Cascades — Printer / VLAN 20 Migration Map (GPO planning)
Living reference for the migration of staff machines + printers off the flat old LAN
("CSC ENT", 192.168.0.0/22) onto Staff VLAN 20 (10.0.20.0/24, "CSCNET") and the eventual
printer GPO build. Started 2026-06-30 (Howard). Last reconciled to LIVE state 2026-07-01
(full GuruRMM fleet IP pull + CS-SERVER Get-Printer/Get-PrinterPort + TCP reachability).
STATE AT A GLANCE (live 2026-07-01)
- Machines: essentially migrated. 22 online hosts are on VLAN 20 (10.0.20.x). Only CS-SERVER (stays on the LAN by design) + 6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2, NurseAssist, 2 roaming laptops) remain on 192.168.x. See "Machine migration status" below.
- Printer shares: lagging — 4 of 15 repointed. Only FrontDesk, BusinessOffice, LifeEnrichment, MCReception point at 10.0.20.x. The other 11 CS-SERVER print shares still target old-LAN printer IPs. (Server-share printing still WORKS for those — CS-SERVER is on the old LAN and reaches them fine — but the printer hardware hasn't been moved onto VLAN 20 yet.)
- All 7 VLAN20 printer targets reachable from CS-SERVER on 9100 (incl. .74, the MCMedTech target that the share hasn't been repointed to yet). Gateway 10.0.20.1 pings.
- GPO: not fleet-live. Point-and-Print GPO is built but scoped to one pilot box; the silent new-driver-install gap is still open (reboot vs pre-stage drivers — decision pending). See "PILOT RESULT" below.
How the GPO needs to be built (two layers)
- Point-and-Print policy (computer GPO, fleet-wide) — REQUIRED prerequisite or any GPO-pushed printer fails (PrintService event 513 / error 0xBCB) for standard users. Set on HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers: RestrictDriverInstallationToAdministrators=0; subkey PointAndPrint: Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2 (scopes silent driver install to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO works. GPO CSC - Point and Print (CS-SERVER) {BFAB721A-513D-4C14-8255-DEB1D4266830} is BUILT but scoped to DESKTOP-H6QHRR7 only (see PILOT RESULT).
- Printer deployment — GPP Printers / Deployed Printers mapping \\CS-SERVER\<share> to the right users/OU/room. Existing GPO CSC - Life Enrichment Printers still points at OLD share name RecRoom-Canon — repoint. CSC - Printer Deployment is disabled/empty (do not use).
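A client-side check for the Layer 1 values listed above, added here as an example (it is not part of the original notes or of any existing Cascades script). The helper names Get-PolicyValue and Test-PointAndPrintPolicy are hypothetical; the registry paths and expected values are the ones stated in this document.

```powershell
# Added example: audit the Point-and-Print policy values on the local machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp  = "$base\PointAndPrint"

# Expected values are exactly the ones listed in this document.
$expected = @(
    @{ Key = $base; Name = 'RestrictDriverInstallationToAdministrators'; Value = '0' }
    @{ Key = $pnp;  Name = 'Restricted';                    Value = '1' }
    @{ Key = $pnp;  Name = 'TrustedServers';                Value = '1' }
    @{ Key = $pnp;  Name = 'ServerList';                    Value = 'CS-SERVER' }
    @{ Key = $pnp;  Name = 'InForest';                      Value = '0' }
    @{ Key = $pnp;  Name = 'NoWarningNoElevationOnInstall'; Value = '1' }
    @{ Key = $pnp;  Name = 'UpdatePromptSettings';          Value = '2' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintPolicy {
    foreach ($e in $expected) {
        $actual = Get-PolicyValue -Key $e.Key -Name $e.Name
        [pscustomobject]@{
            Name     = $e.Name
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { "$actual" }
            Match    = ($null -ne $actual) -and ("$actual" -eq $e.Value)
        }
    }
}

$report = @(Test-PointAndPrintPolicy)
$report | Format-Table -AutoSize

# ServerList is a semicolon-separated list. Any entry besides CS-SERVER widens
# the set of servers this machine accepts drivers from without a prompt.
$servers = "$(Get-PolicyValue -Key $pnp -Name 'ServerList')" -split ';' | Where-Object { $_ }
$extra   = @($servers | Where-Object { $_ -ne 'CS-SERVER' })
if ($extra.Count) { Write-Warning "Unexpected trusted print servers: $($extra -join ', ')" }
if ($report.Match -contains $false) { exit 1 }
```

Run it after gpupdate on the pilot box and on one caregiver machine to compare what each actually has in the registry.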
Driver trap: Canon MF741/743/751 are UFR II only — PCL6 produces Error #822 (spools, never
prints). Any GPO/share for those Canons MUST use Canon Generic Plus UFR II V250 (INF cnlb0ma64.inf).
NOTE: MCDirector (Canon MF751CDW) and Kitchen/ExecDirector (Canon MF743CDW) shares are
currently on PCL6 on the server — they will hit Error #822 and need the UFR II driver when touched.
Printer share inventory — CS-SERVER (live 2026-07-01)
All shares Shared=True, Published=False. "VLAN20?" = does the port point at 10.0.20.x yet.
| Share | Model | Port host IP | VLAN20? | Driver (on server) | Action |
|---|---|---|---|---|---|
| FrontDesk | Epson ET-5800 | 10.0.20.221 | YES | EPSON ET-5800 Series | DONE. Add to GPO. |
| BusinessOffice | Brother MFC-L8900CDW | 10.0.20.220 | YES | Brother Generic Jpeg Type2 | DONE (now reachable; was powered-off 6/30). Add to GPO. |
| LifeEnrichment | Canon MF741CDW | 10.0.20.94 | YES | Canon Generic Plus UFR II V250 | DONE. Repoint CSC - Life Enrichment Printers GPO RecRoom-Canon -> LifeEnrichment. |
| MCReception | Epson ET-5800 | 10.0.20.78 | YES | EPSON ET-5800 Series | DONE (share now on .78). Client-side setup on MEMRECEPT-PC still TBD. |
| MCMedTech | Brother (L8900CDW) | 192.168.2.53 | NO — STALE | Brother Generic Jpeg Type2 | REPOINT to 10.0.20.74 (target is LIVE + reachable). Caregiver GPO deploys this share. |
| NursesPrinter | Brother MFC-L8900CDW | 192.168.2.75 | NO | Brother Generic Jpeg Type2 | Re-IP to VLAN20 + repoint. Caregiver GPO default printer. |
| HealthServices | Konica Minolta C368 | 192.168.1.138 | NO | KONICA MINOLTA Universal PCL | Re-IP to VLAN20 + repoint. Caregiver GPO. |
| MCDirector | Canon MF751CDW | 192.168.3.52 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; switch to UFR II (MF751 = UFR II only). Caregiver GPO. |
| CopyRoom | Canon | 192.168.2.230 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; verify model/PDL. Caregiver GPO default fallback. |
| Kitchen | Canon MF743CDW | 192.168.3.232 | NO | Canon Generic Plus PCL6 | Kitchen printer (with chefs). Re-IP + repoint; UFR II. Separate from Dining .228. |
| CulinaryChef | Brother MFC-9330CDW | 192.168.3.88 | NO | Brother Generic Jpeg Type2 | Likely redundant with the Chef direct-IP printer (.236 on CHEF-PC). Verify same device -> retire or repoint. |
| Accounting | Canon MF455DW | 192.168.3.227 | NO | Canon Generic Plus PCL6 | Re-IP + repoint (verify PDL; MF455 supports PCL). |
| AdminOffice | Brother MFC-9340CDW | 192.168.2.145 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
| ExecDirector | Canon MF743CDW | 192.168.2.67 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; UFR II (MF743). |
| SalesMarketing | Brother MFC-L8900CDW | 192.168.3.44 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
Progress: 4 / 15 shares on VLAN 20. 11 remain on old-LAN IPs.
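One way to regenerate the inventory above from live state, added here as an example (not the script used for the 2026-07-01 pull). It joins Get-Printer to Get-PrinterPort, probes TCP 9100, and flags the driver trap; the function name Get-PrintShareInventory is hypothetical, and the UFR II-only share list is taken from the Model column of the table.

```powershell
# Added example. Run on CS-SERVER in an elevated session.
# Shares on Canon MF741/743/751 hardware per the inventory table (UFR II only).
$ufrOnlyShares = 'LifeEnrichment', 'MCDirector', 'Kitchen', 'ExecDirector'

function Get-PrintShareInventory {
    # Map port name -> target IP (only Standard TCP/IP ports carry PrinterHostAddress).
    $portIp = @{}
    Get-PrinterPort | ForEach-Object { $portIp[$_.Name] = $_.PrinterHostAddress }

    Get-Printer | Where-Object { $_.Shared } | ForEach-Object {
        $ip = $portIp[$_.PortName]
        $reachable = $false
        if ($ip) {
            $reachable = Test-NetConnection -ComputerName $ip -Port 9100 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            Share      = $_.ShareName
            PortHostIP = $ip
            VLAN20     = [bool]($ip -like '10.0.20.*')
            Tcp9100    = $reachable
            Driver     = $_.DriverName
            # Driver trap from this document: PCL6 on a UFR II-only Canon gives Error #822.
            DriverTrap = ($ufrOnlyShares -contains $_.ShareName) -and
                         ($_.DriverName -notlike '*UFR II*')
        }
    }
}

$inventory = @(Get-PrintShareInventory)
$inventory | Sort-Object VLAN20, Share | Format-Table -AutoSize

$onVlan20 = @($inventory | Where-Object VLAN20).Count
"Progress: $onVlan20 / $($inventory.Count) shares on VLAN 20."
$inventory | Where-Object DriverTrap |
    ForEach-Object { Write-Warning "$($_.Share): $($_.Driver) on a UFR II-only Canon" }
```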
Direct-IP printers (workgroup machines — no CS-SERVER share)
| Printer | Model | IP (VLAN20) | Machine | User(s) | Status |
|---|---|---|---|---|---|
| Dining Room Manager | Canon MF743CDW | 10.0.20.228 | DESKTOP-MD6UQI3 (workgroup) | dining manager (Alyssa) | DONE direct-IP (UFR II), default. Domain-join -> move to \\CS-SERVER\<share> + GPO. |
| Chef Office | Brother MFC-9330CDW | 10.0.20.236 | CHEF-PC (workgroup) | chef / JD Martin (USB stays default) | DONE direct-IP machine-wide. Domain-join -> GPO. May correspond to stale CulinaryChef server share (.88) — reconcile. |
| MedTech (also MCMedTech) | Brother MFC-L8900CDW | 10.0.20.74 | RECEPTIONIST-PC (memcare box) + DESKTOP-LPOPV30 | memory care; karen rossini | DONE direct-IP machine-wide on both; server MCMedTech share still needs repoint to .74. |
Machine migration status — VLAN 20 (live 2026-07-01)
On VLAN 20 (10.0.20.x) — 22 online hosts: ACCT2-PC (.209), ANN-PC (.218), ASSISTNURSE-PC (.181), CHEF-PC (.232, workgroup), CRYSTAL-PC (.205), DESKTOP-DLTAGOI (.72, sharon.edwards), DESKTOP-H6QHRR7 (.235, Lauren — P&P pilot box), DESKTOP-LPOPV30 (.100, karen), DESKTOP-MD6UQI3 (.222, workgroup, Alyssa), DESKTOP-N5G1ROO (.183, Chris Knight), DESKTOP-ROK7VNM (.223, susan.hicks), DESKTOP-TRCIEJA (.184, Lupe — slated for replacement), Health-Services-Director (.178), LAPTOP-DRQ5L558 (.237, caregiver device), MAINTENANCE-PC (.96), MDIRECTOR-PC (.71, Shelby Trozzi), MEMRECEPT-PC (.97, workgroup, memfrtdesk), NURSESTATION-PC (.180, caregiver device), RECEPTIONIST-PC frontdesk box (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare box (.68, S/N MJ0KQH4R — pending MEMCARE-STATION rename), SALES4-PC (.203), megan (.202).
Still on old LAN (192.168.x):
- CS-SERVER (192.168.2.248 / .254) — DC + print server, stays on the LAN by design.
- ASSISTMAN-PC (192.168.2.38, Meredith Kuhn) — known watch-host, not migrated.
- CascadesProxess (192.168.2.178), Laptop2 (192.168.2.118), NurseAssist (192.168.3.254), LAPTOP-8P7HDSEI (192.168.3.101, roaming), LAPTOP-E0STJJE8 (192.168.3.9, roaming).
Offline (last-known IP from DC DNS): DESKTOP-F94M8UT (10.0.20.171, was on VLAN20 — Alma's old box), DESKTOP-U2DHAP0 (192.168.3.37, Ashley — old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), Laptop4 (no DNS record).
Current GPO state (live-inspected 2026-06-30)
- NO GPO sets the Point-and-Print policy (missing Layer 1; explains the 513 / 0xBCB failures). CSC - Point and Print (CS-SERVER) was built to fill this but is pilot-scoped only.
- Printer deployment is via User-side GPP Printers, linked per-department OU:
  - CSC - Caregiver Workstation -> OU Departments/Caregivers (ComputerSettingsDisabled). Deploys 6 shares (action=Update): NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom; defaults = NursesPrinter + MCMedTech (default=1, no item-level targeting parsed). NOTE: 5 of these 6 shares still point at old-LAN IPs (only MCReception is on VLAN20) — repointing them is what actually moves the caregiver fleet's printers onto VLAN 20.
  - CSC - Life Enrichment Printers -> OU Departments/Life Enrichment. Deploys ONE printer \\CS-SERVER\RecRoom-Canon — STALE share name; now LifeEnrichment.
  - CSC - Reception Workstation Policy -> OU Workstations/Staff PCs. Registry only, no printers.
  - CSC - Printer Deployment -> not linked, empty. Dead — ignore.
- AD OU structure in play: Departments/{Caregivers, Life Enrichment}, Workstations/Staff PCs.
Target-state design + action list
Layer 1 — Point-and-Print policy (fleet-wide computer GPO). CSC - Point and Print (CS-SERVER) exists; broaden its link/filter to all staff/department workstation OUs once the silent-install gap below is resolved.
Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers). To add a printer: department GPO -> User Config -> Preferences -> Control Panel -> Printers -> Shared Printer item, action=Update/Create, path \\CS-SERVER\<share>, + default + item-level targeting as needed.
Immediate fixes (priority order):
- Resolve the silent-install gap (see PILOT RESULT): decide reboot-test vs pre-stage-drivers, then take the P&P GPO fleet-live.
- Repoint the 5 stale caregiver-GPO shares to VLAN20 as those printers get re-IP'd: MCMedTech -> 10.0.20.74 (target already live — do this now), NursesPrinter (.75), HealthServices (.138), MCDirector (.52, +UFR II), CopyRoom (.230). This is the highest-leverage remaining printer work.
- REPOINT CSC - Life Enrichment Printers RecRoom-Canon -> LifeEnrichment.
- Re-IP + repoint the remaining old-LAN shares: Kitchen (+UFR II), Accounting, AdminOffice, ExecDirector (+UFR II), SalesMarketing.
- Reconcile CulinaryChef (192.168.3.88) vs the Chef direct-IP (.236) — retire the redundant share if same device.
- Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group).
- Domain-join the workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> move to GPO-deployed \\CS-SERVER\<share>.
PILOT RESULT (2026-06-30) — still the open blocker
Created CSC - Point and Print (CS-SERVER), scoped (security filter) to ONE machine
DESKTOP-H6QHRR7 (Lauren Hasselman, Staff PCs OU), linked, gpupdate. The policy registry
landed correctly via GPO. BUT the in-session test still PROMPTED for a printer whose driver
was NOT already local (front-desk Epson), even after a spooler restart — the driver did not install.
The earlier LE-machine "silent" maps only worked because that driver was already present.
Conclusion: the P&P policy is necessary but NOT sufficient to make a brand-new driver install
silent in a running session. Likely: RestrictDriverInstallationToAdministrators=0 needs a reboot
(CVE-2021-34527 mitigation) and/or v3 (non-package) drivers still elevate.
Two reliable paths (decide):
- Reboot-dependent: test — reboot a machine, then confirm a new-driver map is silent.
- Pre-stage drivers (recommended): deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM). GPP connection then attaches to an already-present driver -> always silent, no reboot/P&P-install dependency.
State: GPO scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). NOT rolled out.
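A sketch of the pre-stage path for one driver, added here as an example (not an existing Cascades script). The driver name and INF are the ones this document gives for the Canon UFR II printers; the source share path and the log file location are placeholders and must be replaced with real values.

```powershell
# Added example. Intended as a computer GPO startup script, which runs as SYSTEM.
$DriverName = 'Canon Generic Plus UFR II V250'   # driver name from this document
$InfName    = 'cnlb0ma64.inf'                    # INF from this document
# PLACEHOLDER path, not from the document: point this at the real driver folder.
$SourceDir  = '\\CS-SERVER\DRIVER-SHARE-PLACEHOLDER\CanonUFRII'
# Assumed log location so a failed startup run leaves a trace.
$LogFile    = Join-Path $env:ProgramData 'PrinterDriverPrestage.log'

function Write-Log([string]$Message) {
    "{0:s} {1}" -f (Get-Date), $Message | Add-Content -LiteralPath $LogFile
}

# Idempotent: the script runs at every boot, so leave early if the driver exists.
if (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue) {
    Write-Log "$DriverName already installed"
    exit 0
}

$inf = Join-Path $SourceDir $InfName
if (-not (Test-Path -LiteralPath $inf)) {
    # SYSTEM reaches the share as the computer account, so the share and NTFS
    # ACLs must grant read to the workstation accounts (e.g. Domain Computers).
    Write-Log "INF not reachable: $inf"
    exit 1
}

# Stage the package in the local driver store, then register it with the spooler.
& pnputil.exe /add-driver $inf | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Log "pnputil failed with exit code $LASTEXITCODE"
    exit 1
}

try {
    Add-PrinterDriver -Name $DriverName -ErrorAction Stop
    Write-Log "$DriverName installed"
} catch {
    Write-Log "Add-PrinterDriver failed: $($_.Exception.Message)"
    exit 1
}
```

Because the driver is installed by SYSTEM before any user logs on, the GPP printer connection attaches to a driver that is already present, which is the silent case observed on the LE machines.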
Machine rename TODO
- RECEPTIONIST-PC (Memory Care box, S/N MJ0KQH4R, 10.0.20.68, agent 57f19e17) -> MEMCARE-STATION rename was STAGED 2026-06-30 but NOT YET APPLIED (live 2026-07-01 still reports RECEPTIONIST-PC) — needs the reboot. The OTHER RECEPTIONIST-PC (frontdesk, S/N MJ0KQHNP, 10.0.20.102) is the real front desk.
Notes
- Server-share printing works even while a printer is still on the old-LAN IP (CS-SERVER is on the old LAN and reaches it). Re-IP'ing printers to 10.0.20.x is about VLAN isolation, not print function.
- Workgroup machines get direct-IP local printers until domain-joined, then switch to GPO-deployed \\CS-SERVER\<share>.
- Some Brother shares use the generic "Brother Generic Jpeg Type2 Class Driver", not a model-specific driver (BusinessOffice, MCMedTech, NursesPrinter, CulinaryChef, AdminOffice, SalesMarketing).
- Detailed how-to + pfSense routing fix: .claude/memory/project_cascades_vlan20_migration_routing.md and session log clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md.