unjoined)

- **SALES4-PC** — Sales workstation (10.0.20.203)
- **CHEF-PC** — Kitchen workstation (10.0.20.232)
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20)
- **DESKTOP-KQSL232** — Unknown (10.0.20.227)

Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).

## Organizational Units (current state — 2026-05-19)

OU cleanup is **complete**. All root-level duplicate OUs have been deleted. The structure below reflects live state.

```
cascades.local
├── Builtin (system)
├── Computers (default) — CS-QB (VoIP VM)
├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers
│   └── CS-SERVER
├── Departments
│   ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│   ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│   │   └── Nurses (empty sub-OU)
│   ├── Caregivers — 38 accounts (shift caregivers/medtechs, first-initial.last format)
│   ├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
│   ├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
│   ├── Housekeeping — Lupe.Sanchez
│   ├── Life Enrichment — Sharon.Edwards, Susan.Hicks
│   ├── Maintenance — John.Trozzi, Matt.Brooks
│   ├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
│   ├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
│   └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
├── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── ServiceAccounts — svc-audit-upload
└── Workstations
    ├── Shared PCs (empty)
    └── Staff PCs — domain-joined workstations
```

**Historical note:** Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.

## Security Groups (OU=Groups — live state 2026-05-20)

| Group | Members | Notes |
|-------|---------|-------|
| SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. |
| SG-CA-BreakGlass | 0 | Conditional Access break-glass group |
| SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra |
| SG-Chat-RW | 0 | Chat share access — legacy |
| SG-CourtesyPatrol | 0 | Courtesy patrol dept |
| SG-Culinary-RW | 0 | Culinary share access |
| SG-Directory-RW | 0 | Directory share access |
| SG-Drivers | 0 | Transportation drivers |
| SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in |
| SG-FrontDesk | 0 | Front desk dept |
| SG-IT-RW | 0 | IT share access |
| SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. |
| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. |
| SG-Office-PHI-External | 0 | PHI-authorized external access |
| SG-Office-PHI-Internal | 0 | PHI-authorized internal access |
| SG-Receptionist-RW | 0 | Receptionist share access |
| SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. |
| SG-Sales-RW | 0 | Sales share — Read/Write |
| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share |
| AuditUploaders | 0 | GuruRMM audit upload service |

**Legacy groups (CN=Users, not in OU=Groups):**

| Group | Members | Notes |
|-------|---------|-------|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
| Roaming | (empty) | Old roaming profile attempt — unused |
| MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated |

## Entra Connect (live state 2026-05-19)

Entra Connect is installed and running on CS-SERVER in production mode.

| Setting | Value |
|---------|-------|
| Installed on | CS-SERVER |
| Staging mode | FALSE (live production sync) |
| Scheduler | Enabled — next run: Delta |
| AD connector | cascades.local |
| Entra connector | NETORGFT4257522.onmicrosoft.com |
| OU sync scope | Full domain (dnList empty — unfiltered) |
| Service account | MSOL_12be42ce1269 (CN=Users) |

**OU=Excluded-From-Sync** is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.

All other OUs — including OU=Caregivers — are within scope and sync to Entra.
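The three claims in this section (production mode, scheduler enabled, excluded OU absent from the tenant) can be re-verified at any time with the following PowerShell check. It is an added example, not one of the project's migration scripts. It assumes it is run on CS-SERVER with the ADSync and ActiveDirectory modules present, that the Microsoft.Graph.Users module is installed, and that `Connect-MgGraph -Scopes 'User.Read.All'` has already been run in the session; the OU path is the one shown in the tree above.

```powershell
# Added example (not one of the project's migration scripts): confirm the Entra Connect
# state in the table above and that nothing under OU=Excluded-From-Sync reached the tenant.
# Assumptions: run on CS-SERVER (ADSync + ActiveDirectory modules), Microsoft.Graph.Users
# installed, and Connect-MgGraph -Scopes 'User.Read.All' already completed in this session.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler: staging mode off, sync cycle on, next run type (the table says Delta).
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    StagingModeEnabled = $sched.StagingModeEnabled        # expected False
    SyncCycleEnabled   = $sched.SyncCycleEnabled          # expected True
    NextCycleUtc       = $sched.NextSyncCycleStartTimeInUTC
    NextCycleType      = $sched.NextSyncCyclePolicyType   # expected Delta
} | Format-List

# 2. Every synced user in the tenant, keyed by ImmutableId. Entra Connect sets
#    onPremisesImmutableId to the base64 of the on-prem objectGUID, which makes it the
#    reliable join key (UPN suffixes can be rewritten on the way up, so UPN is not).
$synced = Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All `
            -Property Id,UserPrincipalName,OnPremisesImmutableId
$syncedIds = @{}
foreach ($s in $synced) {
    if ($s.OnPremisesImmutableId) { $syncedIds[$s.OnPremisesImmutableId] = $s.UserPrincipalName }
}

# 3. Accounts in the excluded OU must NOT appear in that set.
$excludedOu = 'OU=Excluded-From-Sync,DC=cascades,DC=local'
$leaks = 0
foreach ($u in (Get-ADUser -SearchBase $excludedOu -Filter *)) {
    $id = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
    if ($syncedIds.ContainsKey($id)) {
        $leaks++
        Write-Warning "$($u.SamAccountName) is synced to Entra as $($syncedIds[$id]) - exclusion is not effective"
    } else {
        Write-Host "OK: $($u.SamAccountName) is not in Entra"
    }
}
"Excluded OU accounts found in tenant: $leaks (expected 0)"
```

Run it after any change to the connector's OU filtering and after adding an account to the excluded OU; a non-zero count means the OU filter was not saved or a full sync has not yet run since the account was moved.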

**Historical note:** As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.

## SMB Shares (live — D:\ on CS-SERVER)

Verified live via GuruRMM `Get-SmbShare` on 2026-05-20. ABE = Access-Based Enumeration (users see only folders they can access).

### New shares — Phase 2.5 (created 2026-05-20, ABE on, proper SG- NTFS)

These are the authoritative Phase 2.5 shares. Empty until each department cuts over from Synology/legacy. Groups will be populated at cutover.

| Share | Path | NTFS Permissions | Drive letter (planned) |
|-------|------|-----------------|----------------------|
| Activities | D:\Shares\Activities | SG-Activities-RW (Modify), Domain Admins (Full) | A: or T: (TBD) |
| Management | D:\Shares\Management | SG-Mgmt-RW (Modify), Domain Admins (Full) | M: |
| Sales | D:\Shares\Sales | SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute) | S: |
| Server | D:\Shares\Server | SG-IT-RW (Modify), Domain Users (ReadAndExecute) | V: (IT use) |
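The pattern behind the four shares in the table (ABE on, a permissive share-level ACL, and group-based NTFS permissions with inheritance from D:\Shares cut off) can be expressed as one reusable function. This is an added example written to match the table; it is not the project's `phase2-new-shares.ps1`. It assumes it runs on CS-SERVER as a Domain Admin, and it grants SYSTEM and Domain Admins Full Control on every share, which the table lists explicitly only for Activities and Management.

```powershell
# Added example: create a Phase 2.5-style share with ABE and SG- NTFS permissions.
# Not the project's phase2-new-shares.ps1. Assumes: run on CS-SERVER as Domain Admin;
# SYSTEM and Domain Admins get Full Control on every share (assumption, see lead-in).
function New-DeptShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Modify      = @(),   # groups that get Modify
        [string[]]$ReadExecute = @()    # groups that get ReadAndExecute
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS: disable inheritance and discard inherited ACEs so permissions granted on the
    # legacy D:\Shares root share do not leak into the new department folder.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'CASCADES\Domain Admins'; Rights = 'FullControl' }
    )
    foreach ($g in $Modify)      { $rules += @{ Id = $g; Rights = 'Modify' } }
    foreach ($g in $ReadExecute) { $rules += @{ Id = $g; Rights = 'ReadAndExecute' } }
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share: open share-level ACL so NTFS is the single place access is decided;
    # ABE hides folders the caller cannot read.
    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
    } else {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'NT AUTHORITY\Authenticated Users' `
                     -FolderEnumerationMode AccessBased | Out-Null
    }
}

# The four shares from the table above.
New-DeptShare -Name Activities -Path D:\Shares\Activities -Modify 'CASCADES\SG-Activities-RW'
New-DeptShare -Name Management -Path D:\Shares\Management -Modify 'CASCADES\SG-Mgmt-RW'
New-DeptShare -Name Sales      -Path D:\Shares\Sales      -Modify 'CASCADES\SG-Sales-RW' -ReadExecute 'CASCADES\SG-Sales-RO'
New-DeptShare -Name Server     -Path D:\Shares\Server     -Modify 'CASCADES\SG-IT-RW'    -ReadExecute 'CASCADES\Domain Users'

# Verify: ABE on for each share, and the effective NTFS ACEs are explicit (IsInherited = False).
Get-SmbShare -Name Activities,Management,Sales,Server | Select-Object Name,Path,FolderEnumerationMode
(Get-Acl D:\Shares\Sales).Access | Select-Object IdentityReference,FileSystemRights,IsInherited
```

The verification lines are the ones worth keeping in a runbook: `FolderEnumerationMode` must read `AccessBased` for every new share, and any ACE with `IsInherited = True` on a department folder means the root share's permissions are still flowing down.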

### Legacy shares — still active, pre-Phase 2.5 (no ABE, no SG- groups)

Do NOT populate these further. They remain in service until Phase 4 cutover retires Synology + legacy paths.

| Share | Path | Status |
|-------|------|--------|
| Culinary | D:\Shares\Culinary | Active — kitchen staff use this now |
| directoryshare | D:\Shares\directoryshare | Active — resident directory |
| homes | D:\Homes | Active — folder redirection target (D:\Homes, not D:\Shares\Homes) |
| Receptionist | D:\Shares\Receptionist | Active — Tower front-desk scan drop |
| IT | D:\Shares\IT | **Superseded by Server share above** — leave in place until Phase 4, do not add new content |
| Shares | D:\Shares | Root share — legacy access path |

### Service / system shares

| Share | Path | Notes |
|-------|------|-------|
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden, write-only for AuditUploaders |
| MemCare Director Printer | (printer) | MF451CDW |
| MemCare MedTech Printer | (printer) | Brother MFC-L8900CDW |
| RecRoom-Canon | (printer) | 1F-132-RecRoom-Canon |
| ADMIN$, C$, D$, IPC$, print$ | (system) | Standard Windows — do not remove |
| RDVirtualDesktopTemplate | C:\RDVirtualDesktopTemplate | RDS artifact — remove with RDS role in Phase 5 |

**Printers shared from CS-SERVER (13 — Phase 2.6 COMPLETE 2026-05-20):**

| Share | Device | ILT (GPO) |
|-------|--------|-----------|
| CopyRoom | Canon imageRunner C478iF (192.168.2.230) | All staff |
| BusinessOffice | Brother MFC-L8900CDW (10.0.20.220) | OU=Administrative |
| Accounting | Canon imageClass MF455DW (192.168.3.227) | OU=Administrative |
| AdminOffice | Brother MFC-9340CDW (192.168.2.145) | OU=Administrative OR OU=Resident Services |
| ExecDirector | Canon imageClass MF743CDW (192.168.2.67) | OU=Administrative |
| SalesMarketing | Brother MFC-L8900CDW (192.168.3.44) | OU=Marketing |
| Kitchen | Canon imageClass MF743CDW (192.168.3.232) | OU=Culinary |
| CulinaryChef | Brother MFC-9330CDW (192.168.3.88) | OU=Culinary |
| FrontDesk | Epson ET-5800 (192.168.2.147) | OU=Resident Services |
| HealthServices | KM C368 (192.168.1.138) | OU=Care-Assisted Living OR OU=Care-Memorycare |
| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment |
| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare |
| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare |

## Group Policy (as of 2026-05-20)

GPOs exist but effectiveness is limited since most PCs are not domain-joined. All CSC - GPOs are **UNLINKED** until Phase 3 domain join cutover.

| GPO | Link | Settings | Notes |
|-----|------|----------|-------|
| Default Domain Policy | Domain root | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min. Kerberos defaults. | OK |
| Default Domain Controllers Policy | OU=Domain Controllers | IIS app pool audit rights, print operator driver loading. | OK |
| Power Options | — | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| CSC - Always Wait For Network | — | AlwaysWaitForNetwork + synchronous logon | Pre-existing |
| CSC - Folder Redirection (LE) | OU=Life Enrichment | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. | LIVE — Sharon Edwards + Susan Hicks |
| CSC - Folder Redirection | — | Same as LE GPO but for all staff OUs. UNLINKED. | Blocked on Phase 3 |
| CSC - Life Enrichment Printers | OU=Life Enrichment | Printer preferences for LE staff | LIVE |
| CSC - Security Baseline | UNLINKED | Screen lock 15 min / password on resume (HKCU). GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30. | Created 2026-05-20. Link at domain root at Phase 3. |
| CSC - Windows Update | UNLINKED | AUOptions=4 (auto DL+install), Sunday 3 AM, NoAutoRebootWithLoggedOnUsers=1, featured software off. | Created 2026-05-20. Link at domain root at Phase 3. |
| CSC - Printer Deployment | UNLINKED | 13 printers with OU-based ILT in Printers.xml. CopyRoom = all staff. Others scoped by OU. | Created 2026-05-20. Link to OU=Workstations at Phase 3. |
| CSC - Drive Mappings | UNLINKED | M: Management (SG-Mgmt-RW), S: Sales (SG-Sales-RW), T: Activities (SG-Activities-RW), K: Culinary (OU), R: Receptionist (OU). | Created 2026-05-20. Link to OU=Departments at Phase 3. |
| ~~CopyRoomPrinter~~ | — | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | — | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | — | EMPTY | **DELETED 2026-03-09** |

**GPOs Remaining (Phase 3+):**

- **CSC - Folder Redirection** — Link to OU=Departments at Phase 3. Blocked on domain joins. CRITICAL: check OneDrive KFM before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log).
- **CSC - Shared Workstation** — Future: linked to Shared PCs OU; ILT for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount.

**Phase 3 GPO linking order** (after first successful domain join per phase3-domain-join.md step 5c):

1. Link CSC - Security Baseline → domain root
2. Link CSC - Windows Update → domain root
3. Link CSC - Printer Deployment → OU=Workstations
4. Link CSC - Drive Mappings → OU=Departments
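The four linking steps above, as an idempotent PowerShell script (added example, not the project's own; it assumes the GroupPolicy and ActiveDirectory modules on CS-SERVER and the container DNs implied by the OU tree on this page, `OU=Workstations` and `OU=Departments` directly under the domain root):

```powershell
# Added example: Phase 3 GPO links in the order listed above, with a pre-check that
# each GPO exists and is not already linked to its target. Not the project's own script.
# Assumptions: GroupPolicy + ActiveDirectory modules; OU=Workstations and OU=Departments
# sit directly under DC=cascades,DC=local as the OU tree on this page shows.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName    # DC=cascades,DC=local
$links = @(
    @{ Gpo = 'CSC - Security Baseline';  Target = $domainDn },
    @{ Gpo = 'CSC - Windows Update';     Target = $domainDn },
    @{ Gpo = 'CSC - Printer Deployment'; Target = "OU=Workstations,$domainDn" },
    @{ Gpo = 'CSC - Drive Mappings';     Target = "OU=Departments,$domainDn" }
)

foreach ($l in $links) {
    # Fail loudly if the GPO name is mistyped rather than silently creating nothing.
    $gpo = Get-GPO -Name $l.Gpo -ErrorAction Stop
    # gPLink on the container holds the GUIDs of every GPO linked there; skip if present.
    $target = Get-ADObject -Identity $l.Target -Properties gPLink
    if ($target.gPLink -and $target.gPLink -match [regex]::Escape($gpo.Id.ToString())) {
        Write-Host "Already linked: $($l.Gpo) -> $($l.Target)"
        continue
    }
    New-GPLink -Name $l.Gpo -Target $l.Target -LinkEnabled Yes | Out-Null
    Write-Host "Linked: $($l.Gpo) -> $($l.Target)"
}

# Post-check: what is now linked at each target, with link order (1 = highest precedence).
foreach ($t in ($links.Target | Sort-Object -Unique)) {
    Write-Host "`n$t"
    (Get-GPInheritance -Target $t).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
}
```

One check the post-listing makes visible: `New-GPLink` appends the new link at the lowest precedence. Because password and lockout settings are read only from the domain-root GPO with the highest precedence, the 12-character minimum in CSC - Security Baseline will not take effect over Default Domain Policy (7-character minimum) unless its link order is moved above it (`Set-GPLink -Order`) or the setting is carried into Default Domain Policy; decide which before linking.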

## RDS Licensing

- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
- Decision deferred to Phase 5.

## Domain Admins

| Account | Status | Notes |
|---------|--------|-------|
| Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
| John.Trozzi | Enabled | Should be removed — maintenance, not IT |
| ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
| sysadmin | Enabled | OK (IT account) |

## Pending Issues

| Issue | Account | Action Needed |
|-------|---------|---------------|
| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — AD disabled. M365: sign-in blocked, license removed, litigation hold applied. |
| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. |
| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. |
| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. |
| ~~britney.thompson M365 offboarding~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — sign-in blocked, license removed, litigation hold applied via sysadmin@. |

## Login Activity (audit 2026-03-20 — historical/stale)

Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.

| Account | Last Logon | Notes |
|---------|-----------|-------|
| sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account |
| directoryshare | 2026-03-10 | Shared account |
| localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account |
| Christina.DuPras | 2026-01-06 | |
| saleshare | 2025-12-08 | Shared account |
| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |

37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
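The two deferred items in Pending Issues (krbtgt password age, non-IT members of Domain Admins) and the stale Login Activity table above are all answerable from one read-only query against the DC. The following is an added example, not one of the project's scripts; the Domain Admins allowlist (Administrator, sysadmin) is taken from the Domain Admins table on this page, and the 180-day krbtgt threshold and 90-day stale threshold are assumptions chosen for illustration.

```powershell
# Added example: read-only AD hygiene report for the open items on this page.
# Not one of the project's scripts. Assumptions: ActiveDirectory module; allowlist of IT
# admin accounts taken from the Domain Admins table; thresholds are illustrative defaults.
Import-Module ActiveDirectory

function Get-CascadesAdAudit {
    param(
        [string[]]$AdminAllowlist   = @('Administrator', 'sysadmin'),
        [int]$KrbtgtMaxAgeDays      = 180,   # assumption: rotate at least twice a year
        [int]$StaleDays             = 90
    )
    $now = Get-Date

    # 1. krbtgt password age (the page recorded 569+ days on 2026-03-20).
    $krbtgt    = Get-ADUser krbtgt -Properties PasswordLastSet
    $krbtgtAge = [int]($now - $krbtgt.PasswordLastSet).TotalDays

    # 2. Domain Admins members outside the IT allowlist. -Recursive so that anyone
    #    reaching the group through a nested group is reported too.
    $nonIt = Get-ADGroupMember 'Domain Admins' -Recursive |
             Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $AdminAllowlist }

    # 3. Enabled users that have never logged in, or not within $StaleDays.
    #    LastLogonDate is the replicated lastLogonTimestamp (up to ~14 days behind),
    #    which is accurate enough for a single-DC domain and for this kind of report.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate
    $never = $users | Where-Object { -not $_.LastLogonDate }
    $stale = $users | Where-Object { $_.LastLogonDate -and ($now - $_.LastLogonDate).TotalDays -gt $StaleDays }

    [pscustomobject]@{
        KrbtgtPasswordAgeDays = $krbtgtAge
        KrbtgtNeedsRotation   = ($krbtgtAge -gt $KrbtgtMaxAgeDays)
        NonItDomainAdmins     = @($nonIt.SamAccountName)
        EnabledUsers          = $users.Count
        NeverLoggedIn         = @($never.SamAccountName | Sort-Object)
        StaleBeyondThreshold  = @($stale | Sort-Object LastLogonDate |
                                  ForEach-Object { "$($_.SamAccountName) ($($_.LastLogonDate.ToString('yyyy-MM-dd')))" })
    }
}

$report = Get-CascadesAdAudit
$report | Format-List
```

The report only measures; it changes nothing. When the krbtgt item is picked up, the reset is a two-step operation (a second reset no sooner than the maximum ticket lifetime, 10 hours by default, after the first, so outstanding tickets expire between them), which is why this page defers it rather than folding it into a cleanup script.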

## Migration Plan Reference

See `migration/phase2-server-prep.md` for full phase details. Scripts referenced throughout this doc:

- `migration/scripts/phase2-ou-cleanup.ps1` — OU audit + delete (COMPLETE)
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
- `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
- `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
- `migration/scripts/phase2-print-server.ps1` — 13 printers installed + shared on CS-SERVER — COMPLETE 2026-05-20
- `.claude/temp/gpo-script1.ps1` — AD account cleanup (5 accounts disabled) + CSC - Security Baseline + CSC - Windows Update — COMPLETE 2026-05-20
- `.claude/temp/gpo-script2.ps1` — CSC - Printer Deployment (13 printers, OU ILT) + CSC - Drive Mappings (M: S: T: K: R:) — COMPLETE 2026-05-20

**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations. MDIRECTOR-PC needs Windows 10 Pro upgrade first.

**Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.