claudetools/clients/cascades-tucson/session-logs/2026-05-22-session.md
Howard Enos fa4ac2ea37 sync: auto-sync from HOWARD-HOME at 2026-05-22 15:40:30
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-22 15:40:30
2026-05-22 15:40:34 -07:00


Cascades of Tucson — Session Log 2026-05-22

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home
  • Role: tech
  • Session span: 2026-05-22, afternoon/evening

Session Summary

This session continued the Cascades of Tucson department-by-department domain migration (Syncro #110680053), picking up from the previous session where NURSESTATION-PC folder redirection had just been resolved. The session covered five main areas: cascadesDS authentication investigation, GPO ILT fixes for RECEPTIONIST-PC prep, Ashley Jensen's machine migration, RECEPTIONIST-PC domain join, and cascades migration plan documentation.

The cascadesDS Synology NAS authentication failure for the Nurses account was investigated. Root cause was identified as a workgroup name collision — cascadesDS workgroup is "CASCADES" which matches the AD domain short name, causing domain-joined Windows machines to send domain (Kerberos/NTLM) credentials that the non-domain-joined Synology rejects. Three options were evaluated: domain-joining the Synology, creating a temporary local account, or moving ALDocs to CS-SERVER. Since cascadesDS has many legacy local accounts set up by prior IT and is slated to become a backup device, all options were deferred. Howard will move ALDocs to CS-SERVER when ready, at which point the Synology authentication problem becomes moot.

Two GPO ILT fixes were applied to CS-SERVER ahead of RECEPTIONIST-PC's domain join. The FrontDesk printer (in CSC - Printer Deployment GPO) and R: drive mapping (in CSC - Drive Mappings GPO) both had Item-Level Targeting set to OU=Resident Services — which would have incorrectly pushed these to Courtesy Patrol and RS Director. Both were changed to FilterGroup: CASCADES\SG-FrontDesk. Both GPT.ini versions were bumped (65536 → 131072).

Ashley Jensen (DESKTOP-U2DHAP0, OU=Administrative, accountant) was domain-joined using ProfWiz. Server-side prep was completed: D:\Homes\Ashley.Jensen with all five subfolders created on CS-SERVER, Ashley.Jensen added to SG-FolderRedirect. The domain join succeeded but folder redirection did not apply correctly — the Desktop partially redirected but Explorer did not reflect the new path even after logoff/logon. Howard moved folders manually. The exact cause of the redirection failure was not fully diagnosed; this remains an ongoing issue across multiple machines on this migration.

RECEPTIONIST-PC was domain-joined successfully via ProfWiz, migrating the local RECEPTIONIST-PC\Front Desk profile to CASCADES\frontdesk. Post-join server-side steps were completed: RECEPTIONIST-PC$ moved from CN=Computers to OU=Staff PCs,OU=Workstations; added to SG-Reception-PCs; frontdesk added to SG-FrontDesk; CSC - Reception Workstation Policy GPO linked to OU=Staff PCs,OU=Workstations. The loopback Replace mode on this GPO means folder redirection is suppressed for RECEPTIONIST-PC by design — no folder redirect issues expected here.


Key Decisions

  • cascadesDS domain join deferred: Joining the NAS to the domain would break migration from it to CS-SERVER — the NAS has many legacy local accounts and will be repurposed as a backup device. Decided to defer until ALDocs is moved to CS-SERVER.
  • FrontDesk printer and R: drive ILTs changed to group-based filter: Changed from OU=Resident Services to SG-FrontDesk before RECEPTIONIST-PC domain join to prevent GPO from incorrectly deploying these resources to other RS users when Phase 3 GPOs are broadly linked.
  • RECEPTIONIST-PC uses loopback Replace — no folder redirection: By design. The CSC - Reception Workstation Policy GPO suppresses per-user folder redirection so any domain user sitting at the receptionist desk gets the reception configuration (Q:, W:, FrontDesk printer) regardless of their home department.
  • Ashley Jensen folder redirection not retried: After failed attempt, Howard moved folders manually. The failure mode (Desktop partially redirected but not reflected in Explorer after logoff/logon) is not yet fully diagnosed.

Problems Encountered

  • cascadesDS auth failure root cause: Workgroup "CASCADES" = AD domain short name. Domain-joined machines send domain credentials; Synology rejects them. Deferred — NAS being phased out.
  • GPT.ini version collision (Drive Mappings / Printer Deployment): Both GPOs had Version=65536 (only user version set). Bumped to 131072 after XML edits. jq --arg used to safely pass Windows paths through JSON encoding after multiple backslash escaping failures with other approaches.
  • Printers.xml FrontDesk match failed with -eq: $_.name -eq "\\CS-SERVER\FrontDesk" returned null despite the name appearing correct in diagnostics. Switched to -like "*FrontDesk*" with -notlike "*NursesPrinter*" guard. Exact cause (possible encoding difference) not determined.
  • new-home-folder.ps1 not on CS-SERVER: Script exists in claudetools repo but was not deployed to CS-SERVER. Ran the function inline in the GuruRMM command instead. Note: the script path C:\scripts\new-home-folder.ps1 does not exist on CS-SERVER.
  • Ashley Jensen folder redirection failure: GPO fired (Desktop was partially redirected) but Explorer showed old path after logoff/logon. Howard moved folders manually. Cause not diagnosed.
  • Ashley Jensen logged into local account after first ProfWiz attempt: Logged into local account instead of domain account — profile migration did not complete. System restore performed, ProfWiz re-run.
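
One way to confirm which ILT filters a preference item carries, and to expose invisible characters when an exact `-eq` name match fails as described above. This is an added example, not one of the session's own commands: the XML is a constructed, trimmed sample, and `Get-GppItemFilter` is a hypothetical helper name.

```powershell
# Added example. The XML is a constructed sample in the shape of a GPP
# Printers.xml, not the file from CS-SERVER. &#160; is a deliberate trailing
# no-break space, one kind of invisible difference that defeats -eq.
$sample = @'
<Printers>
  <SharedPrinter name="\\CS-SERVER\FrontDesk&#160;">
    <Properties action="U" path="\\CS-SERVER\FrontDesk" />
    <Filters>
      <FilterGroup bool="AND" not="0" name="CASCADES\SG-FrontDesk" />
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="\\CS-SERVER\NursesPrinter">
    <Properties action="U" path="\\CS-SERVER\NursesPrinter" />
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Resident Services,DC=cascades,DC=local" />
    </Filters>
  </SharedPrinter>
</Printers>
'@

# Hypothetical helper: one row per preference item with its ILT filters.
function Get-GppItemFilter {
    param([xml]$Xml)
    foreach ($item in $Xml.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne 'Element') { continue }
        $name    = $item.GetAttribute('name')
        $props   = $item.SelectSingleNode('Properties')
        $filters = @($item.SelectNodes('Filters/*'))
        [pscustomobject]@{
            Name       = $name
            Path       = if ($props) { $props.GetAttribute('path') }
            Filters    = ($filters | ForEach-Object { '{0}={1}' -f $_.LocalName, $_.GetAttribute('name') }) -join '; '
            # True when the item is still targeted by OU rather than by group.
            OuTargeted = $filters.LocalName -contains 'FilterOrgUnit'
            # Code points outside printable ASCII; empty when the name is clean.
            OddChars   = ($name.ToCharArray() | Where-Object { [int]$_ -lt 32 -or [int]$_ -gt 126 } |
                          ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
        }
    }
}

Get-GppItemFilter -Xml $sample | Format-List
```

Against a real policy, pass the file content instead of the sample, for example `Get-GppItemFilter -Xml (Get-Content -Raw <path to Printers.xml>)`.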

Configuration Changes

  • C:\Windows\SYSVOL\sysvol\cascades.local\Policies\{82fcc33c-8ea2-43ca-8d9b-bfebd17a297f}\User\Preferences\Drives\Drives.xml — R: drive ILT changed from OU=Resident Services to FilterGroup CASCADES\SG-FrontDesk
  • C:\Windows\SYSVOL\sysvol\cascades.local\Policies\{82fcc33c-8ea2-43ca-8d9b-bfebd17a297f}\GPT.INI — Version 65536 → 131072
  • C:\Windows\SYSVOL\sysvol\cascades.local\Policies\{9f5e71de-f2b0-421f-b3e4-0f07913fffd3}\User\Preferences\Printers\Printers.xml — FrontDesk printer ILT changed from OU=Resident Services to FilterGroup CASCADES\SG-FrontDesk
  • C:\Windows\SYSVOL\sysvol\cascades.local\Policies\{9f5e71de-f2b0-421f-b3e4-0f07913fffd3}\GPT.INI — Version 65536 → 131072
  • D:\Homes\Ashley.Jensen\ — created on CS-SERVER with Desktop, Documents, Downloads, Music, Pictures subfolders and correct ACL
  • AD: Ashley.Jensen added to SG-FolderRedirect
  • AD: RECEPTIONIST-PC$ moved from CN=Computers to OU=Staff PCs,OU=Workstations,DC=cascades,DC=local
  • AD: RECEPTIONIST-PC$ added to SG-Reception-PCs
  • AD: frontdesk added to SG-FrontDesk
  • GPO: CSC - Reception Workstation Policy (GUID={A94116C2-078E-4343-8EA4-DFA6B377F0F8}) linked to OU=Staff PCs,OU=Workstations,DC=cascades,DC=local
  • clients/cascades-tucson/session-logs/2026-05-22-session.md — created (this file)
  • C:\Users\Howard\.claude\plans\wise-discovering-panda.md — updated save point, checklist, Known Issues section added for cascadesDS
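
The GPT.INI bumps listed above follow the GPO version encoding: the user-side version is the high 16 bits and the computer-side version the low 16 bits, so 65536 is user version 1 and 131072 is user version 2. The block below is an added example (not the commands run in this session) that decodes and increments the user half; the function names are hypothetical and it works on a constructed temp file rather than SYSVOL.

```powershell
# Added example; function names are hypothetical. Operates on a temp file.
function ConvertFrom-GpoVersion {
    param([long]$Version)
    [pscustomobject]@{
        User     = [int][math]::Floor($Version / 65536)   # high 16 bits
        Computer = [int]($Version % 65536)                # low 16 bits
    }
}

function Step-GptIniUserVersion {
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $m = [regex]::Match($text, '(?im)^Version=(\d+)')
    if (-not $m.Success) { throw "No Version= line in $Path" }
    $old = [long]$m.Groups[1].Value
    $v   = ConvertFrom-GpoVersion $old
    # Refuse to carry out of the 16-bit user field.
    if ($v.User -ge 65535) { throw 'User version would overflow 16 bits' }
    $new  = $old + 65536          # +1 on the user side, computer side untouched
    $text = $text -replace '(?im)^Version=\d+', "Version=$new"
    Set-Content -LiteralPath $Path -Value $text -NoNewline -Encoding Ascii
    [pscustomobject]@{ Old = $old; New = $new; User = $v.User + 1; Computer = $v.Computer }
}

# Constructed GPT.INI with the starting value recorded in this log.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'GPT-sample.ini'
Set-Content -LiteralPath $tmp -Value "[General]`r`nVersion=65536`r`n" -NoNewline -Encoding Ascii
Step-GptIniUserVersion -Path $tmp
Get-Content -LiteralPath $tmp
```

On a DC, `(Get-GPO -Name "CSC - Drive Mappings").User.DSVersion` and `.User.SysvolVersion` show whether the AD `versionNumber` attribute and GPT.INI agree after a manual SYSVOL edit.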

Credentials & Secrets

  • Ashley Jensen domain account: CASCADES\Ashley.Jensen / Fall2025!
  • Ashley Jensen local (pre-join): ScarlettSky18*
  • Vault: clients/cascades-tucson/accountant-pc.sops.yaml
  • frontdesk domain account: CASCADES\frontdesk / sccssccs#3 (vault: clients/cascades-tucson/frontdesk-user.sops.yaml)
  • cascadesDS admin: admin / r3tr0gradE99# (vault: existing entry)

Infrastructure & Servers

| Host | Role | IP / Notes |
|------|------|------------|
| CS-SERVER | AD DC, file server, print server | 192.168.2.254 |
| cascadesDS | Synology NAS | 192.168.0.120, port 5000 (DSM), workgroup=CASCADES |
| RECEPTIONIST-PC | Receptionist workstation | 10.0.20.102, MAC 98:59:7A:B0:06:58, now domain-joined |
| DESKTOP-U2DHAP0 | Ashley Jensen's workstation | Domain-joined, GuruRMM agent installed |
| NURSESTATION-PC | Nurses station | Domain-joined, folder redirection complete |

GPO GUIDs:

  • CSC - Drive Mappings: {82fcc33c-8ea2-43ca-8d9b-bfebd17a297f}
  • CSC - Printer Deployment: {9f5e71de-f2b0-421f-b3e4-0f07913fffd3}
  • CSC - Reception Workstation Policy: {A94116C2-078E-4343-8EA4-DFA6B377F0F8}

AD Groups updated:

  • SG-FrontDesk: frontdesk
  • SG-Reception-PCs: RECEPTIONIST-PC$
  • SG-FolderRedirect: Crystal.Rodriguez, Ashley.Jensen, Zachary.Nelson, Nurses

Commands & Outputs

```powershell
# GPO GUIDs (run on CS-SERVER)
Import-Module GroupPolicy
(Get-GPO -Name "CSC - Drive Mappings").Id.ToString()   # 82fcc33c-8ea2-43ca-8d9b-bfebd17a297f
(Get-GPO -Name "CSC - Printer Deployment").Id.ToString() # 9f5e71de-f2b0-421f-b3e4-0f07913fffd3

# Move RECEPTIONIST-PC to correct OU
Move-ADObject -Identity "CN=RECEPTIONIST-PC,CN=Computers,DC=cascades,DC=local" -TargetPath "OU=Staff PCs,OU=Workstations,DC=cascades,DC=local"

# Add computer to SG-Reception-PCs
Add-ADGroupMember -Identity "SG-Reception-PCs" -Members (Get-ADComputer -Identity "RECEPTIONIST-PC")

# Link Reception Workstation Policy GPO
New-GPLink -Name "CSC - Reception Workstation Policy" -Target "OU=Staff PCs,OU=Workstations,DC=cascades,DC=local" -LinkEnabled Yes

# Ashley Jensen home folder — inline (script not deployed to CS-SERVER)
$Username = "Ashley.Jensen"; $path = "D:\Homes\$Username"
New-Item -ItemType Directory -Path $path -Force | Out-Null
# ... (full function in clients/cascades-tucson/scripts/new-home-folder.ps1)
```

Pending / Incomplete Tasks

  • Ashley Jensen (DESKTOP-U2DHAP0): Folder redirection incomplete. Howard moved folders manually. Verify Desktop/Documents/Downloads point to \\CS-SERVER\Homes\Ashley.Jensen. Home folder and SG-FolderRedirect are configured server-side.
  • RECEPTIONIST-PC: Verify gpupdate picks up CSC - Reception Workstation Policy — Q: and W: drives should map, FrontDesk printer should deploy on next login.
  • cascadesDS → nurses: Map \\cascadesDS\Server for nurses user (ALDocs) — deferred until data moved to CS-SERVER.
  • NURSESTATION-PC: Auto-lock GPO (HIPAA, ~10 min idle).
  • Nurses credential vault: clients/cascades-tucson/nurses-shared.sops.yaml (password: Nurse8863171!) — not yet created.
  • Lauren Hasselman: OneDrive data move + New-HomeFolder + SG-FolderRedirect + machine domain join.
  • Entra Connect: Add cascadestucson.com UPN suffix, change Administrative OU UPNs, add OU=Administrative to sync scope.
  • Phase 3 machines: DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC domain joins.
  • M365 licensing: Relicense 31 users Business Standard → Business Premium (time-sensitive, 31 SPB seats free).
  • new-home-folder.ps1 deployment: Script should be deployed to CS-SERVER (e.g., C:\scripts) so it can be dot-sourced rather than run inline via GuruRMM.

Reference Information

  • Syncro ticket: https://computerguru.syncromsp.com/tickets/110680053
  • Migration plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md
  • GuruRMM CS-SERVER agent ID: 6766e973-e703-47c1-be56-76950290f87c
  • GuruRMM DESKTOP-U2DHAP0 agent: confirmed installed, ID not recorded
  • Cascades vault entries: clients/cascades-tucson/ in vault repo
  • fdeploy1.ini path: C:\Windows\SYSVOL\sysvol\cascades.local\Policies\{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini (Flags now 187)