claudetools/clients/cascades-tucson/docs/printer-gpo-map.md
Howard Enos 9e78a153f3 sync: auto-sync from HOWARD-HOME at 2026-07-01 13:22:23
2026-07-01 13:24:58 -07:00


Cascades — Printer / VLAN 20 Migration Map (GPO planning)

Living reference for the migration of staff machines + printers off the flat old LAN ("CSC ENT", 192.168.0.0/22) onto Staff VLAN 20 (10.0.20.0/24, "CSCNET") and the eventual printer GPO build. Started 2026-06-30 (Howard). Last reconciled to LIVE state 2026-07-01 (full GuruRMM fleet IP pull + CS-SERVER Get-Printer/Get-PrinterPort + TCP reachability).

STATE AT A GLANCE (live 2026-07-01)

  • Machines: essentially migrated. 22 online hosts are on VLAN 20 (10.0.20.x). Only CS-SERVER (stays on the LAN by design) + 6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2, NurseAssist, 2 roaming laptops) remain on 192.168.x. See "Machine migration status" below.
  • Printer shares: lagging — 4 of 15 repointed. Only FrontDesk, BusinessOffice, LifeEnrichment, MCReception point at 10.0.20.x. The other 11 CS-SERVER print shares still target old-LAN printer IPs. (Server-share printing still WORKS for those — CS-SERVER is on the old LAN and reaches them fine — but the printer hardware hasn't been moved onto VLAN 20 yet.)
  • All 7 VLAN20 printer targets reachable from CS-SERVER on 9100 (incl. .74, the MCMedTech target that the share hasn't been repointed to yet). Gateway 10.0.20.1 pings.
  • GPO: not fleet-live. Point-and-Print GPO is built but scoped to one pilot box; the silent new-driver-install gap is still open (reboot vs pre-stage drivers — decision pending). See "PILOT RESULT" below.

How the GPO needs to be built (two layers)

  1. Point-and-Print policy (computer GPO, fleet-wide) — REQUIRED prerequisite or any GPO-pushed printer fails (PrintService event 513 / error 0xBCB) for standard users. All values live under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint (the Printing ADMX writes RestrictDriverInstallationToAdministrators there too, not one level up under Printers): RestrictDriverInstallationToAdministrators=0; Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2. The TrustedServers/ServerList/InForest trio is the control that limits silent driver install to CS-SERVER: with RestrictDriverInstallationToAdministrators=0 and NoWarningNoElevationOnInstall=1, every workstation will pull and install driver packages in the spooler (as SYSTEM) from whatever server that list names, so the list must stay at CS-SERVER only. Caregiver machines already have this — that's why their printer GPO works. GPO CSC - Point and Print (CS-SERVER) {BFAB721A-513D-4C14-8255-DEB1D4266830} is BUILT but scoped to DESKTOP-H6QHRR7 only (see PILOT RESULT).
  2. Printer deployment — GPP Printers / Deployed Printers mapping \\CS-SERVER\<share> to the right users/OU/room. Existing GPO CSC - Life Enrichment Printers still points at OLD share name RecRoom-Canon — repoint. CSC - Printer Deployment is disabled/empty (do not use).
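Added example (not the page's own script, and not how the existing GPO was necessarily built): the Layer 1 values written into the existing GPO with the GroupPolicy RSAT module, followed by a read-back that flags any value not matching the plan. It assumes the GPO already exists under the name above and that the session is allowed to edit it; the GPO name, key path and values are the ones listed in this section.

```powershell
# Added example: enforce the Layer 1 Point-and-Print values in the existing GPO and read them back.
# Assumes RSAT GroupPolicy module and edit rights on the GPO named below.
Import-Module GroupPolicy
$Gpo = 'CSC - Point and Print (CS-SERVER)'
# Single key; the Printing ADMX places RestrictDriverInstallationToAdministrators here as well.
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$Values = [ordered]@{
    RestrictDriverInstallationToAdministrators = 0            # KB5005652 override: non-admins may install drivers ...
    Restricted                                 = 1            # ... only through Point and Print ...
    TrustedServers                             = 1            # ... from the servers in ServerList ...
    InForest                                   = 0            # ... and not from any server in the forest
    NoWarningNoElevationOnInstall              = 1            # no prompt on first install from a trusted server
    UpdatePromptSettings                       = 2            # no prompt on driver update either
    ServerList                                 = 'CS-SERVER'  # semicolon-separated; add the FQDN if clients ever connect that way
}

foreach ($name in $Values.Keys) {
    $type = if ($Values[$name] -is [string]) { 'String' } else { 'DWord' }
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $name -Type $type -Value $Values[$name] | Out-Null
}

# Read-back: compare what the GPO now carries with the plan above.
$live = @{}
Get-GPRegistryValue -Name $Gpo -Key $Key | ForEach-Object { $live[$_.ValueName] = $_.Value }
foreach ($name in $Values.Keys) {
    $state = if ("$($live[$name])" -eq "$($Values[$name])") { 'OK' } else { 'MISMATCH' }
    '{0,-44} expected={1,-10} live={2,-10} {3}' -f $name, $Values[$name], $live[$name], $state
}
```

On the pilot box, gpupdate /force and then Get-ItemProperty on HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint shows whether the same seven values actually landed; that is the check the PILOT RESULT section refers to when it says the registry landed correctly.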

Driver trap: Canon MF741/743/751 are UFR II only — PCL6 produces Error #822 (spools, never prints). Any GPO/share for those Canons MUST use Canon Generic Plus UFR II V250 (INF cnlb0ma64.inf). NOTE: MCDirector (Canon MF751CDW) and Kitchen/ExecDirector (Canon MF743CDW) shares are currently on PCL6 on the server — they will hit Error #822 and need the UFR II driver when touched.

Printer share inventory — CS-SERVER (live 2026-07-01)

All shares Shared=True, Published=False. "VLAN20?" = does the port point at 10.0.20.x yet.

| Share | Model | Port host IP | VLAN20? | Driver (on server) | Action |
|---|---|---|---|---|---|
| FrontDesk | Epson ET-5800 | 10.0.20.221 | YES | EPSON ET-5800 Series | DONE. Add to GPO. |
| BusinessOffice | Brother MFC-L8900CDW | 10.0.20.220 | YES | Brother Generic Jpeg Type2 | DONE (now reachable; was powered-off 6/30). Add to GPO. |
| LifeEnrichment | Canon MF741CDW | 10.0.20.94 | YES | Canon Generic Plus UFR II V250 | DONE. Repoint CSC - Life Enrichment Printers GPO RecRoom-Canon->LifeEnrichment. |
| MCReception | Epson ET-5800 | 10.0.20.78 | YES | EPSON ET-5800 Series | DONE (share now on .78). Client-side setup on MEMRECEPT-PC still TBD. |
| MCMedTech | Brother (L8900CDW) | 192.168.2.53 | NO — STALE | Brother Generic Jpeg Type2 | REPOINT to 10.0.20.74 (target is LIVE + reachable). Caregiver GPO deploys this share. |
| NursesPrinter | Brother MFC-L8900CDW | 192.168.2.75 | NO | Brother Generic Jpeg Type2 | Re-IP to VLAN20 + repoint. Caregiver GPO default printer. |
| HealthServices | Konica Minolta C368 | 192.168.1.138 | NO | KONICA MINOLTA Universal PCL | Re-IP to VLAN20 + repoint. Caregiver GPO. |
| MCDirector | Canon MF751CDW | 192.168.3.52 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; switch to UFR II (MF751 = UFR II only). Caregiver GPO. |
| CopyRoom | Canon | 192.168.2.230 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; verify model/PDL. Caregiver GPO default fallback. |
| Kitchen | Canon MF743CDW | 192.168.3.232 | NO | Canon Generic Plus PCL6 | Kitchen printer (with chefs). Re-IP + repoint; UFR II. Separate from Dining .228. |
| CulinaryChef | Brother MFC-9330CDW | 192.168.3.88 | NO | Brother Generic Jpeg Type2 | Likely redundant with the Chef direct-IP printer (.236 on CHEF-PC). Verify same device -> retire or repoint. |
| Accounting | Canon MF455DW | 192.168.3.227 | NO | Canon Generic Plus PCL6 | Re-IP + repoint (verify PDL; MF455 supports PCL). |
| AdminOffice | Brother MFC-9340CDW | 192.168.2.145 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |
| ExecDirector | Canon MF743CDW | 192.168.2.67 | NO | Canon Generic Plus PCL6 | Re-IP + repoint; UFR II (MF743). |
| SalesMarketing | Brother MFC-L8900CDW | 192.168.3.44 | NO | Brother Generic Jpeg Type2 | Re-IP + repoint. |

Progress: 4 / 15 shares on VLAN 20. 11 remain on old-LAN IPs.
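The inventory above was reconciled by hand from Get-Printer / Get-PrinterPort on CS-SERVER plus a TCP test. Added example (a reconstruction of that pull, not the page's own script): join each shared printer to its port, decide from the port's host address whether the share is on VLAN 20, probe 9100, and flag the Canon MF741/743/751 shares that still carry a PCL6 driver (the Error #822 trap). It assumes it runs from a domain-joined box that can reach CS-SERVER's spooler over RPC and can route to both 192.168.0.0/22 and 10.0.20.0/24, otherwise the 9100 column says nothing useful. The model lookup for the Canon shares is copied from the table above; Get-Printer does not expose the model.

```powershell
# Added example: live reconciliation of CS-SERVER print shares vs. VLAN 20 and 9100 reachability.
$Server = 'CS-SERVER'
$Vlan20 = '^10\.0\.20\.\d{1,3}$'

# Canon models per the share inventory on this page; these three models are UFR II only.
$UfrOnlyShares = @{ LifeEnrichment = 'MF741CDW'; MCDirector = 'MF751CDW'; Kitchen = 'MF743CDW'; ExecDirector = 'MF743CDW' }

# Port name -> port object. PrinterHostAddress only exists on Standard TCP/IP ports.
$ports = @{}
Get-PrinterPort -ComputerName $Server | ForEach-Object { $ports[$_.Name] = $_ }

$rows = Get-Printer -ComputerName $Server | Where-Object Shared | ForEach-Object {
    $port = $ports[$_.PortName]
    $ip   = if ($port) { $port.PrinterHostAddress } else { $null }
    $up   = $false
    if ($ip) {
        $up = Test-NetConnection -ComputerName $ip -Port 9100 -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    # PCL6 on an MF741/743/751 spools but never prints (Error #822).
    $trap = $UfrOnlyShares.ContainsKey($_.ShareName) -and ($_.DriverName -match 'PCL6')
    [pscustomobject]@{
        Share   = $_.ShareName
        Port    = $_.PortName
        HostIP  = $ip
        VLAN20  = [bool]($ip -match $Vlan20)
        Tcp9100 = [bool]$up
        Driver  = $_.DriverName
        PdlTrap = $trap
    }
}

$rows | Sort-Object VLAN20, Share | Format-Table -AutoSize
'Progress: {0} / {1} shares on VLAN 20' -f @($rows | Where-Object VLAN20).Count, @($rows).Count
```

A Tcp9100=False row whose HostIP is on the old LAN is expected while this script runs from VLAN 20 without the pfSense route in place; the same row seen from CS-SERVER itself is the real signal that a printer is off or moved.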

Direct-IP printers (workgroup machines — no CS-SERVER share)

| Printer | Model | IP (VLAN20) | Machine | User(s) | Status |
|---|---|---|---|---|---|
| Dining Room Manager | Canon MF743CDW | 10.0.20.228 | DESKTOP-MD6UQI3 (workgroup) | dining manager (Alyssa) | DONE direct-IP (UFR II), default. Domain-join -> move to \\CS-SERVER\<share> + GPO. |
| Chef Office | Brother MFC-9330CDW | 10.0.20.236 | CHEF-PC (workgroup) | chef / JD Martin (USB stays default) | DONE direct-IP machine-wide. Domain-join -> GPO. May correspond to stale CulinaryChef server share (.88) — reconcile. |
| MedTech (also MCMedTech) | Brother MFC-L8900CDW | 10.0.20.74 | RECEPTIONIST-PC (memcare box) + DESKTOP-LPOPV30 | memory care; karen rossini | DONE direct-IP machine-wide on both; server MCMedTech share still needs repoint to .74. |

Machine migration status — VLAN 20 (live 2026-07-01)

On VLAN 20 (10.0.20.x) — 22 online hosts: ACCT2-PC (.209), ANN-PC (.218), ASSISTNURSE-PC (.181), CHEF-PC (.232, workgroup), CRYSTAL-PC (.205), DESKTOP-DLTAGOI (.72, sharon.edwards), DESKTOP-H6QHRR7 (.235, Lauren — P&P pilot box), DESKTOP-LPOPV30 (.100, karen), DESKTOP-MD6UQI3 (.222, workgroup, Alyssa), DESKTOP-N5G1ROO (.183, Chris Knight), DESKTOP-ROK7VNM (.223, susan.hicks), DESKTOP-TRCIEJA (.184, Lupe — slated for replacement), Health-Services-Director (.178), LAPTOP-DRQ5L558 (.237, caregiver device), MAINTENANCE-PC (.96), MDIRECTOR-PC (.71, Shelby Trozzi), MEMRECEPT-PC (.97, workgroup, memfrtdesk), NURSESTATION-PC (.180, caregiver device), RECEPTIONIST-PC frontdesk box (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare box (.68, S/N MJ0KQH4R — pending MEMCARE-STATION rename), SALES4-PC (.203), megan (.202).

Still on old LAN (192.168.x):

  • CS-SERVER (192.168.2.248 / .254) — DC + print server, stays on the LAN by design.
  • ASSISTMAN-PC (192.168.2.38, Meredith Kuhn) — known watch-host, not migrated.
  • CascadesProxess (192.168.2.178), Laptop2 (192.168.2.118), NurseAssist (192.168.3.254), LAPTOP-8P7HDSEI (192.168.3.101, roaming), LAPTOP-E0STJJE8 (192.168.3.9, roaming).

Offline (last-known IP from DC DNS): DESKTOP-F94M8UT (10.0.20.171, was on VLAN20 — Alma's old box), DESKTOP-U2DHAP0 (192.168.3.37, Ashley — old LAN, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), Laptop4 (no DNS record).

Current GPO state (live-inspected 2026-06-30)

  • No fleet-linked GPO sets the Point-and-Print policy (missing Layer 1; explains the 513 / 0xBCB failures). CSC - Point and Print (CS-SERVER) was built to fill this but is security-filtered to the one pilot machine only.
  • Printer deployment is via User-side GPP Printers, linked per-department OU:
    • CSC - Caregiver Workstation -> OU Departments/Caregivers (ComputerSettingsDisabled). Deploys 6 shares (action=Update): NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom; defaults = NursesPrinter + MCMedTech (default=1, no item-level targeting parsed). NOTE: 5 of these 6 shares still point at old-LAN IPs (only MCReception is on VLAN20) — repointing them is what actually moves the caregiver fleet's printers onto VLAN 20.
    • CSC - Life Enrichment Printers -> OU Departments/Life Enrichment. Deploys ONE printer, \\CS-SERVER\RecRoom-Canon (STALE share name; now LifeEnrichment).
    • CSC - Reception Workstation Policy -> OU Workstations/Staff PCs. Registry only, no printers.
    • CSC - Printer Deployment -> not linked, empty. Dead — ignore.
  • AD OU structure in play: Departments/{Caregivers, Life Enrichment}, Workstations/Staff PCs.

Target-state design + action list

Layer 1 — Point-and-Print policy (fleet-wide computer GPO). CSC - Point and Print (CS-SERVER) exists; broaden its link/filter to all staff/department workstation OUs once the silent-install gap below is resolved.

Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers). To add a printer: department GPO -> User Config -> Preferences -> Control Panel -> Printers -> Shared Printer item, action=Update/Create, path \\CS-SERVER\<share>, + default + item-level targeting as needed.

Immediate fixes (priority order):

  1. Resolve the silent-install gap (see PILOT RESULT): decide reboot-test vs pre-stage-drivers, then take the P&P GPO fleet-live.
  2. Repoint the 5 stale caregiver-GPO shares to VLAN 20 as those printers get re-IP'd: MCMedTech -> 10.0.20.74 (target already live — do this now); then NursesPrinter (currently 192.168.2.75), HealthServices (192.168.1.138), MCDirector (192.168.3.52, +UFR II) and CopyRoom (192.168.2.230) once each has its VLAN 20 address. This is the highest-leverage remaining printer work.
  3. REPOINT CSC - Life Enrichment Printers RecRoom-Canon -> LifeEnrichment.
  4. Re-IP + repoint the remaining old-LAN shares: Kitchen (+UFR II), Accounting, AdminOffice, ExecDirector (+UFR II), SalesMarketing.
  5. Reconcile CulinaryChef (192.168.3.88) vs the Chef direct-IP (.236) — retire the redundant share if same device.
  6. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group).
  7. Domain-join the workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMRECEPT-PC, MEMCARE-STATION, DESKTOP-LPOPV30) -> move to GPO-deployed \\CS-SERVER\<share>.
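Added example (not the page's own script) of the repoint step in fixes 2 and 4: one function that refuses to move a share onto a target that is not listening on 9100, creates the Standard TCP/IP port on CS-SERVER if it does not exist, sets the printer's port and, where asked, swaps the driver. Assumptions: port names on CS-SERVER are the bare host IP (the inventory only records the host IP, so the naming is a guess and a different convention can be passed in), and any driver named must already be installed on CS-SERVER. The only call made live is the one the page says can be done today, MCMedTech to 10.0.20.74; the others are shown commented out because their VLAN 20 addresses do not exist yet.

```powershell
# Added example: repoint a CS-SERVER print share to its VLAN 20 address, with a dry-run switch.
$Server = 'CS-SERVER'

function Update-SharePort {
    param(
        [Parameter(Mandatory)] [string] $Share,
        [Parameter(Mandatory)] [string] $NewIP,
        [string] $PortName = $NewIP,       # assumption: ports on CS-SERVER are named after the host IP
        [string] $DriverName,              # e.g. 'Canon Generic Plus UFR II V250' for the MF741/743/751 shares
        [switch] $DryRun
    )
    # A stale share still prints via the old LAN; moving it to a dead target turns "stale" into "broken".
    if (-not (Test-NetConnection -ComputerName $NewIP -Port 9100 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        throw "$Share -> $NewIP : port 9100 not reachable from this host; not repointing."
    }
    if ($DriverName -and -not (Get-PrinterDriver -ComputerName $Server -Name $DriverName -ErrorAction SilentlyContinue)) {
        throw "$Share : driver '$DriverName' is not installed on $Server."
    }
    # Share name and printer name can differ; look the printer up by ShareName.
    $printer = Get-Printer -ComputerName $Server | Where-Object ShareName -eq $Share | Select-Object -First 1
    if (-not $printer) { throw "No share named '$Share' on $Server." }

    $plan = "$Share : port $($printer.PortName) -> $PortName ($NewIP)"
    if ($DriverName) { $plan += ", driver $($printer.DriverName) -> $DriverName" }
    if ($DryRun) { return "[dry-run] $plan" }

    if (-not (Get-PrinterPort -ComputerName $Server -Name $PortName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -ComputerName $Server -Name $PortName -PrinterHostAddress $NewIP
    }
    $params = @{ ComputerName = $Server; Name = $printer.Name; PortName = $PortName }
    if ($DriverName) { $params.DriverName = $DriverName }
    Set-Printer @params

    # Read back what the spooler now reports for the share.
    Get-Printer -ComputerName $Server -Name $printer.Name | Select-Object Name, ShareName, PortName, DriverName
}

# Fix 2, first item: the .74 target is live and reachable today.
Update-SharePort -Share 'MCMedTech' -NewIP '10.0.20.74' -DryRun
# Update-SharePort -Share 'MCMedTech' -NewIP '10.0.20.74'
# Later, once each printer has been re-IP'd (addresses not known yet):
# Update-SharePort -Share 'MCDirector' -NewIP '<vlan20 address>' -DriverName 'Canon Generic Plus UFR II V250'
```

Run the dry-run first from a host that can see VLAN 20; the port-9100 guard is only meaningful from somewhere that routes to the target.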

PILOT RESULT (2026-06-30) — still the open blocker

Created CSC - Point and Print (CS-SERVER), scoped (security filter) to ONE machine DESKTOP-H6QHRR7 (Lauren Hasselman, Staff PCs OU), linked, gpupdate. The policy registry landed correctly via GPO. BUT the in-session test still PROMPTED for a printer whose driver was NOT already local (front-desk Epson), even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present.

Conclusion: the P&P policy is necessary but NOT sufficient to make a brand-new driver install silent in a running session. Likely one or both of: (a) the RestrictDriverInstallationToAdministrators=0 override (it undoes the KB5005652 / CVE-2021-34481 default that made driver installs admin-only) is not honoured until a reboot — untested; (b) the Epson driver is a v3 driver that is not package-aware, so the silent Package Point and Print path does not apply and the legacy install path still elevates. Note that NoWarningNoElevationOnInstall=1 is exactly the value the CVE-2021-34527 (PrintNightmare) guidance says to leave at 0; the ServerList scoping to CS-SERVER is the compensating control, which is another reason the pre-stage path below is attractive.
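Added example (not the page's own script) to test hypothesis (b) before deciding: for every driver behind a CS-SERVER share, report whether it is a v3 or v4 driver and, for v3, whether the spooler marks it package-aware. The spooler keeps that flag in the registry (PrinterDriverAttributes, bit 0x1), not on the Get-PrinterDriver object, so the script reads it remotely; it assumes WinRM to CS-SERVER and local admin there.

```powershell
# Added example: classify the drivers behind CS-SERVER's shares as v4 / v3 package-aware / v3 legacy.
$Server          = 'CS-SERVER'
$PackageAwareBit = 0x1   # PRINTER_DRIVER_PACKAGE_AWARE in PrinterDriverAttributes

# Drivers actually referenced by a share, with the shares that use each one.
$inUse = Get-Printer -ComputerName $Server | Where-Object Shared | Group-Object DriverName |
    ForEach-Object { [pscustomobject]@{ Driver = $_.Name; Shares = ($_.Group.ShareName -join ',') } }

# Per-driver attributes live under the print environment key on the server.
$attrs = Invoke-Command -ComputerName $Server -ScriptBlock {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers'
    foreach ($ver in 'Version-3', 'Version-4') {
        Get-ChildItem -Path (Join-Path $base $ver) -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name       = $_.PSChildName
                Version    = $ver
                Attributes = [int]$props.PrinterDriverAttributes   # $null -> 0 when the value is absent
            }
        }
    }
}

$report = foreach ($d in $inUse) {
    $a = $attrs | Where-Object Name -eq $d.Driver | Select-Object -First 1
    $verdict =
        if (-not $a)                                  { 'not found under the server driver key' }
        elseif ($a.Version -eq 'Version-4')           { 'v4 class driver: client uses its own copy, nothing is downloaded from the server' }
        elseif ($a.Attributes -band $PackageAwareBit) { 'v3 package-aware: eligible for silent Package Point and Print' }
        else                                          { 'v3 NOT package-aware: legacy Point and Print path, prime suspect for the pilot prompt; pre-stage it' }
    [pscustomobject]@{ Driver = $d.Driver; Shares = $d.Shares; Version = $a.Version; Verdict = $verdict }
}
$report | Format-Table -AutoSize
```

If the Epson ET-5800 driver comes back as v3 and not package-aware, the reboot test in path 1 will not change the result and path 2 is the only way to make its first install silent.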

Two reliable paths (decide):

  1. Reboot-dependent: test — reboot a machine, then confirm a new-driver map is silent.
  2. Pre-stage drivers (recommended): deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM). GPP connection then attaches to an already-present driver -> always silent, no reboot/P&P-install dependency.
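Added example (not the page's own script) of path 2: a computer-GPO startup script, so it runs as SYSTEM, that copies each required driver package from CS-SERVER, stages it into the local driver store with pnputil, and registers it with the spooler. A later GPP printer connection then finds the driver already installed and never reaches the Point-and-Print download step, so neither the RestrictDriverInstallationToAdministrators override nor a reboot is in the path. Assumptions: a share \\CS-SERVER\PrintDrivers (name assumed) readable by Domain Computers, one folder per driver package; the Canon INF name is the one given in the driver trap above, the Epson INF name is a placeholder.

```powershell
# Added example: startup script that pre-stages printer drivers from a CS-SERVER share as SYSTEM.
$Source  = '\\CS-SERVER\PrintDrivers'                     # assumed share name, read-only for computers
$Staging = Join-Path $env:ProgramData 'CSC\PrintDrivers'
$Log     = Join-Path $env:ProgramData 'CSC\prestage-drivers.log'

$Drivers = @(
    @{ Name = 'Canon Generic Plus UFR II V250'; Folder = 'CanonUFRII';  Inf = 'cnlb0ma64.inf' },
    @{ Name = 'EPSON ET-5800 Series';          Folder = 'EpsonET5800'; Inf = 'ET5800.INF' }      # placeholder INF name
)

function Write-Log([string] $Message) {
    New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

foreach ($d in $Drivers) {
    # Idempotent: a driver the spooler already knows is left alone.
    if (Get-PrinterDriver -Name $d.Name -ErrorAction SilentlyContinue) {
        Write-Log "present: $($d.Name)"
        continue
    }
    $src = Join-Path $Source  $d.Folder
    $dst = Join-Path $Staging $d.Folder
    if (-not (Test-Path (Join-Path $src $d.Inf))) {
        Write-Log "missing on share: $src\$($d.Inf)"
        continue
    }
    # Copy the whole package locally first; pnputil reads every file named in the INF.
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force

    # Stage into the driver store. Signature is checked here: an unsigned or tampered package is
    # refused by pnputil and logged, not installed.
    $inf = Join-Path $dst $d.Inf
    $out = & pnputil.exe /add-driver $inf 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "pnputil failed ($LASTEXITCODE) for $($d.Name): $($out -join ' ')"
        continue
    }
    # With the package in the driver store the spooler registers it locally; no print server involved.
    try {
        Add-PrinterDriver -Name $d.Name
        Write-Log "installed: $($d.Name)"
    } catch {
        Write-Log "Add-PrinterDriver failed for $($d.Name): $_"
    }
}
```

Because this runs as SYSTEM on every workstation, the share it reads from is part of the trust boundary: keep write access on \\CS-SERVER\PrintDrivers to the admin group only, and rely on pnputil's signature check rather than on the share being trustworthy. The driver name passed to Add-PrinterDriver has to match the model name inside the INF exactly, which is the same name the server share reports for that driver.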

State: GPO scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). NOT rolled out.

Machine rename TODO

  • RECEPTIONIST-PC (Memory Care box, S/N MJ0KQH4R, 10.0.20.68, agent 57f19e17) -> MEMCARE-STATION rename was STAGED 2026-06-30 but NOT YET APPLIED (live 2026-07-01 still reports RECEPTIONIST-PC) — needs the reboot. The OTHER RECEPTIONIST-PC (frontdesk, S/N MJ0KQHNP, 10.0.20.102) is the real front desk.

Notes

  • Server-share printing works even while a printer is still on the old-LAN IP (CS-SERVER is on the old LAN and reaches it). Re-IP'ing printers to 10.0.20.x is about VLAN isolation, not print function.
  • Workgroup machines get direct-IP local printers until domain-joined, then switch to GPO-deployed \\CS-SERVER\<share>.
  • Some Brother shares use the generic "Brother Generic Jpeg Type2 Class Driver", a v4 class driver, not a model-specific driver (BusinessOffice, MCMedTech, NursesPrinter, CulinaryChef, AdminOffice, SalesMarketing). v4 drivers are not downloaded from CS-SERVER by Point and Print; the client uses its own inbox / Windows Update copy (or Microsoft's enhanced Point and Print compatibility driver), so those shares behave differently from the v3 Canon and Epson ones under the P&P policy.
  • Detailed how-to + pfSense routing fix: .claude/memory/project_cascades_vlan20_migration_routing.md and session log clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md.