Cascades of Tucson — Remaining Work Plan (to completion)
Consolidated execution plan tying the open Syncro tickets to the broader migration workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown). Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md` and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23). Goal: finish the migration quickly by working it as one sequenced plan.
Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)
Domain (cascades.local) — joined staff workstations (12):
ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7,
DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley),
ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN.
(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD objects to clean: DESKTOP-1ISF081 (last logon 2025-03), AZUREADSSOACC is the Seamless-SSO object — leave.)
In RMM but NOT domain-joined — still to migrate (~17):
| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct meredithk) | Domain-join + migrate her to cascades\Meredith.Kuhn |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD HEALTH-SERVICES | Verify dup/rename before acting |
| CHEF-PC | Culinary (Chef JD) | Ticket #32254 — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — replace machine (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the Caregiver Devices path (Workstream 3), not the staff path |
OU structure (built): OU=Departments -> Administrative, Marketing, Care-Assisted Living
(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident
Services, Transportation, Caregivers. OU=Workstations -> Staff PCs, Shared PCs,
OU=Caregiver Devices (under Staff PCs). Groups in OU=Groups.
Workstream 1 — Workstation domain migration
Goal: every staff PC on cascades.local + GuruRMM + correct dept OU + mapped dept drives;
retire per-PC Synology Drive Client.
Per-machine runbook (scripts in `docs/migration/scripts/`):
- `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK)
- `phase3-join-domain.ps1` -> join `cascades.local`
- `phase3-post-join-verify.ps1`
- Move computer object into the correct department OU
- Confirm GuruRMM agent still checks in; migrate the user profile/data
- Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean
- Log the change
Tickets in this workstream: #32194 (deploy spare machine for new hire — join + enroll + AD acct), #32254 (Chef-PC reinstall then join).
Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)
| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | Win10 Home | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | Win11 Home | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | Win10 Home | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | Win11 Home | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | Win11 Home | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD HEALTH-SERVICES) |
Prep blockers / decisions (2026-06-24):
- 5 machines on Windows Home cannot domain-join until upgraded to Pro (need license keys):
LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. Howard handling the
Home->Pro upgrades himself, ONSITE (decision 2026-06-25).
- 2026-06-25 live re-check: the 6PM cron `ad0a56a9` never completed — all 5 still `EditionID=Core` (Home), licensed on Home keys, none half-upgraded. Remote job abandoned; Howard doing them onsite. Next step for these 5 = domain-join once they read `EditionID=Professional`. ProductName reads "Windows 10 Home" even on the Win11 boxes (stale registry string) — trust EditionID, not ProductName.
- OneDrive KFM ON (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
- Pending reboots + KFM unlinks: held for onsite (Howard) — disruptive to clear remotely.
- LAPTOP-DRQ5L558 is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) — must be on-site/on-LAN before any join.
- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not cleanly serve domain SMB) — update the script's target before reuse.
- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite: DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).
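The pre-join blockers listed above (Home edition per EditionID, pending reboot, OneDrive KFM, off-LAN DNS, DC reachability at .248) as one readiness probe. This is an added example written for this plan, not the project's `phase3-pre-join-verify.ps1`; the domain name and DC address are taken from the plan, and detecting KFM via the User Shell Folders registry values is an assumption.

```powershell
# Added pre-join readiness probe (example, not the project's phase3-pre-join-verify.ps1).
# Run on the candidate workstation. Assumed from the plan: cascades.local, DC at 192.168.2.248.
$Domain = 'cascades.local'
$DcIp   = '192.168.2.248'   # not .254: that NIC is the Hyper-V vEthernet

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Edition: Home cannot domain-join. Trust EditionID, not the stale ProductName string.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($ver.EditionID -eq 'Core') {
    $findings.Add("BLOCKED: EditionID=Core (Home); upgrade to Pro first (ProductName='$($ver.ProductName)', ignore it)")
}

# 2. Already joined? (catches dupes like Health-Services-Director vs AD HEALTH-SERVICES)
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings.Add("INFO: already joined to $($cs.Domain) - verify dup/rename") }

# 3. Pending reboot: CBS, Windows Update, or pending file renames.
$pending =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -ErrorAction SilentlyContinue).PendingFileRenameOperations)
if ($pending) { $findings.Add('BLOCKED: reboot pending; clear onsite before join') }

# 4. OneDrive KFM / poisoned shell folders (assumption: known folders redirected into OneDrive
#    show up as User Shell Folders paths containing "OneDrive"). Checks the CURRENT user's hive.
$usf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
    $p = [Environment]::ExpandEnvironmentVariables([string]$usf.$name)
    if ($p -like '*OneDrive*') { $findings.Add("BLOCKED: KFM ON - '$name' -> $p (unlink before join)") }
}

# 5. Network: internal DNS, domain resolves, DC answers on SMB (445) and LDAP (389).
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
if ($dns -contains '8.8.8.8' -or $dns -contains '1.1.1.1') {
    $findings.Add("BLOCKED: public DNS ($($dns -join ', ')); machine is off the Cascades LAN")
}
if (-not (Resolve-DnsName $Domain -Type A -ErrorAction SilentlyContinue)) {
    $findings.Add("BLOCKED: cannot resolve $Domain")
}
foreach ($port in 445, 389) {
    if (-not (Test-NetConnection $DcIp -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        $findings.Add("BLOCKED: DC $DcIp unreachable on TCP $port")
    }
}

if ($findings.Count -eq 0) { 'READY: all pre-join checks passed' } else { $findings }
```

Run the KFM check in the signed-in user's session (not an elevated admin session) so HKCU is the right hive.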
Workstream 2 — Users, departments & file-share access
Goal: every user in the right OU + SG-*-RW group; department drives mapped per the
access matrix; Synology retired as primary.
- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server, Accounting, Culinary, Activities, directoryshare, IT, Receptionist, Executive (NEW — Ashley+Meredith). Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`.
- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
- Close out the matrix open questions (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks, John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/`Clinical-PHI` create-or-retire; `web` retire.
Tickets: #32193 (Executive restricted share — DONE 2026-06-24, E: mapped both machines), #32230 (Karen Rossini -> ALDOCS on Synology — recheck when she's in, she was out 2026-06-24).
Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)
Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)
- Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`.
- CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable the compliance-block policy `ede985e2`.
- Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare` one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
- ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user.
- Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
- Reboot NURSESTATION-PC to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).
Workstream 4 — M365
- Relicense 31 users Business Standard -> Business Premium (Standard is SUSPENDED — time-sensitive).
- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys.
- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`.
Workstream 5 — Server / infrastructure
- Cloud backup (MSP360 -> ACG-backup): VERIFIED running 2026-06-24 (last run Success, 0 failed, 575 GB baseline in cloud, incrementals working). Still confirm it is image/bare-metal/system-state (looks file-level) + set retention. [GATE for any drive work]
- CS-SERVER RAID -- CORRECTED 2026-06-24: HEALTHY, not degraded (live OMSA: both mirrors Ok, all 5 disks Online, all LEDs green; the 6/15 degraded self-recovered). NO emergency drive swap. 1:0:4 = global hot spare (do not remove). Planned reliability upgrade: replace the 2 consumer 320 GB drives (esp. flaky WD 0:0:3) with the 2x enterprise SSD already purchased, on a scheduled window w/ confirmed image/system-state backup. [WARN] PSU redundancy lost -- one PSU not delivering, check onsite. Service Tag 9MQFTK1. Real fix = DC migration off the 16-yr-old R610.
- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
- Rotate the Synology signin-portal credential (was committed plaintext historically).
Workstream 6 — Network (mostly complete)
- CSC ENT device-island consolidation (phones + Helpany on 5 GHz) — repurpose CSC ENT as a
5 GHz-only WPA2 PPSK SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the
Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both
off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz.
Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea
(deleting it would orphan the Pauls). Both vendors can move their devices remotely once we
provide the network. Onsite gate: verify per-room 5 GHz coverage before the band flip
(steel walls; weak-5GHz devices stay on 2.4). Full design + sequence:
`docs/network/csc-ent-device-island-plan.md`.
- Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense.
- Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed); new voice key -> VLAN 30 (phones re-pointed by Howard/Richard).
- Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few phones + Pauls, then full rollout.
- Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
- PREREQUISITE (live 2026-06-24): CSC ENT has 149 clients, only 68 are Helpany. ~79 non-Helpany
devices must be evacuated first — 14 staff PCs (domain mig), 11 printers, 11 DIRECTV + 11
resident IoT/TV + 15 personal phones + 17 unknown (resident-facing — need help reconnecting).
~51 are on 2.4 GHz and would drop on a 5 GHz-only flip. Per-device inventory + resident
help-list: `docs/network/csc-ent-client-inventory-2026-06-24.md`. TODO: pull `stat/alluser` for offline resident TVs; identify the 17 unknowns + generic phones with John Trozzi.
- #32319 WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`).
- #32342 Copy Room switch — install + adopt into UniFi.
- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
- (Superseded) Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).
Workstream 7 — Onsite peripheral
- #32370 eFax setup (Karen & Christin) + portable scanner on both machines.
Suggested sequence (fastest path)
- Today's onsite batch (Howard, on-site): #32342 (Copy Room switch), #32319 (Room 343 AP), #32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join); #32230 (Karen -> ALDOCS) once she's in. While onsite: verify per-room 5 GHz coverage for the CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the vendors.
- Caregiver lockdown go-live (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
- M365 relicense 31 users (Workstream 4) — time-sensitive.
- Backup verify -> RAID replacement (Workstream 5) — critical single-DC risk.
- Remaining staff domain joins + dept drives (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
- Network tail (Vertical 5 GHz, 100 Mbps ports) + M365 break-glass/audit retention.
Open Syncro tickets -> workstream map
| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | DONE 2026-06-24 (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |