Mike Swanson
0c000109dc
Compressed memory store 104 -> 71 files via four passes: - Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files (api/billing/workflow) + an on-demand feedback_syncro_history.md for incident detail, quotes, and tech/product ID tables. - Four near-duplicate merges: Howard paste-safety, Pluto build server, Howard backend deferral, IX server access (ssh+tailscale). - Per-cluster rule/state/history split applied to GuruConnect (2->1), Dataforth (3->2), Cascades (7->3), GuruRMM (13->3). - New reference_resource_map.md: single auto-loaded cheatsheet for "do I have access to X and how do I connect from this machine?" - MEMORY.md rewritten to match the new layout. Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2.6 KiB
name, description, type
| name | description | type |
|---|---|---|
| Cascades-specific operational rules (folder redirect, security groups) | Two active rules for Cascades work — (1) folder redirection (fdeploy) needs subfolders pre-created before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1; (2) always ASK which security group(s) a new user goes into — never auto-derive from OU. Root-cause / incident detail in project_cascades_history.md. | feedback |
Current-state context: project_cascades. Root cause / incident detail: project_cascades_history.
1. Folder redirection — pre-create subfolders BEFORE first logon
fdeploy caches failures and never retries if subfolders don't exist at first logon. "No changes detected" = stuck forever without manual intervention.
Mandatory order for every new user:
- Create AD user.
- Run
New-HomeFolder -Username "<sam>"on CS-SERVER — creates root + Desktop / Documents / Downloads / Music / Pictures subfolders with correct ACL. - Add user to
SG-FolderRedirect. - THEN first domain logon.
Recovery (fdeploy already cached a failure):
- Run
clients/cascades-tucson/scripts/fix-shell-redirect.ps1via GuruRMM on the client while the user is logged in. - Script sets both GUID-based and legacy-name registry keys (
Personal,My Music,My Pictures) inHKU\<SID>. - Folders must already exist on server — script doesn't create them.
- User logs off and on to pick up changes.
Why both GUID and legacy keys: Downloads has no legacy-name key (GUID alone suffices); Documents / Music / Pictures have both, and Windows reads the legacy key for the actual shell folder — GUID alone is insufficient.
2. ASK which security group(s) a new user goes into — never auto-derive
When creating or being asked to create any Cascades user account (AD or M365), always ask the user which security group(s) the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU — do not assume from OU, department, or job title.
Why: Howard explicitly declined an OU=Caregivers → SG-Caregivers auto-mirror script (2026-05-14). Security-group membership controls access and CA-policy coverage; he wants that to stay a deliberate, reviewed decision per user, never automated.
OU placement is mechanical (controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously.
Caregivers example: account goes in OU=Caregivers (sync scope) AND must be deliberately added to SG-Caregivers (CA policy coverage) — two separate, intentional steps; neither auto-derived from the other.