| name | description | metadata |
|---|---|---|
| Cascades scan-to-folder uses the svc-scan account | At Cascades, every scanner→network-folder (scan-to-SMB) setup reuses the single svc-scan AD service account — never create a per-printer/per-folder scan account. Grant svc-scan Modify on the new scan folder and use cascades\svc-scan (NTLMv2) in the device profile. | |
Current-state context: project_cascades. Full setup detail lives in the wiki (Patterns -> File Shares & Scan-to-Folder).
Rule (Howard, 2026-06-09): When setting up any scanner / MFP to scan to a network folder at Cascades, reuse the svc-scan AD service account — do NOT create a new scan account per printer or per folder.
Why: One least-privilege, vaulted credential to manage/rotate instead of credentials scattered across many device configs; keeps the stored-in-device credential low-blast-radius and auditable.
How to apply:
- Grant `CASCADES\svc-scan` Modify on the new scan destination folder (the dropbox subfolder only — least privilege).
- In the device's Scan-to-Network profile: Username `cascades\svc-scan`, Auth Method NTLMv2, password from vault `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`).
- Use the server IP (e.g. `\\192.168.2.254\...`) not the hostname — VLAN-20 printers may not resolve `CS-SERVER`.
- Remember CS-SERVER cannot reach VLAN-20 printer web UIs (pfSense blocks main-LAN→VLAN20); configure the device from a VLAN-20 PC or onsite. Printer→CS-SERVER:445 is open.
svc-scan: AD account on CS-SERVER (CN=Users, PasswordNeverExpires, CannotChangePassword). First use: Accounting Brother MFC-L8900CDW (10.0.20.220) → \\CS-SERVER\AcctDept\Scans, 2026-06-09.
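
The folder grant and account facts above, as an added PowerShell example (not taken from the Cascades wiki or this note): it grants Modify on the scan subfolder only, warns if `svc-scan` holds rights beyond that, and reads back the account flags. Assumptions: `$ScanFolder` is a placeholder local path, and the session is elevated on CS-SERVER with the ActiveDirectory module available.

```powershell
# Added example. $ScanFolder is an assumed placeholder path, not from the page;
# point it at the real dropbox subfolder before running.
$ScanFolder = 'D:\Shares\AcctDept\Scans'
$Account    = 'CASCADES\svc-scan'
$FullCtl    = [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Grant Modify on the scan subfolder only, inherited by its files and subfolders.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $ScanFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $ScanFolder -AclObject $acl

# 2. Least-privilege checks: no explicit ACE for svc-scan on the parent folder,
#    and nothing as broad as FullControl on the scan folder itself.
$parent = Split-Path -Path $ScanFolder -Parent
$parentAces = (Get-Acl -Path $parent).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited }
if ($parentAces) {
    Write-Warning "$Account has explicit rights on parent folder $parent"
}

$tooBroad = (Get-Acl -Path $ScanFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and
                   $_.FileSystemRights.HasFlag($FullCtl) }
if ($tooBroad) {
    Write-Warning "$Account has FullControl on $ScanFolder; expected Modify"
}

# 3. Read back the account flags recorded in this note.
Get-ADUser -Identity 'svc-scan' -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
```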