sync: auto-sync from Mikes-MacBook-Air.local at 2026-06-07 12:59:13

Author: Mike Swanson
Machine: Mikes-MacBook-Air.local
Timestamp: 2026-06-07 12:59:13
2026-06-07 12:59:14 -07:00
parent b848e34a8e
commit 0210d66b40
6 changed files with 788 additions and 7 deletions


@@ -0,0 +1,285 @@
# Wolkin Law - ZeroTier VPN Setup for Remote Access
## User
- **User:** Mike Swanson (mike)
- **Machine:** Mikes-MacBook-Air
- **Role:** admin
## Session Summary
Deployed ZeroTier mesh VPN to connect Wolkin Law's office PC (FRONT) with Julie's remote laptop (RSW-Laptop) for file sharing and remote access. Removed existing Tailscale installation from both machines and installed ZeroTier 1.16.2, joining network 17d709436c834c9b. FRONT received IP 10.147.19.199 and RSW-Laptop received 10.147.19.54. Added bidirectional hosts file entries for name resolution between the machines.
Created julie user accounts on both machines with matching M365 credentials. Discovered critical GuruRMM bug where password setting commands (PowerShell Set-LocalUser, net user in both PowerShell and CMD contexts) complete with exit 0 but fail to actually set passwords. User manually set passwords via ScreenConnect using identical commands which worked successfully. Documented the bug in memory with HIGH priority flag for investigation. Made julie an Administrator on the laptop for full system access.
Configured SMB file sharing over the ZeroTier mesh network. Discovered FRONT's desktop is redirected to OneDrive. Created shares for three folders (Scans at C:\Scans, Forms and Pleadings in OneDrive\Desktop), granted julie NTFS permissions on all three, and mapped persistent network drives (S:, F:, P:) on the laptop. Created desktop shortcuts initially pointing to drive letters, later updated to UNC paths using the FRONT hostname for better resilience. Initiated Office 365 and Adobe Creative Cloud Desktop installations on the laptop.
Granted julie@rswolkin.com FullAccess permissions to robert@rswolkin.com's M365 mailbox using the ComputerGuru Exchange Operator app via the remediation tool. Enabled AutoMapping so Robert's mailbox will appear automatically in Julie's Outlook. Investigated printer sharing for the RICOH network printer (172.17.110.110) but encountered access denied errors from the laptop. Deferred printer access for later investigation after choosing to fix sharing over ZeroTier rather than routing the entire office subnet through the mesh.
## Key Decisions
- **ZeroTier over Tailscale**: Switched from Tailscale to ZeroTier for the peer-to-peer VPN connection per user preference
- **Hostname-based UNC paths**: Updated desktop shortcuts to use \\FRONT\ hostname instead of drive letters for better resilience if mapped drives disconnect or IPs change
- **Administrator access for julie**: Made julie a full Administrator on the laptop rather than standard user to simplify access and troubleshooting
- **AutoMapping enabled**: Enabled AutoMapping for mailbox delegation so Robert's mailbox appears automatically in Julie's Outlook without manual configuration
- **Printer sharing vs routing**: Chose Option 2 (fix printer sharing over ZeroTier) instead of Option 1 (route entire 172.17.0.0/16 office subnet) for security and simplicity
- **Deferred printer troubleshooting**: Postponed printer access investigation to focus on completing file sharing and mailbox access first
## Problems Encountered
### GuruRMM Password Setting Commands Fail Silently
**Problem**: All password setting commands via GuruRMM return exit 0 and "The command completed successfully" but passwords don't actually get set. Tested:
- PowerShell: `Set-LocalUser -Name "julie" -Password $securePassword`
- PowerShell: `net user julie Jaylen0607!`
- CMD (shell type): `net user julie Jaylen0607!`
All three methods failed. `net user julie` showed "Password required: No" and authentication with the password failed.
**Resolution**: User manually set passwords via ScreenConnect using `net user julie Jaylen0607!` which worked. Both GuruRMM and ScreenConnect run commands as SYSTEM, ruling out privilege issues. The bug is specific to GuruRMM agent's process spawning mechanism. Documented in `.claude/memory/feedback_rmm_password_limitation.md` with HIGH priority flag.
**Workaround**: Use ScreenConnect for password operations until GuruRMM agent bug is fixed.
### Forms and Pleadings Folders Access Denied
**Problem**: After creating SMB shares and mapping drives, `Test-Path F:\` and `Test-Path P:\` returned False with access denied errors.
**Cause**: NTFS permissions weren't granted on the OneDrive-redirected folders. Share permissions alone weren't sufficient.
**Resolution**: Granted julie full NTFS permissions on both folders using `Get-Acl`/`Set-Acl` with FileSystemAccessRule for FullControl with ContainerInherit and ObjectInherit flags.
### Scans Folder Access Denied
**Problem**: After Forms/Pleadings fix worked, user reported Scans folder showed "You don't currently have access to this folder."
**Cause**: C:\Scans (not in OneDrive) didn't have NTFS permissions for julie, only share permissions.
**Resolution**: Applied same NTFS permission grant to C:\Scans.
### Drive Mapping Timeout
**Problem**: Attempted to remap drives from IP addresses (10.147.19.199) to hostname (FRONT) but command timed out after 30 seconds.
**Resolution**: Remapped drives later using hostname with a longer timeout (60 seconds). All three drives mapped successfully with persistent connections.
### Desktop Shortcuts Stopped Working
**Problem**: User reported desktop shortcuts suddenly didn't work.
**Cause**: Network drives (S:, F:, P:) had disconnected and weren't mapped.
**Resolution**: Remapped all three drives using `net use` with `/persistent:yes` flag and FRONT hostname. Updated desktop shortcuts to use UNC paths (\\FRONT\...) instead of drive letters for better resilience.
### RICOH Printer Access Denied
**Problem**: Shared RICOH printer from FRONT as "RICOH" but laptop couldn't access it (Test-Path returned access denied).
**Cause**: Investigation incomplete. The RICOH PCL6 UniversalDriver connects to network printer at 172.17.110.110 on office LAN. Printer sharing permissions may need additional configuration or the issue may be related to credential passthrough over ZeroTier.
**Status**: Deferred for later investigation. User prioritized completing file sharing and mailbox access first.
## Configuration Changes
### Files Created
- `.claude/memory/feedback_rmm_password_limitation.md` - Documented GuruRMM password setting bug
- `clients/wolkin-law/session-logs/2026-06-07-mike-zerotier-setup.md` - This session log
### Files Modified
- `.claude/memory/MEMORY.md` - Added index entry for RMM password limitation
### Windows Registry/System Changes (FRONT)
- Uninstalled Tailscale 1.98.4
- Installed ZeroTier 1.16.2
- Joined ZeroTier network 17d709436c834c9b (assigned 10.147.19.199)
- Added hosts file entry: `10.147.19.54 RSW-Laptop`
- Created SMB share: Forms → C:\Users\Owner\OneDrive\Desktop\Forms
- Created SMB share: Pleadings → C:\Users\Owner\OneDrive\Desktop\Pleading Forms and Filing
- Shared printer: RICOH (RICOH PCL6 UniversalDriver V4.33)
- Granted NTFS permissions: FRONT\julie FullControl on C:\Scans, Forms, Pleadings
### Windows Registry/System Changes (RSW-Laptop)
- Uninstalled Tailscale 1.98.4
- Installed ZeroTier 1.16.2
- Joined ZeroTier network 17d709436c834c9b (assigned 10.147.19.54)
- Added hosts file entry: `10.147.19.199 FRONT`
- Created local user: julie (Administrator group)
- Mapped network drives:
- S: → \\FRONT\Scans (persistent)
- F: → \\FRONT\Forms (persistent)
- P: → \\FRONT\Pleadings (persistent)
- Created desktop shortcuts:
- Scans.lnk → \\FRONT\Scans
- Forms.lnk → \\FRONT\Forms
- Pleading Forms and Filing.lnk → \\FRONT\Pleadings
- Started Microsoft 365 installation (Office Deployment Tool, O365BusinessRetail, 64-bit, silent)
- Started Adobe Creative Cloud Desktop installation (silent)
### M365 Tenant Changes (rswolkin.com / ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b)
- Granted julie@rswolkin.com FullAccess to robert@rswolkin.com mailbox (AutoMapping enabled)
## Credentials & Secrets
### Local Accounts
- **julie** (both machines): `Jaylen0607!` (matches M365 password)
- User is Administrator on RSW-Laptop
### M365 Accounts
- **julie@rswolkin.com**: `Jaylen0607!` (for Office 365 sign-in)
- **robert@rswolkin.com**: `Alissa16$!` (for Adobe Creative Cloud sign-in)
### ZeroTier Network
- **Network ID**: `17d709436c834c9b`
- **FRONT Node ID**: `0c00b9917a`
- **RSW-Laptop Node ID**: `2a497be947`
## Infrastructure & Servers
### Machines
- **FRONT**: Office PC, Windows, ZeroTier IP 10.147.19.199
- **RSW-Laptop**: Remote laptop, Windows, ZeroTier IP 10.147.19.54
### Network Configuration
- **ZeroTier Network**: 17d709436c834c9b
- **Hosts file entries**: Bidirectional (FRONT ↔ RSW-Laptop)
- **Office printer**: RICOH at 172.17.110.110 (Standard TCP/IP Port 9100)
### M365 Tenant
- **Domain**: rswolkin.com
- **Tenant ID**: ceb6dbe7-82c8-4d8f-9c6b-49aa26208e9b
### SMB Shares (from FRONT)
- **\\FRONT\Scans** → C:\Scans
- **\\FRONT\Forms** → C:\Users\Owner\OneDrive\Desktop\Forms
- **\\FRONT\Pleadings** → C:\Users\Owner\OneDrive\Desktop\Pleading Forms and Filing
- **\\FRONT\RICOH** → RICOH PCL6 UniversalDriver V4.33 (printer share)
## Commands & Outputs
### ZeroTier Installation
```powershell
$zt_url = "https://download.zerotier.com/dist/ZeroTier%20One.msi"
$installer = "$env:TEMP\zerotier-one.msi"
Invoke-WebRequest -Uri $zt_url -OutFile $installer -UseBasicParsing
Start-Process msiexec.exe -ArgumentList "/i `"$installer`" /qn" -Wait
& "C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat" join 17d709436c834c9b
```
Output (FRONT):
```
200 join OK
200 info 0c00b9917a 1.16.2 ONLINE
200 listnetworks 17d709436c834c9b ... OK_PRIVATE 10.147.19.199/24
```
### Hosts File Entries
```powershell
# On FRONT
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`n# ZeroTier - Wolkin laptop`n10.147.19.54 RSW-Laptop"
# On RSW-Laptop
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`n# ZeroTier - Office PC`n10.147.19.199 FRONT"
```
### Drive Mapping
```cmd
net use S: \\FRONT\Scans /user:FRONT\julie Jaylen0607! /persistent:yes
net use F: \\FRONT\Forms /user:FRONT\julie Jaylen0607! /persistent:yes
net use P: \\FRONT\Pleadings /user:FRONT\julie Jaylen0607! /persistent:yes
```
Output:
```
The command completed successfully.
Status Local Remote Network
-------------------------------------------------------------------------------
OK F: \\FRONT\Forms Microsoft Windows Network
OK P: \\FRONT\Pleadings Microsoft Windows Network
OK S: \\FRONT\Scans Microsoft Windows Network
```
### M365 Mailbox Permission
```bash
# Via remediation tool with Exchange Operator app
curl -X POST "https://outlook.office365.com/adminapi/beta/$TENANT_ID/InvokeCommand" \
-H "Authorization: Bearer $TOKEN" \
-d '{"CmdletInput":{"CmdletName":"Add-MailboxPermission","Parameters":{"Identity":"robert@rswolkin.com","User":"julie@rswolkin.com","AccessRights":"FullAccess","InheritanceType":"All","AutoMapping":true}}}'
```
Response:
```json
{
"AccessRights": ["FullAccess"],
"Deny": "False",
"InheritanceType": "All",
"User": "S-1-5-21-3469244227-2178789719-3906049723-52332070",
"Identity": "Robert Wolkin",
"IsInherited": false,
"IsValid": true
}
```
### GuruRMM Password Bug Examples
All returned exit 0 but failed to actually set passwords:
```powershell
# PowerShell Set-LocalUser - FAILED
Set-LocalUser -Name "julie" -Password (ConvertTo-SecureString "Jaylen0607!" -AsPlainText -Force)
# PowerShell net user - FAILED
net user julie Jaylen0607!
# CMD net user - FAILED (via command_type: "shell")
net user julie Jaylen0607!
```
ScreenConnect (same command as SYSTEM) - WORKED:
```cmd
net user julie Jaylen0607!
```
## Pending / Incomplete Tasks
### High Priority
1. **Fix GuruRMM password setting bug** - Commands return exit 0 but passwords don't set. Affects both PowerShell and CMD execution contexts. ScreenConnect works with identical commands. Investigation needed on GuruRMM Windows agent process spawning code.
### Medium Priority
2. **Fix RICOH printer access** - Printer is shared from FRONT as "RICOH" but laptop gets access denied. Need to investigate printer share permissions and credential passthrough over ZeroTier.
3. **Verify Office 365 and Adobe installations** - Both installations were started but running in background when session ended. Verify completion status and test functionality.
4. **Test mailbox access** - Verify julie can access Robert's mailbox in Outlook after AutoMapping propagates (5-15 minutes).
### Low Priority
5. **Test file share access from Julie's user session** - All testing was done from SYSTEM context. Verify julie can actually access the shares when logged in.
6. **Document ZeroTier network in wiki** - Add ZeroTier network configuration and node IDs to Wolkin Law wiki article.
## Reference Information
### GuruRMM Agent IDs
- **FRONT**: `04765560-3e8a-46e5-a507-c5f5f4ead6eb`
- **RSW-Laptop**: `043fd673-35a2-4d3d-8f91-ed73ce70cc1e`
### Command IDs (for reference)
- ZeroTier installation FRONT: Various
- ZeroTier installation laptop: Various
- Hosts file FRONT: `9f3fc33a-590a-4e94-8ced-519b1f0a139d`
- Hosts file laptop: `042f7eda-187a-4d9b-baeb-2f6aab0d9b08`
- Drive mapping (final): `a16553df-0131-4dec-ba36-65248e185b25`
- Desktop shortcuts update: `f441a9d9-488c-4db8-9387-6fa68fe63a9c`
- Julie admin access: `638355c6-1dc6-45b9-88da-48e84581a415`
### Vault Paths
- GuruRMM API credentials: `infrastructure/gururmm-server.sops.yaml`
- Exchange Operator app: `msp-tools/computerguru-exchange-operator.sops.yaml`
### Software Versions
- ZeroTier: 1.16.2
- Tailscale (removed): 1.98.4
- Office Deployment Tool: 17830-20162
- Adobe Creative Cloud Desktop: 6.0.0.660
### URLs
- ZeroTier MSI: https://download.zerotier.com/dist/ZeroTier%20One.msi
- Office Deployment Tool: https://download.microsoft.com/download/2/7/A/27AF1BE6-DD20-4CB4-B154-EBAB8A7D4A7E/officedeploymenttool_17830-20162.exe
- Adobe CC Desktop: https://ccmdl.adobe.com/AdobeProducts/KCCC/CCD/6_0/win64/ACCCx6_0_0_660.exe
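Review bot: this new file commits live credentials to the repository in the "Credentials & Secrets" section (the `julie` local/M365 password and the `robert@rswolkin.com` password), and repeats the same password inline in the "Drive Mapping" and "GuruRMM Password Bug Examples" blocks, alongside the tenant ID and GuruRMM agent IDs; since the log itself states the local password "matches M365 password", this exposes a cloud identity, not just a workstation account. The file already has the right pattern in "Vault Paths" (`infrastructure/gururmm-server.sops.yaml`, `msp-tools/computerguru-exchange-operator.sops.yaml`), so replace each literal password with a reference to the SOPS entry that holds it, redact the values in the command transcripts (e.g. `net use S: \\FRONT\Scans /user:FRONT\julie <password> /persistent:yes`), and treat both passwords as disclosed once this commit has been pushed. Separately, the GuruRMM bug write-up concludes "ruling out privilege issues" but the visible evidence (`net user julie` reporting "Password required: No" after all three attempts) points to the password argument never reaching the command rather than a rights problem; it would help the investigation to record in `feedback_rmm_password_limitation.md` that all three failing commands carried a `!`-terminated password and to test whether the agent's argument handling alters it, and to leave pending item 5 (all share testing was done as SYSTEM) as a blocker rather than low priority.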