sync: auto-sync from HOWARD-HOME at 2026-07-02 09:08:36

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-02 09:08:36
2026-07-02 09:09:05 -07:00
parent 3e6f946377
commit 26f47fdd10
4 changed files with 161 additions and 0 deletions

View File

@@ -4,6 +4,7 @@
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
- [ALIS (Medtelligent)](reference_alis_medtelligent.md) — Cascades assisted-living EHR. API host api.alisonline.com, community 622; username must be tenant-qualified (howard.enos@cascadestucson). Staff are READ-ONLY via API — create/change staff via web-UI Staff Import .xls. Use the `alis` skill.
- [GuruRMM User Manager](reference_gururmm_user_manager.md) — GuruRMM has a built-in per-agent User Manager tab (reset_password/enable/disable/groups for local+domain+AAD endpoint users; domain users only on a DC via `is_dc`). Use it, NOT raw Set-ADAccountPassword via /rmm. Endpoints: /api/agents/{id}/users + /users/action.
- [RMM map network drive (err67 double-hop)](reference_rmm_map_network_drive.md) — Pushing a persistent mapped drive to a remote share via /rmm user_session fails with err67/1702 (impersonated token = no network cred/double-hop). Plant HKCU:\Network\<drv> keys + cmdkey; mounts at next interactive logon. Immediate visibility needs the live session (ScreenConnect).
- [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write.
- [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder.
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand.
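Review bot: the new `RMM map network drive` index entry gives the fix as "Plant HKCU:\Network\<drv> keys + cmdkey" but does not record what that leaves behind: the domain password is stored persistently in the user's Credential Manager on an endpoint that is not domain-joined. Since this index is what gets read first, add a short clause such as "(cmdkey leaves the domain credential in the user's Credential Manager; remove it with cmdkey /delete and rotate the password when access is revoked)" so the offboarding step is not lost.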

View File

@@ -0,0 +1,19 @@
---
name: reference_rmm_map_network_drive
description: How to push a persistent mapped network drive to a machine via GuruRMM when net use fails with error 67 (double-hop)
metadata:
type: reference
---
Pushing a **persistent mapped drive** to an endpoint via the GuruRMM agent (`/rmm`) fails when the target share is on a *remote* server:
- Running `net use` in `context: user_session` impersonates the logged-on user, but that WTS-impersonated token has **no network credential** to make the second hop to the file server. Result: `System error 67 (network name cannot be found)` on `net use` and `System error 1702 (binding handle is invalid)` on `net view` — even with explicit `/user:.. <pw>`. This is the "SMB error 67 = RMM artifact" documented in `wiki/clients/cascades-tucson.md` (server + share are healthy; access works in a real interactive session).
**Reliable workaround — plant the map so it mounts at the user's next real logon:**
1. `cmdkey /add:<SERVER> /user:<DOMAIN\user> /pass:<pw>` in `user_session` — this is a *local* write to the user's Credential Manager and DOES succeed.
2. Write the persistent-map registry keys into the user's hive `HKCU:\Network\<DriveLetter>`: `RemotePath` (REG_SZ, `\\SERVER\Share`), `UserName` (REG_SZ, `DOMAIN\user`), `ProviderName` (`Microsoft Windows Network`), `ProviderType` (DWord `131072`), `ConnectionType` (DWord `1`), `DeferFlags` (DWord `4`).
3. At the user's **next interactive logon / reboot**, Windows reconnects the drive silently using the cmdkey credential. It will NOT appear in an already-open session — for immediate visibility, run `net use <D>: "\\SERVER\Share"` in the *live* interactive session (ScreenConnect), not through the RMM agent.
Non-domain-joined (workgroup) endpoints authenticate with `DOMAIN\user` + password saved via cmdkey — the domain account only needs to exist and be reachable, the client PC does not need to be joined.
PowerShell-in-RMM gotcha hit while doing this: a double-quoted string ending in a backslash (`"W:\"`, `"W:\\"`) breaks the parser — use bare path tokens (`Test-Path W:\`) or single quotes. See [[feedback_windows_quote_stripping]].
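Review bot: step 1 passes the password as a command-line argument (`cmdkey /add:<SERVER> /user:<DOMAIN\user> /pass:<pw>`) inside an RMM dispatch, so the secret is carried in the dispatch payload, the agent's command record and the process command line on the endpoint, and the reference does not say so. Add a sentence after step 1 stating that exposure, pointing at the vault as the only place the value should live, and noting that `cmdkey /list:<SERVER>` confirms the stored credential without echoing it. The note on workgroup endpoints should also say that the stored credential persists until removed with `cmdkey /delete`, so revoking share access via the share ACL alone leaves a usable domain credential on the PC.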

View File

@@ -0,0 +1,129 @@
# Cascades - Shelby Trozzi "Company Web Docs" share + mapped drive
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Set up file-share access for Shelby Trozzi (MemCare Director) to the "Company Web Docs"
folder on CS-SERVER (Cascades DC). The request was to make `D:\Shares\Public\Company Web Docs`
an SMB share and grant Shelby access so the share could then be mapped as a drive on her
workstation (MDIRECTOR-PC).
Work proceeded via GuruRMM against CS-SERVER (agent resolved live by hostname). A read-only
discovery pass confirmed the folder existed (NTFS = inherited `Everyone:FullControl`), that it
was NOT currently shared (no SMB share pointed at it or at `Public`), and that Shelby already
had a domain account (`CASCADES\Shelby.Trozzi`, enabled). Howard chose the share name
`Company Web Docs` (with spaces) and Read/Write (Change) access. Created the SMB share with
`New-SmbShare` granting `CASCADES\Shelby.Trozzi` Change and `BUILTIN\Administrators` Full — the
share ACL is the effective gate (NTFS left as inherited Everyone:Full), so Shelby's effective
access is Change.
Discovered Shelby had never logged into her domain account (`logonCount = 0`, `lastLogon = never`)
and there was no vaulted password for her. Confirmed her account is in
`OU=Care-Memorycare,OU=Departments` with no `ConsistencyGuid` = NOT Entra-synced, so an on-prem
password reset was safe (would not affect any M365 sign-in). Reset her password (first attempt
`Shelby1173!` was rejected by AD complexity for containing her name; used `Cascades1173!` at
Howard's direction to keep the `1173!` pattern), set never-expires / no change-at-logon, and
vaulted it at `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
Attempted to push the drive map to MDIRECTOR-PC (Win Home, not domain-joined) via RMM
`user_session` context. The map failed with System error 67 (and `net view` with 1702) even with
explicit credentials — the RMM agent's impersonated token has no network credential to reach
CS-SERVER (double-hop; the documented "SMB error 67 RMM artifact"). Worked around it by storing
the credential via `cmdkey` and planting a persistent map in her hive at `HKCU:\Network\W`, which
reconnects at her next interactive logon. Howard then mapped the drive himself in Shelby's live
session (ScreenConnect), confirming it mounted cleanly. Task complete.
## Key Decisions
- **Share name `Company Web Docs` (with spaces), Change access** — Howard's explicit choice via
AskUserQuestion (offered WebDocs/CompanyWebDocs/exact-name and Read vs Read/Write).
- **Gate at the share ACL, leave NTFS untouched** — folder already inherits `Everyone:FullControl`
from `Public`; the new share is the only network path to it, so granting only Shelby + Admins at
the share level limits access without disturbing the `Public` NTFS tree. Effective = Change.
- **On-prem password reset deemed safe** — verified not Entra-synced (no ConsistencyGuid, OU not in
sync scope), so reset does not ripple to M365.
- **Password `Cascades1173!`** — `Shelby1173!` blocked by AD complexity (contains user name); kept
the `1173!` numbers per Howard, swapped name part for `Cascades`.
- **Planted HKCU map + cmdkey instead of live net use** — RMM cannot drive an outbound authenticated
mount from the impersonated session; the registry/cmdkey approach mounts at next logon. Immediate
visibility left to interactive session (Howard did it).
## Problems Encountered
- **RMM dispatch JSON malformed** (hand-escaped nested quotes) → jq parse error on response. Fix:
build payload with `jq -n --arg` per the /rmm skill. Logged --friction.
- **PowerShell parse errors from backslash-before-closing-quote** (`"W:\"`, `"W:\\"`) broke two
dispatches (compile error = nothing ran). Fix: bare path tokens (`Test-Path W:\`) or single quotes.
Logged --friction.
- **AD password complexity rejection** — `Shelby1173!` contained her name; AD blocks names in
passwords regardless of length/symbols. Resolved with `Cascades1173!`.
- **SMB error 67 / RPC 1702 on the map** — RMM `user_session` impersonation double-hop; cannot make
outbound authenticated SMB to CS-SERVER. Resolved via cmdkey + `HKCU:\Network\W` (mounts at logon),
then Howard mapped it interactively. Logged --friction with ref to wiki SMB-error-67 note.
- **Used raw `Set-ADAccountPassword` instead of GuruRMM User Manager** — memory
`reference_gururmm_user_manager` says use the built-in User Manager for domain password resets.
Result correct, not redone; logged --correction.
- **Vault push rejected (non-fast-forward)** — remote had newer auto-sync commits; resolved with
`git pull --rebase` then push.
## Configuration Changes
Created:
- CS-SERVER SMB share `Company Web Docs` -> `D:\Shares\Public\Company Web Docs`
(ACL: `CASCADES\Shelby.Trozzi` Change, `BUILTIN\Administrators` Full).
- `D:/vault` `clients/cascades-tucson/shelby-trozzi.sops.yaml` (encrypted, committed + pushed).
- `.claude/memory/reference_rmm_map_network_drive.md` + MEMORY.md index line.
- MDIRECTOR-PC: `HKCU:\Network\W` persistent map keys (RemotePath/UserName/ProviderType 131072/
ConnectionType 1/DeferFlags 4) + stored credential via `cmdkey /add:CS-SERVER`.
Modified on CS-SERVER:
- `CASCADES\Shelby.Trozzi` password reset; PasswordNeverExpires True; ChangePasswordAtLogon False.
Repo:
- `errorlog.md` — 2 friction + 1 correction entries (via log-skill-error.sh).
- `.claude/current-mode` -> `clients/cascades-tucson`.
## Credentials & Secrets
- **CASCADES\Shelby.Trozzi** — domain login. Password: `Cascades1173!` (set 2026-07-02).
UPN `Shelby.Trozzi@cascadestucson.com`. Never-expires, no change-at-logon. NOT Entra-synced
(on-prem/SMB only, not M365). Vaulted: `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
## Infrastructure & Servers
- **CS-SERVER** — Cascades DC (cascades.local). GuruRMM agent id `c39f1de7-d5b6-45ae-b132-e06977ab1713`
(re-enrolls; resolve live). Reachable on 445 from MDIRECTOR-PC.
- **MDIRECTOR-PC** — Shelby's workstation, Windows Home, NOT domain-joined. GuruRMM agent id
`6b7990aa-edad-41c7-8f2d-5efdcaa41046`. Local user `mdirector-pc\shelby trozzi` (logged in since
6/29/2026). Only C: drive prior to map; W: now mapped.
- **New share UNC:** `\\CS-SERVER\Company Web Docs`.
- GuruRMM API: `http://172.16.3.30:3001` (creds vault `infrastructure/gururmm-server.sops.yaml`).
## Commands & Outputs
- `New-SmbShare -Name "Company Web Docs" -Path "D:\Shares\Public\Company Web Docs" -FullAccess "BUILTIN\Administrators" -ChangeAccess "CASCADES\Shelby.Trozzi"` -> created; ACL verified.
- `Set-ADAccountPassword -Identity Shelby.Trozzi -Reset ...` — first attempt `ADPasswordComplexityException` (1325) on `Shelby1173!`; succeeded with `Cascades1173!` (PasswordLastSet 7/2/2026).
- Map attempt in user_session: `net use W: \\CS-SERVER\Company Web Docs` -> `System error 67`;
`net view \\CS-SERVER` -> `System error 1702 (binding handle is invalid)`; `Test-Path` UNC -> False.
- Fix: `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` -> "added successfully";
`HKCU:\Network\W` keys written; `cmdkey /list:CS-SERVER` confirms stored Domain Password cred.
- Howard mapped W: himself interactively afterward — mounted cleanly.
## Pending / Incomplete Tasks
- None. Share live, access granted, password vaulted, drive mapped and confirmed by Howard.
- Future: additional users needing this share -> grant via `Grant-SmbShareAccess -Name "Company Web Docs"`.
- Standing follow-up (unchanged): MDIRECTOR-PC is Win Home; domain join still blocked until Pro.
## Reference Information
- Vault: `clients/cascades-tucson/shelby-trozzi.sops.yaml`
- Memory: `.claude/memory/reference_rmm_map_network_drive.md`
- Wiki: `wiki/clients/cascades-tucson.md` (SMB-error-67 RMM-artifact note; Access section)
- #dev-alerts message ids: 1522266883636854804 (share), 1522269030394626152 (pw reset),
1522270727368343682 (drive map).
- RMM command ids: share `df903ca8`, pw reset `86ef25a6`, map plant `dec3d11c`.
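Review bot: the `Credentials & Secrets` section (the line `**CASCADES\Shelby.Trozzi** — domain login. Password: ...`), together with the Session Summary, Key Decisions, Problems Encountered and Commands & Outputs sections, commits the new domain password in plaintext to this session log, even though the same line states it is vaulted at `clients/cascades-tucson/shelby-trozzi.sops.yaml` and this memory repo is auto-synced between machines. Record only the vault path here and scrub the literal value from the committed history, including the rejected first attempt, which reveals the `1173!` naming pattern. Secondary point: `PasswordNeverExpires True; ChangePasswordAtLogon False` on a first-use account is a standing exception that belongs under Pending with a dated follow-up rather than being closed out as "None".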

View File

@@ -21,10 +21,22 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-02 | GURU-BEAST-ROG | self-check/registry-trim | [friction] trimmed skill registry locally while GURU-5070 shipped the same trim upstream; auto-sync merge raced my uncommitted edits (transient UU state, stale 15777 reading mid-merge); fix: check coord / claim a lock before fleet-wide harness edits [ctx: ref=coord-locks]
2026-07-02 | Howard-Home | rmm/user-manager | [correction] reset Shelby.Trozzi domain password with raw Set-ADAccountPassword via /rmm; memory reference_gururmm_user_manager says use the built-in GuruRMM User Manager (reset_password action, is_dc) instead. [ctx: ref=reference_gururmm_user_manager]
2026-07-02 | Howard-Home | rmm/powershell | [friction] PowerShell parse errors from backslash-before-closing-quote ("W:" and "W:\") in RMM payloads; wasted 2 dispatches. Fix: use bare path tokens (Test-Path W:) or single-quotes, never a quoted string ending in a backslash.
2026-07-02 | Howard-Home | rmm/powershell | [friction] net use via RMM user_session to remote CS-SERVER failed err67/1702 (impersonated token has no network credential = double-hop); documented as 'SMB error 67 RMM artifact'. Fix: plant HKCU:Network<drv> keys + cmdkey; drive mounts at next interactive logon. [ctx: ref=wiki/clients/cascades-tucson SMB-error-67]
2026-07-02 | Howard-Home | rmm/bash | [friction] hand-escaped nested JSON payload for /api/agents/command; server rejected + jq parse-errored the response. Fix: build payload with jq -n --arg (skill already mandates this for multi-line scripts). [ctx: ref=rmm.md-multiline-heredoc]
2026-07-02 | Howard-Home | rmm/inventory | [friction] censused ARP as SYSTEM reading HKCU (=SYSTEM profile), missed per-user installs + falsely concluded no programs removed; must enumerate all HKU* user hives
2026-07-02 | GURU-5070 | bash/env | [friction] referenced $RMM/$TOKEN from prior Bash call; env does not persist between calls - re-auth inline [ctx: ref=CLAUDE.md shell-env rule]
2026-07-02 | GURU-5070 | cargo/windows-msvc-linker | [friction] cargo check on GURU-5070 fails 'linker link.exe not found' (MSVC linker not on PATH / vcvars64.bat not found under VS roots) - blocks local server typecheck; memory reference_guru5070_rust_toolchain claims MSVC present. Build on the pipeline/Linux host instead. [ctx: ref=reference_guru5070_rust_toolchain host=GURU-5070]
2026-07-01 | Howard-Home | rmm/powershell | [friction] interpolated string "$i:..." parsed as drive-qualified variable (InvalidVariableReferenceWithDrive) -> use ${i}; cost one round-trip dispatch
2026-07-01 | GURU-5070 | bash/msys-pathconv | [friction] cmd.exe /c from Git-bash: MSYS converted /c to C: and opened an interactive cmd (2min timeout); use powershell.exe directly or MSYS_NO_PATHCONV=1 [ctx: ref=msys-path-conversion-family]
2026-07-01 | GURU-5070 | bash/jq-windows | [friction] jq --rawfile with /dev/stdin fails on Windows jq (no /proc); build JSON from a shell var with jq -n --arg instead
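Review bot: the two `Howard-Home | rmm/powershell` entries dated 2026-07-02 have lost their backslashes as committed: the quote-stripping entry reads `("W:" and "W:\")` and `(Test-Path W:)`, and the double-hop entry reads `HKCU:Network<drv>`, whereas the reference file added in this same commit writes `"W:\"`, `"W:\\"`, `Test-Path W:\` and `HKCU:\Network\<drv>`. The lesson about a trailing backslash before a closing quote is unreadable without them, so escape or single-quote these values when passing them to `log-skill-error.sh` and recommit the two lines.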