# Cascades of Tucson — Remaining Work Plan (to completion)

> Consolidated execution plan tying the open Syncro tickets to the broader migration
> workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown).
> Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md`
> and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23).
> Goal: finish the migration quickly by working it as one sequenced plan.

---

## Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)

**Domain (`cascades.local`) — joined staff workstations (12):**
ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7,
DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley),
ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN.
(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD object to clean: DESKTOP-1ISF081 (last logon 2025-03). AZUREADSSOACC is the Seamless-SSO computer object — leave it.)

**In RMM but NOT domain-joined — still to migrate (~17):**

| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct `meredithk`) | Domain-join + migrate her to `cascades\Meredith.Kuhn` |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC?) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD `HEALTH-SERVICES` | Verify dup/rename before acting |
| **CHEF-PC** | Culinary (Chef JD) | **Ticket #32254** — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — **replace machine** (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the **Caregiver Devices** path (Workstream 3), not the staff path |

**OU structure (built):** `OU=Departments` -> Administrative, Marketing, Care-Assisted Living
(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident
Services, Transportation, Caregivers. `OU=Workstations` -> Staff PCs, Shared PCs,
`OU=Caregiver Devices` (under Staff PCs). Groups in `OU=Groups`.
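
The inventory above was hand-built from a live AD-vs-RMM diff; the script below is an added example (not one of the plan's scripts) that rebuilds the same three buckets plus a name-dupe heuristic so the snapshot can be re-run before each join batch. It assumes the RMM side is exported to a CSV with a `Name` column (the GuruRMM export format is not described here), that the RSAT `ActiveDirectory` module is installed, and a 90-day stale threshold.

```powershell
# Added example, not part of the plan: rebuild the AD-vs-RMM join inventory.
# Assumptions: RMM asset export is a CSV with a 'Name' column (export format is not
# described in the plan); RSAT ActiveDirectory module present; 90-day stale threshold.
Import-Module ActiveDirectory

$RmmExport   = 'C:\Temp\rmm-assets.csv'                 # assumed path to the RMM export
$StaleBefore = (Get-Date).AddDays(-90)                  # no logon since this = cleanup candidate
$Infra       = @('CS-SERVER', 'CS-QB', 'AZUREADSSOACC') # DC, QB VM, Seamless-SSO object: skip

# AD computer objects (minus known infra) with last logon for the stale check.
$ad = Get-ADComputer -Filter * -Properties LastLogonDate |
      Where-Object { $Infra -notcontains $_.Name } |
      Select-Object Name, LastLogonDate
$adNames = @($ad.Name | ForEach-Object { $_.ToUpper() })

# RMM asset names, upper-cased so 'NurseAssist' and 'NURSEASSIST' compare equal.
$rmm = @(Import-Csv $RmmExport | ForEach-Object { $_.Name.Trim().ToUpper() } | Sort-Object -Unique)

# 1. In RMM but not in AD: not domain-joined yet (the "still to migrate" table).
$notJoined = @($rmm | Where-Object { $adNames -notcontains $_ })

# 2. In AD but not in RMM: joined but no agent checking in, or a stale object / dupe to verify.
$noAgent = @($ad | Where-Object { $rmm -notcontains $_.Name.ToUpper() })

# 3. AD objects with no logon since the threshold (DESKTOP-1ISF081's 2025-03 logon is well past it).
$stale = @($ad | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $StaleBefore })

# 4. Name pairs that look like the same box: NurseAssist vs ASSISTNURSE-PC are anagrams once
#    the '-PC' suffix goes; Health-Services-Director vs HEALTH-SERVICES share a prefix.
#    Feeds the "verify dup/rename before acting" rows; a heuristic, so verify by hand.
$norm = { param($n) $n.ToUpper() -replace '[-_ ]', '' -replace 'PC$', '' }
$all  = @(@($rmm + $adNames) | Sort-Object -Unique)
$dupes = foreach ($a in $all) { foreach ($b in $all) {
    if ($a -lt $b) {
        $na = & $norm $a; $nb = & $norm $b
        $sameLetters = (($na.ToCharArray() | Sort-Object) -join '') -eq (($nb.ToCharArray() | Sort-Object) -join '')
        if ($sameLetters -or $na.StartsWith($nb) -or $nb.StartsWith($na)) { "$a / $b" }
    }
} }

"Not joined ({0}): {1}" -f $notJoined.Count, ($notJoined -join ', ')
"Joined, no RMM agent ({0}): {1}" -f $noAgent.Count, ($noAgent.Name -join ', ')
"Stale in AD ({0}):" -f $stale.Count
$stale | ForEach-Object { "  {0} (last logon {1:yyyy-MM})" -f $_.Name, $_.LastLogonDate }
"Possible dupes to verify:"
$dupes | ForEach-Object { "  $_" }
```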

---

## Workstream 1 — Workstation domain migration

**Goal:** every staff PC on `cascades.local` + GuruRMM + correct dept OU + mapped dept drives;
retire per-PC Synology Drive Client.

**Per-machine runbook** (scripts in `docs/migration/scripts/`):

1. `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK)
2. `phase3-join-domain.ps1` -> join `cascades.local`
3. `phase3-post-join-verify.ps1`
4. Move the computer object into the correct **department OU**
5. Confirm the GuruRMM agent still checks in; migrate the user profile/data
6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete the local cache once clean
7. Log the change

**Tickets in this workstream:** #32194 (deploy spare machine for new hire — join + enroll + AD acct),
#32254 (Chef-PC reinstall then join).

### Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)

| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | **Win10 Home** | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | **Win11 Home** | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | **Win10 Home** | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | **Win11 Home** | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | **Win11 Home** | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD `HEALTH-SERVICES`) |

**Prep blockers / decisions (2026-06-24):**

- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys):
  LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard is handling the
  Home->Pro upgrades himself, ONSITE** (decision 2026-06-25).
- *2026-06-25 live re-check: the 6PM cron `ad0a56a9` never completed — all 5 still `EditionID=Core`
  (Home), licensed on Home keys, none half-upgraded. ProductName reads "Windows 10 Home" even on the
  Win11 boxes (stale registry string) — trust EditionID, not ProductName.*
- **DONE 2026-06-25 (~8:45 PM, remotely via RMM, no users logged in):** the 3 online Home boxes
  upgraded Home->Pro. Process: `changepk.exe /productkey <generic Pro key>` flips Core->Professional
  (run as SYSTEM it does NOT auto-reboot, and registry vs licensing go out of sync — **reboot once to finalize**),
  then activate. Results:
  - **MDIRECTOR-PC** -> Professional, **self-activated FREE via a built-in Pro digital entitlement**
    (no MAK used, no charge). READY to domain-join.
  - **MEMRECEPT-PC** + **LAPTOP-8P7HDSEI** -> activated with the ACG MAK
    (`infrastructure/windows-pro-mak`). NOTE: the MAK is a **Pro for Workstations** MAK — `/ipk` retargets
    the edition to `ProfessionalWorkstation` (higher SKU, fine for domain join), `/dli` = Licensed,
    VOLUME_MAK channel. **2 MAK counts consumed -> bill 2x $99 = $198 to Cascades** (line items name each
    machine). MEMRECEPT needed an `/ato` retry (first attempt hit transient `0x8004FE92`).
  - **Still pending:** NurseAssist (OFFLINE — and flagged as a possible dupe of `Assistnurse-pc`, verify
    before upgrading) and SALES4-PC (bypassed — Tamra departing, repurpose TBD).
  - Next step for the 3 upgraded boxes = **domain-join** (they now read `EditionID=Professional`/PfW).
- **OneDrive KFM ON** (unlink before the folder-redirect GPO applies): LAPTOP-8P7HDSEI, NurseAssist.
- **Pending reboots + KFM unlinks: held for onsite** (Howard) — too disruptive to clear remotely.
- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) —
  must be on-site/on-LAN before any join.
- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients
  actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not
  cleanly serve domain SMB) — update the script's target before reuse.
- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite:
  DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).
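
The readiness audit and blocker list above boil down to four remote checks per machine (edition by `EditionID`, pending reboot, OneDrive KFM, on-LAN DC reach). The probe below is an added example, not the plan's `phase3-pre-join-verify.ps1`, written to run as SYSTEM via RMM. It assumes the DC's reachable address is `192.168.2.248` as noted above, and the KFM check only sees user hives that are currently loaded (logged-in users).

```powershell
# Added example (not one of the plan's phase3 scripts): remote pre-join readiness probe.
# Assumptions: DC reachable at 192.168.2.248 (not the legacy .254); runs as SYSTEM via RMM;
# the KFM check covers loaded user hives only.
$DcIp   = '192.168.2.248'
$Domain = 'cascades.local'
$r = [ordered]@{ Computer = $env:COMPUTERNAME }

# Edition: trust EditionID (Core = Home), not the stale ProductName string.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$r.EditionID = $cv.EditionID
$r.EditionOK = $cv.EditionID -in @('Professional', 'ProfessionalWorkstation', 'Enterprise', 'Education')

# Pending reboot: CBS / Windows Update flags, or a computer rename not yet active.
$cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$cn  = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
$rename = (Get-ItemProperty "$cn\ComputerName").ComputerName -ne (Get-ItemProperty "$cn\ActiveComputerName").ComputerName
$r.PendingReboot = $cbs -or $wu -or $rename

# OneDrive KFM: any loaded user hive whose Desktop/Documents/Pictures shell folder points into OneDrive
# (the "poisoned shell folders" the runbook's step 1 looks for).
$r.KfmUsers = @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $usf = Get-ItemProperty "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
        if ($usf -and (@($usf.Desktop, $usf.Personal, $usf.'My Pictures') -match 'OneDrive')) { $_.PSChildName }
    })
$r.KfmOn = $r.KfmUsers.Count -gt 0

# Network: public resolvers (8.8.8.8/1.1.1.1) mean off-network; DC must answer SMB 445 and Kerberos 88.
$r.DnsServers     = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses -join ','
$r.DomainResolves = [bool](Resolve-DnsName $Domain -ErrorAction SilentlyContinue)
$r.DcSmb  = (Test-NetConnection $DcIp -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
$r.DcKerb = (Test-NetConnection $DcIp -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded

# Name: NetBIOS limit of 15 characters, no whitespace.
$r.NameOK = $env:COMPUTERNAME.Length -le 15 -and $env:COMPUTERNAME -notmatch '\s'

# Same verdict vocabulary as the audit table above.
$r.Readiness = if (-not $r.EditionOK) { 'BLOCKED: Home->Pro' }
               elseif (-not ($r.DcSmb -and $r.DcKerb -and $r.DomainResolves)) { 'BLOCKED: off-network / no DC reach' }
               elseif ($r.KfmOn) { 'BLOCKED: OneDrive KFM ON (unlink first)' }
               elseif ($r.PendingReboot) { 'pending reboot' }
               elseif (-not $r.NameOK) { 'BLOCKED: rename first' }
               else { 'READY' }
[pscustomobject]$r | Format-List
```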

---

## Workstream 2 — Users, departments & file-share access

**Goal:** every user in the right OU + `SG-*-RW` group; department drives mapped per the
access matrix; Synology retired as primary.

- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server,
  Accounting, Culinary, Activities, directoryshare, IT, Receptionist, **Executive (NEW — Ashley+Meredith)**.
  Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`.
- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
- **Close out the matrix open questions** (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks,
  John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/Clinical-PHI
  create-or-retire; `web` retire.

**Tickets:** #32193 (Executive restricted share — **DONE 2026-06-24**, E: mapped on both machines),
#32230 (Karen Rossini -> ALDOCS on Synology — **recheck when she's in**, she was out 2026-06-24).

---

## Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)

Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from
test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)

1. Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`.
2. CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable the compliance-block policy `ede985e2`.
3. Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare`
   one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user.
5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
6. **Reboot NURSESTATION-PC** to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).
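
Steps 1 and 3 are the on-prem AD side of the flip and are the ones that can be fat-fingered (filtering the GPO to nobody, or moving a staff PC into the lockdown OU). The script below is an added example, not the plan's own tooling: it makes both steps idempotent and supports `-WhatIf`. It assumes the Caregiver Devices OU DN derived from the OU layout above, RSAT `ActiveDirectory` + `GroupPolicy` modules on the admin host, and a device-to-location mapping that you confirm per machine before running.

```powershell
# Added example (not from the plan): go-live steps 1 + 3, idempotent, -WhatIf aware.
# Assumptions: OU DN below is derived from the OU layout in this plan; RSAT AD + GroupPolicy
# modules present; the device -> location-group map is illustrative, confirm per device.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Gpo      = 'CSC - Caregiver Workstation',
    [string]$TargetOu = 'OU=Caregiver Devices,OU=Staff PCs,OU=Workstations,DC=cascades,DC=local',
    [hashtable]$Devices = @{ 'Laptop2' = 'SG-PC-MainTower' }   # one device at a time, per the plan
)
Import-Module ActiveDirectory, GroupPolicy

# Step 1: swap the GPO security filter from the test group to the real caregivers group.
# Grant first, then remove the test group, so the GPO is never filtered to nobody mid-change.
$perms = Get-GPPermission -Name $Gpo -All
$hasReal = $perms | Where-Object { $_.Trustee.Name -eq 'SG-Caregivers'      -and $_.Permission -eq 'GpoApply' }
$hasTest = $perms | Where-Object { $_.Trustee.Name -eq 'SG-Caregivers-Test' -and $_.Permission -eq 'GpoApply' }
if (-not $hasReal -and $PSCmdlet.ShouldProcess($Gpo, 'grant SG-Caregivers GpoApply')) {
    Set-GPPermission -Name $Gpo -TargetName 'SG-Caregivers' -TargetType Group -PermissionLevel GpoApply | Out-Null
}
if ($hasTest -and $PSCmdlet.ShouldProcess($Gpo, 'remove SG-Caregivers-Test from security filter')) {
    Set-GPPermission -Name $Gpo -TargetName 'SG-Caregivers-Test' -TargetType Group -PermissionLevel None | Out-Null
}

# Step 3: per device, move into the Caregiver Devices OU and add to its location group.
foreach ($name in $Devices.Keys) {
    $c = Get-ADComputer -Identity $name -Properties MemberOf
    if ($c.DistinguishedName -notlike "CN=$name,$TargetOu" -and
        $PSCmdlet.ShouldProcess($name, "move to $TargetOu")) {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOu
    }
    $grp = Get-ADGroup -Identity $Devices[$name]
    if ($c.MemberOf -notcontains $grp.DistinguishedName -and
        $PSCmdlet.ShouldProcess($name, "add to $($grp.Name)")) {
        Add-ADGroupMember -Identity $grp -Members $c
    }
    # The new group SID only lands in the machine's token after a reboot (the plan's step 6).
    Write-Verbose "$name -> $TargetOu / $($grp.Name); reboot to pick up the GPO + group membership."
}
```

Run once with `-WhatIf -Verbose` against the pilot (NURSESTATION-PC) before touching the caregiver laptops.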

---

## Workstream 4 — M365

- **Relicense 31 users Business Standard -> Business Premium** (Standard is SUSPENDED — time-sensitive).
- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys.
- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`.

---

## Workstream 5 — Server / infrastructure

- **Cloud backup (MSP360 -> ACG-backup): VERIFIED running 2026-06-24** (last run Success, 0 failed, 575 GB baseline in cloud, incrementals working). Still confirm whether it is image/bare-metal/system-state (it looks file-level) + set retention. [GATE for any drive work]
- **CS-SERVER RAID -- CORRECTED 2026-06-24: HEALTHY, not degraded** (live OMSA: both mirrors Ok, all 5 disks Online, all LEDs green; the 6/15 degraded state self-recovered). **NO emergency drive swap.** 1:0:4 = global hot spare (do not remove). **Planned** reliability upgrade: replace the 2 consumer 320 GB drives (esp. the flaky WD at 0:0:3) with the 2x enterprise SSDs **already purchased**, in a scheduled window with a confirmed image/system-state backup. **[WARN] PSU redundancy lost** -- one PSU not delivering, check onsite. Service Tag 9MQFTK1. Real fix = DC migration off the 16-yr-old R610.
- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
- Rotate the Synology signin-portal credential (was committed in plaintext historically).

---

## Workstream 6 — Network (mostly complete)

- **CSC ENT device-island consolidation (phones + Helpany on 5 GHz)** — repurpose CSC ENT as a
  **5 GHz-only WPA2 PPSK** SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the
  Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both
  off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz.
  Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea
  (deleting it would orphan the Pauls). Both vendors can move their devices remotely once we
  provide the network. **Onsite gate: verify per-room 5 GHz coverage before the band flip**
  (steel walls; weak-5GHz devices stay on 2.4). Full design + sequence:
  `docs/network/csc-ent-device-island-plan.md`.
  - Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense.
  - Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed);
    new voice key -> VLAN 30 (phones re-pointed by Howard/Richard).
  - Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few
    phones + Pauls, then full rollout.
  - Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
  - **PREREQUISITE (live 2026-06-24): CSC ENT has 149 clients, only 68 are Helpany.** ~79 non-Helpany
    devices must be evacuated first — 14 staff PCs (domain mig), 11 printers, **11 DIRECTV + 11
    resident IoT/TV + 15 personal phones + 17 unknown (resident-facing — need help reconnecting)**.
    ~51 are on 2.4 GHz and would drop on a 5 GHz-only flip. Per-device inventory + resident
    help-list: `docs/network/csc-ent-client-inventory-2026-06-24.md`. TODO: pull `stat/alluser`
    for offline resident TVs; identify the 17 unknowns + generic phones with John Trozzi.
- **#32319** WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`).
- **#32342** Copy Room switch — install + adopt into UniFi.
- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
- *(Superseded)* Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single
  dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).

---

## Workstream 7 — Onsite peripherals

- **#32370** eFax setup (Karen & Christin) + portable scanner on both machines.

---

## Suggested sequence (fastest path)

1. **Today's onsite batch (Howard, on-site):** #32342 (Copy Room switch), #32319 (Room 343 AP),
   #32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join);
   #32230 (Karen -> ALDOCS) once she's in. **While onsite: verify per-room 5 GHz coverage** for the
   CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the
   vendors.
2. **Caregiver lockdown go-live** (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
3. **M365 relicense 31 users** (Workstream 4) — time-sensitive.
4. **Backup verify -> RAID replacement** (Workstream 5) — critical single-DC risk.
5. **Remaining staff domain joins + dept drives** (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
6. Network tail (Vertical 5 GHz, 100 Mbps ports) + M365 break-glass/audit retention.

---

## Open Syncro tickets -> workstream map

| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | **DONE 2026-06-24** (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |