diff --git a/clients/cascades-tucson/scripts/add-caregiver-accounts-2026-05-18.ps1 b/clients/cascades-tucson/scripts/add-caregiver-accounts-2026-05-18.ps1
new file mode 100644
index 0000000..a8c76cc
--- /dev/null
+++ b/clients/cascades-tucson/scripts/add-caregiver-accounts-2026-05-18.ps1
@@ -0,0 +1,106 @@
+# Cascades of Tucson -- Add 4 new caregiver accounts (2026-05-18)
+# Run on: CS-SERVER as a domain admin
+# OU: OU=Caregivers,OU=Departments,DC=cascades,DC=local
+#
+# Net-new hires identified from updated HR roster (employees.xlsx, 2026-05-18).
+# Creates accounts and immediately adds to SG-Caregivers.
+#
+# Name notes:
+# t.lassey-assiakoley -- "Tele Sepopo Lassey Assiakoley". Compound first AND last name.
+# t.lassey was unavailable (Celia Lassey). Hyphenated form chosen.
+# Personal email: sepopolassey@gmail.com
+
+$OU = "OU=Caregivers,OU=Departments,DC=cascades,DC=local"
+$Domain = "cascadestucson.com"
+$Group = "SG-Caregivers"
+$TempPassword = ConvertTo-SecureString "Cascades2026!" -AsPlainText -Force
+
+$NewCaregivers = @(
+ @{ First="Luriz"; Last="Fuster"; Sam="l.fuster"; Title="AL Caregiver" },
+ @{ First="Tele Sepopo"; Last="Lassey Assiakoley"; Sam="t.lassey-assiakoley"; Title="AL Caregiver" },
+ @{ First="Shontiel"; Last="Nunn"; Sam="s.nunn"; Title="AL Caregiver" },
+ @{ First="Diana"; Last="Fierros"; Sam="d.fierros"; Title="MC Caregiver" }
+)
+
+$created = 0
+$failed = 0
+$skipped = 0
+
+Write-Host "=== Creating accounts ==="
+foreach ($c in $NewCaregivers) {
+ $displayName = "$($c.First) $($c.Last)"
+ $upn = "$($c.Sam)@$Domain"
+
+ if (Get-ADUser -Filter "SamAccountName -eq '$($c.Sam)'" -ErrorAction SilentlyContinue) {
+ Write-Host "[SKIP] $displayName already exists ($($c.Sam))"
+ $skipped++
+ continue
+ }
+
+ try {
+ New-ADUser `
+ -Name $displayName `
+ -GivenName $c.First `
+ -Surname $c.Last `
+ -SamAccountName $c.Sam `
+ -UserPrincipalName $upn `
+ -Path $OU `
+ -AccountPassword $TempPassword `
+ -Enabled $true `
+ -ChangePasswordAtLogon $false `
+ -PasswordNeverExpires $true
+
+ Write-Host "[OK] $displayName -- $upn"
+ $created++
+ }
+ catch {
+ Write-Host "[ERROR] $displayName -- $_"
+ $failed++
+ }
+}
+
+Write-Host ""
+Write-Host ("Accounts: {0} created, {1} failed, {2} skipped" -f $created, $failed, $skipped)
+
+Write-Host ""
+Write-Host "=== Adding to $Group ==="
+
+$added = 0
+$sgFailed = 0
+$sgSkipped = 0
+
+foreach ($c in $NewCaregivers) {
+ $user = Get-ADUser -Filter "SamAccountName -eq '$($c.Sam)'" -ErrorAction SilentlyContinue
+ if (-not $user) {
+ Write-Host "[SKIP] $($c.Sam) -- not found in AD (account creation may have failed)"
+ $sgSkipped++
+ continue
+ }
+
+ $inGroup = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue |
+ Where-Object { $_.SamAccountName -eq $c.Sam }
+
+ if ($inGroup) {
+ Write-Host "[SKIP] $($c.Sam) -- already in $Group"
+ $sgSkipped++
+ continue
+ }
+
+ try {
+ Add-ADGroupMember -Identity $Group -Members $c.Sam
+ Write-Host "[OK] $($c.Sam) -- added to $Group"
+ $added++
+ }
+ catch {
+ Write-Host "[ERROR] $($c.Sam) -- $_"
+ $sgFailed++
+ }
+}
+
+Write-Host ""
+Write-Host ("SG-Caregivers: {0} added, {1} failed, {2} skipped" -f $added, $sgFailed, $sgSkipped)
+Write-Host ""
+Write-Host "Next: force Entra Connect delta sync on CS-SERVER:"
+Write-Host " Start-ADSyncSyncCycle -PolicyType Delta"
+Write-Host ""
+Write-Host "After sync (~30 min), M365 will provision Exchange mailboxes for all 4 accounts."
diff --git a/clients/cascades-tucson/scripts/create-alma-montt-2026-05-18.ps1 b/clients/cascades-tucson/scripts/create-alma-montt-2026-05-18.ps1
new file mode 100644
index 0000000..2bdfdb1
--- /dev/null
+++ b/clients/cascades-tucson/scripts/create-alma-montt-2026-05-18.ps1
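Review bot: The four accounts are created with `-ChangePasswordAtLogon $false` and `-PasswordNeverExpires $true` on one literal temporary password embedded in the script (`ConvertTo-SecureString "Cascades2026!" -AsPlainText -Force`), so every new hire shares a known, non-expiring password that is now also in version control; the same literal is used by create-alma-montt-2026-05-18.ps1 in this commit, and the session-log hunk records it, together with an RMM API admin password, in plain text. In the `New-ADUser` call prefer `-ChangePasswordAtLogon $true` and `-PasswordNeverExpires $false`, and take the password at run time (`Read-Host -AsSecureString`) or generate one per account rather than committing it. Separately, the `catch` blocks only see terminating errors: unless `New-ADUser` and `Add-ADGroupMember` are invoked with `-ErrorAction Stop`, a non-terminating failure falls through to the `[OK]` line and increments `$created`/`$added`, so the summary counters cannot be trusted without it.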
@@ -0,0 +1,58 @@
+# Cascades of Tucson -- Create Alma Montt AD account
+# Date: 2026-05-18 Ticket: #109316879
+# Run on: CS-SERVER as a domain admin
+#
+# Alma Montt -- Administrative staff (role TBD on ticket)
+# SamAccountName follows non-caregiver convention: FirstName.LastName
+# Force password change at next logon -- admin staff set their own passwords.
+#
+# After account is created and Entra Connect syncs (~30 min), assign a
+# Business Standard license in M365 Admin to activate the mailbox.
+# Credential delivery to Meredith/Alma is a manual step.
+
+$OU = "OU=Administrative,OU=Departments,DC=cascades,DC=local"
+$Domain = "cascadestucson.com"
+$TempPassword = ConvertTo-SecureString "Cascades2026!" -AsPlainText -Force
+
+$Sam = "Alma.Montt"
+$First = "Alma"
+$Last = "Montt"
+$DisplayName = "Alma Montt"
+$UPN = "$Sam@$Domain"
+
+if (Get-ADUser -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue) {
+ Write-Host "[SKIP] $DisplayName already exists ($Sam)"
+ exit 0
+}
+
+try {
+ New-ADUser `
+ -Name $DisplayName `
+ -GivenName $First `
+ -Surname $Last `
+ -SamAccountName $Sam `
+ -UserPrincipalName $UPN `
+ -Path $OU `
+ -AccountPassword $TempPassword `
+ -Enabled $true `
+ -ChangePasswordAtLogon $true `
+ -PasswordNeverExpires $false
+
+ Write-Host "[OK] $DisplayName created"
+ Write-Host " SamAccountName : $Sam"
+ Write-Host " UPN : $UPN"
+ Write-Host " OU : $OU"
+ Write-Host " Temp password : Cascades2026!"
+}
+catch {
+ Write-Host "[ERROR] $_"
+ exit 1
+}
+
+Write-Host ""
+Write-Host "Next steps:"
+Write-Host " 1. Force Entra Connect delta sync: Start-ADSyncSyncCycle -PolicyType Delta"
+Write-Host " 2. Confirm account appears in M365 admin (~30 min after sync)"
+Write-Host " 3. Assign Business Standard license in M365 admin"
+Write-Host " 4. Deliver credentials to Alma / Meredith"
+Write-Host " 5. Close ticket #109316879"
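Review bot: `Write-Host " Temp password : Cascades2026!"` writes the account's initial password to stdout, and the session log in this commit shows these scripts are submitted through the RMM command API whose output is collected and retained, so the credential lands in the command history as well as in this file. Drop that line — whoever runs the script already has the password — and, as with add-caregiver-accounts-2026-05-18.ps1, supply the temporary password at run time instead of the embedded literal. The `New-ADUser` call also lacks `-ErrorAction Stop`, so a non-terminating error would still print `[OK]` and exit 0; with `-ErrorAction Stop` the `catch`/`exit 1` path is reached reliably.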
diff --git a/clients/cascades-tucson/scripts/terminate-n-castro-2026-05-18.ps1 b/clients/cascades-tucson/scripts/terminate-n-castro-2026-05-18.ps1
new file mode 100644
index 0000000..276c496
--- /dev/null
+++ b/clients/cascades-tucson/scripts/terminate-n-castro-2026-05-18.ps1
@@ -0,0 +1,80 @@
+# Cascades of Tucson -- Terminate Niel Castro (n.castro)
+# Date: 2026-05-18
+# Run on: CS-SERVER as a domain admin
+# Run M365 steps separately via Graph / Exchange Online
+#
+# Reason: confirmed departed per updated HR roster (employees.xlsx, 2026-05-18)
+# Account was created 2026-05-16 -- no M365 license was assigned, but account
+# may have synced to Entra via Entra Connect. Block sign-in on both layers.
+#
+# Follows: docs/security/termination-procedures.md
+
+$Sam = "n.castro"
+$UPN = "n.castro@cascadestucson.com"
+$Group = "SG-Caregivers"
+
+Write-Host "=== AD: Disable $Sam ==="
+
+$user = Get-ADUser -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
+if (-not $user) {
+ Write-Host "[ERROR] $Sam not found in AD -- nothing to do"
+ exit 1
+}
+
+# Disable account
+try {
+ Disable-ADAccount -Identity $Sam
+ Write-Host "[OK] $Sam disabled"
+}
+catch {
+ Write-Host "[ERROR] Disable-ADAccount: $_"
+}
+
+# Remove from SG-Caregivers
+$inGroup = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue |
+ Where-Object { $_.SamAccountName -eq $Sam }
+
+if ($inGroup) {
+ try {
+ Remove-ADGroupMember -Identity $Group -Members $Sam -Confirm:$false
+ Write-Host "[OK] $Sam removed from $Group"
+ }
+ catch {
+ Write-Host "[ERROR] Remove-ADGroupMember: $_"
+ }
+}
+else {
+ Write-Host "[SKIP] $Sam was not in $Group"
+}
+
+# Update description
+try {
+ Set-ADUser -Identity $Sam -Description "TERMINATED 2026-05-18"
+ Write-Host "[OK] Description updated"
+}
+catch {
+ Write-Host "[ERROR] Set-ADUser description: $_"
+}
+
+Write-Host ""
+Write-Host "=== M365 steps (run separately in Exchange Online / Graph) ==="
+Write-Host ""
+Write-Host "1. Block sign-in:"
+Write-Host " Update-MgUser -UserId '$UPN' -AccountEnabled:`$false"
+Write-Host ""
+Write-Host "2. Revoke active sessions:"
+Write-Host " Invoke-MgInvalidateAllUserRefreshToken -UserId '$UPN'"
+Write-Host " -- or --"
+Write-Host " Revoke-MgUserSignInSession -UserId '$UPN'"
+Write-Host ""
+Write-Host "3. If mailbox exists -- check first:"
+Write-Host " Get-Mailbox -Identity '$UPN' -ErrorAction SilentlyContinue"
+Write-Host " If found:"
+Write-Host " Set-Mailbox -Identity '$UPN' -Type Shared"
+Write-Host " Set-Mailbox -Identity '$UPN' -HiddenFromAddressListsEnabled `$true"
+Write-Host " (License already unlicensed -- no license removal step needed)"
+Write-Host ""
+Write-Host "4. Force Entra Connect delta sync so the disable propagates to cloud:"
+Write-Host " Start-ADSyncSyncCycle -PolicyType Delta"
+Write-Host ""
+Write-Host "5. Log in docs/issues/log.md -- termination date 2026-05-18, performed by Howard"
diff --git a/clients/cascades-tucson/session-logs/2026-05-18-howard-caregiver-reconciliation-and-new-accounts.md b/clients/cascades-tucson/session-logs/2026-05-18-howard-caregiver-reconciliation-and-new-accounts.md
new file mode 100644
index 0000000..02a1ba9
--- /dev/null
+++ b/clients/cascades-tucson/session-logs/2026-05-18-howard-caregiver-reconciliation-and-new-accounts.md
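Review bot: Once the user lookup succeeds the script always exits 0: each `catch` only prints `[ERROR] ...` and execution continues, so a failed `Disable-ADAccount` still ends with the printed M365 checklist and a success status for whatever runs it remotely. Set a flag in each catch, e.g. `catch { Write-Host "[ERROR] Disable-ADAccount: $_"; $failed = $true }`, and finish with `if ($failed) { exit 1 }`; the three AD cmdlets also need `-ErrorAction Stop` for those catches to see non-terminating errors at all. In addition, `Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue` yields nothing when the enumeration itself fails, which the `else` branch then reports as `[SKIP] n.castro was not in SG-Caregivers` while the removal is silently skipped; dropping `-ErrorAction SilentlyContinue` there (or checking `$?` after the call) distinguishes a lookup failure from a true non-member.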
@@ -0,0 +1,156 @@
+# Cascades of Tucson — Caregiver Reconciliation and New Account Provisioning
+
+**Date:** 2026-05-18
+**Syncro tickets:** #32214 (Entra setup — In Progress), #109316879 (New user — Alma Montt)
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** Howard-Home
+- **Role:** tech
+
+---
+
+## Session Summary
+
+Howard provided an updated HR roster (`C:\Users\Howard\Desktop\employees.xlsx`) containing 137 employees across all departments. The file was parsed via PowerShell COM object and compared against the 37 caregiver accounts created on 2026-05-16 to identify new hires, terminations, and role changes.
+
+Reconciliation produced four new caregiver accounts to create and six existing accounts to review. Howard confirmed Niel Castro as departed, Celia Lassey and Patricia Sandoval-Beck as still employed but reclassified to med tech (no longer in the caregiver CA policy group), and the remaining three (Kasey Flores, Gloria Williford, Mary Kariuki) on hold pending further confirmation. Shontiel Nunn was identified as having a dual-account situation — old `Shontiel.Nunn` under Resident Services plus the new `s.nunn` caregiver account — and was left intact pending a machine-usage check.
+
+All account operations were executed remotely via the GuruRMM agent on CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`) using `POST /api/agents/:id/command`. Four new caregiver accounts were created in `OU=Caregivers` and added to `SG-Caregivers`. Alma Montt (ticket #109316879) was created in `OU=Administrative`. Niel Castro's account was disabled and removed from `SG-Caregivers`. Celia Lassey and Patricia Sandoval-Beck were removed from `SG-Caregivers` while remaining in `OU=Caregivers` for Entra Connect sync continuity.
+
+Entra Connect delta syncs were kicked after each batch. When Alma Montt failed to appear in M365 after two delta syncs, a full sync (`PolicyType Initial`) was run. Her account still had not propagated to M365 by end of session. A background task (`b7ko9bnd9`) is polling M365 and will assign her an SPB (Microsoft 365 Business Premium) license automatically once she appears. The tenant has no Business Standard SKU — only SPB (31 seats available) was available.
+
+---
+
+## Key Decisions
+
+- **`t.lassey-assiakoley` UPN** — `t.lassey` would collide with `c.lassey` (Celia Lassey). Hyphenated compound form chosen to preserve the full surname per CONTEXT.md convention.
+- **c.lassey and p.sandoval-beck: remove from SG-Caregivers, keep in OU=Caregivers** — Both are now med techs per Howard's confirmation. Removing from SG-Caregivers drops them from caregiver CA policies. Keeping in OU=Caregivers preserves Entra Connect sync so they get M365 accounts. SG-MedTech does not exist yet (deferred item); no replacement group assigned.
+- **Shontiel.Nunn old account preserved** — Old `Shontiel.Nunn` (Resident Services, FirstName.LastName format) is a separate AD account from the new `s.nunn` (Caregivers). Old account kept until Howard confirms it is not in active use on a machine.
+- **SPB license for Alma Montt** — Howard initially requested Business Standard. Tenant has no Business Standard SKU; only SPB (Business Premium) is available. Howard approved SPB.
+- **GuruRMM for remote execution** — CS-SERVER is not reachable via SSH or WinRM from Howard-Home. Tailscale does not include CS-SERVER. GuruRMM agent (`6766e973-e703-47c1-be56-76950290f87c`) used as the execution path via `http://172.16.3.30:3001`.
+
+---
+
+## Problems Encountered
+
+- **GuruRMM server outage mid-session** — The GuruRMM API at `172.16.3.30:3001` went offline while the first caregiver script was running (command timed out server-side). Server recovered within ~3 minutes. Script was resubmitted; idempotent skip logic prevented duplicate accounts.
+- **GuruRMM prepends `-OutputEncoding UTF8 -Command` to inline commands** — One-liners submitted as `command_type: powershell` had this prefix prepended, causing them to fail. Workaround: prefix all inline commands with a `# comment` line so the error lands on the comment and execution continues.
+- **Alma Montt not appearing in M365 after delta sync** — Two delta syncs (`PolicyType Delta`) did not push her account to M365. Connector space confirmed she was not yet in the sync engine's object space. A full sync (`PolicyType Initial`) was run; M365 provisioning was still pending at end of session. Background task assigned to auto-assign license on appearance.
+- **ScreenConnect API auth failures** — Attempted to use the ScreenConnect REST API extension (`2d558935-686a-4bd0-9991-07539f5fe749`) as an alternate execution path before finding GuruRMM. Multiple auth header formats tried (Basic, CTRLAuthHeader). All failed with 404/500. GuruRMM proved to be the correct path.
+
+---
+
+## Configuration Changes
+
+**Scripts created:**
+- `clients/cascades-tucson/scripts/add-caregiver-accounts-2026-05-18.ps1` — creates 4 new caregiver accounts + adds to SG-Caregivers
+- `clients/cascades-tucson/scripts/create-alma-montt-2026-05-18.ps1` — creates Alma Montt in OU=Administrative
+- `clients/cascades-tucson/scripts/terminate-n-castro-2026-05-18.ps1` — disables n.castro, removes from SG-Caregivers, prints M365 cleanup steps
+
+**AD changes made (via GuruRMM on CS-SERVER):**
+
+| Account | SAM | Action |
+|---|---|---|
+| Luriz Fuster | `l.fuster` | Created in OU=Caregivers, added to SG-Caregivers |
+| Tele Sepopo Lassey Assiakoley | `t.lassey-assiakoley` | Created in OU=Caregivers, added to SG-Caregivers |
+| Shontiel Nunn | `s.nunn` | Created in OU=Caregivers, added to SG-Caregivers |
+| Diana Fierros | `d.fierros` | Created in OU=Caregivers, added to SG-Caregivers |
+| Alma Montt | `Alma.Montt` | Created in OU=Administrative; temp pw, must change at login |
+| Niel Castro | `n.castro` | Disabled; removed from SG-Caregivers; description set to "TERMINATED 2026-05-18" |
+| Celia Lassey | `c.lassey` | Removed from SG-Caregivers (now med tech) |
+| Patricia Sandoval-Beck | `p.sandoval-beck` | Removed from SG-Caregivers (now med tech) |
+
+---
+
+## Credentials & Secrets
+
+**New accounts — temp password:** `Cascades2026!` (PasswordNeverExpires=$true for caregivers; ChangePasswordAtLogon=$true for Alma Montt)
+
+**GuruRMM API auth used:**
+- Login endpoint: `http://172.16.3.30:3001/api/auth/login`
+- Admin email: `claude-api@azcomputerguru.com`
+- Credentials in vault: `infrastructure/gururmm-server.sops.yaml` → `credentials.admin-email` / `credentials.admin-password`
+
+---
+
+## Infrastructure & Servers
+
+| Resource | Detail |
+|---|---|
+| CS-SERVER agent ID | `6766e973-e703-47c1-be56-76950290f87c` |
+| GuruRMM API (internal) | `http://172.16.3.30:3001` |
+| Cascades tenant ID | `207fa277-e9d8-4eb7-ada1-1064d2221498` |
+| Entra Connect | Running on CS-SERVER; full sync run at ~01:30 UTC 2026-05-19 |
+| SPB SKU ID | `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46` (31 seats available) |
+
+---
+
+## Commands & Outputs
+
+**GuruRMM command execution pattern:**
+```bash
+JWT=$(curl -s -X POST "http://172.16.3.30:3001/api/auth/login" \
+ -H "Content-Type: application/json" \
+ -d "{\"email\":\"claude-api@azcomputerguru.com\",\"password\":\"ClaudeAPI2026!@#\"}" | jq -r '.token')
+
+PAYLOAD=$(jq -n --rawfile cmd "/path/to/script.ps1" '{"command_type":"powershell","command":$cmd}')
+RESP=$(curl -s -X POST "http://172.16.3.30:3001/api/agents/$AGENT/command" \
+ -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" -d "$PAYLOAD")
+CMD_ID=$(echo "$RESP" | jq -r '.command_id')
+# Poll: GET /api/commands/$CMD_ID until status != "running"
+```
+
+**Caregiver script output:**
+```
+=== Creating accounts ===
+[OK] Luriz Fuster -- l.fuster@cascadestucson.com
+[OK] Tele Sepopo Lassey Assiakoley -- t.lassey-assiakoley@cascadestucson.com
+[OK] Shontiel Nunn -- s.nunn@cascadestucson.com
+[OK] Diana Fierros -- d.fierros@cascadestucson.com
+Accounts: 4 created, 0 failed, 0 skipped
+SG-Caregivers: 4 added, 0 failed, 0 skipped
+```
+
+**Castro termination output:**
+```
+[OK] n.castro disabled
+[OK] n.castro removed from SG-Caregivers
+[OK] Description updated
+```
+
+**Entra sync:** `Start-ADSyncSyncCycle -PolicyType Initial` returned `Success`
+
+**GuruRMM one-liner workaround:**
+```powershell
+# Must prefix inline commands with a comment line:
+# Entra sync
+Start-ADSyncSyncCycle -PolicyType Delta | Out-String
+# Without the comment, the -OutputEncoding UTF8 -Command prefix injected by the agent fails the entire command.
+```
+
+---
+
+## Pending / Incomplete Tasks
+
+| Item | Status | Notes |
+|---|---|---|
+| Alma Montt SPB license | **In progress** — background task `b7ko9bnd9` polling | Will assign `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46` once account appears in M365 |
+| Alma Montt — deliver credentials to Meredith | Pending | Temp pw: `Cascades2026!`, must change at first login |
+| Close ticket #109316879 | Pending | Wait for license confirmation |
+| n.castro — M365 block sign-in | Pending | Account likely unlicensed; run `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` to be safe |
+| Shontiel.Nunn old account | On hold | Keep until Howard confirms not in active use on a machine |
+| k.flores, g.williford, m.kariuki | On hold | Not in new HR list; keep accounts until employment status confirmed |
+| SG-MedTech / SG-CCG groups | Deferred | Create when ALIS licensing tiers confirmed |
+| Entra Connect sync for Alma | Pending | Account not in M365 at end of session; full sync ran; may need more time |
+
+---
+
+## Reference Information
+
+- Syncro ticket #32214 — Entra setup (In Progress)
+- Syncro ticket #109316879 — New user Alma Montt (Update comment posted, internal-only)
+- HR source: `C:\Users\Howard\Desktop\employees.xlsx` (137 employees, 2026-05-18)
+- Caregiver account creation doc: `clients/cascades-tucson/session-logs/2026-05-16-howard-caregiver-ad-account-creation.md`
+- AD structure reference: `clients/cascades-tucson/docs/servers/active-directory.md`
+- GuruRMM API memory: `.claude/memory/reference_gururmm_api.md`