sync: auto-sync from HOWARD-HOME at 2026-05-21 14:41:10
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-05-21 14:41:10
@@ -82,6 +82,60 @@ curl -s -X POST "https://computerguru.syncromsp.com/api/v1/tickets/110680053/com
---
## Update: ~21:30 PT — RECEPTIONIST-PC planning, frontdesk@ M365 audit, CA/MFA review, licensing gap
### Session Summary
Planned the RECEPTIONIST-PC / front desk migration. Reviewed machine info from Syncro: RECEPTIONIST-PC is a Lenovo ThinkCentre M90a on WORKGROUP (not domain-joined), running Windows 11 Pro 26200, local user `RECEPTIONIST-PC\Front Desk`, IP 10.0.20.102. GuruRMM agent was installed on the machine during this session. Share permissions for both the Receptionist share and the directoryshare were granted to the frontdesk user by Howard.
Reviewed the Entra CA and M365 configuration to understand how the frontdesk account fits into the existing migration plan. Queried the Graph API using the Tenant Admin SP and confirmed that `frontdesk@cascadestucson.com` exists as a cloud-only licensed user (display name "Front Desk", account enabled, Member type, not synced from on-prem AD). The account was not visible in initial searches because the display name is two words ("Front Desk") not "FrontDesk". No `receptionist@cascadestucson.com` account exists.
Identified a significant licensing gap: the Business Standard subscription (O365_BUSINESS_PREMIUM SKU) is suspended, but 31 users — including frontdesk@ — still have their license assigned to it. The Business Premium subscription (SPB SKU) is active with 34 purchased seats and only 3 consumed (pilot.test, MDMS service account, one other), leaving 31 seats available. All 31 affected users need their license assignment switched from the suspended Business Standard SKU to the active Business Premium SKU. This does not block the PC migration but is a time-sensitive M365 task.
Confirmed the Named Location (`CascadesTrustedLocation`, id `061c6b06-b980-40de-bff9-6a50a4071f6f`) is already created with both Cascades WAN IPs (`72.211.21.217/32` and `184.191.143.62/32`). The active all-users-MFA CA policy already has `excludeLocations: AllTrusted`, meaning MFA is already bypassed for all users signing in from the Cascades office network. No additional CA policy is needed for the frontdesk account. The three caregiver CA policies remain in Report-only mode scoped to SG-Caregivers-Pilot only.
Discussed the GPO ILT issue: the FrontDesk printer and R: Receptionist drive are currently ILT'd to OU=Resident Services, which would also push to Courtesy Patrol and the RS Director who don't need them. Recommended switching both ILT rules to `FilterGroup: CASCADES\SG-FrontDesk` (the group already exists with 0 members). This change needs to be made to the Printers.xml and Drives.xml in SYSVOL before the GPOs go live at Phase 3.
### Key Decisions
- Keep `frontdesk@cascadestucson.com` as a licensed user (not converting to shared mailbox yet) so it can serve as the domain sign-in identity for RECEPTIONIST-PC. Shared mailbox conversion deferred to Phase 5 when individual receptionist accounts are set up.
- Use `SG-FrontDesk` (existing, 0 members) as the ILT filter for FrontDesk printer and R: drive instead of OU=Resident Services. This prevents Courtesy Patrol and RS Director from receiving resources intended for front desk only.
- Scanner (Canon imageRunner C478iF in copy room) scans to `\\CS-SERVER\Receptionist` via an existing stored credential. No changes to scanner config at this time — the share is already in place and the scanner is working. Credential migration to a dedicated service account is deferred to Phase 5.
- Do not modify the directoryshare's existing permissions structure — add only a new ACE for the frontdesk user. Non-domain users are still accessing it and existing ACEs must not be disturbed.
- Machine will be ProfWiz-migrated (local profile to domain account) when domain join happens. No data loss approach.
### Configuration Changes
- RECEPTIONIST-PC: GuruRMM agent installed (agent ID to be confirmed in next session via GuruRMM API)
- Receptionist share (D:\Shares\Receptionist) + directoryshare: frontdesk user permissions granted by Howard on CS-SERVER
- No other changes made this session
### Credentials & Secrets
- `frontdesk@cascadestucson.com` / `sccssccs#3` — M365 user password; also the local Windows login for `RECEPTIONIST-PC\Front Desk`
- **Vault obligation:** this credential is not yet vaulted — create `clients/cascades-tucson/frontdesk-user.sops.yaml` in next session
### Infrastructure & Servers
- RECEPTIONIST-PC: Lenovo ThinkCentre M90a (11CDS0DC00), serial MJ0KQHNP, Win 11 Pro 26200, IP 10.0.20.102, MAC 98:59:7A:B0:06:58, WORKGROUP
- Local user: `RECEPTIONIST-PC\Front Desk` (password sccssccs#3)
- frontdesk@cascadestucson.com: cloud-only, enabled, Business Standard (suspended SKU — needs Business Premium reassignment)
- Named Location: `CascadesTrustedLocation` id `061c6b06-b980-40de-bff9-6a50a4071f6f` (72.211.21.217/32 + 184.191.143.62/32)
- Business Premium SKU (SPB `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`): 34 purchased, 31 available
- Business Standard SKU (O365_BUSINESS_PREMIUM `f245ecc8-75af-4f8e-b61f-27d8114de5f3`): SUSPENDED, 31 users still assigned
### Pending / Incomplete Tasks
1. Vault `frontdesk@cascadestucson.com` credential: `clients/cascades-tucson/frontdesk-user.sops.yaml`
2. Relicense 31 users from suspended Business Standard → active Business Premium (time-sensitive)
3. Update CSC - Printer Deployment GPO: FrontDesk ILT from OU=Resident Services → SG-FrontDesk
4. Update CSC - Drive Mappings GPO: R: ILT from OU=Resident Services → SG-FrontDesk
5. Add receptionist users (Cathy.Kingston, Kyla.QuickTiffany, Michelle.Shestko) to SG-FrontDesk when ready
6. RECEPTIONIST-PC: confirm GuruRMM agent ID via API
7. RECEPTIONIST-PC: domain join using Phase 3 template + ProfWiz (local Front Desk profile → FrontDesk domain account)
8. Create AD account for frontdesk in a synced OU with UPN frontdesk@cascadestucson.com (so Entra Connect soft-matches to existing cloud account)
9. Vault the frontdesk credential once vaulted, update migration plan
## Reference Information
- Migration master plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
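Review bot: this hunk commits a live password in plaintext (the `frontdesk@cascadestucson.com` line under "Credentials & Secrets" and the `RECEPTIONIST-PC\Front Desk` line under "Infrastructure & Servers"), so the secret is now in git history on every clone and in the auto-sync mirror, independent of whether `clients/cascades-tucson/frontdesk-user.sops.yaml` is created later; the note itself records the "not yet vaulted" state. Suggested change: vault the credential before committing this session note, replace both occurrences with a reference such as `see clients/cascades-tucson/frontdesk-user.sops.yaml`, and rotate the password on both the M365 account and the local Windows account, since rewriting history does not recall copies that have already synced. Minor documentation point: pending task 9 ("Vault the frontdesk credential once vaulted, update migration plan") reads as a garbled duplicate of task 1 and should probably say "update migration plan once the frontdesk credential is vaulted".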