Howard Enos 6bd416657c sync: auto-sync from HOWARD-HOME at 2026-04-22 17:39:56
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-22 17:39:56
2026-04-22 17:39:57 -07:00
# Step 4: Server Preparation — AD & Shares (~4-6 hours, remote via ScreenConnect)
**No user impact — server-side work only.**
---
## 4a — DNS cleanup
Run `scripts/phase2-dns-cleanup.ps1` on CS-SERVER.
Actions:
- Remove stale A records pointing to old IPs (192.168.0.5, 192.168.2.59, etc.)
- Fix DomainDnsZones/ForestDnsZones records to point to 192.168.2.254
- Enable DNS scavenging (7-day interval)
- Enable aging on cascades.local zone
- Create reverse lookup zones for 192.168.0.0/22 and 10.0.20.0/24
**Verify after:** `nslookup cs-server.cascades.local` should return only 192.168.2.254.
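The 4a steps as one script, added here as an example and not the project's `phase2-dns-cleanup.ps1`: it removes stale A records for the server and the DomainDnsZones/ForestDnsZones names, enables scavenging and aging, creates the two reverse zones, and runs the verification above. It assumes the DnsServer module on CS-SERVER and that the DC is the local resolver.

```powershell
# Added example (not the project's phase2-dns-cleanup.ps1). Assumes the DnsServer module
# is present on CS-SERVER and that the zone/IP values from the migration doc are current.
Import-Module DnsServer
$zone   = "cascades.local"
$goodIp = "192.168.2.254"
$names  = "cs-server", "DomainDnsZones", "ForestDnsZones"

# Stale A records: any of the names above that does not point at the current server address
$stale = Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -in $names -and "$($_.RecordData.IPv4Address)" -ne $goodIp }
foreach ($rr in $stale) {
    Write-Host "Removing stale record $($rr.HostName) -> $($rr.RecordData.IPv4Address)"
    Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rr -Force
}

# Scavenging: 7-day interval on the server; aging on the zone so stale dynamic records can expire
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval ([TimeSpan]::FromDays(7))
Set-DnsServerZoneAging -Name $zone -Aging $true

# Reverse lookup zones, AD-integrated with secure dynamic updates only
foreach ($net in "192.168.0.0/22", "10.0.20.0/24") {
    try {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure -ErrorAction Stop
    } catch {
        Write-Host "Reverse zone for $net not created: $($_.Exception.Message)"
    }
}

# Verify: the server name must resolve to exactly one address, and it must be the current one
$answers = @(Resolve-DnsName -Name "cs-server.$zone" -Type A -Server 127.0.0.1 -DnsOnly | ForEach-Object IPAddress)
if ($answers.Count -eq 1 -and $answers[0] -eq $goodIp) {
    "OK: cs-server.$zone -> $goodIp"
} else {
    Write-Warning "cs-server.$zone still resolves to: $($answers -join ', ')"
}
```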
---
## 4b — AD cleanup
Run `scripts/phase2-ad-setup.ps1` on CS-SERVER.
### Security fixes (immediate)
- Remove disabled Monica.Ramirez from **Domain Admins** group
- Disable Haris.Durut (still enabled, no longer employed)
- Rename "Quickboosk acccess" group → "QuickBooks Access"
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)
### OU cleanup
- Fix misspelled OU: "Managment" → "Management"
- Create OU structure: `Workstations\Staff PCs`
### Security groups (created and populated with members)
| Group | Members |
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |
### Account removals (client confirmed)
**Already disabled — delete:**
- Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol
**Still enabled — disable + delete (not in HR list, former employees):**
- Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery
**Keep:** lauren.hasselman (took over Bristol's role as Business Office Director)
### Move computers to Workstations OU
- CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081
---
## 4c — Sync data from Synology NAS — DONE 2026-03-07
~~Run `scripts/phase2-sync-synology.ps1` on CS-SERVER.~~
**Synology Drive Client** reinstalled on CS-SERVER and configured for live sync to `D:\Shares\Main`. All Synology shares sync continuously to this location.
**Sync method:** Synology Drive Client (live, ongoing sync)
**Sync destination:** `D:\Shares\Main` on CS-SERVER
**Direction:** Synology → CS-SERVER (one-way)
### Synology shares visible via SMB (2026-03-07 audit)
| Synology Share | Size | Syncing to `D:\Shares\Main` |
|---|---|---|
| `homes` | 228.14 GB | Yes |
| `Public` | 50.15 GB | Yes |
| `SalesDept` | 12.61 GB | Yes |
| `Server` | 1.84 GB | Yes |
| `Management` | 1.4 GB | Yes |
| `chat` | 0 GB (empty) | Yes |
| `home` | 0 GB (empty) | Yes |
**Total:** ~294 GB syncing. D: had 635 GB free — sufficient.
### Shares NOT visible via SMB
| Synology Share | Notes |
|---|---|
| `Activities` | Not shared via SMB — may be internal Synology folder or removed |
| `pacs` | Not shared via SMB — verify on Synology DSM |
| `Sandra Fish` | Not shared via SMB — verify on Synology DSM |
| `web` | Not shared via SMB — verify on Synology DSM |
**Note:** Synology uses local accounts (not AD-joined). Authenticated from CS-SERVER via `net use \\192.168.0.120 /user:admin`.
Already on CS-SERVER (no sync needed): Culinary, IT, Receptionist, directoryshare
`SaleShare` is the old/duplicate folder — ignore it. `SalesDept` is the real one.
---
## 4d — Set up file share permissions (HIPAA: access control + audit)
Run `scripts/phase2-file-shares.ps1` on CS-SERVER (AFTER sync completes).
Creates SMB shares for synced folders and sets NTFS permissions matching Synology access. **HIPAA §164.312(b):** After shares are created, enable Advanced Audit Logging on all PHI-containing shares (Management, Server, homes) to track read/write/delete operations.
**Prerequisite (added 2026-04-22 per `docs/security/hipaa-review-2026-04-22.md` + user-rollout dependency):** Before this script runs, the Synology permission inventory must be captured and translated to AD security group memberships. See `docs/migration/phase4-synology.md` §6.0.16.0.2 for the discovery commands and `docs/migration/synology-permission-inventory.md` (to be created) for the mapping output.
**HIPAA-review additions (must be applied as part of this phase, not deferred):**
- `Set-SmbShare -EncryptData $true` on every share in the table — satisfies Addressable specs §164.312(a)(2)(iv) at-rest and §164.312(e)(2)(ii) in-transit encryption
- NTFS SACL (audit rule) set to audit Success + Failure for ReadData / WriteData / Delete / ChangePermissions on all PHI shares — satisfies Required spec §164.312(b) Audit Controls
- See `phase4-synology.md` §6.0.3 for the exact PowerShell
| Share | NTFS Access | SMB Share |
|---|---|---|
| Management | SG-Management-RW = Modify | `\\CS-SERVER\Management` |
| SalesDept | SG-Sales-RW = Modify | `\\CS-SERVER\SalesDept` |
| Server | SG-Server-RW = Modify | `\\CS-SERVER\Server` |
| chat | SG-Chat-RW = Modify | `\\CS-SERVER\chat` |
| Public | Authenticated Users = Modify | `\\CS-SERVER\Public` |
| Culinary | SG-Culinary-RW = Modify | `\\CS-SERVER\Culinary` (exists) |
| IT | SG-IT-RW = Modify | `\\CS-SERVER\IT` (exists) |
| Receptionist | SG-Receptionist-RW = Modify | `\\CS-SERVER\Receptionist` (exists) |
| directoryshare | SG-Directory-RW = Modify | `\\CS-SERVER\directoryshare` (exists) |
| homes | CREATOR OWNER = Full (subfolder) | `\\CS-SERVER\homes` (ABE enabled) |
All shares also get: Domain Admins = Full Control, SYSTEM = Full Control.
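One way to build a row of the table above with the HIPAA-review settings applied, as an added example that is neither `phase2-file-shares.ps1` nor the §6.0.3 code in `phase4-synology.md`: SMB encryption on the share, NTFS Modify for the group with Full Control for Domain Admins and SYSTEM, a Success+Failure SACL for the four audited operations, and ABE on `homes`. It assumes the folders sit under `D:\Shares\Main` and that the NetBIOS domain name is CASCADES.

```powershell
# Added example (not the project's script). Assumes folders under D:\Shares\Main and the
# NetBIOS domain name CASCADES; run elevated, since writing a SACL needs SeSecurityPrivilege.
Import-Module SmbShare
$root    = "D:\Shares\Main"             # sync destination from 4c
$admins  = "CASCADES\Domain Admins"     # NetBIOS name assumed
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"

function New-PhiShare {
    param([string]$Name, [string]$Group)
    $path = Join-Path $root $Name
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # SMB share: EncryptData requires SMB 3 encryption on every session to this share (in transit)
    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $Name -EncryptData $true -Force
    } else {
        New-SmbShare -Name $Name -Path $path -ChangeAccess $Group -FullAccess $admins -EncryptData $true | Out-Null
    }

    # NTFS DACL: stop inheriting, then explicit Modify for the group and Full for admins/SYSTEM
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($pair in @(@($Group, "Modify"), @($admins, "FullControl"), @("NT AUTHORITY\SYSTEM", "FullControl"))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $pair[0], $pair[1], $inherit, "None", "Allow"
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # NTFS SACL: audit Success + Failure for the operations named in the HIPAA review
    $audit  = Get-Acl -Path $path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]"ReadData,WriteData,Delete,ChangePermissions"
    $audit.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList "Everyone", $rights, $inherit, "None", "Success,Failure"))
    Set-Acl -Path $path -AclObject $audit
}

# A SACL logs nothing until the Object Access > File System audit subcategory is enabled
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

New-PhiShare -Name "Management" -Group "CASCADES\SG-Management-RW"
New-PhiShare -Name "Server"     -Group "CASCADES\SG-Server-RW"
# homes (assumed to exist already): Access-Based Enumeration hides folders a user cannot open
Set-SmbShare -Name "homes" -FolderEnumerationMode AccessBased -Force

Get-SmbShare -Name "Management", "Server", "homes" | Select-Object Name, Path, EncryptData, FolderEnumerationMode
```

After the first PHI share is live, confirm that event ID 4663 (object access) appears in the Security log for a test read and a test delete before relying on the SACL for audit evidence.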
---
## 4e — Set up print server
Run `scripts/phase2-print-server.ps1` on CS-SERVER.
Creates a TCP/IP printer port for each printer. Drivers must be downloaded separately from the manufacturer websites and installed manually before the script can create the shared printers.
| Printer | IP | Driver Source |
|---------|-----|---------------|
| Front Desk - Epson ET-5800 | 192.168.2.147 | epson.com |
| Business Office - Canon MF455DW | 192.168.3.227 | canon.com |
| Marketing - Brother MFC-L8900CDW | 192.168.2.21 | brother.com |
| 206 Health - Brother MFC-L8900CDW | 192.168.1.138 | brother.com |
| MemCare MedTech - Brother MFC-L8900CDW | 192.168.2.53 | brother.com |
| MemCare Director - Canon MF451CDW | 192.168.3.52 | canon.com |
| Kitchen Printer | 192.168.0.121 | _TBD_ |
**Test:** Print a test page from CS-SERVER to each shared printer before deploying via GPO.
---
## 4f — Create GPOs (DO NOT link yet)
### GPO 1: "CSC - Drive Mappings"
User Configuration → Preferences → Drive Maps
| Drive | Path | Targeting |
|-------|------|-----------|
| S: | `\\CS-SERVER\Shares` | All domain users |
| M: | `\\CS-SERVER\Management` | SG-Management-RW members |
| T: | `\\CS-SERVER\SalesDept` | SG-Sales-RW members |
| K: | `\\CS-SERVER\Culinary` | SG-Culinary-RW members |
| I: | `\\CS-SERVER\IT` | SG-IT-RW members |
| R: | `\\CS-SERVER\Receptionist` | SG-Receptionist-RW members |
| P: | `\\CS-SERVER\Public` | All domain users |
Use Item-Level Targeting → Security Group for department-specific drives.
### GPO 2: "CSC - Printer Deployment"
Computer Configuration → Preferences → Printers
Deploy shared printers with Item-Level Targeting by computer name or security group:
- `\\CS-SERVER\FrontDesk-Epson` → Front desk PCs
- `\\CS-SERVER\BizOffice-Canon` → Accounting PCs
- `\\CS-SERVER\Marketing-Brother` → Marketing group
- (etc.)
### GPO 3: "CSC - Security Baseline"
Computer Configuration → Security Settings
| Setting | Value |
|---------|-------|
| Min password length | 12 characters |
| Password complexity | Enabled |
| Max password age | 90 days |
| Password history | 10 |
| Account lockout threshold | 5 attempts |
| Account lockout duration | 30 minutes |
| Lockout counter reset | 30 minutes |
| Screen lock timeout | 15 minutes |
| Windows Firewall | All profiles ON |
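A check for the password and lockout rows of the baseline, added here as an example (not part of the migration scripts). Note that password and lockout settings for domain accounts are only read from a GPO linked at the domain root; linked to an OU, they govern local accounts on those computers only, so this check is the one to run once GPO 3 is linked.

```powershell
# Added example: compares the effective domain password/lockout policy with the GPO 3 table.
# Assumes the ActiveDirectory module; property names are those of Get-ADDefaultDomainPasswordPolicy.
Import-Module ActiveDirectory

$expected = [ordered]@{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    MaxPasswordAge           = [TimeSpan]::FromDays(90)
    PasswordHistoryCount     = 10
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)   # "Lockout counter reset"
}

function Test-DomainPasswordBaseline {
    # Account policies for domain accounts come from the domain-linked GPO, which is what this reads
    $policy = Get-ADDefaultDomainPasswordPolicy
    $drift = foreach ($k in $expected.Keys) {
        if ($policy.$k -ne $expected[$k]) {
            "{0}: expected {1}, found {2}" -f $k, $expected[$k], $policy.$k
        }
    }
    if ($drift) { $drift } else { "Domain password policy matches the CSC baseline" }
}

Test-DomainPasswordBaseline
```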
### GPO 4: "CSC - Windows Update"
Computer Configuration → Admin Templates → Windows Update
- Auto download + scheduled install
- Schedule: Sundays at 3:00 AM
- No auto-restart with logged-on users
### GPO 6: "CSC - Shared Workstation"
Linked to: `OU=Shared PCs,OU=Workstations,DC=cascades,DC=local`
Applies only to machines in the Shared PCs OU. Uses Item-Level Targeting by computer name so different shared PCs get different printers/drives/mailboxes.
**User Configuration → Preferences → Drive Maps**
| Drive | Path | ILT |
|-------|------|-----|
| R: | `\\CS-SERVER\Receptionist` | Computer Name = [TBD — front desk PC] |
**User Configuration → Preferences → Printers**
| Printer | Set Default | ILT |
|---------|-------------|-----|
| `\\CS-SERVER\FrontDesk-Epson` | Yes | Computer Name = [TBD — front desk PC] |
**User Configuration → Admin Templates → Microsoft Outlook 2016 → Account Settings → Exchange**
| Setting | Value |
|---------|-------|
| Cached Exchange Mode | Disabled (forces Online Mode) |
Online mode prevents shared mailbox data from caching on every shared PC — important when multiple users rotate through the same machine.
**User Configuration → Preferences → Registry**
Auto-mount shared mailbox via registry (only on targeted shared PCs):
| Key Path | Value | Data | ILT |
|----------|-------|------|-----|
| `HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002` | `001f6610` | `reception@[tenant-domain]` | Computer Name = [TBD] |
> **Note:** The registry path above is a placeholder — the exact profile key varies per installation. The shared mailbox SMTP address depends on the M365 tenant domain (Step 3 blocker). Computer names will be filled in after the onsite visit identifies which PCs are shared.
**Onsite TODO (before this GPO is functional):**
- [ ] Identify shared workstation computer names and roles
- [ ] Move shared PCs into `OU=Shared PCs,OU=Workstations`
- [ ] Fill in ILT computer names above
- [ ] Create shared mailbox in M365 (see Step 4 in shared workstation plan)
- [ ] Document user-to-shared-PC rotation matrix
- [ ] Test: log into shared PC → verify R: drive, default printer, and shared mailbox appear
- [ ] Test: log into normal PC → verify reception drive/printer/mailbox do NOT appear
---
### GPO 5: "CSC - Folder Redirection"
User Configuration → Policies → Windows Settings → Folder Redirection
| Folder | Redirect to | Setting |
|--------|------------|---------|
| Desktop | `\\CS-SERVER\homes\%username%\Desktop` | Basic, create folder |
| Documents | `\\CS-SERVER\homes\%username%\Documents` | Basic, create folder |
| Downloads | `\\CS-SERVER\homes\%username%\Downloads` | Basic, create folder |
Settings:
- Grant user exclusive rights: **Yes**
- Move contents to new location: **Yes** (first time only)
- Policy removal: Leave contents
- Also applies to Windows 10/11
This replaces roaming profiles — user data lives on the server but profiles stay local (fast logon, no corruption issues).
---
## Rollback
- Unlink any GPO from GPMC — takes effect at next `gpupdate`
- DNS records were exported in Step 1
- AD changes can be reverted from Step 1 exports