claudetools/clients/cascades-tucson/docs/billing-log.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


Cascades — Work Log / Billing Record

Session 1 — 2026-03-06 (Remote)

Focus: Initial audit, data gathering, documentation buildout

| Time | Task | Details |
|---|---|---|
| | Initial server audit | Gathered systeminfo, AD users/computers/groups, DNS records, installed software, Hyper-V VMs, listening ports, disk info from CS-SERVER |
| | Network audit | Reviewed pfSense config (interfaces, firewall rules, VLANs, DHCP), UniFi APs/switches/SSIDs |
| | ARP/DHCP dump | Captured 802 ARP entries, 624 DHCP leases, identified all devices on network |
| | Printer inventory | Documented all printers with IPs, MACs, models, status |
| | Workstation inventory | Documented all PCs on INTERNAL and LAN with MACs, status, domain join state |
| | MDIRECTOR-PC audit | Gathered OS info (Win10 Home), users, network config via ScreenConnect |
| | Synology audit | Documented shares, storage capacity, permission report |
| | Full documentation buildout | Created/updated all .md files: overview, network/, servers/, security/, migration/ |
| | Migration plan | Created phased migration plan with runbooks and PowerShell scripts |
| | CLAUDE.md | Created repo-level guidance file for AI tooling |

Session 2 — 2026-03-06 (Remote)

Focus: Guest WiFi isolation, DNS fixes, security hardening

| Time | Task | Details |
|---|---|---|
| | Guest WiFi isolation | Created VLAN 50 on pfSense (igc1.50, 10.0.50.1/24), DHCP scope, 4 firewall rules, UniFi Guest network, reassigned Guest SSID |
| | RFC1918 alias | Created firewall alias. CORRECTION (Session 6): never actually created; using built-in _private4_ alias instead. |
| | CS-SERVER DNS client fix | Changed DNS servers from pfSense+8.8.8.8 to 127.0.0.1+192.168.0.1, verified |
| | Stale DNS cleanup | Removed 9 stale records, added 3 correct records (@ → 192.168.2.254, DomainDnsZones, ForestDnsZones) |
| | pfSense domain overrides | Added cascades.local + _msdcs.cascades.local → 192.168.2.254 |
| | Reverse lookup zones | Created 5 zones (0/1/2/3.168.192 + 20.0.10.in-addr.arpa) |
| | DNS scavenging | Enabled server-level scavenging (7-day), zone aging on cascades.local |
| | Documentation updates | Updated all affected .md files to reflect changes |

Session 3 — 2026-03-07 (Remote)

Focus: Backup setup, config exports, quick fixes, network diagnostics

| Time | Task | Details |
|---|---|---|
| | CS-SERVER DNS forwarder verified | Confirmed forwarder is 192.168.0.1 (item G) |
| | CS-SERVER timezone fixed | Changed from Pacific to Arizona (UTC-07:00, no DST) to match pfSense |
| | Room 218 DHCP fixed | Changed range end from 10.2.18.2 to 10.2.18.14 in pfSense |
| | Room 130 firewall rule deleted | Removed disabled TCP PASS rule from Room130 interface |
| | pfSense config exported | Downloaded XML config (with and without RRD data), saved to D:\Shares\IT\Backups\pfSense\ |
| | Synology Active Backup for Business | Installed on Synology — BLOCKED: requires Btrfs, NAS is ext4. Cannot use ABB. Will use Windows Server Backup instead. |
| | Synology Drive Client | Reinstalled on CS-SERVER, configured live sync to D:\Shares\Main (all Synology shares) |
| | Synology share audit | Enumerated shares via SMB: homes (228 GB), Public (50 GB), SalesDept (13 GB), Server (2 GB), Management (1.4 GB), chat (0), home (0). Total ~294 GB. 4 shares (Activities, pacs, Sandra Fish, web) not visible via SMB. |
| | ARP flapping investigation | Analyzed pfSense ARP logs, found 5 IP conflicts |
| | LG TV ARP conflict fixed | TV was dual-connected (WiFi + ethernet). Disabled ethernet port on 1st Floor USW Port 18. Flapping resolved. |
| | Brother printer conflict identified | 192.168.2.53 — printer dual-connected (WiFi + ethernet). Needs onsite fix. |
| | Minor ARP conflicts triaged | Room 307, Room 130, iPhone MAC randomization — low priority, noted for onsite |
| | AD/DNS/Permissions exported | Exported users, computers, groups, domain admins, DNS records, zones, forwarders, SMB shares, GPOs to D:\Shares\IT\Backups\ |
| | AD export analysis | Identified: 3 non-IT users in Domain Admins, 12 accounts to remove, 3 undocumented GPOs from Dec 2025, most users never logged in |
| | GPO report export + analysis | Exported full GPO report (Get-GPOReport -All). Reviewed all 6 GPOs: 3 Dec 2025 GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) are completely empty — no settings, no links. Found account lockout disabled (threshold=0) in Default Domain Policy. |
| | Session planning | Created session3 runbook, phase0-remote-checks.ps1 script |
| | Documentation updates | Updated issue log (6 issues resolved), AD docs, backup docs, migration docs, session log |

Session 4 — 2026-03-07 (Remote)

Focus: AD OU structure cleanup planning + script creation

| Time | Task | Details |
|---|---|---|
| | AD OU structure audit | Identified 10 duplicate root-level department OUs, 3 empty root OUs (Managment, MemCare, Sales), 20 misplaced accounts in CN=Users |
| | phase2-ou-cleanup.ps1 | Created script: audit root OUs (confirm empty + no GP links), delete 13 root-level OUs, delete/disable stale CN=Users accounts, flag Lupe.Sanchez duplicate |
| | phase2-ad-setup.ps1 updated | Added prerequisite note for OU cleanup, CS-QB exclusion comment |
| | active-directory.md updated | Added current vs target OU structure, CN=Users placement plan, 4 new issues (root OUs, CN=Users, CN=Computers, Lupe.Sanchez) |
| | Issue log updated | Added 2 issues: root-level OU junk, Lupe.Sanchez duplicate |

Session 5 — 2026-03-08 (Remote)

Focus: M365 tenant audit, AD↔M365 identity mapping, shared workstation GPO design

| Time | Task | Details |
|---|---|---|
| | M365 tenant documented | Tenant: cascadestucson.com, ID: 207fa277-..., domain: cascadestucson.com, admin: Sandra Fish (admin@NETORGFT4257522.onmicrosoft.com) |
| | User export analysis | Exported 51 M365 users, cross-referenced against 46 AD accounts. Built full AD↔M365 mapping. |
| | Identity mapping | 24 AD accounts matched to M365. 13 AD users have no M365. 2 M365 users (nick pavloff, Kristiana Dowse) not in AD. |
| | License audit | Business Standard 34/34 (0 available). 12 role-based accounts wasting licenses (~$150/mo). Entra ID P2 (1, Sandra Fish). |
| | Shared mailbox audit | 4 shared mailboxes: 3 former employees (Anna Pitzlin, Jeff Bristol, Nela Durut-Azizi) + Fax Cascades |
| | External guest audit | 6 guest accounts: 3 personal emails (jensen, dupras, rossini), 2 Howard accounts (1 typo "howaed"), 1 external partner (Debora Morris) |
| | Name mismatch found | Tamra Johnson (AD) → tamra.matthews@ (M365) — married name not updated in AD |
| | Shared workstation GPO | Added SharedComputers OU to phase2-ad-setup.ps1, GPO 6 design to phase2-server-prep.md, updated AD target OU tree |
| | cloud/m365.md | Fully populated from blank template — tenant info, licensing, full AD↔M365 mapping, shared mailboxes, issues |
| | 11 new issues logged | License exhaustion, role-account waste, Tamra name mismatch, 13 unmapped AD users, nick pavloff, Kristiana Dowse, Sandra Fish admin, former employee mailboxes, howaed typo, no Entra Connect |

Session 6 — 2026-03-09 (Remote + Onsite Data)

Focus: Onsite data entry, printer inventory, AD quick fixes

| Time | Task | Details |
|---|---|---|
| | Printer inventory update | Full onsite printer data entered — 15 printers documented with models, SNs, IPs, users, locations. Resolved 6 previously unidentified printers. |
| | Name changes documented | Tamra.Johnson→Matthews, Alyssa.Shestko→Brooks confirmed. Michelle.Shestko→Brooks pending. Updated all docs and scripts. |
| | Remove Monica.Ramirez from Domain Admins (IMPLEMENTED) | Removed disabled account from DA group |
| | Delete 3 empty GPOs (IMPLEMENTED) | Deleted CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter — all empty, no links |
| | Fix account lockout policy (IMPLEMENTED) | Set lockout threshold to 5 attempts, 30 min duration/observation window |
| | Rename QuickBooks group (IMPLEMENTED) | Fixed "Quickboosk acccess" → "QuickBooks Access" |
| | pfSense aliases created | Server_IPs (192.168.2.254), NAS_IP (192.168.0.120) created. Printer_IPs, AD_Ports, Print_Ports created then removed — not needed. |
| | Firewall strategy revised | Original plan: scoped INTERNAL→LAN rules for each resource. Revised: move all PCs and printers to INTERNAL VLAN 20 (same subnet), then lock down after migration. Simpler, fewer rules needed. |
| | RFC1918 alias correction | Documented as created in Session 2 but was never actually created. Using built-in _private4_ alias instead. |
| | ASSISTNURSE-PC upgraded to Win11 Pro (IMPLEMENTED) | Upgraded from Windows Home to Windows 11 Pro using product key — enables domain join |

Session 7 — 2026-03-11 (Onsite)

Focus: Quick wins — Guest WiFi test, kitchen thermal printer inventory, printer doc corrections

| Time | Task | Details |
|---|---|---|
| | Guest WiFi isolation tested (VERIFIED) | Connected to Guest SSID, got 10.0.50.x IP. Fixed DHCP: changed DNS to 8.8.8.8/1.1.1.1, cleared domain name (was cascades.local). Internet works, cannot ping CS-SERVER or access shares — isolation confirmed. |
| | Guest DHCP DNS fix (IMPLEMENTED) | GUEST DHCP scope was handing out pfSense DNS + cascades.local domain. Blocked by firewall rules (block all private IPs). Changed to public DNS 8.8.8.8/1.1.1.1, cleared domain name. |
| | Kitchen thermal printer inventory (DONE) | 2 printers: Bistro — Epson TM-T88VII (M371A) at 192.168.2.207, Kitchen cooks — Epson TM-U220IIB (M384B) at 10.0.20.225. Both ethernet, both receive orders from 9 iPads. |
| | "Port 8 Epson" mystery resolved | Previously unaccounted 192.168.2.207 is the Bistro thermal printer |
| | MemCare printer corrections | Room 615 printer (192.168.2.53) is WiFi-only with static IP, NOT dual-connected. MemCare Reception needs dummy switch replaced with UniFi. Added room numbers (615, 603). |
| | Nick Pavloff clarification | M365 account is for Synology admin only. Plan: change Synology admin email to another account, then delete Nick's M365 to free license. |
| | Bistro dummy switch identified | Bistro has a non-managed switch splitting connection for thermal printer, CC, and other devices. Plan: replace with UniFi switch, set ports to VLAN 20 (CSCNet). Same situation as MemCare reception. |
| | Bistro printer VLAN move planned | Bistro Epson TM-T88VII (192.168.2.207) to be moved to CSCNet (VLAN 20) once UniFi switch installed. Test iPad printing after move — cooks printer already on CSCNet (10.0.20.225) so iPads likely already route there. |

Onsite / Remote — Migration Tasks

PC Migration (Phase 1.4) — Move to CSCNet WiFi

Connect each PC to CSCNet, forget CSC ENT, verify connectivity.

| PC | Current IP | User(s) | Status |
|---|---|---|---|
| RECEPTIONIST-PC | 192.168.2.17 | CJ, Christina, Kyla, Tiffany | [ ] |
| RECEPTIONIST-PC (2nd) | 192.168.3.187 | Receptionist | [ ] |
| ASSISTMAN-PC | 192.168.2.38 | Assistant Manager | [ ] |
| ASSISTNURSE-PC | 192.168.2.153 | Assist Nurse | [ ] WiFi — upgraded to Win11 Pro, move to CSCNet later |
| NURSESTATION-PC | 192.168.3.135 | Nurse Station | [ ] |
| MEMRECEPT-PC | 192.168.3.41 | MemCare Reception | [ ] |
| ANN-PC | 192.168.3.252 | Ann | [ ] |
| MDIRECTOR-PC | 192.168.3.20 | Shelby Trozzi | [ ] Needs Pro upgrade first |
| DESKTOP-LPOPV30 | 192.168.2.250 | Unknown | [ ] |
| DESKTOP-U2DHAP0 | 192.168.3.37 | Unknown | [ ] |
| DESKTOP-TRCIEJA | 192.168.3.93 | Unknown | [ ] |
| DESKTOP-DLTAGOI | 192.168.3.133 | Unknown | [ ] |
| DESKTOP-ROK7VNM | 192.168.3.148 | Unknown | [ ] |
| DESKTOP-MD6UQI3 | 192.168.3.208 | Unknown | [ ] |

Printer Migration (Phase 1.5) — Change switch port to VLAN 20

Requires: identify switch port, change VLAN, DHCP reservation, update PCs.

| Printer | Current IP | Users | Status |
|---|---|---|---|
| Chef Brother | 192.168.3.88 | Chef | [ ] |
| Kitchen Manager Canon | 192.168.3.232 | Alyssa | [ ] |
| Meredith's Canon | 192.168.2.67 | Meredith | [ ] |
| MemCare Director Canon | 192.168.3.52 | Shelby | [ ] |
| MemCare Nurse Brother | 192.168.2.53 | MemCare nurses | [ ] |
| Room 103 Brother | 192.168.2.145 | Ashley, Christina | [ ] |
| Room 132 Canon | 192.168.3.211 | Sharon, Susan | [ ] |
| Room 217 Sales Brother | 192.168.3.44 | Sales team | [ ] |
| Room 206 Bizhub | 192.168.1.138 | Health Services | [ ] |
| Accounting Canon | 192.168.3.227 | Lauren | [ ] |
| Front Desk Epson | 192.168.2.147 | 4 users | [ ] |
| Copy Room Canon | 192.168.2.230 | Everyone | [ ] LAST |
| MemCare Reception Epson | | MemCare Recept | [ ] Needs hardwire first |

Other Onsite Tasks

| Task | Details |
|---|---|
| Test Guest WiFi isolation | Connect to Guest SSID, verify 10.0.50.x IP, no LAN access. DONE 2026-03-11 |
| Identify unknown devices | DESKTOP-1ISF081, DESKTOP-KQSL232, DESKTOP-VAVKCIM |
| User-to-machine mapping | Document who uses each PC for GPO targeting |
| MDIRECTOR-PC Pro upgrade | Install Windows 10 Pro upgrade key |
| SALES4-PC status | Locate or confirm decommissioned |
| Two RECEPTIONIST-PCs | Determine which is primary |
| 9 offline APs | Check PoE, cables, re-adopt |
| Room 307 ARP conflict | Check if still occurring |

Outstanding Work — Prioritized

Priority 1: CRITICAL

  • Set up backup — Windows Server Backup to Synology SMB share (ABB blocked by ext4)
  • Remove Monica.Ramirez from Domain Admins — DONE 2026-03-09

Priority 2: HIGH (security)

  • Create firewall aliases — Server_IPs and NAS_IP created. Others not needed (printers moving to INTERNAL VLAN). DONE 2026-03-09
  • Replace INTERNAL firewall rules — deferred until after all devices migrated to VLAN 20
  • Disable floating rule #4 + add scoped room internet rule — deferred until post-migration
  • Remove Meredith.Kuhn and John.Trozzi from Domain Admins — DONE 2026-04-13
  • Review 3 undocumented GPOs — REVIEWED: all 3 are empty (no settings, no links). Delete in Phase 2.2.
  • Delete 3 empty GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) — DONE 2026-03-09
  • Fix account lockout policy — Set to 5 attempts / 30 min lockout — DONE 2026-03-09

Priority 3: MEDIUM (cleanup)

  • Delete VLAN 10 from UniFi
  • Disable/delete 12 stale AD accounts — DONE 2026-04-13 (13 accounts deleted)
  • Remove unused server roles (NPS, RDS)
  • Create DHCP reservation for LG TV WiFi MAC (e0:85:4d:4d:f0:3e → 192.168.2.148)
  • Fix Brother printer dual-connection (onsite) — NOT an issue. 192.168.2.53 is WiFi-only with static IP. DONE 2026-03-11

Priority 4: Phase 2+ (AD/server prep)

  • Run phase2-ou-cleanup.ps1 — audit + delete 13 root-level OUs, clean CN=Users accounts — DONE 2026-04-13 (manual commands)
  • Run phase2-ad-setup.ps1 — security fixes, Workstations OU (incl. Shared PCs), security groups, computer moves — Partially DONE 2026-04-13 (Workstations OU created, DA cleaned, UPNs updated. Security groups + computer moves still pending)
  • Set up file share permissions on CS-SERVER
  • Create GPOs (drive maps, printers, security baseline, updates, folder redirection, shared workstation)
  • Domain-join non-domain machines
  • Synology retirement + backup-only repurpose

Priority 5: M365 Cleanup

  • Convert 12 role-based accounts to shared mailboxes — accounting@, frontdesk@, hr@, security@, memcarereceptionist@, boadmin@, accountingassistant@, Training@, Kitchenipad@, medtech@, nurse@, transportation@. Frees 12 licenses ($150/mo)
  • Delete nick pavloff M365 account — account was only for Synology admin. Change Synology admin email to another account first, then delete to free license.
  • Update Tamra.Johnson → Tamra.Matthews in AD — DONE 2026-04-13
  • Delete Kristiana Dowse M365 account — HR confirmed not current employee (2026-03-10). Frees 1 license.
  • Delete "howaed" guest account — typo duplicate of howard@azcomputerguru.com
  • Delete Anna Pitzlin & Nela Durut-Azizi shared mailboxes — HR confirmed OK to delete (were forwarded to Meredith, no longer needed). Jeff Bristol still pending.
  • Review Sandra Fish global admin — previous owner still holds the only global admin. Create break-glass admin?
  • Install Entra Connect — planned for CS-SERVER, AD cleanup complete, UPNs updated. Blocked on: M365 shared mailbox conversions
  • Determine if AD users need M365 — HR confirmed all current employees (2026-03-10). Roles: Front Desk/Courtesy Patrol, MC Front Desk, Transportation, Housekeeping. Do they need email? Free licenses first via role account cleanup.

Priority 6: Audit Findings (2026-03-10)

Doc fixes:

  • Fix Room 206 printers in phase2-print-server.ps1 — Added Bizhub C368 + 206 Nurse Station Brother as separate entries — DONE
  • Fix firewall.md post-migration rules — changed "RFC1918" to _private4_ — DONE
  • Fix dhcp.md Room 218 — marked as FIXED 2026-03-07 — DONE
  • Fix dhcp.md printer 192.168.2.53 — updated to online with MAC — DONE
  • Fix step3-switch-ports.md — Added Bizhub C368 + 206 Nurse Station — DONE
  • Fix RFC1918 alias entry in Session 2 billing record — corrected — DONE
  • Standardize "MemCare MedTech" printer naming across all docs — DONE

Resolved with Howard's input:

  • Duplicate Alyssa accounts — Resolved: Alyssa.Shestko renamed to Alyssa.Brooks, lowercase duplicate deleted — DONE 2026-04-13
  • SALES4-PC — Active, used by Tamra Matthews. Was just offline during audit. Updated overview.md. — DONE
  • Azure docs — No Azure services. M365 + GoDaddy web hosting only. Updated cloud/azure.md. — DONE

Needs onsite / separate session:

  • M365 email audit — SPF, DKIM, DMARC, MX records all TBD
  • Synology shares "pacs" and "web" — purpose unknown (may contain PHI)
  • CS-SERVER ports 5504, 6783, 8019 — unidentified listeners
  • Room 339 interface — may be disabled in pfSense
  • 9 offline APs — need physical investigation
  • Kitchen thermal printer inventory — 2 printers: Bistro TM-T88VII (192.168.2.207), Kitchen TM-U220IIB (10.0.20.225). DONE 2026-03-11
  • Verify ALIS BAA — ask management if signed BAA exists with go-alis.com
  • Sign Microsoft BAA — M365 Admin → Settings → Org Settings → Security & Privacy → HIPAA BAA
  • Enable MFA — Security Defaults in Entra ID (free, 5 min to enable)

Onsite Visit Additions (from M365 audit)

  • Identify shared workstation computer names for GPO 6 targeting
  • Confirm nick pavloff's department and PC assignment
  • Ask about Kristiana Dowse — current or former? HR confirmed DELETE (2026-03-10)
  • Map user-to-shared-PC rotation matrix for shared mailbox permissions

Session 8 — 2026-03-20 (Remote)

Focus: Audit script deployment, GitHub hosting, ScreenConnect Toolbox setup

| Time | Task | Details |
|---|---|---|
| | Audit script updates | Removed .txt transcript output (JSON only), added hostname to filenames (HOSTNAME_audit_DATE.json) |
| | Script self-relaunch fix | Changed -Verb RunAs to -NoNewWindow -WindowStyle Hidden for silent ScreenConnect execution |
| | GitHub repo created | Created public repo Howweird/msp-audit-scripts with server_audit.ps1, workstation_audit.ps1, README.md |
| | ScreenConnect Toolbox commands | Built commands for: server audit, workstation audit, clear C:\Temp. Documented ScreenConnect 80-char line limit. |
| | ScreenConnect line-wrapping fix | Discovered ScreenConnect silently truncates long lines (~120 chars). Rewrote all commands with URLs in variables, short lines. Added rules to CLAUDE.md. |

Session 9 — 2026-03-20/21/22 (Remote)

Focus: Full fleet audit, security remediation, Windows upgrades

| Time | Task | Details |
|---|---|---|
| | Full fleet audit | Ran server + workstation audits on 19 machines (1 server, 18 workstations) via ScreenConnect Toolbox |
| | Workstation inventory created | Created cascades/workstations.md — full hardware, OS, users, software, security findings for all 18 workstations |
| | Documentation updates | Updated cs-server.md (security findings, disk usage, software, share permissions), active-directory.md (functional levels, new users, login activity), antivirus.md (deployment status for all 19 endpoints), hipaa.md (11 new gaps), overview.md (workstation table with audit data) |
| | Master issue tracker | Built combined issue tracker (42 items) merging audit findings with all prior issue log entries, organized by severity |
| | Pro key applied to 4 machines | ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC — Win 11 Home → Pro via changepk ScreenConnect command |
| | RDP disabled on 2 machines | ASSISTMAN-PC and DESKTOP-U2DHAP0 — were exposed without NLA |
| | AD Recycle Bin enabled | Was off — deleted objects were unrecoverable |
| | MachineAccountQuota set to 0 | Was 10 — any domain user could join machines |
| | RestrictAnonymous set to 1 | Was 0 — null sessions allowed on CS-SERVER |
| | Stale printer ports cleaned | Ran cleanup script on all 18 workstations — removed orphan TCP/IP ports |
| | AutoPatch + Win 11 upgrade pushed | Created PSWindowsUpdate scheduled tasks on 15 machines (overnight, auto-stop 5AM). Skipped CS-SERVER, RECEPTIONIST-PC, MEMRECEPT-PC |
| | Win 11 upgrade assistant | Pushed to eligible Win 10 machines: DESKTOP-LPOPV30, NURSESTATION-PC, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. Also 25H2 upgrade for CRYSTAL-PC, DESKTOP-U2DHAP0, LAPTOP2 |
| | ScreenConnect Toolbox expanded | Added commands for: auto-patch, auto-patch+upgrade, stop updates at 5AM, Pro key push, stale printer port cleanup |
| | Network analysis | Identified DNS misconfiguration (15 machines pointing to pfSense instead of CS-SERVER), cross-subnet routing issues, printer port IP mismatches |
| | DirecTV VLAN issue documented | Older DirecTV boxes can't connect to VLAN networks — must join CSC ENT first for update, then move to CSCNet |
| | Pro key documented | Volume license key added to root CLAUDE.md with usage log tracking requirement |
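The Session 6, 9 and 10 hardening items (lockout policy, MachineAccountQuota, RestrictAnonymous, AD Recycle Bin, Domain Admins membership) are one-off changes that drift back over time. The read-only check below is an added example, not one of the log's own scripts; it re-reads each setting on the DC and reports any deviation from the values recorded in this log. It assumes the ActiveDirectory module is available and that it is run on CS-SERVER so the HKLM read hits that server's registry.

```powershell
# Added verification script (not part of the original log or the MSP's audit scripts).
# Read-only: re-checks the hardening recorded in Sessions 6, 9 and 10. Expected values
# come from the billing log; nothing is changed. Assumes the ActiveDirectory module is
# present and the script runs on CS-SERVER (the RestrictAnonymous read is local).
Import-Module ActiveDirectory -ErrorAction Stop

$expected = @{
    LockoutThreshold    = 5                             # Session 6: 5 attempts
    LockoutMinutes      = 30                            # Session 6: 30 min duration/observation window
    MachineAccountQuota = 0                             # Session 9: was 10
    RestrictAnonymous   = 1                             # Session 9: was 0 (null sessions allowed)
    DomainAdmins        = @('Administrator', 'sysadmin') # Session 10: only these should remain
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Account lockout policy from the Default Domain Policy
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.LockoutThreshold -ne $expected.LockoutThreshold) {
    $findings.Add("LockoutThreshold is $($pol.LockoutThreshold), expected $($expected.LockoutThreshold)")
}
if ($pol.LockoutDuration.TotalMinutes -lt $expected.LockoutMinutes) {
    $findings.Add("LockoutDuration is $($pol.LockoutDuration), expected >= $($expected.LockoutMinutes) min")
}
if ($pol.LockoutObservationWindow.TotalMinutes -lt $expected.LockoutMinutes) {
    $findings.Add("LockoutObservationWindow is $($pol.LockoutObservationWindow), expected >= $($expected.LockoutMinutes) min")
}

# 2. ms-DS-MachineAccountQuota lives on the domain naming-context head object
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne $expected.MachineAccountQuota) {
    $findings.Add("ms-DS-MachineAccountQuota is $quota, expected $($expected.MachineAccountQuota)")
}

# 3. RestrictAnonymous (LSA) on this server; a missing value behaves like 0
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.RestrictAnonymous -lt $expected.RestrictAnonymous) {
    $findings.Add("RestrictAnonymous is '$($lsa.RestrictAnonymous)', expected >= $($expected.RestrictAnonymous)")
}

# 4. AD Recycle Bin counts as enabled when the optional feature has at least one enabled scope
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb -or $rb.EnabledScopes.Count -eq 0) {
    $findings.Add('AD Recycle Bin is not enabled')
}

# 5. Domain Admins (recursive, so nested groups cannot hide a member) should contain only the expected accounts
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
foreach ($member in ($da | Where-Object { $expected.DomainAdmins -notcontains $_ })) {
    $findings.Add("Unexpected Domain Admins member: $member")
}

if ($findings.Count -eq 0) {
    Write-Host 'All checked settings match the billing log.' -ForegroundColor Green
} else {
    Write-Host "$($findings.Count) deviation(s) found:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Running it at the start of each remote session gives a quick drift report before new work is billed.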

Session 10 — 2026-04-13 (Onsite + Remote)

Focus: Workstation upgrades, domain joins, printer setup, AD cleanup, Entra Connect planning, MDM planning

Workstation Upgrades & Domain Joins

| Task | Details |
|---|---|
| DESKTOP-DLTAGOI — Pro upgrade + domain join | Upgraded Win 11 Home → Pro (manual key — PowerShell method caused Enterprise). Joined to cascades.local. |
| DESKTOP-DLTAGOI — User setup | Created domain user Sharon.Edwards (Life Enrichment Assistant). Removed local accounts: casadmin201, rootadmin, local "Sharon Edwards". Disabled system accounts. |
| DESKTOP-DLTAGOI — Printer cleanup | Removed all Brother printers. Added Copy Room printer manually. |
| DESKTOP-ROK7VNM — Pro upgrade + domain join | New machine (not in previous audit). Upgraded to Pro (manual key). Joined to cascades.local. |
| DESKTOP-ROK7VNM — User setup | Created domain user Susan.Hicks (Life Enrichment Director). Removed local accounts: casadmin201, nick, SusanH, Megan Wicker. |
| MAINTENANCE-PC — Pro upgrade | Upgraded Win 11 Home → Pro (manual key). Domain join pending. |
| MAINTENANCE-PC — Disk cleanup | Cleared SoftwareDistribution, temp files, DISM component cleanup, deleted nick user profile. |
| Pro key issue documented | PowerShell changepk method from Session 9 caused Enterprise edition on some machines. Manual key entry through Settings is the correct method. |

Printer Work

| Task | Details |
|---|---|
| Room 132 Canon MF741CDW — Factory reset | Printer was locked out (System Manager ID/PIN unknown). Factory reset successful. |
| Room 132 Canon — Moved to INTERNAL VLAN | Connected to CSCNet WiFi, set static IP 10.0.20.94. Previously was 192.168.3.211 on LAN. |
| Print server planning | Planned GPO-based printer deployment via CS-SERVER print server. Print Services role check needed. Naming convention: Floor-Room-Model (e.g. 1F-132-RecRoom-Canon). |

AD Cleanup (on CS-SERVER)

| Task | Details |
|---|---|
| Deleted 13 stale accounts | Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez (disabled/former). Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery (not on HR roster). alyssa.brooks (lowercase duplicate). Lupe.Sanchez (duplicate of Guadalupe). jeff.bristol (replaced by Lauren). |
| Renamed 5 accounts | Tamra.Johnson → Tamra.Matthews, Alyssa.Shestko → Alyssa.Brooks, Guadalupe.Sanchez → Lupe.Sanchez, strozzi → Shelby.Trozzi, Christopher.Holik → Christopher.Holick |
| Removed non-IT from Domain Admins | Removed Meredith.Kuhn and John.Trozzi. Only Administrator and sysadmin remain. |
| Deleted root-level duplicate OUs | 13 empty root-level OUs (confirmed already deleted from previous session). |
| Created Workstations OU | OU=Workstations with sub-OUs: Staff PCs, Shared PCs. |
| Added UPN suffix | Added cascadestucson.com as UPN suffix to AD forest. |
| Updated all 33 user UPNs | Changed from @cascades.local to @cascadestucson.com for Entra Connect SSO readiness. |
| Created Kyla.QuickTiffany account | New Resident Services Receptionist. Placed in OU=Resident Services. |
| Full HR roster imported | All 32 employees documented with positions, departments, and shared email group assignments. |

Print Server & GPO Setup

| Task | Details |
|---|---|
| Removed Roaming share | Deleted D:\Roaming and SMB share — unused, replaced by Folder Redirection |
| Created homes share | D:\Homes shared as \\CS-SERVER\homes — Domain Admins full, Domain Users change. For Folder Redirection. |
| RecRoom Canon added to print server | Added printer port TCP_10.0.20.94, shared as "RecRoom-Canon" using Canon Generic Plus PCL6 driver |
| CSC - Life Enrichment Printers GPO | Created and linked to OU=Life Enrichment. RecRoom Canon deployed via Print Management (per user). |
| CSC - Folder Redirection GPO | Created and linked to OU=Departments. GPMC Folder Redirection extension broken on CS-SERVER — fdeploy.ini not being created. Worked around using GP Preferences > Registry to set shell folder paths (Desktop, Documents, Downloads → \\CS-SERVER\homes\%USERNAME%). |
| Folder Redirection verified | Tested with Sharon.Edwards — Desktop redirects to \\CS-SERVER\homes\sharon.edwards\Desktop. Documents and Downloads also configured. |
| Moved 6 PCs to Staff PCs OU | ACCT2-PC, CRYSTAL-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM moved to OU=Staff PCs,OU=Workstations. CS-QB left in CN=Computers. |
| Data migration slow | Robocopy to server limited by Sharon's 72 Mbps WiFi (~8 MB/s). Server storage is two PERC RAID virtual disks (300GB C: + 1.1TB D:), likely spinning SAS. Consider SSD upgrade + hardwiring PCs for speed. |

Planning & Documentation

| Task | Details |
|---|---|
| Entra Connect SSO plan | Documented full plan in cloud/m365.md — prerequisites, install steps, sync scope. Enables single sign-on: AD login → Office/Edge/Outlook auto-activate. |
| M365 license optimization | Planned conversion of 12 role-based accounts to shared mailboxes. 10 staff (drivers, receptionists, courtesy patrol) get AD + SSO but no paid license. Saves ~$137.50/month (11 licenses freed). |
| ManageEngine MDM | Account created. Will manage employee Android phones (HIPAA compliance) + 9 kitchen iPads (lockdown/kiosk mode). Created security/mdm.md. |
| Len's Auto Brokerage (LAB) | New client folder created. Documented lab-server (Server 2008 SP2, EOL) and DESKTOP-BMBTQLI (HPE MicroServer Gen10 Plus v2, current server). RDP troubleshooting on Server 2008 — CredSSP incompatibility. |

Billing Summary — Session 10

| Category | Items |
|---|---|
| Workstation upgrades (Pro key + domain join) | 3 machines (DLTAGOI, ROK7VNM, MAINTENANCE-PC) |
| User setup + local account cleanup | 3 machines |
| Printer reset + VLAN move + print server | 1 printer factory reset, moved to INTERNAL VLAN, added to print server, deployed via GPO |
| AD cleanup | 13 accounts deleted, 5 renamed, 2 removed from Domain Admins, OU cleanup, UPN migration, 1 new account created |
| GPO setup | 2 GPOs created (Life Enrichment Printers, Folder Redirection). Folder Redirection working via GP Preferences workaround. |
| File server setup | Homes share created, Roaming share removed, 6 PCs moved to Staff PCs OU |
| Infrastructure planning | Entra Connect SSO, M365 license optimization, MDM setup |
| New client setup | Len's Auto Brokerage — folder + initial docs + RDP troubleshooting |

Session 10b — 2026-04-14 (Remote + Onsite)

Focus: Continued Life Enrichment setup, GPO troubleshooting, OneDrive cleanup

| Task | Details |
|---|---|
| Narrowed Folder Redirection GPO | Moved link from OU=Departments to OU=Life Enrichment only. Roll out dept by dept. |
| Susan.Hicks OneDrive cleanup | ProfWiz migrated old SusanH profile with OneDrive folder redirection. Fixed shell folders (Desktop, Documents, Downloads, Videos, Pictures, Attachments) back to local %USERPROFILE% paths. Uninstalled OneDrive. |
| Printer GPO troubleshooting | Print Management "Deploy with Group Policy" not saving to SYSVOL (same broken GPMC issue as Folder Redirection). Fixed using GP Preferences > Shared Printer instead — \\CS-SERVER\RecRoom-Canon. Printers.xml confirmed in SYSVOL. |
| Susan data migration | Robocopy of Susan's data to \\CS-SERVER\homes in progress — slow due to WiFi. |

Session 10c — 2026-04-14 (Remote)

Focus: M365 admin cleanup, MDM planning, ALIS SSO research, proposal

| Task | Details |
|---|---|
| Sandra Fish admin removed | Revoked global admin, blocked sign-in, removed P2 license. sysadmin@cascadestucson.com is now sole global admin. |
| Entra P2 license freed | 1 P2 license available for Conditional Access testing when ready. |
| ALIS SSO confirmed | ALIS supports Microsoft Entra SSO (Azure AD / Office 365). Requires App Registration in Azure Portal + ALIS App Store config. Users must have matching email in ALIS and Entra. |
| M365 Business Premium proposal | Created formal proposal at cascades/proposals/m365-premium-upgrade.md. Net savings of $56.50/mo after shared mailbox cleanup. Covers Intune, Conditional Access, Defender, DLP. |
| MDM plan documented | Full 7-phase ManageEngine MDM rollout plan in security/mdm.md. 25 shared Android phones + 9 kitchen iPads. |
| Folder Redirection GPO narrowed | Moved from OU=Departments to OU=Life Enrichment only. Roll out dept by dept. |
| Susan Hicks OneDrive cleanup | Fixed shell folders pointing to old OneDrive paths after ProfWiz migration. Uninstalled OneDrive. |

Session 10d — 2026-04-14 (Remote, extended diagnostic — inconclusive)

Focus: Try to make Folder Redirection work natively and retire the GP Preferences Registry hack.

| Task | Details |
|---|---|
| SYSVOL health verified | `dcdiag /test:sysvolcheck` passed, SYSVOL permissions correct, writable as admin |
| FR extension registration confirmed | `gPCUserExtensionNames` on the old GPO correctly lists `{25537BA6-77A8-11D2-9B6C-0000F8080861}` (FR CSE) |
| NTFS on D:\Homes hardened | Removed BUILTIN\Users ReadAndExecute inheritance to subfolders/files — was allowing cross-user read of redirected PHI (HIPAA violation). Scoped to "This folder only". CREATOR OWNER Full Control still inherits so each user owns their own home folder. |
| First diagnosis (WRONG) | Initially thought GPMC on CS-SERVER was writing FR config to the wrong location (`User\Documents & Settings\fdeploy1.ini` with `FullPath=` + `Flags=1231`). Hypothesized a broken legacy ADMX template. |
| RSAT installed + tested | Installed RSAT GPMC on Sharon.Edwards' Win11 PC (`Add-WindowsCapability -Online -Name "Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0"`). Recreated CSC - Folder Redirection (LE) GPO from RSAT. |
| First diagnosis disproven | RSAT wrote to the same path as CS-SERVER's GPMC (`User\Documents & Settings\fdeploy1.ini` with `FullPath=`). Two independent tools writing identical files = that IS the correct modern format. The "Documents & Settings" subfolder and `FullPath=` syntax are NOT legacy — they're normal modern FR layout. The original GPO was broken simply because the save was incomplete (empty fdeploy.ini, stub fdeploy1.ini with `Flags=4` and no `FullPath`). |
| New GPO linked, old unlinked | CSC - Folder Redirection (LE) linked to OU=Life Enrichment; CSC - Folder Redirection unlinked from OU=Life Enrichment (GPO itself kept as 1-week rollback). |
| FR refuses to commit on Sharon | At Sharon's logon, FR CSE fires, logs event 1006 "Documents has to be redirected" with correct path+flags, logs event 1001 "extension finished". No event 1013 (success), no error events. `User Shell Folders\Personal` stays at `C:\Users\Sharon Edwards\Documents`. Multiple logon cycles don't help. `gpupdate /force` doesn't help. Permissions verified (Sharon has FullControl, write test succeeds). Target path reachable. FR history key (`HKCU\...\History\{25537BA6-...}`) still references OLD unlinked GPO; key is SYSTEM-protected, can't clear from user context. |
| Investigation parked | Howard wants to avoid the registry hack as the answer. Captured leading hypothesis + research search terms in plan file `C:\Users\howar\.claude\plans\immutable-imagining-spring.md`. |
| Documented | Revised servers/cs-server.md "Known Admin Issues" section to correct the earlier wrong theories and accurately describe the silent-no-commit symptom. |
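Added example, not from this log: a read-only fingerprint script for the "1006 but no 1013" symptom above, to run in a non-elevated PowerShell as the affected user on her PC right after logon. The Operational log name, the history key path and the GPOName/DisplayName value names are standard Windows locations I am assuming, not taken from the log.

```powershell
# Added example (not from the Cascades log). Run as the affected user on the client PC.
# Shows: FR events from the last hour, whether intent (1006) was logged without a commit
# (1013) and without any error, where the shell resolves Documents, and which GPO the
# per-user FR history key still references. Read-only; nothing is changed.
$frCse   = '{25537BA6-77A8-11D2-9B6C-0000F8080861}'   # FR CSE GUID from the log
$logName = 'Microsoft-Windows-Folder Redirection/Operational'
$since   = (Get-Date).AddHours(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

"Folder Redirection events since $($since.ToString('HH:mm')):"
$events | Group-Object Id -NoElement | Sort-Object Name |
    ForEach-Object { "  Event {0}: {1}" -f $_.Name, $_.Count }

$intent  = @($events | Where-Object Id -eq 1006)          # "X has to be redirected"
$success = @($events | Where-Object Id -eq 1013)          # redirection committed
$errors  = @($events | Where-Object { $_.Level -le 2 })   # Level 1 = Critical, 2 = Error

if ($intent.Count -gt 0 -and $success.Count -eq 0 -and $errors.Count -eq 0) {
    "FINGERPRINT MATCH: intent logged (1006) but never committed (no 1013), no errors."
    "Last 1006 message:`n" + $intent[-1].Message        # carries the target path + flags
} elseif ($success.Count -gt 0) {
    "Redirection committed at $($success[-1].TimeCreated)."
}

# Where the shell currently resolves Documents (stays local when FR did not commit).
$usf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
"User Shell Folders\Personal = $($usf.Personal)"

# FR history for this user: one numbered subkey per GPO that last applied the CSE.
# Reading works from user context; the log notes that clearing it does not.
$hist = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\$frCse"
if (Test-Path $hist) {
    foreach ($entry in Get-ChildItem $hist) {
        $p = Get-ItemProperty $entry.PSPath
        "History {0}: {1} ({2})" -f $entry.PSChildName, $p.DisplayName, $p.GPOName
    }
} else {
    "No FR history key found at $hist"
}
```

If the history entry still names the old unlinked GPO while the fingerprint matches, that is the state described in the table above, captured in one run instead of several registry and Event Viewer lookups.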

Where We Left Off (2026-04-14 — Session end, investigation parked)

Leading hypothesis (needs confirmation via research): The FR policy has "Grant user exclusive rights" enabled (Flags=1231 bit 0x1). When the target folder \\CS-SERVER\homes\sharon.edwards\Documents already exists with a non-Sharon owner (sysadmin created it during the original registry-hack migration, and we re-created it manually during tonight's diagnostic), FR can't rewrite the folder's ACL to Sharon-only. Documented FR quirk: logs intent via 1006, silently aborts without logging to Operational channel. This matches our exact fingerprint (1006 fires, 1013 never fires, zero errors).

Fast sanity-check for next session (read-only):

```powershell
(Get-Acl "D:\Homes\sharon.edwards\Documents").Owner
```

If owner is anything other than CASCADES\sharon.edwards, hypothesis strongly supported.

Search terms Howard will research:

  1. Primary: Folder Redirection "has to be redirected" event 1006 no 1013 silent no error
  2. Hypothesis-driven: Folder Redirection "Grant the user exclusive rights" existing folder silently fails ownership
  3. Fallback: Folder Redirection Windows 10 event 1001 finished but folder not redirected registry

If hypothesis confirmed — next steps:

  1. takeown /F "D:\Homes\sharon.edwards\Documents" /A then icacls ... /setowner "CASCADES\sharon.edwards" /T
  2. Clear FR history from elevated context via HKU\<SID>
  3. Sharon log off + on, verify event 1013 fires and Documents redirects
  4. If successful, script this across all LE users' homes folders

If hypothesis wrong — secondary paths to try:

  • Enable FR verbose debug logging (HKLM\...\Diagnostics\FdeployDebugLevel=0x10), read %windir%\debug\usermode\fdeploy.log for the real skip reason
  • Test FR on a brand-new user with no profile history to rule out profile corruption
  • If still blocked, fall back to GP Preferences Registry for Documents (as already deployed for Desktop) — documented workaround, not the end state

Current Sharon state (unchanged tonight):

  • Desktop: \\CS-SERVER\homes\Sharon.Edwards\Desktop (working, via original registry hack — no FR involvement)
  • Documents: C:\Users\Sharon Edwards\Documents (local, FR failed to redirect)
  • Downloads: C:\Users\Sharon Edwards\Downloads (local)

Phase D HIPAA hardening (still pending, after FR is working):

  • Set-SmbShare -Name homes -EncryptData $true -Force (SMB encryption in transit)
  • Enable file access auditing on D:\Homes (§164.312(b) Audit Controls)
  • VSS + daily shadow copies on D: (§164.308(a)(7) Contingency Plan)
  • Backup D:\Homes to Synology via Windows Server Backup

Phase D HIPAA hardening (after FR is working):

  • Set-SmbShare -Name homes -EncryptData $true -Force (SMB encryption in transit)
  • Enable file access auditing on D:\Homes (§164.312(b) Audit Controls)
  • VSS + daily shadow copies on D: (§164.308(a)(7) Contingency Plan)
  • Backup D:\Homes to Synology via Windows Server Backup
  • Manually set NTFS permissions on D:\Homes (commands ready, not yet run):
    • CREATOR OWNER: full access to own folder only
    • Domain Users: can create subfolder, cannot access others
    • Domain Admins: full access
    • Lock down existing sharon.edwards and susan.hicks folders

D:\Homes NTFS permissions (not yet run):

```cmd
icacls D:\Homes /inheritance:d
icacls D:\Homes /remove "BUILTIN\Users"
icacls D:\Homes /grant "CASCADES\Domain Admins:(OI)(CI)F"
icacls D:\Homes /grant "CREATOR OWNER:(OI)(CI)F"
icacls D:\Homes /grant "CASCADES\Domain Users:(CI)(AD)(RD)"
```
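Added example, not from this log: a read-only audit of D:\Homes run elevated on CS-SERVER that covers both the ownership hypothesis from "Where We Left Off" (owner of each home folder and its Documents subfolder must be the user) and the intent of the NTFS permissions above (nobody but the user, Domain Admins, SYSTEM and CREATOR OWNER reaches a home folder; Domain Users tolerated only for list/create rights that never apply to files). It assumes folder names equal sAMAccountNames and the domain NetBIOS name CASCADES.

```powershell
# Added example (not from the Cascades log). Read-only ACL audit of every home folder.
# Finding types: OwnerMismatch (folder or Documents not owned by the user, the FR
# hypothesis), ExplicitForeignAce / InheritedForeignAce (cross-user access path).
$HomesRoot  = 'D:\Homes'
$Domain     = 'CASCADES'
$Allowed    = @("$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$ListOnly   = @("$Domain\Domain Users")   # may list/create only, never touch files
$ListCreate = [int][System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, Synchronize'
$ObjInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$findings = foreach ($dir in Get-ChildItem $HomesRoot -Directory) {
    $user = "$Domain\$($dir.Name)"

    # (1) Ownership of the home folder and of Documents, if FR or a migration created it.
    foreach ($path in @($dir.FullName, (Join-Path $dir.FullName 'Documents'))) {
        if (-not (Test-Path $path)) { continue }
        $owner = (Get-Acl $path).Owner
        if ($owner -ne $user) {
            [pscustomobject]@{ Path = $path; Issue = 'OwnerMismatch'; Principal = $owner }
        }
    }

    # (2) Access entries on the home folder itself.
    foreach ($ace in (Get-Acl $dir.FullName).Access) {
        $who = $ace.IdentityReference.Value
        if ($who -eq $user -or $who -in $Allowed) { continue }
        $reachesFiles = ([int]$ace.InheritanceFlags -band $ObjInherit) -ne 0
        $beyondList   = ([int]$ace.FileSystemRights -band -bnot $ListCreate) -ne 0
        if ($who -in $ListOnly -and -not $reachesFiles -and -not $beyondList) { continue }
        $kind = if ($ace.IsInherited) { 'InheritedForeignAce' } else { 'ExplicitForeignAce' }
        [pscustomobject]@{
            Path      = $dir.FullName
            Issue     = $kind
            Principal = "$who ($($ace.FileSystemRights))"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No findings under $HomesRoot" }
```

Rerun it after the icacls commands and after any takeown/setowner step: an empty result is the state the Phase D HIPAA items assume, and an OwnerMismatch on a Documents folder is the condition the FR hypothesis predicts.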

Data migration script ready (not yet run):

  • Copy-only test version (robocopy /L for dry run, remove /L for real copy)
  • Move version (robocopy /MOVE) for production
  • Run on each user's machine while logged in as them

Other pending:

  • Printer GPO: RecRoom Canon added via GP Preferences. Needs gpupdate + re-login test on Sharon/Susan machines.
  • Copy Room printer: Not yet added to print server or GPO.
  • MAINTENANCE-PC: Pro upgraded, domain join + local account cleanup still pending.
  • ANN-PC, MDIRECTOR-PC: Check for Enterprise edition from PowerShell Pro key push.
  • M365: Sandra removed. Shared mailbox conversions pending. Entra Connect pending. Sign BAA. 23 licensed users confirmed.
  • MDM: ManageEngine Phase 1 tenant setup in progress. 25 shared Android phones + 9 kitchen iPads.
  • ALIS SSO: Confirmed Entra support. Needs App Registration in Azure Portal.
  • Business Premium proposal: cascades/proposals/m365-premium-upgrade.md — net -$56.50/mo.
  • Len's: RDP to Server 2008 still failing (CredSSP).
  • Server storage: Likely spinning SAS in Dell R610 — evaluate SSD upgrade.