# Cascades — Printer / VLAN 20 Migration Map (GPO planning)

Living reference for the migration of staff machines + printers off the flat old LAN
("CSC ENT", 192.168.0.0/22) onto **Staff VLAN 20 (10.0.20.0/24, "CSCNET")** and the eventual
**printer GPO** build. Started 2026-06-30 (Howard). **Last reconciled to LIVE state 2026-07-01**
(full GuruRMM fleet IP pull + CS-SERVER `Get-Printer`/`Get-PrinterPort` + TCP reachability).

## STATE AT A GLANCE (live 2026-07-01)

- **Machines: essentially migrated.** 22 online hosts are on VLAN 20 (10.0.20.x). Only CS-SERVER
  (stays on the LAN by design) + 6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2,
  NurseAssist, 2 roaming laptops) remain on 192.168.x. See "Machine migration status" below.
- **Printer shares: lagging — 4 of 15 repointed.** Only FrontDesk, BusinessOffice, LifeEnrichment,
  MCReception point at 10.0.20.x. The other 11 CS-SERVER print shares still target old-LAN
  printer IPs. (Server-share printing still WORKS for those — CS-SERVER is on the old LAN and
  reaches them fine — but the printer hardware hasn't been moved onto VLAN 20 yet.)
- **All 7 VLAN20 printer targets reachable** from CS-SERVER on 9100 (incl. .74, the MCMedTech
  target that the share hasn't been repointed to yet). Gateway 10.0.20.1 pings.
- **GPO: not fleet-live.** Point-and-Print GPO is built but scoped to one pilot box; the silent
  new-driver-install gap is still open (reboot vs pre-stage drivers — decision pending). See
  "PILOT RESULT" below.

## How the GPO needs to be built (two layers)

1. **Point-and-Print policy (computer GPO, fleet-wide)** — REQUIRED prerequisite or any
   GPO-pushed printer fails (PrintService event 513 / error 0xBCB) for standard users.
   Set on `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`:
   `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`:
   `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0,`
   `NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2` (scopes silent driver install
   to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO
   works. GPO `CSC - Point and Print (CS-SERVER)` `{BFAB721A-513D-4C14-8255-DEB1D4266830}` is
   BUILT but scoped to DESKTOP-H6QHRR7 only (see PILOT RESULT).
2. **Printer deployment** — GPP Printers / Deployed Printers mapping `\\CS-SERVER\<share>`
   to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` still points at
   OLD share name `RecRoom-Canon` — repoint. `CSC - Printer Deployment` is disabled/empty (do not use).

**Driver trap:** Canon MF741/743/751 are **UFR II only** — PCL6 produces Error #822 (spools, never
prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250` (INF cnlb0ma64.inf).
NOTE: `MCDirector` (Canon MF751CDW) and `Kitchen`/`ExecDirector` (Canon MF743CDW) shares are
currently on **PCL6** on the server — they will hit Error #822 and need the UFR II driver when touched.

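Added check (not part of these notes): run on a client after `gpupdate` to confirm the Layer 1 values above actually landed in the Policies hive, and to surface any recent PrintService 513 events that indicate the policy is still missing. The expected values are exactly the ones listed above; nothing else is assumed.

```powershell
# Added example: audit a client's effective Point-and-Print policy against the Layer 1
# baseline (RestrictDriverInstallationToAdministrators=0 plus the PointAndPrint subkey
# scoped to CS-SERVER). Reports drift per value instead of just pass/fail.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$expected = @{
    $base                 = @{ RestrictDriverInstallationToAdministrators = 0 }
    "$base\PointAndPrint" = @{
        Restricted = 1; TrustedServers = 1; ServerList = 'CS-SERVER'; InForest = 0
        NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
    }
}

function Test-PnpPolicy {
    $drift = @()
    foreach ($key in $expected.Keys) {
        # Missing key => every value under it is drift (GPO has not applied yet).
        $actual = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $expected[$key].Keys) {
            $want = $expected[$key][$name]
            $have = if ($actual) { $actual.$name } else { $null }
            if ("$have" -ne "$want") {
                $drift += [pscustomobject]@{ Key = $key; Value = $name; Expected = $want; Actual = $have }
            }
        }
    }
    return $drift
}

$drift = Test-PnpPolicy
if ($drift) { $drift | Format-Table -AutoSize }
else { 'Point-and-Print policy matches the CS-SERVER-scoped baseline.' }

# Event 513 in PrintService/Admin is the symptom the notes tie to a missing policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 513 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```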
## Printer share inventory — CS-SERVER (live 2026-07-01)

All shares `Shared=True, Published=False`. "VLAN20?" = does the port point at 10.0.20.x yet.

| Share | Model | Port host IP | VLAN20? | Driver (on server) | Action |
|---|---|---|---|---|---|
| `FrontDesk` | Epson ET-5800 | 10.0.20.221 | YES | EPSON ET-5800 Series | DONE. Add to GPO. |
| `BusinessOffice` | Brother MFC-L8900CDW | 10.0.20.220 | YES | Brother Generic Jpeg Type2 | DONE (now reachable; was powered-off 6/30). Add to GPO. |
| `LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | YES | Canon Generic Plus UFR II V250 | DONE. **Repoint `CSC - Life Enrichment Printers` GPO `RecRoom-Canon`->`LifeEnrichment`.** |
| `MCReception` | Epson ET-5800 | 10.0.20.78 | YES | EPSON ET-5800 Series | DONE (share now on .78). Client-side setup on MEMRECEPT-PC still TBD. |
| `MCMedTech` | Brother (L8900CDW) | **192.168.2.53** | NO — STALE | Brother Generic Jpeg Type2 | **REPOINT to 10.0.20.74** (target is LIVE + reachable). Caregiver GPO deploys this share. |
| `NursesPrinter` | Brother MFC-L8900CDW | 192.168.2.75 | NO | Brother Generic Jpeg Type2 | Re-IP to VLAN20 + repoint. Caregiver GPO default printer. |
| `HealthServices` | Konica Minolta C368 | 192.168.1.138 | NO | KONICA MINOLTA Universal PCL | Re-IP to VLAN20 + repoint. Caregiver GPO. |
| `MCDirector` | Canon MF751CDW | 192.168.3.52 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **switch to UFR II** (MF751 = UFR II only). Caregiver GPO. |
| `CopyRoom` | Canon | 192.168.2.230 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; verify model/PDL. Caregiver GPO default fallback. |
| `Kitchen` | Canon MF743CDW | 192.168.3.232 | NO | Canon Generic Plus **PCL6** | Kitchen printer (with chefs). Re-IP + repoint; **UFR II**. Separate from Dining .228. |
| `CulinaryChef` | Brother MFC-9330CDW | 192.168.3.88 | NO | Brother Generic Jpeg Type2 | **Likely redundant** with the Chef direct-IP printer (.236 on CHEF-PC). Verify same device -> retire or repoint. |
| `Accounting` | Canon MF455DW | 192.168.3.227 | NO | Canon Generic Plus PCL6 | Re-IP + repoint (verify PDL; MF455 supports PCL). |
| `AdminOffice` | Brother MFC-9340CDW | 192.168.2.145 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
| `ExecDirector` | Canon MF743CDW | 192.168.2.67 | NO | Canon Generic Plus **PCL6** | Re-IP + repoint; **UFR II** (MF743). |
| `SalesMarketing` | Brother MFC-L8900CDW | 192.168.3.44 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |

Progress: **4 / 15 shares on VLAN 20.** 11 remain on old-LAN IPs.

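Added example (not the tooling behind the 2026-07-01 pull): a script that regenerates the table above from CS-SERVER itself, so the next reconciliation is a re-run rather than a manual `Get-Printer`/`Get-PrinterPort` walk. It assumes VLAN 20 is 10.0.20.0/24 (as stated above) and that the queues use standard TCP/IP ports; the Canon/PCL6 column is a "verify the model" flag, since `Get-Printer` does not expose the hardware model.

```powershell
# Added example: per-share migration status on CS-SERVER. For every shared queue: port host
# IP, on VLAN 20 or not, TCP 9100 reachability, and a flag for Canon queues still on a PCL6
# driver (MF741/743/751 are UFR II only; MF455 is fine on PCL6, so check the model by hand).
function Test-Tcp9100 {
    param([string]$Address, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, 9100, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out
        $client.EndConnect($ar)   # throws if the connect was refused/unreachable
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-ShareMigrationStatus {
    param([string]$Vlan20Prefix = '10.0.20.')   # assumption: staff VLAN 20 = 10.0.20.0/24
    $ports = @{}
    Get-PrinterPort | ForEach-Object { $ports[$_.Name] = $_ }
    Get-Printer | Where-Object { $_.Shared } | ForEach-Object {
        $port   = $ports[$_.PortName]
        $hostIp = if ($port) { $port.PrinterHostAddress } else { $null }   # null for non-TCP ports
        $up     = if ($hostIp) { Test-Tcp9100 -Address $hostIp } else { $false }
        [pscustomobject]@{
            Share      = $_.ShareName
            PortHost   = $hostIp
            VLAN20     = [bool]($hostIp -and $hostIp.StartsWith($Vlan20Prefix))
            Port9100Up = $up
            Driver     = $_.DriverName
            CanonPCL6  = [bool]($_.DriverName -match 'Canon' -and $_.DriverName -match 'PCL6')
        }
    }
}

$status = @(Get-ShareMigrationStatus)
$status | Sort-Object VLAN20, Share | Format-Table -AutoSize
$onVlan = @($status | Where-Object { $_.VLAN20 }).Count
"Progress: $onVlan / $($status.Count) shares on VLAN 20; $($status.Count - $onVlan) remain on old-LAN IPs."
# Shares whose current port host does not answer on 9100 from CS-SERVER (printing is broken now).
$status | Where-Object { $_.PortHost -and -not $_.Port9100Up } |
    ForEach-Object { Write-Warning "$($_.Share): $($_.PortHost) does not answer on 9100" }
```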
### Direct-IP printers (workgroup machines — no CS-SERVER share)

| Printer | Model | IP (VLAN20) | Machine | User(s) | Status |
|---|---|---|---|---|---|
| Dining Room Manager | Canon MF743CDW | 10.0.20.228 | DESKTOP-MD6UQI3 (workgroup) | dining manager (Alyssa) | DONE direct-IP (UFR II), default. **Domain-join -> move to `\\CS-SERVER\<share>` + GPO.** |
| Chef Office | Brother MFC-9330CDW | 10.0.20.236 | CHEF-PC (workgroup) | chef / JD Martin (USB stays default) | DONE direct-IP machine-wide. **Domain-join -> GPO.** May correspond to stale `CulinaryChef` server share (.88) — reconcile. |
| MedTech (also `MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | RECEPTIONIST-PC (memcare box) + DESKTOP-LPOPV30 | memory care; karen rossini | DONE direct-IP machine-wide on both; server `MCMedTech` share still needs repoint to .74. |

## Machine migration status — VLAN 20 (live 2026-07-01)

**On VLAN 20 (10.0.20.x) — 22 online hosts:** ACCT2-PC (.209), ANN-PC (.218), ASSISTNURSE-PC (.181),
CHEF-PC (.232, workgroup), CRYSTAL-PC (.205), DESKTOP-DLTAGOI (.72, sharon.edwards),
DESKTOP-H6QHRR7 (.235, Lauren — P&P pilot box), DESKTOP-LPOPV30 (.100, karen), DESKTOP-MD6UQI3
(.222, workgroup, Alyssa), DESKTOP-N5G1ROO (.183, Chris Knight), DESKTOP-ROK7VNM (.223, susan.hicks),
DESKTOP-TRCIEJA (.184, Lupe — slated for replacement), Health-Services-Director (.178),
LAPTOP-DRQ5L558 (.237, caregiver device), MAINTENANCE-PC (.96), MDIRECTOR-PC (.71, Shelby Trozzi),
MEMRECEPT-PC (.97, workgroup, memfrtdesk), NURSESTATION-PC (.180, caregiver device),
RECEPTIONIST-PC frontdesk box (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare box (.68, S/N MJ0KQH4R
— pending MEMCARE-STATION rename), SALES4-PC (.203), megan (.202).

**Still on old LAN (192.168.x):**

- CS-SERVER (192.168.2.248 / .254) — DC + print server, **stays on the LAN by design**.
- ASSISTMAN-PC (192.168.2.38, Meredith Kuhn) — known watch-host, not migrated.
- CascadesProxess (192.168.2.178), Laptop2 (192.168.2.118), NurseAssist (192.168.3.254),
  LAPTOP-8P7HDSEI (192.168.3.101, roaming), LAPTOP-E0STJJE8 (192.168.3.9, roaming).

**Offline (last-known IP from DC DNS):** DESKTOP-F94M8UT (10.0.20.171, was on VLAN20 — Alma's old box),
DESKTOP-U2DHAP0 (192.168.3.37, Ashley — old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned),
Laptop4 (no DNS record).

## Current GPO state (live-inspected 2026-06-30)

- **NO GPO sets the Point-and-Print policy** (missing **Layer 1**; explains the 513 / 0xBCB failures). `CSC - Point and Print (CS-SERVER)` was built to fill this but is pilot-scoped only.
- Printer deployment is via **User-side GPP Printers**, linked per-department OU:
  - **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled). Deploys 6 shares (action=Update): `NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; defaults = NursesPrinter + MCMedTech (default=1, no item-level targeting parsed). **NOTE: 5 of these 6 shares still point at old-LAN IPs (only MCReception is on VLAN20) — repointing them is what actually moves the caregiver fleet's printers onto VLAN 20.**
  - **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` — **STALE share name; now `LifeEnrichment`**.
  - **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Registry only, no printers.
  - **CSC - Printer Deployment** -> not linked, empty. Dead — ignore.
- AD OU structure in play: `Departments/{Caregivers, Life Enrichment}`, `Workstations/Staff PCs`.

## Target-state design + action list

**Layer 1 — Point-and-Print policy (fleet-wide computer GPO).** `CSC - Point and Print (CS-SERVER)` exists; broaden its link/filter to all staff/department workstation OUs once the silent-install gap below is resolved.

**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer: department GPO -> User Config -> Preferences -> Control Panel -> Printers -> Shared Printer item, action=Update/Create, path `\\CS-SERVER\<share>`, + default + item-level targeting as needed.

**Immediate fixes (priority order):**

1. **Resolve the silent-install gap** (see PILOT RESULT): decide reboot-test vs pre-stage-drivers, then take the P&P GPO fleet-live.
2. **Repoint the 5 stale caregiver-GPO shares to VLAN20** as those printers get re-IP'd: `MCMedTech` -> 10.0.20.74 (target already live — do this now), `NursesPrinter` (.75), `HealthServices` (.138), `MCDirector` (.52, +UFR II), `CopyRoom` (.230). This is the highest-leverage remaining printer work.
3. REPOINT `CSC - Life Enrichment Printers` `RecRoom-Canon` -> `LifeEnrichment`.
4. Re-IP + repoint the remaining old-LAN shares: `Kitchen` (+UFR II), `Accounting`, `AdminOffice`, `ExecDirector` (+UFR II), `SalesMarketing`.
5. Reconcile `CulinaryChef` (192.168.3.88) vs the Chef direct-IP (.236) — retire the redundant share if same device.
6. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group).
7. Domain-join the workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> move to GPO-deployed `\\CS-SERVER\<share>`.

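Added example (not the procedure from these notes): the repoint step from fixes 2 and 4 as one gated function run on CS-SERVER. It refuses a target that is not in 10.0.20.0/24 or does not answer on 9100, requires any driver switch to already exist on the server, and warns when a Canon queue would stay on PCL6. It assumes a standard TCP/IP port named `IP_<address>` is acceptable; `-WhatIf` previews without changing anything.

```powershell
# Added example: move one CS-SERVER share to its VLAN 20 printer IP with the pre-flight
# gates the notes call for. Run on CS-SERVER as an admin.
function Move-PrintShareToVlan20 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareName,   # e.g. MCMedTech
        [Parameter(Mandatory)][string]$NewHostIp,   # e.g. 10.0.20.74
        [string]$DriverName                          # optional, e.g. 'Canon Generic Plus UFR II V250'
    )
    $printer = Get-Printer | Where-Object { $_.ShareName -eq $ShareName }
    if (-not $printer) { throw "No shared queue named $ShareName on this server." }
    if ($NewHostIp -notlike '10.0.20.*') { throw "$NewHostIp is not on VLAN 20 (10.0.20.0/24); refusing." }
    # Gate 1: only repoint once the VLAN 20 target answers on 9100 from CS-SERVER.
    $tcp = Test-NetConnection -ComputerName $NewHostIp -Port 9100 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { throw "$NewHostIp does not answer on 9100; hardware not on VLAN 20 yet." }
    # Gate 2: a requested driver switch must already be installed on the server.
    if ($DriverName -and -not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        throw "Driver '$DriverName' is not installed on this server; stage it first."
    }
    # Driver trap: MF741/743/751 are UFR II only. Warn when a Canon queue would stay on PCL6.
    $finalDriver = if ($DriverName) { $DriverName } else { $printer.DriverName }
    if ($finalDriver -match 'Canon' -and $finalDriver -match 'PCL6') {
        Write-Warning "$ShareName stays on '$finalDriver'; confirm the model is not MF741/743/751 (Error #822)."
    }
    $portName = "IP_$NewHostIp"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($portName, 'Add standard TCP/IP port')) {
            Add-PrinterPort -Name $portName -PrinterHostAddress $NewHostIp
        }
    }
    if ($PSCmdlet.ShouldProcess($printer.Name, "Repoint to $portName")) {
        Set-Printer -Name $printer.Name -PortName $portName
        if ($DriverName) { Set-Printer -Name $printer.Name -DriverName $DriverName }
    }
    Get-Printer -Name $printer.Name | Select-Object Name, ShareName, PortName, DriverName
}

# Fix #2, first item: MCMedTech's VLAN 20 target (.74) is already live and reachable.
Move-PrintShareToVlan20 -ShareName 'MCMedTech' -NewHostIp '10.0.20.74' -WhatIf
```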
## PILOT RESULT (2026-06-30) — still the open blocker

Created `CSC - Point and Print (CS-SERVER)`, scoped (security filter) to ONE machine
**DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry
landed correctly via GPO.** BUT the in-session test **still PROMPTED** for a printer whose driver
was NOT already local (front-desk Epson), even after a spooler restart — the driver did not install.
The earlier LE-machine "silent" maps only worked because that driver was already present.

**Conclusion:** the P&P policy is necessary but NOT sufficient to make a *brand-new driver install*
silent in a running session. Likely: `RestrictDriverInstallationToAdministrators=0` needs a **reboot**
(CVE-2021-34527 mitigation) and/or v3 (non-package) drivers still elevate.

**Two reliable paths (decide):**

1. **Reboot-dependent:** test — reboot a machine, then confirm a new-driver map is silent.
2. **Pre-stage drivers (recommended):** deploy each printer's driver machine-wide (computer GPO
   startup script installing from CS-SERVER as SYSTEM). GPP connection then attaches to an
   already-present driver -> always silent, no reboot/P&P-install dependency.

**State:** GPO scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). NOT rolled out.

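Added example (not from these notes) of what path 2 looks like as a computer-GPO startup script: it stages each driver package into the local driver store with `pnputil` and then registers it with the spooler via `Add-PrinterDriver`, so a later GPP connection finds the driver already present. The driver share path, the Epson INF filename and the log location are placeholders; only the Canon UFR II driver name and its INF `cnlb0ma64.inf` come from the notes.

```powershell
# Added example: pre-stage print drivers machine-wide. Runs as SYSTEM from a computer-GPO
# startup script, so no user prompt is possible. Idempotent: already-installed drivers are skipped.
$driverRoot = '\\CS-SERVER\PrintDrivers$'   # PLACEHOLDER share; not a share named in the notes
$drivers = @(
    @{ Name = 'Canon Generic Plus UFR II V250'; Inf = "$driverRoot\CanonUFRII\cnlb0ma64.inf" }
    @{ Name = 'EPSON ET-5800 Series';           Inf = "$driverRoot\EpsonET5800\PLACEHOLDER.inf" }
)

function Install-StagedPrinterDriver {
    param([string]$Name, [string]$Inf)
    if (Get-PrinterDriver -Name $Name -ErrorAction SilentlyContinue) { return "$Name already present" }
    if (-not (Test-Path $Inf)) { return "$Name skipped: $Inf not reachable (server/share down?)" }
    # Step 1: put the package in the driver store (0 = ok, 259 = nothing new, 3010 = reboot needed).
    & pnputil.exe /add-driver $Inf /install | Out-Null
    if ($LASTEXITCODE -notin 0, 259, 3010) { return "$Name pnputil failed with exit code $LASTEXITCODE" }
    # Step 2: register the stored driver with the spooler so Point-and-Print finds it locally.
    try { Add-PrinterDriver -Name $Name -ErrorAction Stop }
    catch { return "$Name Add-PrinterDriver failed: $($_.Exception.Message)" }
    return "$Name installed (pnputil exit code $LASTEXITCODE)"
}

$logDir = "$env:ProgramData\CSC"   # PLACEHOLDER log location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$results = foreach ($d in $drivers) { "$(Get-Date -Format s) $(Install-StagedPrinterDriver @d)" }
$results | Out-File -FilePath "$logDir\printdriver-stage.log" -Append
```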
## Machine rename TODO

- **RECEPTIONIST-PC** (Memory Care box, S/N MJ0KQH4R, 10.0.20.68, agent 57f19e17) -> `MEMCARE-STATION`
  rename was STAGED 2026-06-30 but **NOT YET APPLIED (live 2026-07-01 still reports RECEPTIONIST-PC)** —
  needs the reboot. The OTHER RECEPTIONIST-PC (frontdesk, S/N MJ0KQHNP, 10.0.20.102) is the real front desk.

## Notes

- Server-share printing works even while a printer is still on the old-LAN IP (CS-SERVER is on the
  old LAN and reaches it). Re-IP'ing printers to 10.0.20.x is about VLAN isolation, not print function.
- Workgroup machines get **direct-IP local printers** until domain-joined, then switch to
  GPO-deployed `\\CS-SERVER\<share>`.
- Some Brother shares use the generic **"Brother Generic Jpeg Type2 Class Driver"**, not a
  model-specific driver (BusinessOffice, MCMedTech, NursesPrinter, CulinaryChef, AdminOffice, SalesMarketing).
- Detailed how-to + pfSense routing fix: `.claude/memory/project_cascades_vlan20_migration_routing.md`
  and session log `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`.