---
name: Cascades-specific operational rules (folder redirect, security groups)
description: Active rules for Cascades work — (1) folder redirection (fdeploy) needs subfolders pre-created before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1; (2) always ASK which security group(s) a new user goes into — never auto-derive from OU; (3) do NOT lock down the legacy Main\Company Web Docs\Accounting (Everyone:Full) folder — still in active use. Root-cause / incident detail in project_cascades_history.md.
type: feedback
---

Current-state context: [[project_cascades]]. Root cause / incident detail: [[project_cascades_history]].

---

## 1. Folder redirection — pre-create subfolders BEFORE first logon

**UPDATE 2026-06-08:** the real reason every machine needed the manual workaround was a **misnamed GPO config file** (`fdeploy1.ini` instead of `fdeploy.ini`): native FR was dead on arrival tenant-wide. Now fixed; native FR redirects all 5 folders on first logon. Full detail: [[reference_cascades_fr_gpo_fix]]. Still pre-create the home folder before first logon (below). The `fix-shell-redirect.ps1` workaround should no longer be needed for new users; if it is ever needed again, check first that the GPO still carries a valid `fdeploy.ini`.

fdeploy caches a failure and never retries. If the target subfolders do not exist at first logon, redirection fails once, every later logon reports "No changes detected", and the user stays on local folders until someone intervenes manually.

**Mandatory order for every new user:**

1. Create the AD user.
2. Run `New-HomeFolder -Username "<sam>"` on **CS-SERVER**. It creates the root plus the Desktop / Documents / Downloads / Music / Pictures subfolders with the correct ACL.
3. Add the user to `SG-FolderRedirect`.
4. Only THEN allow the first domain logon.

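The whole order as one gated script, added here as an illustration and not the project's `New-HomeFolder` or any Cascades script: it refuses to proceed unless the AD account exists, creates the root and the five subfolders with a user-only ACL, adds the FR group, then re-checks folders and membership so the "first logon" step cannot be reached with a missing prerequisite. The home root `D:\Shares\Users`, the domain NetBIOS name `CASCADES` and the exact ACE set are assumptions, not from the page; match them to the server's real layout.

```powershell
# Added example, not the project's New-HomeFolder. Run on the file server
# (CS-SERVER) as a domain admin after the AD account has been created.
# Assumptions (not from the page): home root D:\Shares\Users, domain NetBIOS
# name CASCADES, and a user-only ACL with SYSTEM and Administrators retained.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$HomeRoot = 'D:\Shares\Users',        # assumption
    [string]$Domain   = 'CASCADES',               # assumption
    [string]$FrGroup  = 'SG-FolderRedirect',
    [string[]]$Subfolders = @('Desktop', 'Documents', 'Downloads', 'Music', 'Pictures')
)
$ErrorActionPreference = 'Stop'

# Step 1 must already be done: fail loudly if the account does not exist.
$user = Get-ADUser -Identity $SamAccountName

# Step 2: root + the five folders the FR policy redirects, BEFORE first logon.
$root = Join-Path $HomeRoot $SamAccountName
New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($sub in $Subfolders) {
    New-Item -ItemType Directory -Path (Join-Path $root $sub) -Force | Out-Null
}

# Break inheritance from the share root and grant only the user, SYSTEM and
# Administrators; the ACEs inherit to the subfolders created above.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @("$Domain\$SamAccountName", 'FullControl'),
    @('NT AUTHORITY\SYSTEM',      'FullControl'),
    @('BUILTIN\Administrators',   'FullControl')
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $r[0], $r[1], $inherit, 'None', 'Allow'))
}
Set-Acl -Path $root -AclObject $acl

# Step 3: group membership only after the folders exist.
Add-ADGroupMember -Identity $FrGroup -Members $user

# Gate before step 4: every target folder present and the user really in the
# group. Throw so the procedure cannot continue past a miss and let fdeploy
# cache a failure on first logon.
$missing = $Subfolders | Where-Object { -not (Test-Path (Join-Path $root $_)) }
$inGroup = (Get-ADGroupMember -Identity $FrGroup -Recursive).SamAccountName -contains $SamAccountName
if ($missing -or -not $inGroup) {
    throw "NOT READY for first logon: missing=[$($missing -join ', ')] inGroup=$inGroup"
}
"Ready: $root pre-created with $($Subfolders.Count) subfolders; $SamAccountName is in $FrGroup. First logon may proceed."
```

The final check is the point: it is cheap to run again from a ticket before telling the user to log on, and it is the difference between a clean first logon and a permanently cached fdeploy failure.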
**Recovery (fdeploy already cached a failure):**

- Run `clients/cascades-tucson/scripts/fix-shell-redirect.ps1` via GuruRMM on the client **while the user is logged in** (the user's hive is only loaded under `HKU\<SID>` during a session).
- The script sets both the GUID-based and the legacy-name registry values (`Personal`, `My Music`, `My Pictures`) under `HKU\<SID>`.
- The folders must already exist on the server; the script does not create them.
- The user logs off and back on to pick up the change.

Why both GUID and legacy names: Downloads has no legacy-name value, so its GUID alone suffices; Documents / Music / Pictures have both, and Windows reads the legacy name for the actual shell folder, so for those three the GUID alone is insufficient.

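An added illustration of the recovery mechanism, written for this note and not the project's `fix-shell-redirect.ps1`: it resolves the user's SID, mounts `HKEY_USERS`, refuses to run unless the hive is loaded and the server folders exist, and then writes each `User Shell Folders` value as `REG_EXPAND_SZ`, both legacy name and GUID for Documents / Music / Pictures and GUID only for Downloads. The home share path `\\CS-SERVER\Users$\<sam>` and the domain name `CASCADES` are assumptions; so are the three non-Downloads GUID value names, which are the ones seen on Windows 10/11 but should be confirmed against `HKCU\...\User Shell Folders` on a known-good machine before the script is trusted.

```powershell
# Added example, not the project's fix-shell-redirect.ps1. Run on the client as
# admin while the user is logged in (their hive must be loaded under HKU\<SID>).
# Assumptions (not from the page): home share \\CS-SERVER\Users$\<sam>, domain
# CASCADES, and the GUID value names below; confirm the GUIDs on a reference
# machine before use. Downloads' GUID is the well-known one.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Domain  = 'CASCADES',                              # assumption
    [string]$HomeUnc = "\\CS-SERVER\Users`$\$SamAccountName",   # assumption
    [switch]$WhatIf
)
$ErrorActionPreference = 'Stop'

# Documents/Music/Pictures need the legacy name (Windows reads it for the real
# shell folder) AND the GUID; Downloads has only a GUID value name.
$targets = @(
    @{ Folder = 'Documents'; Names = @('Personal',    '{F42EE2D3-909F-4907-8871-4C22FC0BF756}') },
    @{ Folder = 'Music';     Names = @('My Music',    '{A0C69A99-21C8-4671-8703-7934162FCF1D}') },
    @{ Folder = 'Pictures';  Names = @('My Pictures', '{0DDD015D-B06C-45D5-8C4C-F59713854639}') },
    @{ Folder = 'Downloads'; Names = @('{374DE290-123F-4565-9164-39C4925E467B}') }
)

# SID first: HKU is keyed by SID, not by user name.
$sid = ([System.Security.Principal.NTAccount]"$Domain\$SamAccountName").Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$usf = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
if (-not (Test-Path $usf)) { throw "Hive for $sid is not loaded; the user must be logged in." }

# The script does not create folders: never point the shell at a missing path.
$missing = $targets.Folder | Where-Object { -not (Test-Path (Join-Path $HomeUnc $_)) }
if ($missing) { throw "Pre-create on CS-SERVER first; missing: $($missing -join ', ')" }

foreach ($t in $targets) {
    $dest = Join-Path $HomeUnc $t.Folder
    foreach ($name in $t.Names) {
        $cur = (Get-ItemProperty -Path $usf -Name $name -ErrorAction SilentlyContinue).$name
        if ($cur -eq $dest) { "{0,-42} already {1}" -f $name, $dest; continue }
        $shown = if ($cur) { $cur } else { '<unset>' }
        "{0,-42} {1} -> {2}" -f $name, $shown, $dest
        if (-not $WhatIf) {
            # REG_EXPAND_SZ is the type Windows uses for these values.
            Set-ItemProperty -Path $usf -Name $name -Value $dest -Type ExpandString
        }
    }
}
"Done. Have $SamAccountName log off and back on to pick up the change."
```

Run it once with `-WhatIf` to see which values are still pointing at the local profile; that output is also a quick way to confirm, on a machine that is behaving, that the GUID value names match what Windows actually keeps under `User Shell Folders`.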
---

## 2. ASK which security group(s) a new user goes into — never auto-derive

When creating or being asked to create any Cascades user account (AD or M365), always ask the user **which security group(s)** the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU; do not assume it from OU, department, or job title.

**Why:** Howard explicitly declined an `OU=Caregivers` → `SG-Caregivers` auto-mirror script (2026-05-14). Security-group membership controls access and CA-policy coverage; he wants that to stay a deliberate, reviewed decision per user, never automated.

OU placement is mechanical (it controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously.

**Caregivers example:** the account goes in `OU=Caregivers` (sync scope) AND must be deliberately added to `SG-Caregivers` (CA-policy coverage). These are two separate, intentional steps; neither is auto-derived from the other.

---

## 3. Do NOT lock down the legacy `Main\Company Web Docs\Accounting` folder

The accounting folder under the Synology-Drive-synced tree (`D:\Shares\Main\Company Web Docs\Accounting`, `Everyone:FullControl`) stays as-is: Howard confirmed on 2026-06-10 that the team is **still actively using it**. Do not scope/tighten its ACL or "clean it up" as a HIPAA hardening step, even though the wide-open Everyone:Full looks like an obvious target. The 2026-06-09 scan-to-folder build deliberately created a *separate* clean share (`\\CS-SERVER\AcctDept` → `D:\Shares\Accounting`) rather than reusing this folder; that is the lockdown story, and the legacy folder is intentionally left untouched.