azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
67e0f8df20a7f718869d339aeac5a01774e1d96d
claudetools/.claude/memory/feedback_cascades.md
Howard Enos 2029fa5429 sync: auto-sync from HOWARD-HOME at 2026-06-09 10:33:12 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-09 10:33:12
2026-06-09 10:33:25 -07:00

3.1 KiB
Raw Blame History

name, description, type
name description type
Cascades-specific operational rules (folder redirect, security groups) Two active rules for Cascades work — (1) folder redirection (fdeploy) needs subfolders pre-created before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1; (2) always ASK which security group(s) a new user goes into — never auto-derive from OU. Root-cause / incident detail in project_cascades_history.md. feedback

Current-state context: project_cascades. Root cause / incident detail: project_cascades_history.

1. Folder redirection — pre-create subfolders BEFORE first logon

UPDATE 2026-06-08: the real reason every machine needed the manual workaround was a misnamed GPO config file (fdeploy1.ini instead of fdeploy.ini) — native FR was DOA tenant-wide. Now fixed; native FR redirects all 5 folders on first logon. Full detail: reference_cascades_fr_gpo_fix. Still pre-create the home folder before first logon (below). The fix-shell-redirect.ps1 workaround should no longer be needed for new users — if it ever is again, check that the GPO still has a valid fdeploy.ini first.

fdeploy caches failures and never retries if subfolders don't exist at first logon. "No changes detected" = stuck forever without manual intervention.

Mandatory order for every new user:

  1. Create AD user.
  2. Run New-HomeFolder -Username "<sam>" on CS-SERVER — creates root + Desktop / Documents / Downloads / Music / Pictures subfolders with correct ACL.
  3. Add user to SG-FolderRedirect.
  4. THEN first domain logon.

Recovery (fdeploy already cached a failure):

  • Run clients/cascades-tucson/scripts/fix-shell-redirect.ps1 via GuruRMM on the client while the user is logged in.
  • Script sets both GUID-based and legacy-name registry keys (Personal, My Music, My Pictures) in HKU\<SID>.
  • Folders must already exist on server — script doesn't create them.
  • User logs off and on to pick up changes.

Why both GUID and legacy keys: Downloads has no legacy-name key (GUID alone suffices); Documents / Music / Pictures have both, and Windows reads the legacy key for the actual shell folder — GUID alone is insufficient.

2. ASK which security group(s) a new user goes into — never auto-derive

When creating or being asked to create any Cascades user account (AD or M365), always ask the user which security group(s) the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU — do not assume from OU, department, or job title.

Why: Howard explicitly declined an OU=CaregiversSG-Caregivers auto-mirror script (2026-05-14). Security-group membership controls access and CA-policy coverage; he wants that to stay a deliberate, reviewed decision per user, never automated.

OU placement is mechanical (controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously.

Caregivers example: account goes in OU=Caregivers (sync scope) AND must be deliberately added to SG-Caregivers (CA policy coverage) — two separate, intentional steps; neither auto-derived from the other.

Reference in New Issue View Git Blame Copy Permalink