claudetools/clients/cascades-tucson/docs/migration/phase2-server-prep.md
Howard Enos 6bd416657c sync: auto-sync from HOWARD-HOME at 2026-04-22 17:39:56

Step 4: Server Preparation — AD & Shares (~4-6 hours, remote via ScreenConnect)

No user impact — server-side work only.


4a — DNS cleanup

Run scripts/phase2-dns-cleanup.ps1 on CS-SERVER.

Actions:

  • Remove stale A records pointing to old IPs (192.168.0.5, 192.168.2.59, etc.)
  • Fix DomainDnsZones/ForestDnsZones records to point to 192.168.2.254
  • Enable DNS scavenging (7-day interval)
  • Enable aging on cascades.local zone
  • Create reverse lookup zones for 192.168.0.0/22 and 10.0.20.0/24

Verify after: nslookup cs-server.cascades.local should return only 192.168.2.254.
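
The steps above as an added PowerShell example; this is not the client's `scripts/phase2-dns-cleanup.ps1`. It assumes the DnsServer module is present (DNS role installed) and the session holds DnsAdmins rights on CS-SERVER; `Resolve-DnsName` stands in for the `nslookup` check.

```powershell
# Added example, not the client's scripts/phase2-dns-cleanup.ps1: list and
# remove A records that still point at the old addresses, enable aging and
# scavenging, create the reverse zones, then verify the result.
# Assumes the DnsServer module (DNS role) and a DnsAdmins session on CS-SERVER.
$Zone     = 'cascades.local'
$GoodIp   = '192.168.2.254'
$StaleIps = @('192.168.0.5', '192.168.2.59')   # old IPs named in the runbook; extend as found

# 1. Inventory every A record that still resolves to a stale IP before touching anything.
$stale = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -in $StaleIps }
$stale | Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } } | Format-Table -AutoSize

# 2. Remove them. -WhatIf keeps this a dry run; drop it once the list above is reviewed.
foreach ($rr in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $Zone -InputObject $rr -Force -WhatIf
}

# 3. Aging on the cascades.local zone plus server-wide scavenging, both on a 7-day interval.
#    A record older than no-refresh + refresh (14 days) becomes eligible for scavenging.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# 4. AD-integrated reverse zones for both subnets; an existing zone just logs a warning.
foreach ($net in '192.168.0.0/22', '10.0.20.0/24') {
    try   { Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -ErrorAction Stop }
    catch { Write-Warning "Reverse zone for ${net}: $($_.Exception.Message)" }
}

# 5. Verify: the server name must resolve to exactly one address, 192.168.2.254.
$answers = @(Resolve-DnsName "cs-server.$Zone" -Type A -Server 127.0.0.1 -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
if (Compare-Object $answers @($GoodIp)) {
    Write-Warning "cs-server.$Zone resolves to [$($answers -join ', ')]; expected only $GoodIp"
} else {
    "OK: cs-server.$Zone resolves only to $GoodIp"
}
```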


4b — AD cleanup

Run scripts/phase2-ad-setup.ps1 on CS-SERVER.

Security fixes (immediate)

  • Remove disabled Monica.Ramirez from Domain Admins group
  • Disable Haris.Durut (still enabled, no longer employed)
  • Rename "Quickboosk acccess" group → "QuickBooks Access"
  • Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)

OU cleanup

  • Fix misspelled OU: "Managment" → "Management"
  • Create OU structure: Workstations\Staff PCs

Security groups (created and populated with members)

| Group | Members |
|---|---|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |

Account removals (client confirmed)

Already disabled — delete:

  • Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol

Still enabled — disable + delete (not in HR list, former employees):

  • Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery

Keep: lauren.hasselman (took over Bristol's role as Business Office Director)

Move computers to Workstations OU

  • CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081

4c — Sync data from Synology NAS — DONE 2026-03-07

Run scripts/phase2-sync-synology.ps1 on CS-SERVER.

Synology Drive Client reinstalled on CS-SERVER and configured for live sync to D:\Shares\Main. All Synology shares sync continuously to this location.

  • Sync method: Synology Drive Client (live, ongoing sync)
  • Sync destination: D:\Shares\Main on CS-SERVER
  • Direction: Synology → CS-SERVER (one-way)

Synology shares visible via SMB (2026-03-07 audit)

| Synology Share | Size | Syncing to D:\Shares\Main |
|---|---|---|
| homes | 228.14 GB | Yes |
| Public | 50.15 GB | Yes |
| SalesDept | 12.61 GB | Yes |
| Server | 1.84 GB | Yes |
| Management | 1.4 GB | Yes |
| chat | 0 GB (empty) | Yes |
| home | 0 GB (empty) | Yes |

Total: ~294 GB syncing. D: had 635 GB free — sufficient.

Shares NOT visible via SMB

| Synology Share | Notes |
|---|---|
| Activities | Not shared via SMB — may be internal Synology folder or removed |
| pacs | Not shared via SMB — verify on Synology DSM |
| Sandra Fish | Not shared via SMB — verify on Synology DSM |
| web | Not shared via SMB — verify on Synology DSM |

Note: Synology uses local accounts (not AD-joined). Authenticated from CS-SERVER via net use \\192.168.0.120 /user:admin.

Already on CS-SERVER (no sync needed): Culinary, IT, Receptionist, directoryshare

SaleShare is the old/duplicate folder — ignore it. SalesDept is the real one.


4d — Set up file share permissions (HIPAA: access control + audit)

Run scripts/phase2-file-shares.ps1 on CS-SERVER (AFTER sync completes).

Creates SMB shares for synced folders and sets NTFS permissions matching Synology access. HIPAA §164.312(b): After shares are created, enable Advanced Audit Logging on all PHI-containing shares (Management, Server, homes) to track read/write/delete operations.

Prerequisite (added 2026-04-22 per docs/security/hipaa-review-2026-04-22.md + user-rollout dependency): Before this script runs, the Synology permission inventory must be captured and translated to AD security group memberships. See docs/migration/phase4-synology.md §6.0.16.0.2 for the discovery commands and docs/migration/synology-permission-inventory.md (to be created) for the mapping output.

HIPAA-review additions (must be applied as part of this phase, not deferred):

  • Set-SmbShare -EncryptData $true on every share in the table — satisfies Addressable specs §164.312(a)(2)(iv) at-rest and §164.312(e)(2)(ii) in-transit encryption
  • NTFS SACL (audit rule) set to audit Success + Failure for ReadData / WriteData / Delete / ChangePermissions on all PHI shares — satisfies Required spec §164.312(b) Audit Controls
  • See phase4-synology.md §6.0.3 for the exact PowerShell

| Share | NTFS Access | SMB Share |
|---|---|---|
| Management | SG-Management-RW = Modify | `\\CS-SERVER\Management` |
| SalesDept | SG-Sales-RW = Modify | `\\CS-SERVER\SalesDept` |
| Server | SG-Server-RW = Modify | `\\CS-SERVER\Server` |
| chat | SG-Chat-RW = Modify | `\\CS-SERVER\chat` |
| Public | Authenticated Users = Modify | `\\CS-SERVER\Public` |
| Culinary | SG-Culinary-RW = Modify | `\\CS-SERVER\Culinary` (exists) |
| IT | SG-IT-RW = Modify | `\\CS-SERVER\IT` (exists) |
| Receptionist | SG-Receptionist-RW = Modify | `\\CS-SERVER\Receptionist` (exists) |
| directoryshare | SG-Directory-RW = Modify | `\\CS-SERVER\directoryshare` (exists) |
| homes | CREATOR OWNER = Full (subfolder) | `\\CS-SERVER\homes` (ABE enabled) |

All shares also get: Domain Admins = Full Control, SYSTEM = Full Control.
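
One way to implement the share, NTFS DACL and audit SACL settings above for the PHI shares, as an added PowerShell example that is not the client's `scripts/phase2-file-shares.ps1`. It assumes the folders already exist under D:\Shares\Main and the SG-* groups exist; the NetBIOS domain name `CASCADES` is an assumption. A caveat worth keeping in mind: `-EncryptData` encrypts SMB traffic in transit and requires SMB 3.x clients; it does not encrypt the files on D:, which is a separate volume-level control.

```powershell
# Added example, not the client's scripts/phase2-file-shares.ps1: create (or
# harden) one share with SMB encryption, set the NTFS DACL from the table, and
# add the HIPAA audit SACL. Assumes the folders exist under D:\Shares\Main and
# the SG-* groups exist; the NetBIOS domain name is an assumption.
# Caveat: -EncryptData encrypts SMB traffic in transit and requires SMB 3.x
# clients; the files on D: are not encrypted by it (that is a volume-level control).
$Domain  = 'CASCADES'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

function Set-PhiShare {
    param([string]$Name, [string]$Path, [string]$RwGroup, [switch]$AccessBased)

    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $Name -EncryptData $true -Force
    } else {   # share-level ACL mirrors the NTFS grants; NTFS below is the effective control
        New-SmbShare -Name $Name -Path $Path -EncryptData $true `
            -FullAccess "$Domain\Domain Admins" -ChangeAccess "$Domain\$RwGroup" | Out-Null
    }
    if ($AccessBased) { Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force }

    # NTFS DACL: break inheritance (inherited ACEs dropped) and add the three principals from the table.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($grant in @(@("$Domain\Domain Admins", 'FullControl'),
                         @('NT AUTHORITY\SYSTEM', 'FullControl'),
                         @("$Domain\$RwGroup", 'Modify'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant[0], $grant[1], $Inherit, $NoProp, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl

    # NTFS SACL: Success + Failure for the four operations the HIPAA review calls out.
    $audit  = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions'
    $audit.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $Inherit, $NoProp, 'Success, Failure')))
    Set-Acl -Path $Path -AclObject $audit
}

Set-PhiShare -Name 'Management' -Path 'D:\Shares\Main\Management' -RwGroup 'SG-Management-RW'
Set-PhiShare -Name 'Server'     -Path 'D:\Shares\Main\Server'     -RwGroup 'SG-Server-RW'

# The SACL only produces events (4663 and friends) when object-access auditing is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

The homes share additionally needs `-AccessBased` and the CREATOR OWNER = Full rule on the per-user subfolders, which this function does not add.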


4e — Set up print server

Run scripts/phase2-print-server.ps1 on CS-SERVER.

Creates TCP/IP printer ports for each printer. Drivers must be downloaded separately from manufacturer websites and installed manually, then the script can create the shared printers.

| Printer | IP | Driver Source |
|---|---|---|
| Front Desk - Epson ET-5800 | 192.168.2.147 | epson.com |
| Business Office - Canon MF455DW | 192.168.3.227 | canon.com |
| Marketing - Brother MFC-L8900CDW | 192.168.2.21 | brother.com |
| 206 Health - Brother MFC-L8900CDW | 192.168.1.138 | brother.com |
| MemCare MedTech - Brother MFC-L8900CDW | 192.168.2.53 | brother.com |
| MemCare Director - Canon MF451CDW | 192.168.3.52 | canon.com |
| Kitchen Printer | 192.168.0.121 | TBD |

Test: Print a test page from CS-SERVER to each shared printer before deploying via GPO.
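
Port and queue creation for the table above as an added PowerShell example; this is not the client's `scripts/phase2-print-server.ps1`. The driver names are placeholders and must match whatever was installed from the vendor sites; the share names come from the printer deployment GPO below.

```powershell
# Added example, not the client's scripts/phase2-print-server.ps1: create a
# Standard TCP/IP port per printer only after the printer answers on 9100 and
# its driver is present, then share the queue. Driver names are placeholders.
$printers = @(
    @{ Share = 'FrontDesk-Epson';   Name = 'Front Desk - Epson ET-5800';       IP = '192.168.2.147'; Driver = 'EPSON ET-5800 Series' }
    @{ Share = 'BizOffice-Canon';   Name = 'Business Office - Canon MF455DW';  IP = '192.168.3.227'; Driver = 'Canon Generic Plus UFR II' }
    @{ Share = 'Marketing-Brother'; Name = 'Marketing - Brother MFC-L8900CDW'; IP = '192.168.2.21';  Driver = 'Brother MFC-L8900CDW series' }
)
foreach ($p in $printers) {
    # Skip anything that is not actually reachable on the RAW port; the port would be created but dead.
    if (-not (Test-NetConnection -ComputerName $p.IP -Port 9100 -InformationLevel Quiet)) {
        Write-Warning "$($p.Name): $($p.IP) not listening on 9100, skipping"; continue
    }
    if (-not (Get-PrinterDriver -Name $p.Driver -ErrorAction SilentlyContinue)) {
        Write-Warning "$($p.Name): driver '$($p.Driver)' not installed, install it from the vendor site first"; continue
    }
    $port = "IP_$($p.IP)"
    if (-not (Get-PrinterPort -Name $port -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $port -PrinterHostAddress $p.IP
    }
    if (-not (Get-Printer -Name $p.Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $p.Name -DriverName $p.Driver -PortName $port -Shared -ShareName $p.Share -Published
    }
    # Test page for the "Test:" step above, from CS-SERVER itself.
    rundll32 printui.dll,PrintUIEntry /k /n "$($p.Name)"
}
```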


GPO 1: "CSC - Drive Mappings"

User Configuration → Preferences → Drive Maps

| Drive | Path | Targeting |
|---|---|---|
| S: | `\\CS-SERVER\Shares` | All domain users |
| M: | `\\CS-SERVER\Management` | SG-Management-RW members |
| T: | `\\CS-SERVER\SalesDept` | SG-Sales-RW members |
| K: | `\\CS-SERVER\Culinary` | SG-Culinary-RW members |
| I: | `\\CS-SERVER\IT` | SG-IT-RW members |
| R: | `\\CS-SERVER\Receptionist` | SG-Receptionist-RW members |
| P: | `\\CS-SERVER\Public` | All domain users |

Use Item-Level Targeting → Security Group for department-specific drives.

GPO 2: "CSC - Printer Deployment"

Computer Configuration → Preferences → Printers

Deploy shared printers with Item-Level Targeting by computer name or security group:

  • \\CS-SERVER\FrontDesk-Epson → Front desk PCs
  • \\CS-SERVER\BizOffice-Canon → Accounting PCs
  • \\CS-SERVER\Marketing-Brother → Marketing group
  • (etc.)

GPO 3: "CSC - Security Baseline"

Computer Configuration → Security Settings

| Setting | Value |
|---|---|
| Min password length | 12 characters |
| Password complexity | Enabled |
| Max password age | 90 days |
| Password history | 10 |
| Account lockout threshold | 5 attempts |
| Account lockout duration | 30 minutes |
| Lockout counter reset | 30 minutes |
| Screen lock timeout | 15 minutes |
| Windows Firewall | All profiles ON |
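
A verification check for the password and lockout rows of this baseline, added here and not part of the runbook. The caveat it is built around: password and lockout settings in a GPO linked to an OU govern only the local SAM accounts on those computers; for domain accounts they must come from a GPO linked at the domain root (Default Domain Policy) or a fine-grained password policy, which is what this check reads. Assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the runbook: verify the domain's effective password
# and lockout policy against the "CSC - Security Baseline" table.
# Caveat: password/lockout settings in a GPO linked to an OU only govern local
# SAM accounts on those computers. For domain accounts they must come from a
# GPO linked at the domain root (Default Domain Policy) or a fine-grained
# password policy, which is what this check reads.
Import-Module ActiveDirectory

$expected = [ordered]@{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    MaxPasswordAge           = New-TimeSpan -Days 90
    PasswordHistoryCount     = 10
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}
$actual = Get-ADDefaultDomainPasswordPolicy

$drift = foreach ($k in $expected.Keys) {
    if ($actual.$k -ne $expected[$k]) {
        [pscustomobject]@{ Setting = $k; Expected = $expected[$k]; Actual = $actual.$k }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'Domain password/lockout policy drifts from CSC - Security Baseline'
} else {
    'Domain password/lockout policy matches the baseline.'
}

# A PSO (lower Precedence wins) overrides the default for its targets; list any so they get reviewed too.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```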

GPO 4: "CSC - Windows Update"

Computer Configuration → Admin Templates → Windows Update

  • Auto download + scheduled install
  • Schedule: Sundays at 3:00 AM
  • No auto-restart with logged-on users

GPO 6: "CSC - Shared Workstation"

Linked to: OU=Shared PCs,OU=Workstations,DC=cascades,DC=local

Applies only to machines in the Shared PCs OU. Uses Item-Level Targeting by computer name so different shared PCs get different printers/drives/mailboxes.

User Configuration → Preferences → Drive Maps

| Drive | Path | ILT |
|---|---|---|
| R: | `\\CS-SERVER\Receptionist` | Computer Name = [TBD — front desk PC] |

User Configuration → Preferences → Printers

| Printer | Set Default | ILT |
|---|---|---|
| `\\CS-SERVER\FrontDesk-Epson` | Yes | Computer Name = [TBD — front desk PC] |

User Configuration → Admin Templates → Microsoft Outlook 2016 → Account Settings → Exchange

| Setting | Value |
|---|---|
| Cached Exchange Mode | Disabled (forces Online Mode) |

Online mode prevents shared mailbox data from caching on every shared PC — important when multiple users rotate through the same machine.

User Configuration → Preferences → Registry

Auto-mount shared mailbox via registry (only on targeted shared PCs):

| Key Path | Value | Data | ILT |
|---|---|---|---|
| `HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002` | 001f6610 | reception@[tenant-domain] | Computer Name = [TBD] |

Note: The registry path above is a placeholder — the exact profile key varies per installation. The shared mailbox SMTP address depends on the M365 tenant domain (Step 3 blocker). Computer names will be filled in after the onsite visit identifies which PCs are shared.

Onsite TODO (before this GPO is functional):

  • Identify shared workstation computer names and roles
  • Move shared PCs into OU=Shared PCs,OU=Workstations
  • Fill in ILT computer names above
  • Create shared mailbox in M365 (see Step 4 in shared workstation plan)
  • Document user-to-shared-PC rotation matrix
  • Test: log into shared PC → verify R: drive, default printer, and shared mailbox appear
  • Test: log into normal PC → verify reception drive/printer/mailbox do NOT appear

GPO 5: "CSC - Folder Redirection"

User Configuration → Policies → Windows Settings → Folder Redirection

| Folder | Redirect to | Setting |
|---|---|---|
| Desktop | `\\CS-SERVER\homes\%username%\Desktop` | Basic, create folder |
| Documents | `\\CS-SERVER\homes\%username%\Documents` | Basic, create folder |
| Downloads | `\\CS-SERVER\homes\%username%\Downloads` | Basic, create folder |

Settings:

  • Grant user exclusive rights: Yes
  • Move contents to new location: Yes (first time only)
  • Policy removal: Leave contents
  • Also applies to Windows 10/11

This replaces roaming profiles — user data lives on the server but profiles stay local (fast logon, no corruption issues).


Rollback

  • Unlink any GPO from GPMC — takes effect at next gpupdate
  • DNS records were exported in Step 1
  • AD changes can be reverted from Step 1 exports