claudetools/clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md
Howard Enos 563ff9e8fa sync: auto-sync from HOWARD-HOME at 2026-06-25 21:21:56
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 21:21:56
2026-06-25 21:23:24 -07:00


# Cascades of Tucson — Remaining Work Plan (to completion)
> Consolidated execution plan tying the open Syncro tickets to the broader migration
> workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown).
> Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md`
> and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23).
> Goal: finish the migration quickly by working it as one sequenced plan.
---
## Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)
**Domain (`cascades.local`) — joined staff workstations (12):**
ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7,
DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley),
ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN.
(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD object to clean: DESKTOP-1ISF081 (last logon 2025-03). AZUREADSSOACC is the Entra Seamless SSO computer object; leave it in place.)
**In RMM but NOT domain-joined — still to migrate (~17):**
| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct `meredithk`) | Domain-join + migrate her to `cascades\Meredith.Kuhn` |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD `HEALTH-SERVICES` | Already domain-joined per the 2026-06-24 readiness probe (RMM name vs AD name mismatch only); reconcile the name, no join needed |
| **CHEF-PC** | Culinary (Chef JD) | **Ticket #32254** — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — **replace machine** (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the **Caregiver Devices** path (Workstream 3), not the staff path |
**OU structure (built):** `OU=Departments` -> Administrative, Marketing, Care-Assisted Living
(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident
Services, Transportation, Caregivers. `OU=Workstations` -> Staff PCs, Shared PCs,
`OU=Caregiver Devices` (under Staff PCs). Groups in `OU=Groups`.
---
## Workstream 1 — Workstation domain migration
**Goal:** every staff PC on `cascades.local` + GuruRMM + correct dept OU + mapped dept drives;
retire per-PC Synology Drive Client.
**Per-machine runbook** (scripts in `docs/migration/scripts/`):
1. `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK)
2. `phase3-join-domain.ps1` -> join `cascades.local`
3. `phase3-post-join-verify.ps1`
4. Move computer object into the correct **department OU**
5. Confirm GuruRMM agent still checks in; migrate the user profile/data
6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean
7. Log the change
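The per-machine runbook above as one script, an added example and not the `phase3-*.ps1` scripts in `docs/migration/scripts/`. It gates on the checks the readiness audit relies on (`EditionID` rather than `ProductName`, OneDrive KFM still linked via the user's shell-folder paths, a pending reboot, DC reachability via the domain SRV record and the Kerberos/LDAP/SMB ports against `192.168.2.248`), then joins straight into the target OU and, after the reboot, verifies the secure channel and where the computer object landed. The OU DN and the assumption that the user's hive is loaded when the KFM check runs are mine, not the page's.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not the phase3-*.ps1 scripts in docs/migration/scripts/. One sequenced
  pre-join gate, join, and post-join verify for a staff PC, run elevated on the machine.
  Assumed: the OU DN below (confirm in ADUC) and that the user's hive is loaded (user
  logged on) when the shell-folder check runs.
  Usage:  .\join-staff-pc.ps1            # gate only, prints READY / NOT READY
          .\join-staff-pc.ps1 -Join      # gate, then join into the OU and reboot
          .\join-staff-pc.ps1 -PostJoin  # after the reboot, as a domain admin
#>
param(
    [string]$Domain = 'cascades.local',
    [string]$DcIp   = '192.168.2.248',  # what clients reach; .254 is the Hyper-V vEthernet
    [string]$OuPath = 'OU=Staff PCs,OU=Workstations,DC=cascades,DC=local',  # assumed DN
    [switch]$Join,
    [switch]$PostJoin
)

function Test-PreJoinGate {
    $problems = @()

    # Edition: trust EditionID, not ProductName (stale "Windows 10 Home" string on Win11 boxes).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.EditionID -notin 'Professional', 'ProfessionalWorkstation', 'Enterprise') {
        $problems += "EditionID=$($cv.EditionID): Home cannot domain-join, upgrade to Pro first"
    }

    # OneDrive KFM / poisoned shell folders: any loaded user hive whose Desktop, Documents or
    # Pictures still points into OneDrive must be unlinked before folder redirection applies.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem HKU: | Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($h in $hives) {
        $usf = Get-ItemProperty "HKU:\$($h.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
        foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
            if ($usf.$name -match 'OneDrive') { $problems += "$($h.PSChildName): $name -> $($usf.$name) (KFM still linked)" }
        }
    }

    # Pending reboot: CBS, Windows Update, or pending file renames.
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
               ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))
    if ($pending) { $problems += 'Reboot pending: clear it before joining' }

    # DC reachability: the SRV lookup fails on public DNS (8.8.8.8 / 1.1.1.1), i.e. off-network.
    if (-not (Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue)) {
        $problems += "No SRV record for $Domain, machine is not on the Cascades LAN/DNS"
    }
    foreach ($port in 88, 389, 445) {
        if (-not (Test-NetConnection $DcIp -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            $problems += "DC $DcIp not reachable on TCP/$port"
        }
    }
    return $problems
}

function Invoke-PostJoinVerify {
    $ok = $true
    if (-not (Test-ComputerSecureChannel)) { Write-Warning 'Secure channel to the DC is broken'; $ok = $false }
    $dc = & nltest "/dsgetdc:$Domain" 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "nltest /dsgetdc failed: $dc"; $ok = $false }
    # The computer object should sit in the target OU, not the default Computers container.
    try {
        $dn = ([adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))").FindOne().Properties['distinguishedname'][0]
        if ($dn -notlike "*,$OuPath") { Write-Warning "Computer object is at '$dn', move it to $OuPath"; $ok = $false }
    } catch { Write-Warning "AD lookup failed ($_), run -PostJoin as a domain user"; $ok = $false }
    gpupdate /force | Out-Null
    return $ok
}

if ($PostJoin) { if (Invoke-PostJoinVerify) { 'POST-JOIN OK'; exit 0 } else { exit 1 } }

$gate = Test-PreJoinGate
if ($gate) { $gate | ForEach-Object { Write-Warning $_ }; 'NOT READY'; exit 1 }
'READY'
if ($Join) {
    # Joining straight into the target OU removes the separate post-join move (runbook step 4).
    Add-Computer -DomainName $Domain -OUPath $OuPath -Credential (Get-Credential -Message "$Domain join account") -Restart
}
```

Run it once with no switches for READY/NOT READY, with `-Join` to join and reboot, then `-PostJoin` as a domain admin after the reboot. If a machine was joined by other means, the post-join check still flags an object left in the default Computers container, which is the usual reason a department GPO never applies.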
**Tickets in this workstream:** #32194 (deploy spare machine for new hire — join + enroll + AD acct),
#32254 (Chef-PC reinstall then join).
### Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)
| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | **Win10 Home** | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | **Win11 Home** | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | **Win10 Home** | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | **Win11 Home** | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | **Win11 Home** | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD `HEALTH-SERVICES`) |
**Prep blockers / decisions (2026-06-24):**
- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys):
LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the
Home->Pro upgrades himself, ONSITE** (decision 2026-06-25).
- *2026-06-25 live re-check: the 6PM cron `ad0a56a9` never completed. All 5 still read `EditionID=Core`
  (Home), licensed on Home keys, none half-upgraded. `ProductName` reads "Windows 10 Home" even on the
  Win11 boxes (stale registry string), so trust `EditionID`, not `ProductName`.*
- **DONE 2026-06-25 (~8:45 PM, remotely via RMM, no users logged in):** the 3 online Home boxes
  upgraded Home->Pro. Process: `changepk.exe /productkey <generic Pro key>` flips `Core` -> `Professional`
  (run as SYSTEM it does NOT auto-reboot, and registry vs licensing stay out of sync until it does, so
  **reboot once to finalize**), then activate. Results:
  - **MDIRECTOR-PC** -> Professional, **self-activated FREE via a built-in Pro digital entitlement**
    (no MAK used, no charge). READY to domain-join.
  - **MEMRECEPT-PC** + **LAPTOP-8P7HDSEI** -> activated with the ACG MAK
    (`infrastructure/windows-pro-mak`). NOTE: the MAK is a **Pro for Workstations** MAK: `/ipk` retargets
    the edition to `ProfessionalWorkstation` (higher SKU, fine for domain join), `/dli` = Licensed,
    VOLUME_MAK channel. **2 MAK counts consumed -> bill 2x $99 = $198 to Cascades** (line items name each
    machine). MEMRECEPT needed an `/ato` retry (first attempt hit transient `0x8004FE92`).
  - **Still pending:** NurseAssist (OFFLINE, and flagged as a possible dupe of `Assistnurse-pc`; verify
    before upgrading, since a MAK count spent on a machine that gets retired is wasted) and SALES4-PC
    (bypassed: Tamra departing, repurpose TBD).
  - Next step for the 3 upgraded boxes = **domain-join** (they now read `EditionID=Professional` or `ProfessionalWorkstation`).
- **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
- **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely.
- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) —
must be on-site/on-LAN before any join.
- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients
  actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not
  cleanly serve domain SMB). Update the script's target before reuse, or better, have it resolve the
  DC through DNS (`nltest /dsgetdc:cascades.local`) so the address is not hardcoded again.
- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite:
DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).
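The Home->Pro process above as a script, an added example and not the cron/RMM job that ran on 2026-06-25. `Get-EditionState` is the same live re-check as above (it reads `EditionID`, not `ProductName`, and the licensing channel); the script refuses to run with a user logged on, flips the edition with `changepk.exe`, tries the free digital-entitlement activation first and only then spends a MAK count, retrying `/ato` for the transient `0x8004FE92`. `$GenericProKey` is the key the plan elides and `$Mak` is passed in by the caller from `infrastructure/windows-pro-mak`; neither is stored in the script. The final reboot is what finalizes the edition change.

```powershell
<#
  Added example of the Home->Pro flow, not the cron/RMM script used on 2026-06-25.
  Run as SYSTEM via RMM with no user logged on. $GenericProKey is the edition-change key
  the plan elides; $Mak comes from infrastructure/windows-pro-mak via the caller and is
  never stored here. Without -Mak only the free digital-entitlement path is tried.
#>
param(
    [Parameter(Mandatory)][string]$GenericProKey,  # changes edition only, does not activate
    [string]$Mak,                                  # Pro for Workstations MAK, one count per /ato
    [switch]$Reboot
)

function Get-EditionState {
    # EditionID is authoritative; ProductName is a stale string on some Win11 boxes.
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $lic = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'"
    [pscustomobject]@{
        EditionID     = $cv.EditionID          # Core = Home, Professional, ProfessionalWorkstation
        ProductName   = $cv.ProductName
        LicenseStatus = $lic.LicenseStatus     # 1 = Licensed
        Channel       = $lic.ProductKeyChannel # Retail, OEM:DM, VOLUME_MAK, ...
        LicensedSku   = $lic.Name
    }
}

function Invoke-Slmgr([string[]]$SlmgrArgs) {
    # cscript keeps slmgr.vbs non-interactive under SYSTEM; //Nologo drops the banner.
    (& cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" @SlmgrArgs 2>&1) -join "`n"
}

function Invoke-Activate([int]$Tries = 3) {
    # /ato against Microsoft's activation service; 0x8004FE92 was transient on MEMRECEPT, so retry.
    for ($i = 1; $i -le $Tries; $i++) {
        $out = Invoke-Slmgr '/ato'
        if ($out -match 'activated successfully') { return $true }
        Write-Warning "/ato attempt $i failed: $($out -replace '\s+', ' ')"
        Start-Sleep -Seconds 30
    }
    return $false
}

if (Get-CimInstance Win32_ComputerSystem | Select-Object -ExpandProperty UserName) {
    Write-Warning 'Interactive user logged on, aborting (the upgrade needs a reboot).'; exit 1
}
$before = Get-EditionState
if ($before.EditionID -ne 'Core') { "Already $($before.EditionID), nothing to do"; exit 0 }

# Step 1: flip the edition. Under SYSTEM changepk.exe does not reboot by itself, and registry vs
# licensing stay out of sync until the reboot at the end; do not run it twice.
Start-Process -FilePath changepk.exe -ArgumentList "/ProductKey $GenericProKey" -Wait -WindowStyle Hidden
$after = Get-EditionState
if ($after.EditionID -ne 'Professional') { throw "changepk did not flip the edition (EditionID=$($after.EditionID))" }

# Step 2: activate. Try the built-in digital entitlement first (free, as on MDIRECTOR-PC); only
# then fall back to the MAK, which also retargets the edition to ProfessionalWorkstation and
# consumes one count.
if (Invoke-Activate) {
    'Activated via digital entitlement, no MAK count used'
} elseif ($Mak) {
    Invoke-Slmgr '/ipk', $Mak | Out-Null
    if (-not (Invoke-Activate)) { throw 'MAK activation failed, check /dli and the remaining MAK count' }
    "Activated with MAK (bill one count for $env:COMPUTERNAME)"
} else {
    throw 'No entitlement and no -Mak given; edition flipped but NOT activated'
}

Invoke-Slmgr '/dli'            # expect License Status: Licensed, channel Retail or VOLUME_MAK
Get-EditionState               # EditionID = Professional or ProfessionalWorkstation
if ($Reboot) { Restart-Computer -Force }   # finalizes the edition change
```

Because the entitlement path is tried before `/ipk`, a box like MDIRECTOR-PC never touches the MAK; the billing line comes only from the `elseif` branch, one count per machine.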
---
## Workstream 2 — Users, departments & file-share access
**Goal:** every user in the right OU + `SG-*-RW` group; department drives mapped per the
access matrix; Synology retired as primary.
- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server,
Accounting, Culinary, Activities, directoryshare, IT, Receptionist, **Executive (NEW — Ashley+Meredith)**.
Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`.
- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
- **Close out the matrix open questions** (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks,
John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/Clinical-PHI
create-or-retire; `web` retire.
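Provisioning one department share per the access matrix, as an added example and not the client's own scripts: the `SG-<Dept>-RW` group in `OU=Groups`, an NTFS ACL on `D:\Shares\<Dept>` that breaks inheritance and grants Modify only to that group (Full Control only to Administrators and SYSTEM), the SMB share with Authenticated Users at Change so NTFS is the gate, and a check that no broad principal is left on the folder. The OU DN, the `CASCADES` NetBIOS name and the choice of Modify over Full Control are my assumptions; drive-letter mapping stays in GPP.

```powershell
<#
  Added example (not the client's provisioning scripts) for one department share:
  SG-<Dept>-RW group in OU=Groups, NTFS ACL that admits only that group, and the SMB share.
  Assumed: run on CS-SERVER with the ActiveDirectory module, D:\Shares\<Dept> exists, the
  member list comes from docs/migration/share-access-matrix-2026-04-23.md, NetBIOS domain
  is CASCADES. Drive letters stay in GPP item-level targeting; this builds what GPP maps to.
#>
param(
    [Parameter(Mandatory)][string]$Dept,              # e.g. Culinary
    [string[]]$Members = @(),                         # sAMAccountNames from the matrix
    [string]$ShareRoot = 'D:\Shares',
    [string]$GroupOu   = 'OU=Groups,DC=cascades,DC=local'   # assumed DN
)
Import-Module ActiveDirectory

function Set-DeptShare {
    param([string]$Dept, [string[]]$Members, [string]$ShareRoot, [string]$GroupOu)
    $group = "SG-$Dept-RW"
    $path  = Join-Path $ShareRoot $Dept

    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $GroupOu -Description "Modify on $path"
    }
    if ($Members) { Add-ADGroupMember -Identity $group -Members $Members }

    # NTFS: break inheritance without copying the inherited BUILTIN\Users ACEs, then grant
    # Modify (not Full Control, so members cannot re-ACL the share) to the RW group only.
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $inh    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop   = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($who, $full, $inh, $prop, 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("CASCADES\$group", $modify, $inh, $prop, 'Allow')))
    Set-Acl -Path $path -AclObject $acl

    # SMB: share permission stays Authenticated Users = Change (never Everyone); NTFS is the gate.
    if (-not (Get-SmbShare -Name $Dept -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Dept -Path $path -ChangeAccess 'Authenticated Users' | Out-Null
    }
    return $path
}

function Test-DeptShareAcl {
    # Returns any ACE that would let non-department principals in; empty output = matrix-clean.
    param([string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl $Path).Access | Where-Object { $_.IdentityReference.Value -in $broad }
}

$p    = Set-DeptShare -Dept $Dept -Members $Members -ShareRoot $ShareRoot -GroupOu $GroupOu
$leak = Test-DeptShareAcl -Path $p
if ($leak) {
    $leak | Format-Table IdentityReference, FileSystemRights, IsInherited
    Write-Warning "$p still carries broad ACEs"
} else {
    "$p OK: only SG-$Dept-RW plus Administrators/SYSTEM"
}
```

`Test-DeptShareAcl` is the check to run across every existing share on CS-SERVER before the Synology is retired; a share built before the matrix existed typically still carries the inherited `BUILTIN\Users` read ACE, which is exactly what the Executive share for Ashley and Meredith must not have.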
**Tickets:** #32193 (Executive restricted share — **DONE 2026-06-24**, E: mapped both machines),
#32230 (Karen Rossini -> ALDOCS on Synology — **recheck when she's in**, she was out 2026-06-24).
---
## Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)
Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from
test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)
1. Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`
   (Authenticated Users keeps Read, never Apply, so the computer accounts can still fetch the GPO).
2. CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable
   the compliance-block policy `ede985e2`. Re-read both policies after the edit to confirm nothing else in them changed.
3. Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare`
   one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user
   only once that user's ALIS sign-in is confirmed going through Entra, so MFA moves to CA rather than disappearing.
5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
6. **Reboot NURSESTATION-PC** to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).
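Steps 1 and 2 of the go-live as a script, an added example and not the client's change tooling: it moves the GPO's Apply right from the test group to `SG-Caregivers` while keeping Authenticated Users at Read, then rewrites the CA allow-list policy's include-groups from `SG-Caregivers-DeviceTest` to `SG-Caregivers` and sets the compliance-block policy to disabled. The full policy GUIDs (the plan abbreviates them) and the presence of the GroupPolicy and Microsoft.Graph modules are assumptions; `SG-Caregivers` must be synced to Entra for the CA half to resolve it.

```powershell
<#
  Added example of go-live steps 1 and 2, not the client's change script. Assumed: run where
  the GroupPolicy and Microsoft.Graph modules are installed, with Policy.ReadWrite.ConditionalAccess
  consent; the two policy IDs are the full GUIDs (the plan only abbreviates them), looked up first
  with Get-MgIdentityConditionalAccessPolicy. Without -Apply it only reports what it would change.
#>
param(
    [string]$Gpo         = 'CSC - Caregiver Workstation',
    [string]$TestGroup   = 'SG-Caregivers-Test',         # GPO security filter today
    [string]$CaTestGroup = 'SG-Caregivers-DeviceTest',   # CA include group today
    [string]$LiveGroup   = 'SG-Caregivers',
    [Parameter(Mandatory)][string]$AllowListPolicyId,    # 1b7fd025-...
    [Parameter(Mandatory)][string]$CompliancePolicyId,   # ede985e2-...
    [switch]$Apply
)
Import-Module GroupPolicy

function Switch-GpoFilter {
    param([string]$Gpo, [string]$From, [string]$To, [switch]$Apply)
    if ($Apply) {
        # Live group gets Apply, test group is removed. Authenticated Users must keep Read and
        # never Apply, or the computer accounts cannot read the GPO at all (MS16-072 behaviour).
        Set-GPPermission -Name $Gpo -TargetName $To   -TargetType Group -PermissionLevel GpoApply | Out-Null
        Set-GPPermission -Name $Gpo -TargetName $From -TargetType Group -PermissionLevel None -Replace | Out-Null
        $auth = Get-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue
        if (-not $auth -or $auth.Permission -ne 'GpoRead') {
            Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
        }
    }
    # Review: $To = GpoApply, $From absent, Authenticated Users = GpoRead.
    Get-GPPermission -Name $Gpo -All | Select-Object Trustee, Permission
}

function Switch-CaScope {
    param([string]$AllowListPolicyId, [string]$CompliancePolicyId, [string]$From, [string]$To, [switch]$Apply)
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All' -NoWelcome
    $fromId = (Get-MgGroup -Filter "displayName eq '$From'").Id
    $toId   = (Get-MgGroup -Filter "displayName eq '$To'").Id
    if (-not $fromId -or -not $toId) { throw "Group lookup failed ($From=$fromId, $To=$toId); is $To synced to Entra?" }
    $pol = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $AllowListPolicyId
    $u   = $pol.Conditions.Users
    $include = @(@($u.IncludeGroups | Where-Object { $_ -ne $fromId }) + $toId | Select-Object -Unique)
    if (-not $Apply) {
        return [pscustomobject]@{ Policy = $pol.DisplayName; IncludeGroupsAfter = $include; ExcludeUsers = @($u.ExcludeUsers); Compliance = 'would be disabled' }
    }
    # Send the whole users block: a partial patch can drop the exclusions already on the policy.
    $users = @{
        includeUsers  = @($u.IncludeUsers  | Where-Object { $_ }); excludeUsers  = @($u.ExcludeUsers  | Where-Object { $_ })
        includeGroups = $include;                                  excludeGroups = @($u.ExcludeGroups | Where-Object { $_ })
        includeRoles  = @($u.IncludeRoles  | Where-Object { $_ }); excludeRoles  = @($u.ExcludeRoles  | Where-Object { $_ })
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $AllowListPolicyId -BodyParameter @{ conditions = @{ users = $users } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $CompliancePolicyId -BodyParameter @{ state = 'disabled' }
    Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $AllowListPolicyId |
        Select-Object DisplayName, State, @{ n = 'IncludeGroups'; e = { $_.Conditions.Users.IncludeGroups } }
}

Switch-GpoFilter -Gpo $Gpo -From $TestGroup -To $LiveGroup -Apply:$Apply | Format-Table
Switch-CaScope -AllowListPolicyId $AllowListPolicyId -CompliancePolicyId $CompliancePolicyId -From $CaTestGroup -To $LiveGroup -Apply:$Apply | Format-List
```

Run without `-Apply` first and keep the two reports: they are the before state for the change log, and the post-`-Apply` output should differ from them only in the two group IDs and the compliance policy's `state`.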
---
## Workstream 4 — M365
- **Relicense 31 users Business Standard -> Business Premium** (Standard is SUSPENDED — time-sensitive).
- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys; exclude them from every CA policy (including the caregiver allow-list `1b7fd025`) and alert on any sign-in by them.
- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`.
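The 31-user relicense as a script, an added example and not the client's. The trap it guards against is the SKU naming: Business Standard's `SkuPartNumber` is `O365_BUSINESS_PREMIUM` and Business Premium's is `SPB`, so matching on the word "Premium" picks the wrong product. It checks free Premium seats and each user's `UsageLocation` first, and adds and removes in one `Set-MgUserLicense` call so no account passes through an unlicensed state. Graph consent scopes are assumed.

```powershell
<#
  Added example for the Business Standard -> Business Premium swap, not the client's script.
  Assumed: Microsoft.Graph installed, consent for User.ReadWrite.All + Organization.Read.All.
  SkuPartNumber values are Microsoft's real names and are the trap: Business Standard is
  "O365_BUSINESS_PREMIUM", Business Premium is "SPB". Without -Apply it only reports.
#>
param([switch]$Apply)
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

function Get-SkuInfo([string]$PartNumber) {
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber is not in this tenant" }
    [pscustomobject]@{
        Id     = $sku.SkuId
        Status = $sku.CapabilityStatus                       # Enabled / Warning / Suspended / ...
        Free   = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    }
}

function Move-StandardToPremium([switch]$Apply) {
    $old = Get-SkuInfo 'O365_BUSINESS_PREMIUM'   # = Business Standard (the suspended one)
    $new = Get-SkuInfo 'SPB'                      # = Business Premium
    if ($new.Status -ne 'Enabled') { throw "Premium SKU is $($new.Status); buy/renew before moving users" }
    $users = @(Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses, UsageLocation |
               Where-Object { $_.AssignedLicenses.SkuId -contains $old.Id })
    if ($users.Count -gt $new.Free) { throw "$($users.Count) users on Standard but only $($new.Free) Premium seats free" }
    foreach ($u in $users) {
        if (-not $u.UsageLocation) {   # Graph rejects the assignment without it
            [pscustomobject]@{ User = $u.UserPrincipalName; Action = 'SKIPPED: set UsageLocation first' }
            continue
        }
        if ($Apply) {
            # Add and remove in ONE call so the mailbox/OneDrive never sit unlicensed in between.
            Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $new.Id }) -RemoveLicenses @($old.Id) | Out-Null
        }
        [pscustomobject]@{ User = $u.UserPrincipalName; Action = $(if ($Apply) { 'moved to Premium' } else { 'would move' }) }
    }
}

Move-StandardToPremium -Apply:$Apply | Format-Table -AutoSize
```

The dry run should list exactly the 31 users; a shorter list means some users are on a different SKU (or already on Premium) and the seat count bought needs re-checking before `-Apply`.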
---
## Workstream 5 — Server / infrastructure
- **Cloud backup (MSP360 -> ACG-backup): VERIFIED running 2026-06-24** (last run Success, 0 failed, 575 GB baseline in cloud, incrementals working). Still confirm whether it is image/bare-metal/system-state or only file-level (it looks file-level): a file-level job cannot restore AD on CS-SERVER, so a system-state or image backup of the DC is required before any drive work. Set retention. [GATE for any drive work]
- **CS-SERVER RAID -- CORRECTED 2026-06-24: HEALTHY, not degraded** (live OMSA: both mirrors Ok, all 5 disks Online, all LEDs green; the 6/15 degraded state self-recovered). **NO emergency drive swap.** 1:0:4 = global hot spare (do not remove).
  - **Planned** reliability upgrade: replace the 2 consumer 320 GB drives (esp. the flaky WD at 0:0:3) with the 2x enterprise SSDs **already purchased**, in a scheduled window with a confirmed image/system-state backup.
  - **[WARN] PSU redundancy lost**: one PSU not delivering, check onsite. Service Tag 9MQFTK1.
  - Real fix = DC migration off the 16-year-old R610.
- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
- Rotate the Synology signin-portal credential (was committed plaintext historically).
---
## Workstream 6 — Network (mostly complete)
- **CSC ENT device-island consolidation (phones + Helpany on 5 GHz)** — repurpose CSC ENT as a
**5 GHz-only WPA2 PPSK** SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the
Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both
off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz.
Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea
(deleting it would orphan the Pauls). Both vendors can move their devices remotely once we
provide the network. **Onsite gate: verify per-room 5 GHz coverage before the band flip**
(steel walls; weak-5GHz devices stay on 2.4). Full design + sequence:
`docs/network/csc-ent-device-island-plan.md`.
- Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense.
- Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed);
  new voice key -> VLAN 30 (phones re-pointed by Howard/Richard). This PPSK is in plaintext in the
  plan; treat the file as sensitive and keep the canonical copy in the secrets store, as with
  `infrastructure/windows-pro-mak`.
- Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few
phones + Pauls, then full rollout.
- Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
- **PREREQUISITE (live 2026-06-24): CSC ENT has 149 clients, only 68 are Helpany.** ~79 non-Helpany
devices must be evacuated first — 14 staff PCs (domain mig), 11 printers, **11 DIRECTV + 11
resident IoT/TV + 15 personal phones + 17 unknown (resident-facing — need help reconnecting)**.
~51 are on 2.4 GHz and would drop on a 5 GHz-only flip. Per-device inventory + resident
help-list: `docs/network/csc-ent-client-inventory-2026-06-24.md`. TODO: pull `stat/alluser`
for offline resident TVs; identify the 17 unknowns + generic phones with John Trozzi.
- **#32319** WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`).
- **#32342** Copy Room switch — install + adopt into UniFi.
- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
- *(Superseded)* Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single
dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).
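A band-impact check for the CSC ENT flip, as an added example and not the generator behind `docs/network/csc-ent-client-inventory-2026-06-24.md`: given the controller's client records it lists every wireless client on the SSID, flags those on 2.4 GHz (`radio` = `ng`) that would drop on a 5 GHz-only change, and counts them. The sample records are constructed; the live fetch assumes the classic controller API paths (`/api/login`, `/api/s/<site>/stat/sta`, `stat/alluser` for offline clients), which differ on UniFi OS consoles.

```powershell
<#
  Added example, not the generator of docs/network/csc-ent-client-inventory-2026-06-24.md:
  classify an SSID's clients by band so the 5 GHz-only flip is gated on the count that would drop.
  The sample records below are constructed. The live pull assumes a classic controller API
  (login /api/login, clients /api/s/<site>/stat/sta, history /api/s/<site>/stat/alluser);
  UniFi OS consoles log in at /api/auth/login and prefix the rest with /proxy/network.
#>
param(
    [string]$Ssid = 'CSC ENT',
    [string]$Site = 'va6iba3v',
    [string]$Controller,            # e.g. https://unifi.example:8443 ; omit to use the sample
    [pscredential]$Credential,
    [switch]$History                # stat/alluser instead of stat/sta, covers offline resident TVs
)

function Get-UnifiClients {
    param([string]$Controller, [string]$Site, [pscredential]$Credential, [switch]$History)
    $body = @{ username = $Credential.UserName; password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json
    Invoke-RestMethod "$Controller/api/login" -Method Post -Body $body -ContentType 'application/json' -SessionVariable s | Out-Null
    $ep = if ($History) { 'stat/alluser' } else { 'stat/sta' }
    (Invoke-RestMethod "$Controller/api/s/$Site/$ep" -WebSession $s).data
}

function Get-BandFlipImpact {
    param([object[]]$Clients, [string]$Ssid)
    # radio codes: ng = 2.4 GHz, na = 5 GHz, 6e = 6 GHz; wired clients carry no radio.
    $rows = foreach ($c in $Clients) {
        if ($c.is_wired -or $c.essid -ne $Ssid) { continue }
        [pscustomobject]@{
            Name        = $(if ($c.hostname) { $c.hostname } elseif ($c.name) { $c.name } else { $c.mac })
            Oui         = $c.oui
            Band        = $(switch ($c.radio) { 'ng' { '2.4GHz' } 'na' { '5GHz' } '6e' { '6GHz' } default { $c.radio } })
            DropsOnFlip = ($c.radio -eq 'ng')
        }
    }
    [pscustomobject]@{
        Ssid    = $Ssid
        Total   = @($rows).Count
        On24GHz = @($rows | Where-Object DropsOnFlip).Count
        Drops   = @($rows | Where-Object DropsOnFlip | Sort-Object Oui, Name)
    }
}

# Constructed sample (not real inventory): a sensor on 5 GHz, a phone and a TV on 2.4 GHz, a wired PC.
$sample = @(
    [pscustomobject]@{ essid = 'CSC ENT'; radio = 'na';  is_wired = $false; hostname = 'paul-101'; oui = 'Sample-Sensor'; mac = '02:00:00:00:00:01' }
    [pscustomobject]@{ essid = 'CSC ENT'; radio = 'ng';  is_wired = $false; hostname = 'Poly-VVX'; oui = 'Sample-Phone';  mac = '02:00:00:00:00:02' }
    [pscustomobject]@{ essid = 'CSC ENT'; radio = 'ng';  is_wired = $false; hostname = $null;      oui = 'Sample-TV';     mac = '02:00:00:00:00:03' }
    [pscustomobject]@{ essid = $null;     radio = $null; is_wired = $true;  hostname = 'ACCT2-PC'; oui = 'Sample-NIC';    mac = '02:00:00:00:00:04' }
)
$clients = if ($Controller) { Get-UnifiClients -Controller $Controller -Site $Site -Credential $Credential -History:$History } else { $sample }
$impact  = Get-BandFlipImpact -Clients $clients -Ssid $Ssid
"$($impact.Ssid): $($impact.Total) wireless clients, $($impact.On24GHz) would drop on a 5 GHz-only flip"
$impact.Drops | Format-Table Name, Oui, Band
```

On the constructed sample the summary is 3 wireless clients with 2 dropping. Against the live site the `Drops` list grouped by OUI is the resident help-list: the flip is safe to schedule only when it contains Helpany and Poly gear, and nothing resident-facing.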
---
## Workstream 7 — Onsite peripheral
- **#32370** eFax setup (Karen & Christin) + portable scanner on both machines.
---
## Suggested sequence (fastest path)
1. **Today's onsite batch (Howard, on-site):** #32342 (Copy Room switch), #32319 (Room 343 AP),
#32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join);
#32230 (Karen -> ALDOCS) once she's in. **While onsite: verify per-room 5 GHz coverage** for the
CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the
vendors.
2. **Caregiver lockdown go-live** (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
3. **M365 relicense 31 users** (Workstream 4) — time-sensitive.
4. **Backup verify -> RAID replacement** (Workstream 5) — critical single-DC risk.
5. **Remaining staff domain joins + dept drives** (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
6. Network tail (CSC ENT device-island band flip with Helpany/Vertical, 100 Mbps port sweep) + M365 break-glass/audit retention.
---
## Open Syncro tickets -> workstream map
| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | **DONE 2026-06-24** (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |