claudetools/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md
Howard Enos 4a63b583b7 sync: auto-sync from HOWARD-HOME at 2026-06-25 11:42:29
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 11:42:29
2026-06-25 11:42:58 -07:00


Cascades of Tucson — Remaining Work Plan (to completion)

Consolidated execution plan tying the open Syncro tickets to the broader migration workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown). Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to PROJECT_STATE.md and wiki/clients/cascades-tucson.md (current truth, compiled 2026-06-23). Goal: finish the migration quickly by working it as one sequenced plan.


Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)

Domain (cascades.local) — joined staff workstations (12): ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7, DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley), ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN. (Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD object to clean: DESKTOP-1ISF081 (last logon 2025-03). AZUREADSSOACC is the Entra Seamless SSO computer object — leave it in place.)

In RMM but NOT domain-joined — still to migrate (~17):

| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct meredithk) | Domain-join + migrate her to cascades\Meredith.Kuhn |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD HEALTH-SERVICES | Verify dup/rename before acting |
| CHEF-PC | Culinary (Chef JD) | Ticket #32254 — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — replace machine (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the Caregiver Devices path (Workstream 3), not the staff path |

OU structure (built): OU=Departments -> Administrative, Marketing, Care-Assisted Living (+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident Services, Transportation, Caregivers. OU=Workstations -> Staff PCs, Shared PCs, OU=Caregiver Devices (under Staff PCs). Groups in OU=Groups.
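The joined / not-joined / stale split above came from an AD-vs-RMM diff. The script below is an added example of that diff, not the project's own tooling: it takes the RMM device export as a CSV (a "Name" column is assumed), pulls computer objects with Get-ADComputer when run with -FromAD, and otherwise runs offline against a small constructed sample so the logic can be checked before pointing it at cascades.local. The appliance and infra exclusions and the 90-day stale cut-off are assumptions to tune.

```powershell
# Added example (not the project's script): reproduce the AD-vs-RMM diff behind the snapshot above.
# Assumptions: RMM export has a "Name" column; AD side is Get-ADComputer (RSAT) with -FromAD,
# otherwise a constructed sample so this runs offline.
param(
    [string]$RmmCsv,        # path to a GuruRMM device export (assumed "Name" column)
    [switch]$FromAD,        # query cascades.local live instead of the inline sample
    [int]$StaleDays = 90    # AD computers with no logon in this many days are flagged stale (assumed cut-off)
)

$appliancesToIgnore = @('CASCADESPROXESS')      # non-Windows appliance, never a join candidate
$infraToIgnore      = @('CS-SERVER', 'CS-QB')   # DC and QB VM: joined, but not staff workstations
$seamlessSso        = 'AZUREADSSOACC'           # Entra Seamless SSO object: leave in place

if ($FromAD) {
    Import-Module ActiveDirectory
    $ad = Get-ADComputer -Filter * -Properties LastLogonDate | Select-Object Name, LastLogonDate
} else {
    # constructed sample standing in for Get-ADComputer output
    $ad = @(
        [pscustomobject]@{ Name='ACCT2-PC';        LastLogonDate=(Get-Date) },
        [pscustomobject]@{ Name='NURSESTATION-PC'; LastLogonDate=(Get-Date).AddDays(-1) },
        [pscustomobject]@{ Name='DESKTOP-1ISF081'; LastLogonDate=[datetime]'2025-03-10' },  # constructed date
        [pscustomobject]@{ Name='CS-SERVER';       LastLogonDate=(Get-Date) },
        [pscustomobject]@{ Name='AZUREADSSOACC';   LastLogonDate=$null }
    )
}

if ($RmmCsv) {
    $rmm = Import-Csv $RmmCsv | Select-Object -ExpandProperty Name
} else {
    # constructed sample standing in for the RMM export
    $rmm = @('ACCT2-PC', 'NURSESTATION-PC', 'ASSISTMAN-PC', 'CHEF-PC', 'CascadesProxess', 'CS-SERVER')
}

# Compare case-insensitively: NetBIOS names are not case-sensitive, but exports often differ in case.
$adNames  = @($ad  | ForEach-Object { $_.Name.ToUpperInvariant() })
$rmmNames = @($rmm | ForEach-Object { $_.ToUpperInvariant() })

$joined   = @($rmmNames | Where-Object { $adNames -contains $_    -and $_ -notin $infraToIgnore })
$unjoined = @($rmmNames | Where-Object { $adNames -notcontains $_ -and $_ -notin $appliancesToIgnore })
$notInRmm = @($adNames  | Where-Object { $rmmNames -notcontains $_ -and $_ -ne $seamlessSso })

# Stale = has a recorded logon, but older than the cut-off (objects with no logon at all need a manual look).
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = @($ad | Where-Object {
    $_.Name.ToUpperInvariant() -ne $seamlessSso -and $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff
})

"Joined staff workstations ({0}): {1}"      -f $joined.Count,   ($joined -join ', ')
"In RMM but NOT domain-joined ({0}): {1}"   -f $unjoined.Count, ($unjoined -join ', ')
"In AD but not reporting to RMM ({0}): {1}" -f $notInRmm.Count, ($notInRmm -join ', ')
"Stale AD objects (no logon in $StaleDays days): " +
    (($stale | ForEach-Object { "$($_.Name) (last $($_.LastLogonDate.ToString('yyyy-MM')))" }) -join ', ')
```

Against the inline sample this reports ACCT2-PC and NURSESTATION-PC as joined, ASSISTMAN-PC and CHEF-PC as un-joined, and DESKTOP-1ISF081 as both missing from RMM and stale, which is the shape of the snapshot above. The "in AD but not in RMM" list is worth keeping in the real run: an object that no agent reports on is either stale or a machine the RMM lost, and both need a decision.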


Workstream 1 — Workstation domain migration

Goal: every staff PC on cascades.local + GuruRMM + correct dept OU + mapped dept drives; retire per-PC Synology Drive Client.

Per-machine runbook (scripts in docs/migration/scripts/):

  1. phase3-pre-join-verify.ps1 (OneDrive KFM unlinked, no poisoned shell folders, name OK)
  2. phase3-join-domain.ps1 -> join cascades.local
  3. phase3-post-join-verify.ps1
  4. Move computer object into the correct department OU
  5. Confirm GuruRMM agent still checks in; migrate the user profile/data
  6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean
  7. Log the change

Tickets in this workstream: #32194 (deploy spare machine for new hire — join + enroll + AD acct), #32254 (Chef-PC reinstall then join).

Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)

| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | Win10 Home | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | Win11 Home | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | Win10 Home | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | Win11 Home | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | Win11 Home | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD HEALTH-SERVICES) |

Prep blockers / decisions (2026-06-24):

  • 5 machines on Windows Home cannot domain-join until upgraded to Pro (need license keys): LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. Howard handling the Home->Pro upgrades himself, ONSITE (decision 2026-06-25).
    • 2026-06-25 live re-check: the 6PM cron ad0a56a9 never completed — all 5 still EditionID=Core (Home), Licensed on Home keys, none half-upgraded. Remote job abandoned; Howard doing them onsite. Next step for these 5 = domain-join once they read EditionID=Professional. ProductName reads "Windows 10 Home" even on the Win11 boxes (stale registry string) — trust EditionID, not ProductName.
  • OneDrive KFM ON (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
  • Pending reboots + KFM unlinks: held for onsite (Howard) — disruptive to clear remotely.
  • LAPTOP-DRQ5L558 is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) — must be on-site/on-LAN before any join.
  • Note: the legacy phase3-pre-join-verify.ps1 hardcodes the DC at 192.168.2.254; clients actually reach it at 192.168.2.248 (the .254 NIC is the Hyper-V vEthernet and does not cleanly serve domain SMB) — update the script's target before reuse.
  • Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite: DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).
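The readiness categories in the audit table (READY / pending reboot / BLOCKED: Home->Pro, KFM ON, off-network) can be reproduced with a read-only probe, which is also the check behind step 1 of the per-machine runbook. The script below is an added example, not the project's phase3-pre-join-verify.ps1: it assumes the DC is reached at 192.168.2.248 (not the hard-coded .254), reads the user's shell folders under HKCU to spot OneDrive KFM, uses the standard CBS / Windows Update / PendingFileRenameOperations reboot markers, and treats 8.8.8.8 / 1.1.1.1 as the off-network DNS signal. It changes nothing; run it as the logged-on user so the HKCU check sees the right profile.

```powershell
# Added example (not the project's phase3-pre-join-verify.ps1): read-only pre-join readiness probe.
# Assumptions: DC at 192.168.2.248; KFM detected via OneDrive paths in User Shell Folders;
# standard pending-reboot registry markers; public resolvers = off the Cascades LAN.
param(
    [string]$Domain = 'cascades.local',
    [string]$DcIp   = '192.168.2.248'
)

$blockers = New-Object System.Collections.Generic.List[string]

# 1. Edition: trust EditionID, not ProductName (ProductName can still read "Windows 10 Home" on Win11 boxes).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$edition = $cv.EditionID
if ($edition -notin @('Professional', 'ProfessionalWorkstation', 'Enterprise', 'Education')) {
    $blockers.Add("Home->Pro (EditionID=$edition; ProductName='$($cv.ProductName)' is not authoritative)")
}

# 2. Pending reboot markers (CBS, Windows Update, pending file renames).
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))
if ($pending) { $blockers.Add('reboot') }

# 3. OneDrive KFM: Desktop / Documents / Pictures redirected into a OneDrive path. Joining with KFM still on
#    collides with the folder-redirection GPO, so it has to be unlinked first.
$usf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\User Shell Folders'
$kfm = @('Desktop', 'Personal', 'My Pictures') | Where-Object {
    [Environment]::ExpandEnvironmentVariables([string]($usf.$_)) -like '*OneDrive*'
}
if ($kfm) { $blockers.Add("OneDrive KFM ON ($($kfm -join ', '))") }

# 4. Already a member of the target domain? Then this machine belongs in the "joined" list, not here.
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $Domain) {
    "$($cs.Name): already domain-joined to $($cs.Domain)"
    return
}

# 5. DC reachability: public resolvers mean the box is off the Cascades LAN; SRV lookup and SMB to the DC
#    must both work before a join is attempted.
$dns = @(Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses) | Select-Object -Unique
$publicDns = @($dns | Where-Object { $_ -in @('8.8.8.8', '1.1.1.1') })
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$smb = Test-NetConnection -ComputerName $DcIp -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
if ($publicDns.Count -gt 0 -or -not $srv -or -not $smb) {
    $srvState = if ($srv) { 'ok' } else { 'FAILED' }
    $smbState = if ($smb) { 'ok' } else { 'FAILED' }
    $blockers.Add("off-network (DNS=$($dns -join '/'); SRV lookup $srvState; SMB to $DcIp $smbState)")
}

$verdict = if ($blockers.Count -eq 0) { 'READY' } else { 'BLOCKED: ' + ($blockers -join ' + ') }
"{0}  {1}  {2}" -f $cs.Name, $edition, $verdict
```

The output line matches the table's columns (machine, edition, readiness), so the probe can be run across the remaining un-joined machines through RMM and pasted back into the audit. Checking the DC by SRV record plus SMB on the .248 address is what catches the .254 problem noted above: a plain ping to .254 answers even though that NIC does not serve domain SMB cleanly.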

Workstream 2 — Users, departments & file-share access

Goal: every user in the right OU + SG-*-RW group; department drives mapped per the access matrix; Synology retired as primary.

  • Shares already created on CS-SERVER (D:\Shares\...): Management, Sales/SalesDept, Server, Accounting, Culinary, Activities, directoryshare, IT, Receptionist, Executive (NEW — Ashley+Meredith). Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
  • Populate SG-*-RW groups per docs/migration/share-access-matrix-2026-04-23.md.
  • Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
  • Close out the matrix open questions (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks, John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; pacs/Clinical-PHI create-or-retire; web retire.
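One way to do the per-user drive mapping in the "logon script" form, as an added example rather than the project's own script or GPP items: map each department drive only while the user is in the matching SG-*-RW group, and drop a mapping whose group membership has since been revoked, so a stale letter never advertises a share the user can no longer open. Group names beyond the SG-<Dept>-RW pattern, the CASCADES NetBIOS name, the SalesDept share name and every drive letter except Executive = E: are assumptions; the real list is in share-access-matrix-2026-04-23.md. The Receptionist drive is left out on purpose: it is machine-scoped (Tower desk only), which is GPP item-level targeting work, not a per-user script.

```powershell
# Added example (not the project's logon script or GPP items): group-driven department drive mapping.
# Assumptions: groups follow SG-<Dept>-RW; shares are \\CS-SERVER\<name>; letters other than E: are placeholders.
$domain = 'CASCADES'    # NetBIOS name assumed for cascades.local
$map = @(
    @{ Group = 'SG-Executive-RW';  Letter = 'E'; Share = '\\CS-SERVER\Executive'  },  # E: per ticket #32193
    @{ Group = 'SG-Accounting-RW'; Letter = 'N'; Share = '\\CS-SERVER\Accounting' },  # placeholder letter
    @{ Group = 'SG-Culinary-RW';   Letter = 'K'; Share = '\\CS-SERVER\Culinary'   },  # placeholder letter
    @{ Group = 'SG-Sales-RW';      Letter = 'S'; Share = '\\CS-SERVER\SalesDept'  },  # placeholder letter/share
    @{ Group = 'SG-IT-RW';         Letter = 'T'; Share = '\\CS-SERVER\IT'         }   # placeholder letter
)

# Token groups of the logged-on user: includes nested membership and needs no AD module on the client.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = @($id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
} | Where-Object { $_ })

foreach ($m in $map) {
    $wanted  = $groups -contains "$domain\$($m.Group)"
    $current = Get-PSDrive -Name $m.Letter -ErrorAction SilentlyContinue

    # Never touch a letter that belongs to a local volume (DisplayRoot is empty for those).
    if ($current -and -not $current.DisplayRoot) {
        Write-Warning "$($m.Letter): is a local volume; not remapping it for $($m.Share)"
        continue
    }

    if ($wanted) {
        if ($current -and $current.DisplayRoot -ieq $m.Share) { continue }   # already correct
        if ($current) { Remove-PSDrive -Name $m.Letter -Force }              # letter points elsewhere: reclaim it
        New-PSDrive -Name $m.Letter -PSProvider FileSystem -Root $m.Share -Persist -Scope Global | Out-Null
        "mapped $($m.Letter): -> $($m.Share)"
    } elseif ($current -and $current.DisplayRoot -ieq $m.Share) {
        # Membership revoked: remove the mapping so the share is not advertised to a user who lost access.
        Remove-PSDrive -Name $m.Letter -Force
        "removed $($m.Letter): ($($m.Share)); user is no longer in $($m.Group)"
    }
}
```

Because the decision is made from the user's token rather than a hard-coded per-user list, moving someone between departments is a group change in AD followed by a logon, which is the same discipline the SG-*-RW / NTFS side of the matrix relies on. GPP drive maps with item-level targeting on the same groups give the equivalent result without a script; the script form is mainly useful where the revoke-and-remove behaviour needs to be explicit.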

Tickets: #32193 (Executive restricted share — DONE 2026-06-24, E: mapped both machines), #32230 (Karen Rossini -> ALDOCS on Synology — recheck when she's in, she was out 2026-06-24).


Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)

Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)

  1. Swap GPO CSC - Caregiver Workstation security filter SG-Caregivers-Test -> SG-Caregivers.
  2. CA allow-list policy 1b7fd025: test group SG-Caregivers-DeviceTest -> SG-Caregivers; disable the compliance-block policy ede985e2.
  3. Move each caregiver machine into OU=Caregiver Devices + SG-PC-MainTower/SG-PC-MemoryCare one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
  4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user.
  5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
  6. Reboot NURSESTATION-PC to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).
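Step 3 is the part that repeats per device, and a wrong move there leaves a caregiver laptop outside the lockdown. The script below is an added example (not the project's own) that handles one device at a time with a dry run, the OU move, the location-group add, removal from the other location group, and a verify-and-refresh. It assumes the RSAT ActiveDirectory module, an OU DN built from the OU layout in the snapshot, and WinRM to the device for the policy refresh (it warns and continues if that fails). The GPO filter swap (step 1) and the CA policy changes (step 2) are done once, beforehand, and are not part of this script.

```powershell
# Added example (not the project's script): Workstream 3 step 3 for a single device, with dry run and verification.
# Assumptions: RSAT ActiveDirectory module; OU DN derived from the documented OU layout; WinRM to the device.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][ValidateSet('SG-PC-MainTower', 'SG-PC-MemoryCare')][string]$LocationGroup,
    [switch]$Commit      # without -Commit the script only reports what it would change
)

Import-Module ActiveDirectory

$targetOu       = 'OU=Caregiver Devices,OU=Staff PCs,OU=Workstations,DC=cascades,DC=local'   # DN assumed from the OU layout
$locationGroups = @('SG-PC-MainTower', 'SG-PC-MemoryCare')

$c = Get-ADComputer -Identity $ComputerName -Properties MemberOf, LastLogonDate
$currentOu     = ($c.DistinguishedName -split ',', 2)[1]
$currentGroups = @($c.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })

# Guard: an object with no recent logon is probably the duplicate, not the live device (NurseAssist vs ASSISTNURSE-PC).
if (-not $c.LastLogonDate -or $c.LastLogonDate -lt (Get-Date).AddDays(-30)) {
    Write-Warning "$ComputerName last logon '$($c.LastLogonDate)': confirm this is the live object before moving it."
}

$plan = @()
if ($currentOu -ne $targetOu)                    { $plan += "move $ComputerName from '$currentOu' to '$targetOu'" }
if ($currentGroups -notcontains $LocationGroup)  { $plan += "add $ComputerName to $LocationGroup" }
$wrongLocation = @($locationGroups | Where-Object { $_ -ne $LocationGroup -and $currentGroups -contains $_ })
foreach ($g in $wrongLocation) { $plan += "remove $ComputerName from $g (a device belongs to exactly one location group)" }

if ($plan.Count -eq 0) { "$ComputerName is already in the Caregiver Devices OU and $LocationGroup; nothing to do"; return }
$plan | ForEach-Object { "PLAN: $_" }
if (-not $Commit) { "dry run; re-run with -Commit to apply"; return }

if ($currentOu -ne $targetOu) {
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOu
    $c = Get-ADComputer -Identity $ComputerName   # refresh: the DN changed
}
if ($currentGroups -notcontains $LocationGroup) { Add-ADGroupMember -Identity $LocationGroup -Members $c }
foreach ($g in $wrongLocation) { Remove-ADGroupMember -Identity $g -Members $c -Confirm:$false }

# Verify from AD, then ask the device to refresh computer policy so the lockdown GPO is present before the reboot in step 6.
$v    = Get-ADComputer -Identity $ComputerName -Properties MemberOf
$inOu = (($v.DistinguishedName -split ',', 2)[1]) -eq $targetOu
$inSg = @($v.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -contains $LocationGroup
"verify: OU ok=$inOu, $LocationGroup ok=$inSg"
try {
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        gpupdate /target:computer /force | Out-Null
        gpresult /r /scope:computer
    }
} catch {
    Write-Warning "could not refresh policy remotely on ${ComputerName}: $($_.Exception.Message). Run gpupdate on the device."
}
```

Running it once per laptop, dry run first, gives a per-device record of what changed and a gpresult showing the caregiver GPO applied, which is the evidence wanted when the HIPAA lockdown is reviewed later. The "exactly one location group" rule is enforced on purpose: a device in both SG-PC-MainTower and SG-PC-MemoryCare would pick up both sets of settings and the result is hard to reason about.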

Workstream 4 — M365

  • Relicense 31 users Business Standard -> Business Premium (Standard is SUSPENDED — time-sensitive).
  • Create break-glass accounts (breakglass1/2-csc@) + enroll FIDO2 YubiKeys.
  • Build audit retention (Log Analytics 90d + Storage 6yr) in rg-audit-cascadestucson.

Workstream 5 — Server / infrastructure

  • Cloud backup (MSP360 -> ACG-backup): VERIFIED running 2026-06-24 (last run Success, 0 failed, 575 GB baseline in cloud, incrementals working). Still confirm it is image/bare-metal/system-state (looks file-level) + set retention. [GATE for any drive work]
  • CS-SERVER RAID -- CORRECTED 2026-06-24: HEALTHY, not degraded (live OMSA: both mirrors Ok, all 5 disks Online, all LEDs green; the 6/15 degraded self-recovered). NO emergency drive swap. 1:0:4 = global hot spare (do not remove). Planned reliability upgrade: replace the 2 consumer 320 GB drives (esp. flaky WD 0:0:3) with the 2x enterprise SSD already purchased, on a scheduled window w/ confirmed image/system-state backup. [WARN] PSU redundancy lost -- one PSU not delivering, check onsite. Service Tag 9MQFTK1. Real fix = DC migration off the 16-yr-old R610.
  • Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
  • Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
  • Rotate the Synology signin-portal credential (was committed plaintext historically).

Workstream 6 — Network (mostly complete)

  • CSC ENT device-island consolidation (phones + Helpany on 5 GHz) — repurpose CSC ENT as a 5 GHz-only WPA2 PPSK SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz. Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea (deleting it would orphan the Pauls). Both vendors can move their devices remotely once we provide the network. Onsite gate: verify per-room 5 GHz coverage before the band flip (steel walls; weak-5GHz devices stay on 2.4). Full design + sequence: docs/network/csc-ent-device-island-plan.md.
    • Build VLAN 40 (Helpany, egress-only to *.sedimentum.com + snapcraft/ubuntu) on pfSense.
    • Enable PPSK on CSC ENT: key Ftfd85710# -> VLAN 40 (Pauls keep SSID+key, not reprogrammed); new voice key -> VLAN 30 (phones re-pointed by Howard/Richard).
    • Flip CSC ENT to 5 GHz-only (apply-wlan.sh ... bands 5g) in a coordinated window; pilot a few phones + Pauls, then full rollout.
    • Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
    • PREREQUISITE (live 2026-06-24): CSC ENT has 149 clients, only 68 are Helpany. ~79 non-Helpany devices must be evacuated first — 14 staff PCs (domain mig), 11 printers, 11 DIRECTV + 11 resident IoT/TV + 15 personal phones + 17 unknown (resident-facing — need help reconnecting). ~51 are on 2.4 GHz and would drop on a 5 GHz-only flip. Per-device inventory + resident help-list: docs/network/csc-ent-client-inventory-2026-06-24.md. TODO: pull stat/alluser for offline resident TVs; identify the 17 unknowns + generic phones with John Trozzi.
  • #32319 WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site va6iba3v).
  • #32342 Copy Room switch — install + adopt into UniFi.
  • ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
  • (Superseded) Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).

Workstream 7 — Onsite peripheral

  • #32370 eFax setup (Karen & Christin) + portable scanner on both machines.

Suggested sequence (fastest path)

  1. Today's onsite batch (Howard): #32342 (Copy Room switch), #32319 (Room 343 AP), #32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join); #32230 (Karen -> ALDOCS) once she's in. While onsite: verify per-room 5 GHz coverage for the CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the vendors.
  2. Caregiver lockdown go-live (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
  3. M365 relicense 31 users (Workstream 4) — time-sensitive.
  4. Backup verify -> RAID replacement (Workstream 5) — critical single-DC risk.
  5. Remaining staff domain joins + dept drives (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
  6. Network tail (CSC ENT 5 GHz device-island consolidation with Vertical/Helpany, 100 Mbps ports) + M365 break-glass/audit retention.

Open Syncro tickets -> workstream map

| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | DONE 2026-06-24 (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |