Cascades of Tucson — Client Context
Last updated: 2026-04-17 (Howard)
Identity
- Business: Cascades of Tucson (senior living community)
- Syncro customer ID: 20149445
- Primary contact: Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171
- Location: 201 N Jessica Ave, Tucson AZ 85710
Full contact list + Wi-Fi, KPAX, M365 admin, UniFi hardware MACs, GoDaddy are in the Syncro customer notes field for 20149445.
Infrastructure
| Resource | Address | Vault path |
|---|---|---|
| pfSense firewall | 192.168.0.1 | clients/cascades-tucson/pfsense-firewall.sops.yaml |
| Synology NAS cascadesds | 192.168.0.120:5000 (DSM) | clients/cascades-tucson/synology-cascadesds.sops.yaml |
| CS-SERVER (DC + file server) | reachable at 192.168.2.254 from the Wi-Fi-2 subnet on DLTAGOI; domain cascades.local | clients/cascades-tucson/cs-server.sops.yaml |
| svc-audit-upload | service account for Syncro audit upload to AuditDrop$ share | clients/cascades-tucson/svc-audit-upload.sops.yaml |
| \\CS-SERVER\homes | file share at D:\Homes; per-user subfolders for folder redirection. Domain Users: Change. Domain Admins: Full. EncryptData currently false — HIPAA workitem to flip on. | — |
GuruRMM
- Client: Cascades of Tucson (code CASC, id 42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f)
- Site: CascadesTucson (code GOLD-MOON-4620, id c157c399-82d3-4581-979a-b9fad70f4fef)
- Agent enrollment key: encrypted at clients/cascades-tucson/gururmm-site-main.sops.yaml (shown once by the API; do not regenerate unless compromised — agents using the current key keep working on regeneration only if the server rotates atomically)
Agents currently enrolled
| Hostname | Role | Agent ID |
|---|---|---|
| DESKTOP-DLTAGOI | Life Enrichment test workstation (Sharon Edwards) | 0ed72c1c-40c7-4bd4-afed-e0bcb198936f |
| CS-SERVER | Domain controller / file server | 6766e973-e703-47c1-be56-76950290f87c |
Agent deployment (ScreenConnect)
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key 'grmm_3gGYreG0u_QCvt5v3lDVKwLhZDAzF4On'
Run via ScreenConnect Commands tab (SYSTEM context). Agent heartbeats within ~60 seconds.
Active project — folder redirection GPO rollout
Goal: HIPAA-compliant user data storage. Everyone's Documents/Downloads/Desktop/Pictures on \\CS-SERVER\homes\<username>\, driven by per-OU folder redirection GPOs.
Status: pattern validated on one user (Sharon Edwards in Life Enrichment). Documents + Downloads successfully redirecting through GPO CSC - Folder Redirection (LE) ({889BE7BE-202E-4153-89AD-B5DB62A52D25}). Explorer sidebar working. Detailed journey in session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md.
Next: second LE machine end-to-end tomorrow, then Desktop + other folders, then matching GPOs for other departments.
Known traps
- Every ProfWiz-migrated user has potentially poisoned User Shell Folders pointing at C:\Windows\system32\config\systemprofile\.... Check first, clean before testing redirection. Script: scripts/hive-cleanup-shellfolders.ps1.
- GPMC on Server 2019/2022 writes fdeploy1.ini incorrectly when adding + modifying entries in the same editor session. Workaround: one folder per save, close/reopen editor between adds.
- Explorer sidebar uses the KnownFolder GUID form ({FDD39AD0-...} for Documents, {374DE290-...} for Downloads), not legacy names. CSE may set only the legacy name — manually mirror to the GUID form if sidebar doesn't resolve. Script: scripts/fix-live-shellfolders.ps1.
- Some machines have Documents/Desktop in OneDrive (Known Folder Move). Don't apply the GPO until OneDrive KFM is unlinked and data is migrated back to local — otherwise data leaves OneDrive's scope and may be orphaned.
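A read-only way to do the "check first" step from the first trap, as an added example (this is not scripts/hive-cleanup-shellfolders.ps1, whose contents are not shown on this page). It assumes the affected users' hives are loaded under HKEY_USERS; the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing. Function names are hypothetical.
$ShellFoldersKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Test-PoisonedShellPath {
    param([string]$Value)
    # A poisoned entry points into the SYSTEM account's profile directory.
    $Value -match '\\config\\systemprofile(\\|$)'
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # orphaned or unresolvable SID: report it as-is
}

function Get-ShellFolderAudit {
    # Loaded per-user hives only (S-1-5-21-...); the regex skips the *_Classes hives.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$sid\$ShellFoldersKey" `
                -ErrorAction SilentlyContinue
            if (-not $key) { return }   # hive has no User Shell Folders key
            foreach ($name in $key.GetValueNames()) {
                # Read the stored string without expansion. When this runs as SYSTEM
                # (e.g. from ScreenConnect), expanding %USERPROFILE% would resolve to
                # systemprofile and flag every healthy entry as poisoned.
                $raw = [string]$key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                [pscustomobject]@{
                    User     = Resolve-SidName $sid
                    Name     = $name
                    Value    = $raw
                    Poisoned = Test-PoisonedShellPath $raw
                }
            }
        }
}

# List only the entries that need cleaning before redirection is tested.
Get-ShellFolderAudit | Where-Object Poisoned | Format-Table User, Name, Value -AutoSize
```

Users who are not logged on have no hive under HKEY_USERS, so an empty result only clears the sessions that were loaded when the audit ran.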
GPO backups
On CS-SERVER: C:\GPO-Backups\pre-fix-20260417-221701\ — broken-state backup ID 9c6ff7c9-0942-4cfb-b4a5-936913a3da87. Restore-GPO -BackupId 9c6ff7c9-... -Path C:\GPO-Backups\pre-fix-20260417-221701 -TargetGuid 889be7be-202e-4153-89ad-b5db62a52d25 to roll back.