Files
claudetools/clients/cascades-tucson/reports/2026-04-22-g1-ad-audit.md
Howard Enos 5c6f7dca5e sync: auto-sync from HOWARD-HOME at 2026-04-22 21:40:31
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-22 21:40:31
2026-04-22 21:40:33 -07:00

29 KiB

CS-SERVER G1 AD Audit

Command ID: e83befb7-4c8c-4f24-9b24-56cb641e6464 Run: 2026-04-23T02:55:50.634848Z Exit: 0

STDOUT

G1 AD Audit - 2026-04-22 19:55:51 -07:00

Host: CS-SERVER



============================================================================

== 1. Forest / Domain / Schema

============================================================================

Forest FQDN:           cascades.local

Forest mode:           Windows2016Forest

Domain mode:           Windows2016Domain

Domain DN:             DC=cascades,DC=local

NetBIOS:               CASCADES

UPN suffixes (forest):

   - cascadestucson.com

Schema objectVersion:  88



FSMO roles:

   Schema Master:           CS-SERVER.cascades.local

   Domain Naming Master:    CS-SERVER.cascades.local

   PDC Emulator:            CS-SERVER.cascades.local

   RID Master:              CS-SERVER.cascades.local

   Infrastructure Master:   CS-SERVER.cascades.local



============================================================================

== 2. OU structure

============================================================================

Total OUs: 18



   OU=Administrative,OU=Departments,DC=cascades,DC=local                            users=5 groups=0 computers=0

   OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local                      users=4 groups=0 computers=0

   OU=Care-Memorycare,OU=Departments,DC=cascades,DC=local                           users=2 groups=0 computers=0

   OU=Culinary,OU=Departments,DC=cascades,DC=local                                  users=4 groups=0 computers=0

   OU=Departments,DC=cascades,DC=local                                              users=0 groups=0 computers=0

   OU=Domain Controllers,DC=cascades,DC=local                                       users=0 groups=0 computers=1

   OU=Groups,DC=cascades,DC=local                                                   users=0 groups=1 computers=0

   OU=Housekeeping,OU=Departments,DC=cascades,DC=local                              users=1 groups=0 computers=0

   OU=Life Enrichment,OU=Departments,DC=cascades,DC=local                           users=2 groups=0 computers=0

   OU=Maintenance,OU=Departments,DC=cascades,DC=local                               users=2 groups=0 computers=0

   OU=Marketing,OU=Departments,DC=cascades,DC=local                                 users=4 groups=0 computers=0

   OU=Nurses,OU=Care-Assisted Living,OU=Departments,DC=cascades,DC=local            users=0 groups=0 computers=0

   OU=Resident Services,OU=Departments,DC=cascades,DC=local                         users=8 groups=0 computers=0

   OU=ServiceAccounts,DC=cascades,DC=local                                          users=1 groups=0 computers=0

   OU=Shared PCs,OU=Workstations,DC=cascades,DC=local                               users=0 groups=0 computers=0

   OU=Staff PCs,OU=Workstations,DC=cascades,DC=local                                users=0 groups=0 computers=6

   OU=Transportation,OU=Departments,DC=cascades,DC=local                            users=3 groups=0 computers=0

   OU=Workstations,DC=cascades,DC=local                                             users=0 groups=0 computers=0



Users in default CN=Users container (not ideal - should be in an OU for sync scope):

   Count: 8

   - Administrator (Administrator)

   - directoryshare (directoryshare)

   - Guest (Guest)

   - krbtgt (krbtgt)

   - localadmin (localadmin)

   - QBDataServiceUser34 (QBDataServiceUser34)

   - Receptionist (RECEPTIONIST)

   - sysadmin (Sysadmin)



============================================================================

== 3. All AD users - identity attributes for sync match

============================================================================

Total users: 44

Enabled:     42

Disabled:    2



Per-user identity dump (focus: anything that affects soft-match):



SAM | UPN | Mail | ProxyAddrs | PwdLastSet | PwdNeverExp | Enabled | OU

---

Administrator |  |  |  | 2024-08-04 | True | True | CN=Users

Allison.Reibschied | Allison.Reibschied@cascadestucson.com |  |  | 2026-03-13 | False | True | OU=Administrative,OU=Departments

Alyssa.Brooks | Alyssa.Brooks@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Culinary,OU=Departments

Ashley.Jensen | Ashley.Jensen@cascadestucson.com |  |  | NULL | False | True | OU=Administrative,OU=Departments

britney.thompson | britney.thompson@cascadestucson.com |  |  | NULL | False | True | OU=Care-Assisted Living,OU=Departments

Cathy.Kingston | Cathy.Kingston@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Resident Services,OU=Departments

Christina.DuPras | Christina.DuPras@cascadestucson.com |  |  | 2026-01-06 | False | True | OU=Resident Services,OU=Departments

Christine.Nyanzunda | Christine.Nyanzunda@cascadestucson.com |  |  | NULL | False | True | OU=Care-Memorycare,OU=Departments

Christopher.Holick | Christopher.Holick@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Transportation,OU=Departments

Crystal.Rodriguez | Crystal.Rodriguez@cascadestucson.com |  |  | 2026-04-20 | False | True | OU=Marketing,OU=Departments

Culinary | Culinary@cascades.local |  |  | 2024-12-27 | True | True | OU=Culinary,OU=Departments

directoryshare | directoryshare@cascades.local |  |  | 2025-12-01 | True | True | CN=Users

Guest |  |  |  | NULL | True | False | CN=Users

howard | howard@cascadestucson.com |  |  | 2025-08-11 | True | True | OU=Administrative,OU=Departments

JD.Martin | JD.Martin@cascadestucson.com |  |  | NULL | False | True | OU=Culinary,OU=Departments

John.Trozzi | John.Trozzi@cascadestucson.com |  |  | NULL | False | True | OU=Maintenance,OU=Departments

Julian.Crim | Julian.Crim@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Transportation,OU=Departments

karen.rossini | karen.rossini@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Care-Assisted Living,OU=Departments

krbtgt |  |  |  | 2024-08-28 | False | False | CN=Users

Kyla.QuickTiffany | Kyla.QuickTiffany@cascadestucson.com |  |  | 2026-04-13 | False | True | OU=Resident Services,OU=Departments

lauren.hasselman | lauren.hasselman@cascadestucson.com |  |  | 2026-04-01 | False | True | OU=Administrative,OU=Departments

localadmin |  |  |  | 2024-12-03 | True | True | CN=Users

Lois.Lane | Lois.Lane@cascadestucson.com |  |  | 2025-12-22 | True | True | OU=Care-Assisted Living,OU=Departments

Lupe.Sanchez | Lupe.Sanchez@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Housekeeping,OU=Departments

Matt.Brooks | Matt.Brooks@cascadestucson.com |  |  | NULL | False | True | OU=Maintenance,OU=Departments

Megan.Hiatt | Megan.Hiatt@cascadestucson.com |  |  | NULL | False | True | OU=Marketing,OU=Departments

Meredith.Kuhn | Meredith.Kuhn@cascadestucson.com |  |  | NULL | False | True | OU=Administrative,OU=Departments

Michelle.Shestko | Michelle.Shestko@cascadestucson.com |  |  | NULL | False | True | OU=Resident Services,OU=Departments

QBDataServiceUser34 |  |  |  | 2024-10-02 | True | True | CN=Users

Ramon.Castaneda | Ramon.Castaneda@cascadestucson.com |  |  | NULL | False | True | OU=Culinary,OU=Departments

Ray.Rai | Ray.Rai@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Resident Services,OU=Departments

Receptionist | RECEPTIONIST@cascades.local |  |  | 2026-04-07 | True | True | CN=Users

Richard.Adams | Richard.Adams@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Transportation,OU=Departments

saleshare |  |  |  | 2025-10-27 | False | True | OU=Marketing,OU=Departments

Sebastian.Leon | Sebastian.Leon@cascadestucson.com |  |  | NULL | False | True | OU=Resident Services,OU=Departments

Sharon.Edwards | Sharon.Edwards@cascadestucson.com |  |  | 2026-04-13 | False | True | OU=Life Enrichment,OU=Departments

Shelby.Trozzi | Shelby.Trozzi@cascadestucson.com |  |  | 2025-12-11 | True | True | OU=Care-Memorycare,OU=Departments

Sheldon.Gardfrey | Sheldon.Gardfrey@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Resident Services,OU=Departments

Shontiel.Nunn | Shontiel.Nunn@cascadestucson.com |  |  | 2025-12-12 | False | True | OU=Resident Services,OU=Departments

Susan.Hicks | Susan.Hicks@cascadestucson.com |  |  | 2026-04-13 | False | True | OU=Life Enrichment,OU=Departments

svc-audit-upload |  |  |  | 2026-04-17 | True | True | OU=ServiceAccounts

sysadmin | sysadmin@cascadestucson.com |  |  | 2024-09-29 | True | True | CN=Users

Tamra.Matthews | Tamra.Matthews@cascadestucson.com |  |  | NULL | False | True | OU=Marketing,OU=Departments

Veronica.Feller | Veronica.Feller@cascadestucson.com |  |  | NULL | False | True | OU=Care-Assisted Living,OU=Departments



============================================================================

== 4. Soft-match risk scan - accounts likely to duplicate in Entra

============================================================================

--- Users with NO proxyAddresses and NO mail (soft-match engine has nothing to work with):

   - Administrator (UPN: )

   - localadmin (UPN: )

   - Meredith.Kuhn (UPN: Meredith.Kuhn@cascadestucson.com)

   - John.Trozzi (UPN: John.Trozzi@cascadestucson.com)

   - Megan.Hiatt (UPN: Megan.Hiatt@cascadestucson.com)

   - Crystal.Rodriguez (UPN: Crystal.Rodriguez@cascadestucson.com)

   - Tamra.Matthews (UPN: Tamra.Matthews@cascadestucson.com)

   - Lois.Lane (UPN: Lois.Lane@cascadestucson.com)

   - Christina.DuPras (UPN: Christina.DuPras@cascadestucson.com)

   - Christine.Nyanzunda (UPN: Christine.Nyanzunda@cascadestucson.com)

   - Susan.Hicks (UPN: Susan.Hicks@cascadestucson.com)

   - Ashley.Jensen (UPN: Ashley.Jensen@cascadestucson.com)

   - Veronica.Feller (UPN: Veronica.Feller@cascadestucson.com)

   - Sebastian.Leon (UPN: Sebastian.Leon@cascadestucson.com)

   - JD.Martin (UPN: JD.Martin@cascadestucson.com)

   - Matt.Brooks (UPN: Matt.Brooks@cascadestucson.com)

   - Ramon.Castaneda (UPN: Ramon.Castaneda@cascadestucson.com)

   - Michelle.Shestko (UPN: Michelle.Shestko@cascadestucson.com)

   - Sharon.Edwards (UPN: Sharon.Edwards@cascadestucson.com)

   - sysadmin (UPN: sysadmin@cascadestucson.com)

   - QBDataServiceUser34 (UPN: )

   - Culinary (UPN: Culinary@cascades.local)

   - Receptionist (UPN: RECEPTIONIST@cascades.local)

   - britney.thompson (UPN: britney.thompson@cascadestucson.com)

   - howard (UPN: howard@cascadestucson.com)

   - saleshare (UPN: )

   - directoryshare (UPN: directoryshare@cascades.local)

   - Shelby.Trozzi (UPN: Shelby.Trozzi@cascadestucson.com)

   - karen.rossini (UPN: karen.rossini@cascadestucson.com)

   - Alyssa.Brooks (UPN: Alyssa.Brooks@cascadestucson.com)

   - Lupe.Sanchez (UPN: Lupe.Sanchez@cascadestucson.com)

   - Sheldon.Gardfrey (UPN: Sheldon.Gardfrey@cascadestucson.com)

   - Cathy.Kingston (UPN: Cathy.Kingston@cascadestucson.com)

   - Shontiel.Nunn (UPN: Shontiel.Nunn@cascadestucson.com)

   - Ray.Rai (UPN: Ray.Rai@cascadestucson.com)

   - Richard.Adams (UPN: Richard.Adams@cascadestucson.com)

   - Julian.Crim (UPN: Julian.Crim@cascadestucson.com)

   - Christopher.Holick (UPN: Christopher.Holick@cascadestucson.com)

   - lauren.hasselman (UPN: lauren.hasselman@cascadestucson.com)

   - Allison.Reibschied (UPN: Allison.Reibschied@cascadestucson.com)

   - Kyla.QuickTiffany (UPN: Kyla.QuickTiffany@cascadestucson.com)

   - svc-audit-upload (UPN: )



--- Users whose UPN suffix is NOT cascadestucson.com (will mismatch M365 target unless renamed):

   - Culinary UPN=Culinary@cascades.local

   - Receptionist UPN=RECEPTIONIST@cascades.local

   - directoryshare UPN=directoryshare@cascades.local



--- Users whose SAM does not match their UPN prefix (name mismatch candidates):



--- Users with DisplayName different from Given+Surname (may cause display oddities post-sync):

   - SAM=Crystal.Rodriguez display='Crystal  Rodriguez' expected='Crystal Rodriguez'

   - SAM=howard display='howard' expected='Howard Dax'

   - SAM=Cathy.Kingston display='Cathy.Kingston' expected='Cathy Kingston'



============================================================================

== 5. Password hygiene (affects whether sync-derived sign-in will work)

============================================================================

--- Enabled users with null PasswordLastSet (never set a password):

   - Meredith.Kuhn whenCreated=2024-08-28

   - John.Trozzi whenCreated=2024-08-28

   - Megan.Hiatt whenCreated=2024-08-28

   - Tamra.Matthews whenCreated=2024-08-28

   - Christine.Nyanzunda whenCreated=2024-08-28

   - Ashley.Jensen whenCreated=2024-08-28

   - Veronica.Feller whenCreated=2024-08-28

   - Sebastian.Leon whenCreated=2024-08-28

   - JD.Martin whenCreated=2024-08-28

   - Matt.Brooks whenCreated=2024-08-28

   - Ramon.Castaneda whenCreated=2024-08-28

   - Michelle.Shestko whenCreated=2024-08-28

   - britney.thompson whenCreated=2025-06-12



--- Users with PasswordNotRequired=True:

   - Guest enabled=False



--- Users with PasswordNeverExpires=True:

   - Administrator PwdLastSet=08/04/2024 18:39:34 Description='Built-in account for administering the computer/domain'

   - localadmin PwdLastSet=12/03/2024 15:22:15 Description=''

   - Lois.Lane PwdLastSet=12/22/2025 09:52:55 Description=''

   - sysadmin PwdLastSet=09/29/2024 21:23:28 Description=''

   - QBDataServiceUser34 PwdLastSet=10/02/2024 12:22:12 Description='This account has been established to run the QuickBooks database system.'

   - Culinary PwdLastSet=12/27/2024 10:17:03 Description=''

   - Receptionist PwdLastSet=04/07/2026 12:54:47 Description=''

   - howard PwdLastSet=08/11/2025 13:18:03 Description='Home Offie'

   - directoryshare PwdLastSet=12/01/2025 10:02:12 Description=''

   - Shelby.Trozzi PwdLastSet=12/11/2025 14:03:27 Description=''

   - svc-audit-upload PwdLastSet=04/17/2026 15:21:13 Description='Write-only access to \\CS-SERVER\AuditDrop$. Used by Syncro audit upload script. Do not use interactively.'



--- Currently locked-out accounts:



krbtgt password last set: 08/28/2024 10:02:37 (age: 602 days)

   (best practice: rotate every 180 days; > 180 is a known audit finding)



============================================================================

== 6. Role-based / shared accounts (should NOT sync)

============================================================================

Accounts whose SamAccountName looks role-based (should be EXCLUDED from sync scope):

   - Culinary enabled=True OU=CN=Culinary,OU=Culinary,OU=Departments,DC=cascades,DC=local

   - Receptionist enabled=True OU=CN=RECEPTIONIST,CN=Users,DC=cascades,DC=local

   - saleshare enabled=True OU=CN=saleshare,OU=Marketing,OU=Departments,DC=cascades,DC=local

   - directoryshare enabled=True OU=CN=directoryshare,CN=Users,DC=cascades,DC=local



Service / built-in accounts (context - usually excluded from sync):

   - Administrator enabled=True

   - Guest enabled=False

   - localadmin enabled=True

   - krbtgt enabled=False

   - sysadmin enabled=True

   - QBDataServiceUser34 enabled=True

   - howard enabled=True



============================================================================

== 7. Likely-departed accounts still enabled (HIPAA termination risk)

============================================================================

Enabled accounts with no logon activity in 90+ days:

   - britney.thompson lastLogon=never

   - karen.rossini lastLogon=never

   - Shelby.Trozzi lastLogon=never

   - Ramon.Castaneda lastLogon=never

   - Matt.Brooks lastLogon=never

   - Christopher.Holick lastLogon=never

   - Michelle.Shestko lastLogon=never

   - Ray.Rai lastLogon=never

   - Shontiel.Nunn lastLogon=never

   - Julian.Crim lastLogon=never

   - Richard.Adams lastLogon=never

   - Lupe.Sanchez lastLogon=never

   - Alyssa.Brooks lastLogon=never

   - Cathy.Kingston lastLogon=never

   - Sheldon.Gardfrey lastLogon=never

   - JD.Martin lastLogon=never

   - Tamra.Matthews lastLogon=never

   - Megan.Hiatt lastLogon=never

   - svc-audit-upload lastLogon=never

   - Lois.Lane lastLogon=never

   - John.Trozzi lastLogon=never

   - Kyla.QuickTiffany lastLogon=never

   - Meredith.Kuhn lastLogon=never

   - Ashley.Jensen lastLogon=never

   - Veronica.Feller lastLogon=never

   - Sebastian.Leon lastLogon=never

   - Christine.Nyanzunda lastLogon=never

   - saleshare lastLogon=2025-12-08

   - Christina.DuPras lastLogon=2026-01-06



============================================================================

== 8. AD groups inventory

============================================================================

Total groups: 55



Group name | Scope | Category | Members | Created | Description

---

Access Control Assistance Operators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can remotely query authorization attributes and permissions for resources on this computer.

Account Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer domain user and group accounts

Administrators | DomainLocal | Security | 4 | 2024-08-28 | Administrators have complete and unrestricted access to the computer/domain

Allowed RODC Password Replication Group | DomainLocal | Security | 0 | 2024-08-28 | Members in this group can have their passwords replicated to all read-only domain controllers in the domain

AuditUploaders | Global | Security | 1 | 2026-04-17 | Members can WRITE-ONLY to \\CS-SERVER\AuditDrop$. No read/list.

Backup Operators | DomainLocal | Security | 0 | 2024-08-28 | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

Cert Publishers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group are permitted to publish certificates to the directory

Certificate Service DCOM Access | DomainLocal | Security | 0 | 2024-08-28 | Members of this group are allowed to connect to Certification Authorities in the enterprise

Cloneable Domain Controllers | Global | Security | 0 | 2024-08-28 | Members of this group that are domain controllers may be cloned.

Cryptographic Operators | DomainLocal | Security | 0 | 2024-08-28 | Members are authorized to perform cryptographic operations.

Denied RODC Password Replication Group | DomainLocal | Security | 8 | 2024-08-28 | Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain

DHCP Administrators | DomainLocal | Security | 0 | 2025-12-22 | Members who have administrative access to the DHCP Service

DHCP Users | DomainLocal | Security | 0 | 2025-12-22 | Members who have view-only access to the DHCP service

Distributed COM Users | DomainLocal | Security | 0 | 2024-08-28 | Members are allowed to launch, activate and use Distributed COM objects on this machine.

DnsAdmins | DomainLocal | Security | 0 | 2024-08-28 | DNS Administrators Group

DnsUpdateProxy | Global | Security | 0 | 2024-08-28 | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

Domain Admins | Global | Security | 2 | 2024-08-28 | Designated administrators of the domain

Domain Computers | Global | Security | 0 | 2024-08-28 | All workstations and servers joined to the domain

Domain Controllers | Global | Security | 0 | 2024-08-28 | All domain controllers in the domain

Domain Guests | Global | Security | 0 | 2024-08-28 | All domain guests

Domain Users | Global | Security | 0 | 2024-08-28 | All domain users

Enterprise Admins | Universal | Security | 1 | 2024-08-28 | Designated administrators of the enterprise

Enterprise Key Admins | Universal | Security | 0 | 2024-08-28 | Members of this group can perform administrative actions on key objects within the forest.

Enterprise Read-only Domain Controllers | Universal | Security | 0 | 2024-08-28 | Members of this group are Read-Only Domain Controllers in the enterprise

Event Log Readers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can read event logs from local machine

Group Policy Creator Owners | Global | Security | 1 | 2024-08-28 | Members in this group can modify group policy for the domain

Guests | DomainLocal | Security | 2 | 2024-08-28 | Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted

Hyper-V Administrators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group have complete and unrestricted access to all features of Hyper-V.

IIS_IUSRS | DomainLocal | Security | 0 | 2024-08-28 | Built-in group used by Internet Information Services.

Incoming Forest Trust Builders | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can create incoming, one-way trusts to this forest

Key Admins | Global | Security | 0 | 2024-08-28 | Members of this group can perform administrative actions on key objects within the domain.

KitchenAdmin | Global | Security | 0 | 2025-12-11 | 

MemoryCareDepartment | Global | Security | 0 | 2025-12-11 | 

Network Configuration Operators | DomainLocal | Security | 0 | 2024-08-28 | Members in this group can have some administrative privileges to manage configuration of networking features

Performance Log Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer

Performance Monitor Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can access performance counter data locally and remotely

Pre-Windows 2000 Compatible Access | DomainLocal | Security | 1 | 2024-08-28 | A backward compatibility group which allows read access on all users and groups in the domain

Print Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer printers installed on domain controllers

Protected Users | Global | Security | 0 | 2024-08-28 | Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.

QuickBooks Access | DomainLocal | Security | 3 | 2024-10-25 | 

RAS and IAS Servers | DomainLocal | Security | 0 | 2024-08-28 | Servers in this group can access remote access properties of users

RDS Endpoint Servers | DomainLocal | Security | 2 | 2024-08-28 | Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

RDS Management Servers | DomainLocal | Security | 2 | 2024-08-28 | Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.

RDS Remote Access Servers | DomainLocal | Security | 1 | 2024-08-28 | Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.

Read-only Domain Controllers | Global | Security | 0 | 2024-08-28 | Members of this group are Read-Only Domain Controllers in the domain

Remote Desktop Users | DomainLocal | Security | 1 | 2024-08-28 | Members in this group are granted the right to logon remotely

Remote Management Users | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Replicator | DomainLocal | Security | 0 | 2024-08-28 | Supports file replication in a domain

Roaming | Global | Security | 0 | 2025-03-18 | 

Schema Admins | Universal | Security | 1 | 2024-08-28 | Designated administrators of the schema

Server Operators | DomainLocal | Security | 0 | 2024-08-28 | Members can administer domain servers

Storage Replica Administrators | DomainLocal | Security | 0 | 2024-08-28 | Members of this group have complete and unrestricted access to all features of Storage Replica.

Terminal Server License Servers | DomainLocal | Security | 0 | 2024-08-28 | Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage

Users | DomainLocal | Security | 6 | 2024-08-28 | Users are prevented from making accidental or intentional system-wide changes and can run most applications

Windows Authorization Access Group | DomainLocal | Security | 1 | 2024-08-28 | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects



Security groups our rollout plan assumes (checking existence):

   [MISSING] SG-External-Signin-Allowed (needs creation)

   [MISSING] SG-Caregivers (needs creation)

   [MISSING] SG-FrontDesk (needs creation)

   [MISSING] SG-CourtesyPatrol (needs creation)

   [MISSING] SG-Drivers (needs creation)

   [MISSING] SG-Management-RW (needs creation)

   [MISSING] SG-Sales-RW (needs creation)

   [MISSING] SG-Culinary-RW (needs creation)

   [MISSING] SG-IT-RW (needs creation)

   [MISSING] SG-Receptionist-RW (needs creation)

   [MISSING] SG-Directory-RW (needs creation)

   [MISSING] SG-Server-RW (needs creation)

   [MISSING] SG-Chat-RW (needs creation)

   [MISSING] SG-Office-PHI-External (needs creation)

   [MISSING] SG-Office-PHI-Internal (needs creation)

   [MISSING] SG-CA-BreakGlass (needs creation)



============================================================================

== 9. Computers (for sync scope decision)

============================================================================

Total computer accounts: 8

Enabled:  8

Disabled: 0



Computer | OS | Enabled | LastLogon

---

ACCT2-PC | Windows 11 Pro for Workstations | True | 2026-04-22

CRYSTAL-PC | Windows 11 Pro | True | 2026-04-16

CS-QB | Windows 10 Pro | True | 2026-04-16

CS-SERVER | Windows Server 2019 Standard | True | 2026-04-22

DESKTOP-1ISF081 | Windows 10 Pro | True | 2025-03-22

DESKTOP-DLTAGOI | Windows 11 Pro for Workstations | True | 2026-04-13

DESKTOP-H6QHRR7 | Windows 11 Pro for Workstations | True | 2026-04-13

DESKTOP-ROK7VNM | Windows 11 Pro for Workstations | True | 2026-04-13



============================================================================

== 10. Existing Entra Connect / MSOL account check

============================================================================

[OK] No MSOL_* accounts in AD (clean install target)



============================================================================

== 11. Recycle Bin + deleted objects

============================================================================

AD Recycle Bin enabled: True

Deleted objects (sample of 10):

   - Deleted Objects deletedFrom=''

   - Lupe Sanchez
DEL:7234271e-68da-467e-aa9f-b505ec62e06f deletedFrom='CN=Users,DC=cascades,DC=local'

   - Anna Pitzlin
DEL:e0a3ddf4-a062-494a-9ca3-d4887acea4d9 deletedFrom='CN=Users,DC=cascades,DC=local'

   - Nela Durut-Azizi
DEL:744b63c4-c4d0-4740-b5b9-a864ac4a6e64 deletedFrom='CN=Users,DC=cascades,DC=local'

   - Haris Durut
DEL:7b8e8152-2f9b-481f-8776-33a1949c95b5 deletedFrom='CN=Users,DC=cascades,DC=local'

   - Jodi Ramstack
DEL:831930f5-0d71-403a-8360-7ffcc6ec3a62 deletedFrom='CN=Users,DC=cascades,DC=local'

   - Monica Ramirez
DEL:23bbc7b2-43c2-4db8-a8f7-97a93f48272e deletedFrom='CN=Users,DC=cascades,DC=local'

   - Nuria Diaz
DEL:11f586e9-ea83-4db5-aa74-cca5696abbcf deletedFrom='CN=Users,DC=cascades,DC=local'

   - Cathy Reece
DEL:c10591da-72ee-4074-9b50-1d004bc46eb2 deletedFrom='CN=Users,DC=cascades,DC=local'

   - Kelly Wallace
DEL:1940c00c-6382-449b-be19-8460e74b8317 deletedFrom='CN=Users,DC=cascades,DC=local'



============================================================================

== 12. DNS / DC connectivity (sync path)

============================================================================

--- Key outbound hostnames (already verified clean in readiness check, re-verify):

   [OK] login.microsoftonline.com -> 

   [OK] login.windows.net -> 

   [OK] adminwebservice.microsoftonline.com -> 



============================================================================

== 13. DC health quick recheck

============================================================================

(Any entries above mean a dcdiag warning/failure; otherwise silent = all pass.)



============================================================================

== 14. NTP time sync (re-verify)

============================================================================

Source: time.nist.gov,0x8 

System.Object[]



============================================================================

== Done

============================================================================

Completed at 04/22/2026 19:55:54