29 KiB
29 KiB
CS-SERVER G1 AD Audit
Command ID: e83befb7-4c8c-4f24-9b24-56cb641e6464 Run: 2026-04-23T02:55:50.634848Z Exit: 0
STDOUT
G1 AD Audit - 2026-04-22 19:55:51 -07:00
Host: CS-SERVER
============================================================================
== 1. Forest / Domain / Schema
============================================================================
Forest FQDN: cascades.local
Forest mode: Windows2016Forest
Domain mode: Windows2016Domain
Domain DN: DC=cascades,DC=local
NetBIOS: CASCADES
UPN suffixes (forest):
- cascadestucson.com
Schema objectVersion: 88
FSMO roles:
Schema Master: CS-SERVER.cascades.local
Domain Naming Master: CS-SERVER.cascades.local
PDC Emulator: CS-SERVER.cascades.local
RID Master: CS-SERVER.cascades.local
Infrastructure Master: CS-SERVER.cascades.local
============================================================================
== 2. OU structure
============================================================================
Total OUs: 18
OU=Administrative,OU=Departments,DC=cascades,DC=local users=5 groups=0 computers=0
OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local users=4 groups=0 computers=0
OU=Care-Memorycare,OU=Departments,DC=cascades,DC=local users=2 groups=0 computers=0
OU=Culinary,OU=Departments,DC=cascades,DC=local users=4 groups=0 computers=0
OU=Departments,DC=cascades,DC=local users=0 groups=0 computers=0
OU=Domain Controllers,DC=cascades,DC=local users=0 groups=0 computers=1
OU=Groups,DC=cascades,DC=local users=0 groups=1 computers=0
OU=Housekeeping,OU=Departments,DC=cascades,DC=local users=1 groups=0 computers=0
OU=Life Enrichment,OU=Departments,DC=cascades,DC=local users=2 groups=0 computers=0
OU=Maintenance,OU=Departments,DC=cascades,DC=local users=2 groups=0 computers=0
OU=Marketing,OU=Departments,DC=cascades,DC=local users=4 groups=0 computers=0
OU=Nurses,OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local users=0 groups=0 computers=0
OU=Resident Services,OU=Departments,DC=cascades,DC=local users=8 groups=0 computers=0
OU=ServiceAccounts,DC=cascades,DC=local users=1 groups=0 computers=0
OU=Shared PCs,OU=Workstations,DC=cascades,DC=local users=0 groups=0 computers=0
OU=Staff PCs,OU=Workstations,DC=cascades,DC=local users=0 groups=0 computers=6
OU=Transportation,OU=Departments,DC=cascades,DC=local users=3 groups=0 computers=0
OU=Workstations,DC=cascades,DC=local users=0 groups=0 computers=0
Users in default CN=Users container (not ideal - should be in an OU for sync scope):
Count: 8
- Administrator (Administrator)
- directoryshare (directoryshare)
- Guest (Guest)
- krbtgt (krbtgt)
- localadmin (localadmin)
- QBDataServiceUser34 (QBDataServiceUser34)
- Receptionist (RECEPTIONIST)
- sysadmin (Sysadmin)
============================================================================
== 3. All AD users - identity attributes for sync match
============================================================================
Total users: 44
Enabled: 42
Disabled: 2
Per-user identity dump (focus: anything that affects soft-match):
SAM | UPN | Mail | ProxyAddrs | PwdLastSet | PwdNeverExp | Enabled | OU
---
Administrator | | | | 2024-08-04 | True | True | CN=Users
Allison.Reibschied | Allison.Reibschied@cascadestucson.com | | | 2026-03-13 | False | True | OU=Administrative,OU=Departments
Alyssa.Brooks | Alyssa.Brooks@cascadestucson.com | | | 2025-12-12 | False | True | OU=Culinary,OU=Departments
Ashley.Jensen | Ashley.Jensen@cascadestucson.com | | | NULL | False | True | OU=Administrative,OU=Departments
britney.thompson | britney.thompson@cascadestucson.com | | | NULL | False | True | OU=Care-Assisted Living,OU=Departments
Cathy.Kingston | Cathy.Kingston@cascadestucson.com | | | 2025-12-12 | False | True | OU=Resident Services,OU=Departments
Christina.DuPras | Christina.DuPras@cascadestucson.com | | | 2026-01-06 | False | True | OU=Resident Services,OU=Departments
Christine.Nyanzunda | Christine.Nyanzunda@cascadestucson.com | | | NULL | False | True | OU=Care-Memorycare,OU=Departments
Christopher.Holick | Christopher.Holick@cascadestucson.com | | | 2025-12-12 | False | True | OU=Transportation,OU=Departments
Crystal.Rodriguez | Crystal.Rodriguez@cascadestucson.com | | | 2026-04-20 | False | True | OU=Marketing,OU=Departments
Culinary | Culinary@cascades.local | | | 2024-12-27 | True | True | OU=Culinary,OU=Departments
directoryshare | directoryshare@cascades.local | | | 2025-12-01 | True | True | CN=Users
Guest | | | | NULL | True | False | CN=Users
howard | howard@cascadestucson.com | | | 2025-08-11 | True | True | OU=Administrative,OU=Departments
JD.Martin | JD.Martin@cascadestucson.com | | | NULL | False | True | OU=Culinary,OU=Departments
John.Trozzi | John.Trozzi@cascadestucson.com | | | NULL | False | True | OU=Maintenance,OU=Departments
Julian.Crim | Julian.Crim@cascadestucson.com | | | 2025-12-12 | False | True | OU=Transportation,OU=Departments
karen.rossini | karen.rossini@cascadestucson.com | | | 2025-12-12 | False | True | OU=Care-Assisted Living,OU=Departments
krbtgt | | | | 2024-08-28 | False | False | CN=Users
Kyla.QuickTiffany | Kyla.QuickTiffany@cascadestucson.com | | | 2026-04-13 | False | True | OU=Resident Services,OU=Departments
lauren.hasselman | lauren.hasselman@cascadestucson.com | | | 2026-04-01 | False | True | OU=Administrative,OU=Departments
localadmin | | | | 2024-12-03 | True | True | CN=Users
Lois.Lane | Lois.Lane@cascadestucson.com | | | 2025-12-22 | True | True | OU=Care-Assisted Living,OU=Departments
Lupe.Sanchez | Lupe.Sanchez@cascadestucson.com | | | 2025-12-12 | False | True | OU=Housekeeping,OU=Departments
Matt.Brooks | Matt.Brooks@cascadestucson.com | | | NULL | False | True | OU=Maintenance,OU=Departments
Megan.Hiatt | Megan.Hiatt@cascadestucson.com | | | NULL | False | True | OU=Marketing,OU=Departments
Meredith.Kuhn | Meredith.Kuhn@cascadestucson.com | | | NULL | False | True | OU=Administrative,OU=Departments
Michelle.Shestko | Michelle.Shestko@cascadestucson.com | | | NULL | False | True | OU=Resident Services,OU=Departments
QBDataServiceUser34 | | | | 2024-10-02 | True | True | CN=Users
Ramon.Castaneda | Ramon.Castaneda@cascadestucson.com | | | NULL | False | True | OU=Culinary,OU=Departments
Ray.Rai | Ray.Rai@cascadestucson.com | | | 2025-12-12 | False | True | OU=Resident Services,OU=Departments
Receptionist | RECEPTIONIST@cascades.local | | | 2026-04-07 | True | True | CN=Users
Richard.Adams | Richard.Adams@cascadestucson.com | | | 2025-12-12 | False | True | OU=Transportation,OU=Departments
saleshare | | | | 2025-10-27 | False | True | OU=Marketing,OU=Departments
Sebastian.Leon | Sebastian.Leon@cascadestucson.com | | | NULL | False | True | OU=Resident Services,OU=Departments
Sharon.Edwards | Sharon.Edwards@cascadestucson.com | | | 2026-04-13 | False | True | OU=Life Enrichment,OU=Departments
Shelby.Trozzi | Shelby.Trozzi@cascadestucson.com | | | 2025-12-11 | True | True | OU=Care-Memorycare,OU=Departments
Sheldon.Gardfrey | Sheldon.Gardfrey@cascadestucson.com | | | 2025-12-12 | False | True | OU=Resident Services,OU=Departments
Shontiel.Nunn | Shontiel.Nunn@cascadestucson.com | | | 2025-12-12 | False | True | OU=Resident Services,OU=Departments
Susan.Hicks | Susan.Hicks@cascadestucson.com | | | 2026-04-13 | False | True | OU=Life Enrichment,OU=Departments
svc-audit-upload | | | | 2026-04-17 | True | True | OU=ServiceAccounts
sysadmin | sysadmin@cascadestucson.com | | | 2024-09-29 | True | True | CN=Users
Tamra.Matthews | Tamra.Matthews@cascadestucson.com | | | NULL | False | True | OU=Marketing,OU=Departments
Veronica.Feller | Veronica.Feller@cascadestucson.com | | | NULL | False | True | OU=Care-Assisted Living,OU=Departments
============================================================================
== 4. Soft-match risk scan - accounts likely to duplicate in Entra
============================================================================
--- Users with NO proxyAddresses and NO mail (soft-match engine has nothing to work with):
- Administrator (UPN: )
- localadmin (UPN: )
- Meredith.Kuhn (UPN: Meredith.Kuhn@cascadestucson.com)
- John.Trozzi (UPN: John.Trozzi@cascadestucson.com)
- Megan.Hiatt (UPN: Megan.Hiatt@cascadestucson.com)
- Crystal.Rodriguez (UPN: Crystal.Rodriguez@cascadestucson.com)
- Tamra.Matthews (UPN: Tamra.Matthews@cascadestucson.com)
- Lois.Lane (UPN: Lois.Lane@cascadestucson.com)
- Christina.DuPras (UPN: Christina.DuPras@cascadestucson.com)
- Christine.Nyanzunda (UPN: Christine.Nyanzunda@cascadestucson.com)
- Susan.Hicks (UPN: Susan.Hicks@cascadestucson.com)
- Ashley.Jensen (UPN: Ashley.Jensen@cascadestucson.com)
- Veronica.Feller (UPN: Veronica.Feller@cascadestucson.com)
- Sebastian.Leon (UPN: Sebastian.Leon@cascadestucson.com)
- JD.Martin (UPN: JD.Martin@cascadestucson.com)
- Matt.Brooks (UPN: Matt.Brooks@cascadestucson.com)
- Ramon.Castaneda (UPN: Ramon.Castaneda@cascadestucson.com)
- Michelle.Shestko (UPN: Michelle.Shestko@cascadestucson.com)
- Sharon.Edwards (UPN: Sharon.Edwards@cascadestucson.com)
- sysadmin (UPN: sysadmin@cascadestucson.com)
- QBDataServiceUser34 (UPN: )
- Culinary (UPN: Culinary@cascades.local)
- Receptionist (UPN: RECEPTIONIST@cascades.local)
- britney.thompson (UPN: britney.thompson@cascadestucson.com)
- howard (UPN: howard@cascadestucson.com)
- saleshare (UPN: )
- directoryshare (UPN: directoryshare@cascades.local)
- Shelby.Trozzi (UPN: Shelby.Trozzi@cascadestucson.com)
- karen.rossini (UPN: karen.rossini@cascadestucson.com)
- Alyssa.Brooks (UPN: Alyssa.Brooks@cascadestucson.com)
- Lupe.Sanchez (UPN: Lupe.Sanchez@cascadestucson.com)
- Sheldon.Gardfrey (UPN: Sheldon.Gardfrey@cascadestucson.com)
- Cathy.Kingston (UPN: Cathy.Kingston@cascadestucson.com)
- Shontiel.Nunn (UPN: Shontiel.Nunn@cascadestucson.com)
- Ray.Rai (UPN: Ray.Rai@cascadestucson.com)
- Richard.Adams (UPN: Richard.Adams@cascadestucson.com)
- Julian.Crim (UPN: Julian.Crim@cascadestucson.com)
- Christopher.Holick (UPN: Christopher.Holick@cascadestucson.com)
- lauren.hasselman (UPN: lauren.hasselman@cascadestucson.com)
- Allison.Reibschied (UPN: Allison.Reibschied@cascadestucson.com)
- Kyla.QuickTiffany (UPN: Kyla.QuickTiffany@cascadestucson.com)
- svc-audit-upload (UPN: )
--- Users whose UPN suffix is NOT cascadestucson.com (will mismatch M365 target unless renamed):
- Culinary UPN=Culinary@cascades.local
- Receptionist UPN=RECEPTIONIST@cascades.local
- directoryshare UPN=directoryshare@cascades.local
--- Users whose SAM does not match their UPN prefix (name mismatch candidates):
--- Users with DisplayName different from Given+Surname (may cause display oddities post-sync):
- SAM=Crystal.Rodriguez display='Crystal Rodriguez' expected='Crystal Rodriguez'
- SAM=howard display='howard' expected='Howard Dax'
- SAM=Cathy.Kingston display='Cathy.Kingston' expected='Cathy Kingston'
============================================================================
== 5. Password hygiene (affects whether sync-derived sign-in will work)
============================================================================
--- Enabled users with null PasswordLastSet (never set a password):
- Meredith.Kuhn whenCreated=2024-08-28
- John.Trozzi whenCreated=2024-08-28
- Megan.Hiatt whenCreated=2024-08-28
- Tamra.Matthews whenCreated=2024-08-28
- Christine.Nyanzunda whenCreated=2024-08-28
- Ashley.Jensen whenCreated=2024-08-28
- Veronica.Feller whenCreated=2024-08-28
- Sebastian.Leon whenCreated=2024-08-28
- JD.Martin whenCreated=2024-08-28
- Matt.Brooks whenCreated=2024-08-28
- Ramon.Castaneda whenCreated=2024-08-28
- Michelle.Shestko whenCreated=2024-08-28
- britney.thompson whenCreated=2025-06-12
--- Users with PasswordNotRequired=True:
- Guest enabled=False
--- Users with PasswordNeverExpires=True:
- Administrator PwdLastSet=08/04/2024 18:39:34 Description='Built-in account for administering the computer/domain'
- localadmin PwdLastSet=12/03/2024 15:22:15 Description=''
- Lois.Lane PwdLastSet=12/22/2025 09:52:55 Description=''
- sysadmin PwdLastSet=09/29/2024 21:23:28 Description=''
- QBDataServiceUser34 PwdLastSet=10/02/2024 12:22:12 Description='This account has been established to run the QuickBooks database system.'
- Culinary PwdLastSet=12/27/2024 10:17:03 Description=''
- Receptionist PwdLastSet=04/07/2026 12:54:47 Description=''
- howard PwdLastSet=08/11/2025 13:18:03 Description='Home Offie'
- directoryshare PwdLastSet=12/01/2025 10:02:12 Description=''
- Shelby.Trozzi PwdLastSet=12/11/2025 14:03:27 Description=''
- svc-audit-upload PwdLastSet=04/17/2026 15:21:13 Description='Write-only access to \\CS-SERVER\AuditDrop$. Used by Syncro audit upload script. Do not use interactively.'
--- Currently locked-out accounts:
krbtgt password last set: 08/28/2024 10:02:37 (age: 602 days)
(best practice: rotate every 180 days; > 180 is a known audit finding)
============================================================================
== 6. Role-based / shared accounts (should NOT sync)
============================================================================
Accounts whose SamAccountName looks role-based (should be EXCLUDED from sync scope):
- Culinary enabled=True OU=CN=Culinary,OU=Culinary,OU=Departments,DC=cascades,DC=local
- Receptionist enabled=True OU=CN=RECEPTIONIST,CN=Users,DC=cascades,DC=local
- saleshare enabled=True OU=CN=saleshare,OU=Marketing,OU=Departments,DC=cascades,DC=local
- directoryshare enabled=True OU=CN=directoryshare,CN=Users,DC=cascades,DC=local
Service / built-in accounts (context - usually excluded from sync):
- Administrator enabled=True
- Guest enabled=False
- localadmin enabled=True
- krbtgt enabled=False
- sysadmin enabled=True
- QBDataServiceUser34 enabled=True
- howard enabled=True
============================================================================
== 7. Likely-departed accounts still enabled (HIPAA termination risk)
============================================================================
Enabled accounts with no logon activity in 90+ days:
- britney.thompson lastLogon=never
- karen.rossini lastLogon=never
- Shelby.Trozzi lastLogon=never
- Ramon.Castaneda lastLogon=never
- Matt.Brooks lastLogon=never
- Christopher.Holick lastLogon=never
- Michelle.Shestko lastLogon=never
- Ray.Rai lastLogon=never
- Shontiel.Nunn lastLogon=never
- Julian.Crim lastLogon=never
- Richard.Adams lastLogon=never
- Lupe.Sanchez lastLogon=never
- Alyssa.Brooks lastLogon=never
- Cathy.Kingston lastLogon=never
- Sheldon.Gardfrey lastLogon=never
- JD.Martin lastLogon=never
- Tamra.Matthews lastLogon=never
- Megan.Hiatt lastLogon=never
- svc-audit-upload lastLogon=never
- Lois.Lane lastLogon=never
- John.Trozzi lastLogon=never
- Kyla.QuickTiffany lastLogon=never
- Meredith.Kuhn lastLogon=never
- Ashley.Jensen lastLogon=never
- Veronica.Feller lastLogon=never
- Sebastian.Leon lastLogon=never
- Christine.Nyanzunda lastLogon=never
- saleshare lastLogon=2025-12-08
- Christina.DuPras lastLogon=2026-01-06
============================================================================
== 8. AD groups inventory
============================================================================
Total groups: 55
Group name | Scope | Category | Members | Created | Description
---
Access Control Assistance Operators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can remotely query authorization attributes and permissions for resources on this computer.
Account Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer domain user and group accounts
Administrators | DomainLocal | Security | 4 | 2024-08-28 | Administrators have complete and unrestricted access to the computer/domain
Allowed RODC Password Replication Group | DomainLocal | Security | 0 | 2024-08-28 | Members in this group can have their passwords replicated to all read-only domain controllers in the domain
AuditUploaders | Global | Security | 1 | 2026-04-17 | Members can WRITE-ONLY to \\CS-SERVER\AuditDrop$. No read/list.
Backup Operators | DomainLocal | Security | 0 | 2024-08-28 | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
Cert Publishers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group are permitted to publish certificates to the directory
Certificate Service DCOM Access | DomainLocal | Security | 0 | 2024-08-28 | Members of this group are allowed to connect to Certification Authorities in the enterprise
Cloneable Domain Controllers | Global | Security | 0 | 2024-08-28 | Members of this group that are domain controllers may be cloned.
Cryptographic Operators | DomainLocal | Security | 0 | 2024-08-28 | Members are authorized to perform cryptographic operations.
Denied RODC Password Replication Group | DomainLocal | Security | 8 | 2024-08-28 | Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
DHCP Administrators | DomainLocal | Security | 0 | 2025-12-22 | Members who have administrative access to the DHCP Service
DHCP Users | DomainLocal | Security | 0 | 2025-12-22 | Members who have view-only access to the DHCP service
Distributed COM Users | DomainLocal | Security | 0 | 2024-08-28 | Members are allowed to launch, activate and use Distributed COM objects on this machine.
DnsAdmins | DomainLocal | Security | 0 | 2024-08-28 | DNS Administrators Group
DnsUpdateProxy | Global | Security | 0 | 2024-08-28 | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
Domain Admins | Global | Security | 2 | 2024-08-28 | Designated administrators of the domain
Domain Computers | Global | Security | 0 | 2024-08-28 | All workstations and servers joined to the domain
Domain Controllers | Global | Security | 0 | 2024-08-28 | All domain controllers in the domain
Domain Guests | Global | Security | 0 | 2024-08-28 | All domain guests
Domain Users | Global | Security | 0 | 2024-08-28 | All domain users
Enterprise Admins | Universal | Security | 1 | 2024-08-28 | Designated administrators of the enterprise
Enterprise Key Admins | Universal | Security | 0 | 2024-08-28 | Members of this group can perform administrative actions on key objects within the forest.
Enterprise Read-only Domain Controllers | Universal | Security | 0 | 2024-08-28 | Members of this group are Read-Only Domain Controllers in the enterprise
Event Log Readers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can read event logs from local machine
Group Policy Creator Owners | Global | Security | 1 | 2024-08-28 | Members in this group can modify group policy for the domain
Guests | DomainLocal | Security | 2 | 2024-08-28 | Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
Hyper-V Administrators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group have complete and unrestricted access to all features of Hyper-V.
IIS_IUSRS | DomainLocal | Security | 0 | 2024-08-28 | Built-in group used by Internet Information Services.
Incoming Forest Trust Builders | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can create incoming, one-way trusts to this forest
Key Admins | Global | Security | 0 | 2024-08-28 | Members of this group can perform administrative actions on key objects within the domain.
KitchenAdmin | Global | Security | 0 | 2025-12-11 |
MemoryCareDepartment | Global | Security | 0 | 2025-12-11 |
Network Configuration Operators | DomainLocal | Security | 0 | 2024-08-28 | Members in this group can have some administrative privileges to manage configuration of networking features
Performance Log Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
Performance Monitor Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can access performance counter data locally and remotely
Pre-Windows 2000 Compatible Access | DomainLocal | Security | 1 | 2024-08-28 | A backward compatibility group which allows read access on all users and groups in the domain
Print Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer printers installed on domain controllers
Protected Users | Global | Security | 0 | 2024-08-28 | Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
QuickBooks Access | DomainLocal | Security | 3 | 2024-10-25 |
RAS and IAS Servers | DomainLocal | Security | 0 | 2024-08-28 | Servers in this group can access remote access properties of users
RDS Endpoint Servers | DomainLocal | Security | 2 | 2024-08-28 | Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
RDS Management Servers | DomainLocal | Security | 2 | 2024-08-28 | Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
RDS Remote Access Servers | DomainLocal | Security | 1 | 2024-08-28 | Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
Read-only Domain Controllers | Global | Security | 0 | 2024-08-28 | Members of this group are Read-Only Domain Controllers in the domain
Remote Desktop Users | DomainLocal | Security | 1 | 2024-08-28 | Members in this group are granted the right to logon remotely
Remote Management Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Replicator | DomainLocal | Security | 0 | 2024-08-28 | Supports file replication in a domain
Roaming | Global | Security | 0 | 2025-03-18 |
Schema Admins | Universal | Security | 1 | 2024-08-28 | Designated administrators of the schema
Server Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer domain servers
Storage Replica Administrators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group have complete and unrestricted access to all features of Storage Replica.
Terminal Server License Servers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
Users | DomainLocal | Security | 6 | 2024-08-28 | Users are prevented from making accidental or intentional system-wide changes and can run most applications
Windows Authorization Access Group | DomainLocal | Security | 1 | 2024-08-28 | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
Security groups our rollout plan assumes (checking existence):
[MISSING] SG-External-Signin-Allowed (needs creation)
[MISSING] SG-Caregivers (needs creation)
[MISSING] SG-FrontDesk (needs creation)
[MISSING] SG-CourtesyPatrol (needs creation)
[MISSING] SG-Drivers (needs creation)
[MISSING] SG-Management-RW (needs creation)
[MISSING] SG-Sales-RW (needs creation)
[MISSING] SG-Culinary-RW (needs creation)
[MISSING] SG-IT-RW (needs creation)
[MISSING] SG-Receptionist-RW (needs creation)
[MISSING] SG-Directory-RW (needs creation)
[MISSING] SG-Server-RW (needs creation)
[MISSING] SG-Chat-RW (needs creation)
[MISSING] SG-Office-PHI-External (needs creation)
[MISSING] SG-Office-PHI-Internal (needs creation)
[MISSING] SG-CA-BreakGlass (needs creation)
============================================================================
== 9. Computers (for sync scope decision)
============================================================================
Total computer accounts: 8
Enabled: 8
Disabled: 0
Computer | OS | Enabled | LastLogon
---
ACCT2-PC | Windows 11 Pro for Workstations | True | 2026-04-22
CRYSTAL-PC | Windows 11 Pro | True | 2026-04-16
CS-QB | Windows 10 Pro | True | 2026-04-16
CS-SERVER | Windows Server 2019 Standard | True | 2026-04-22
DESKTOP-1ISF081 | Windows 10 Pro | True | 2025-03-22
DESKTOP-DLTAGOI | Windows 11 Pro for Workstations | True | 2026-04-13
DESKTOP-H6QHRR7 | Windows 11 Pro for Workstations | True | 2026-04-13
DESKTOP-ROK7VNM | Windows 11 Pro for Workstations | True | 2026-04-13
============================================================================
== 10. Existing Entra Connect / MSOL account check
============================================================================
[OK] No MSOL_* accounts in AD (clean install target)
============================================================================
== 11. Recycle Bin + deleted objects
============================================================================
AD Recycle Bin enabled: True
Deleted objects (sample of 10):
- Deleted Objects deletedFrom=''
- Lupe Sanchez
DEL:7234271e-68da-467e-aa9f-b505ec62e06f deletedFrom='CN=Users,DC=cascades,DC=local'
- Anna Pitzlin
DEL:e0a3ddf4-a062-494a-9ca3-d4887acea4d9 deletedFrom='CN=Users,DC=cascades,DC=local'
- Nela Durut-Azizi
DEL:744b63c4-c4d0-4740-b5b9-a864ac4a6e64 deletedFrom='CN=Users,DC=cascades,DC=local'
- Haris Durut
DEL:7b8e8152-2f9b-481f-8776-33a1949c95b5 deletedFrom='CN=Users,DC=cascades,DC=local'
- Jodi Ramstack
DEL:831930f5-0d71-403a-8360-7ffcc6ec3a62 deletedFrom='CN=Users,DC=cascades,DC=local'
- Monica Ramirez
DEL:23bbc7b2-43c2-4db8-a8f7-97a93f48272e deletedFrom='CN=Users,DC=cascades,DC=local'
- Nuria Diaz
DEL:11f586e9-ea83-4db5-aa74-cca5696abbcf deletedFrom='CN=Users,DC=cascades,DC=local'
- Cathy Reece
DEL:c10591da-72ee-4074-9b50-1d004bc46eb2 deletedFrom='CN=Users,DC=cascades,DC=local'
- Kelly Wallace
DEL:1940c00c-6382-449b-be19-8460e74b8317 deletedFrom='CN=Users,DC=cascades,DC=local'
============================================================================
== 12. DNS / DC connectivity (sync path)
============================================================================
--- Key outbound hostnames (already verified clean in readiness check, re-verify):
[OK] login.microsoftonline.com ->
[OK] login.windows.net ->
[OK] adminwebservice.microsoftonline.com ->
============================================================================
== 13. DC health quick recheck
============================================================================
(Any entries above mean a dcdiag warning/failure; otherwise silent = all pass.)
============================================================================
== 14. NTP time sync (re-verify)
============================================================================
Source: time.nist.gov,0x8
System.Object[]
============================================================================
== Done
============================================================================
Completed at 04/22/2026 19:55:54