azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de8d2decdbcd922b275496286331fecfd48435a2
claudetools/clients/cascades-tucson/docs/servers/active-directory.md
Howard Enos 90d4f386aa sync: auto-sync from HOWARD-HOME at 2026-04-22 16:38:05 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-22 16:38:05
2026-04-22 16:38:06 -07:00

19 KiB
Raw Blame History

Active Directory — cascades.local

Domain Info (audit 2026-03-20)

  • Domain: cascades.local (NetBIOS: CASCADES)
  • Forest Functional Level: Windows2016Forest
  • Domain Functional Level: Windows2016Domain
  • Domain Controllers: CS-SERVER (192.168.2.254) — ONLY DC (all FSMO roles)
  • Sites: Default-First-Site-Name
  • No trusts configured

AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13

New since last doc update: Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26)

Enabled Accounts — HR Roster (updated 2026-04-13)

Name SamAccountName Position Department Shared Email Notes
Administrator Administrator Built-in
localadmin localadmin Local admin
Sysadmin sysadmin System admin
Howard Dax howard Home Office Administrative first.last@ MSP technician
Meredith Kuhn Meredith.Kuhn Executive Director Administrative first.last@
John Trozzi John.Trozzi Maintenance Director Maintenance first.last@ PC: MAINTENANCE-PC
Lupe Sanchez Lupe.Sanchez Housekeeping Director Housekeeping first.last@ Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13)
Megan Hiatt Megan.Hiatt Sales Director Marketing first.last@, Sales@
Crystal Rodriguez Crystal.Rodriguez Sales Associate Marketing first.last@, Sales@ PC: CRYSTAL-PC
Tamra Matthews Tamra.Matthews Move-In Coordinator Marketing first.last@ Renamed from Tamra.Johnson (2026-04-13)
Lois Lane Lois.Lane Health Services Director Care, Assisted Living first.last@, Nurses@
Christina DuPras Christina.DuPras Resident Services Director Resident Services first.last@
Christine Nyanzunda Christine.Nyanzunda Memory Care Admin Assistant Care, Memory Care first.last@
Susan Hicks Susan.Hicks Life Enrichment Director Life Enrichment first.last@ PC: DESKTOP-ROK7VNM
Ashley Jensen Ashley.Jensen Assistant Executive Director Administrative first.last@, Accounting@
Veronica Feller Veronica.Feller Care, Assisted Living Aide Care, Assisted Living first.last@
Sebastian Leon Sebastian.Leon RS Courtesy Patrol Resident Services Frontdesk@, Courtesypatrol@
JD Martin JD.Martin Culinary Director Culinary first.last@
Alyssa Brooks Alyssa.Brooks Dining Manager Culinary first.last@ Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13)
Matt Brooks Matt.Brooks Memory Care Receptionist Maintenance first.last@ Dept says Maintenance (HR data)
Ramon Castaneda Ramon.Castaneda Kitchen Manager Culinary first.last@
Michelle Shestko Michelle.Shestko Resident Services Receptionist Resident Services MC Front Desk
Sharon Edwards Sharon.Edwards Life Enrichment Assistant Life Enrichment first.last@ PC: DESKTOP-DLTAGOI
Britney Thompson britney.thompson Memory Care Nurse Care, Assisted Living first.last@, Nurses@ DEPARTED 2026-04-22 per John — disable account + harvest license
Shelby Trozzi Shelby.Trozzi Memory Care Director Care, Memory Care first.last@ Renamed from strozzi (2026-04-13)
Karen Rossini karen.rossini Health Services Manager Care, Assisted Living first.last@, Nurses@ lowercase SamAccountName
Sheldon Gardfrey Sheldon.Gardfrey RS Courtesy Patrol Resident Services Frontdesk@, Courtesypatrol@
Cathy Kingston Cathy.Kingston Resident Services Receptionist Resident Services Frontdesk@
Shontiel Nunn Shontiel.Nunn Resident Services Receptionist Resident Services Frontdesk@
Ray Rai Ray.Rai RS Courtesy Patrol Resident Services Frontdesk@
Richard Adams Richard.Adams Driver Transportation Transportation@ 2026-04-22: disable — drivers no longer get IT access
Julian Crim Julian.Crim Driver Transportation Transportation@ 2026-04-22: disable — drivers no longer get IT access
Christopher Holick Christopher.Holick Driver Transportation Transportation@ Fixed from Holik (2026-04-13). 2026-04-22: disable — drivers no longer get IT access
Lauren Hasselman lauren.hasselman Business Office Director Administrative first.last@, Accounting@ Replaced Jeff Bristol. lowercase SamAccountName
Allison Reibschied Allison.Reibschied Accounting Assistant Administrative first.last@ Added 2026-03-13. PC: ACCT2-PC
QBDataServiceUser34 QBDataServiceUser34 QuickBooks service account
Culinary Culinary Generic department account — replace Phase 5
RECEPTIONIST Receptionist Generic role account — replace Phase 5
saleshare saleshare Shared sales resource — replace Phase 5
directoryshare directoryshare Shared directory resource — replace Phase 5

Not in AD — Needs Account Created

Name Position Department Shared Email Notes
Kyla Quick Tiffany Resident Services Receptionist Resident Services Frontdesk@ New — needs AD + M365 account

Accounts Deleted (2026-04-13 cleanup)

Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol

Disabled Accounts (2) — cleaned 2026-04-13

Name SamAccountName Notes
Guest Guest Built-in — correct to leave disabled
krbtgt krbtgt Built-in Kerberos — correct to leave disabled. Password 569+ days old — needs rotation

Domain-Joined Computers (8)

OU=Domain Controllers

Computer Role
CS-SERVER Primary DC, File Server, Hyper-V host

CN=Computers (default)

Computer Role
CS-QB Hyper-V VM — VoIP server

OU=Staff PCs,OU=Workstations (moved 2026-04-13)

Computer User Role
ACCT2-PC Allison Reibschied Accounting
CRYSTAL-PC Crystal Rodriguez Sales Associate
DESKTOP-H6QHRR7 Sylvia Cuen Staff workstation
DESKTOP-1ISF081 TBD Unknown — needs identification
DESKTOP-DLTAGOI Sharon Edwards Life Enrichment Assistant
DESKTOP-ROK7VNM Susan Hicks Life Enrichment Director

Missing from AD (listed in overview but NOT domain-joined)

  • SALES4-PC — Sales workstation (10.0.20.203) — NOT in AD
  • CHEF-PC — Kitchen workstation (10.0.20.232) — NOT in AD
  • MDIRECTOR-PC — MemCare Director (192.168.3.20) — NOT in AD
  • DESKTOP-KQSL232 — Unknown (10.0.20.227) — NOT in AD

These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain.

Organizational Units

Current State (pre-cleanup)

cascades.local
├── Builtin (system)
├── Computers (default container) ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7
├── Users (default container) ← 20 accounts dumped here (system + stale + needs placement)
├── Domain Controllers
│   └── CS-SERVER
├── Managment              ← MISSPELLED, empty — DELETE
├── Sales                  ← empty — DELETE
├── MemCare                ← empty — DELETE
├── Administrative         ← ROOT DUPLICATE of Departments\Administrative — DELETE
├── Care-Assisted Living   ← ROOT DUPLICATE — DELETE
├── Care-Memorycare        ← ROOT DUPLICATE — DELETE
├── Culinary               ← ROOT DUPLICATE — DELETE
├── Housekeeping           ← ROOT DUPLICATE — DELETE
├── Life Enrichment        ← ROOT DUPLICATE — DELETE
├── Maintenance            ← ROOT DUPLICATE — DELETE
├── Marketing              ← ROOT DUPLICATE — DELETE
├── Resident Services      ← ROOT DUPLICATE — DELETE
├── Transportation         ← ROOT DUPLICATE — DELETE
└── Departments
    ├── Administrative (6 users)
    ├── Care-Assisted Living (4 users)
    │   └── Nurses (sub-OU, empty)
    ├── Care-Memorycare (2 users)
    ├── Culinary (4 users)
    ├── Housekeeping (1 user)
    ├── Life Enrichment (2 users)
    ├── Maintenance (2 users)
    ├── Marketing (4 users)
    ├── Resident Services (7 users)
    └── Transportation (3 users)

Target State (after cleanup — Phase 2.1 + 2.2)

cascades.local
├── Builtin (system)
├── Computers (default container) ← CS-QB stays here (VM, not staff PC)
├── Users (default container) ← system/service accounts only
├── Domain Controllers
│   └── CS-SERVER
├── Workstations           ← NEW
│   ├── Staff PCs          ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM
│   └── Shared PCs         ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation)
└── Departments
    ├── Administrative (6 users)
    ├── Care-Assisted Living (4 users)
    │   └── Nurses (sub-OU)
    ├── Care-Memorycare (2 users)
    ├── Culinary (4 users)
    ├── Housekeeping (1 user)
    ├── Life Enrichment (2 users)
    ├── Maintenance (2 users)
    ├── Marketing (4 users)
    ├── Resident Services (7 users)
    └── Transportation (3 users)

Cleanup Scripts

  • migration/scripts/phase2-ou-cleanup.ps1 — Audit + delete 13 root-level OUs, handle CN=Users accounts
  • migration/scripts/phase2-ad-setup.ps1 — Security fixes, create Workstations OU, security groups, move computers

Group Policy (as of 2026-03-07 export)

GPOs exist but effectiveness is limited since most PCs aren't domain-joined.

GPO Created Modified Settings Notes
Default Domain Policy Aug 2024 Mar 2026 Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. OK
Default Domain Controllers Policy Aug 2024 Oct 2024 IIS app pool audit rights, print operator driver loading. Standard. OK
Power Options Jul 2025 Jul 2025 "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. Reasonable — keep
CopyRoomPrinter Dec 2025 Dec 2025 EMPTY DELETED 2026-03-09
Nurses-Kiosk Dec 2025 Dec 2025 EMPTY DELETED 2026-03-09
MemCareMedTechPrinter Dec 2025 Dec 2025 EMPTY DELETED 2026-03-09

GPO Review (2026-03-07): All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. The Default Domain Policy has account lockout disabled (threshold = 0), allowing unlimited password brute-force attempts — this needs to be fixed in the security baseline GPO.

RDS Licensing

  • Mode: NotConfigured
  • License Servers: None
  • RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
  • Compliance risk: Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused. Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode.

Existing AD Groups (Custom)

Group Members Notes
QuickBooks Access Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman Renamed from "Quickboosk acccess" on 2026-03-09
Roaming (empty) Old roaming profile attempt — unused
MemoryCareDepartment (empty) Never populated
KitchenAdmin (empty) Never populated

Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3)

See migration/phase2-server-prep.md and migration/scripts/phase2-ad-setup.ps1.

Security Fixes (immediate)

  • Remove disabled Monica.Ramirez from Domain Admins (security risk)
  • Disable Haris.Durut (still enabled, not employed)
  • Fix "Quickboosk acccess" → "QuickBooks Access"
  • Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)

OU Changes

  • DELETE 10 root-level duplicate OUs (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
  • DELETE 3 empty root-level OUs (Managment, MemCare, Sales) — unused
  • Create: OU=Workstations,DC=cascades,DC=local
  • Create: OU=Staff PCs,OU=Workstations,DC=cascades,DC=local

Security Groups (created with members from Synology permission mapping)

Group Members
SG-Management-RW Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman
SG-Sales-RW Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews
SG-Server-RW Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn
SG-Chat-RW Ashley.Jensen, britney.thompson, Veronica.Feller
SG-Culinary-RW JD.Martin, Ramon.Castaneda, Alyssa.Brooks
SG-IT-RW howard, sysadmin
SG-Receptionist-RW Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko
SG-Directory-RW Cathy.Kingston, Shontiel.Nunn, Christina.DuPras
SG-AllShares-RO (populated as needed)

Account Removals (client confirmed)

Already disabled — delete: Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol

Enabled but not in HR — disable + delete: Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery

Keep: lauren.hasselman (replaced Bristol as Business Office Director)

CN=Users — HR Verified (2026-03-10)

HR (Meredith) responded. All accounts resolved:

Account Enabled Last Logon Action
Lupe.Sanchez Yes Never Keep — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate
Receptionist Yes 2/22/2026 Shared account — keep until Phase 5 replacement
directoryshare Yes 2/26/2026 Shared/service account — keep until Phase 5 replacement

Confirmed DELETE by HR:

  • Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
  • Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
  • Jodi.Ramstack (disabled)
  • Monica.Ramirez (disabled, already removed from Domain Admins)
  • Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license

Already confirmed for removal (not current employees, never logged in): Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)

System/service accounts staying in CN=Users: Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34

Domain Join (Phase 3)

Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:

  • DESKTOP-KQSL232 (first)
  • CHEF-PC
  • SALES4-PC
  • MDIRECTOR-PC (last)

GPOs to Create (Phase 2.6)

  1. CSC - Drive Mappings — S:, M:, T:, K:, I:, R:, P: with item-level targeting
  2. CSC - Printer Deployment — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
  3. CSC - Security Baseline — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
  4. CSC - Windows Update — Auto download, Sundays 3 AM, no auto-restart
  5. CSC - Folder Redirection — Desktop, Documents, Downloads → \\CS-SERVER\homes\%username%\
  6. CSC - Shared Workstation — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification.

Entra Connect (Phase 2.7 — NEW)

  • Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
  • BLOCKED ON: AD cleanup (renames, deletions, duplicate resolution) must complete first
  • See cloud/m365.md → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
  • Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles

Shared Account Replacement (Phase 5)

Replace Culinary, Receptionist, saleshare, directoryshare with security group access.

Domain Admins (from 2026-03-07 export)

Account Status Action Needed
Administrator Enabled OK (built-in)
Meredith.Kuhn Enabled REMOVE — administrative staff, not IT
John.Trozzi Enabled REMOVE — maintenance, not IT
Monica.Ramirez Disabled REMOVED 2026-03-09
sysadmin Enabled OK (IT account)

Login Activity (audit 2026-03-20)

Only 12 of 49 enabled accounts have ever logged in. Most staff have never used their AD accounts because their PCs aren't domain-joined.

Account Last Logon Notes
sysadmin 2026-03-16
QBDataServiceUser34 2026-03-14 QuickBooks service
Allison.Reibschied 2026-03-13 NEW — Administrative
lauren.hasselman 2026-03-12 Business Office Director
Administrator 2026-03-11
Receptionist 2026-03-11 Shared account
directoryshare 2026-03-10 Shared account
localadmin 2026-03-09
Crystal.Rodriguez 2026-03-09 CRYSTAL-PC
Culinary 2026-02-20 Shared account
saleshare 2025-12-08 Shared account
Christina.DuPras 2026-01-06
Monica.Ramirez 2024-11-04 Disabled

37 enabled accounts have NEVER logged in — most have never set a password either.

Issues Found

  1. Only 6 computers domain-joined — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
  2. 3 GPOs from Dec 2025 undocumented — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these.
  3. RDS licensing not configured — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision)
  4. 12 accounts to remove — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2)
  5. 4 shared/generic accounts (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5)
  6. Monica.Ramirez (disabled) still in Domain Admins — Security risk, fix immediately. (Phase 2.2)
  7. Meredith.Kuhn and John.Trozzi in Domain Admins — Non-IT staff should not be DAs. (Phase 2.2)
  8. "Managment" OU misspelled — To be deleted (empty). (Phase 2.1)
  9. "Quickboosk acccess" group typo — To be fixed. (Phase 2.2)
  10. 13 junk root-level OUs — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1.
  11. 20 accounts in CN=Users — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
  12. 5 computers in CN=Computers — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
  13. Lupe.Sanchez — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
Reference in New Issue View Git Blame Copy Permalink