sync: auto-sync from HOWARD-HOME at 2026-07-02 09:08:36

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-02 09:08:36
2026-07-02 09:09:05 -07:00
parent 3e6f946377
commit 26f47fdd10
4 changed files with 161 additions and 0 deletions


@@ -0,0 +1,129 @@
# Cascades - Shelby Trozzi "Company Web Docs" share + mapped drive
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Set up file-share access for Shelby Trozzi (MemCare Director) to the "Company Web Docs"
folder on CS-SERVER (Cascades DC). The request was to make `D:\Shares\Public\Company Web Docs`
an SMB share and grant Shelby access so the share could then be mapped as a drive on her
workstation (MDIRECTOR-PC).
Work proceeded via GuruRMM against CS-SERVER (agent resolved live by hostname). A read-only
discovery pass confirmed the folder existed (NTFS = inherited `Everyone:FullControl`), that it
was NOT currently shared (no SMB share pointed at it or at `Public`), and that Shelby already
had a domain account (`CASCADES\Shelby.Trozzi`, enabled). Howard chose the share name
`Company Web Docs` (with spaces) and Read/Write (Change) access. Created the SMB share with
`New-SmbShare` granting `CASCADES\Shelby.Trozzi` Change and `BUILTIN\Administrators` Full — the
share ACL is the effective gate (NTFS left as inherited Everyone:Full), so Shelby's effective
access is Change.
Discovered Shelby had never logged into her domain account (`logonCount = 0`, `lastLogon = never`)
and there was no vaulted password for her. Confirmed her account is in
`OU=Care-Memorycare,OU=Departments` with no `ConsistencyGuid` = NOT Entra-synced, so an on-prem
password reset was safe (would not affect any M365 sign-in). Reset her password (first attempt
`Shelby1173!` was rejected by AD complexity for containing her name; used `Cascades1173!` at
Howard's direction to keep the `1173!` pattern), set never-expires / no change-at-logon, and
vaulted it at `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
Attempted to push the drive map to MDIRECTOR-PC (Win Home, not domain-joined) via RMM
`user_session` context. The map failed with System error 67 (and `net view` with 1702) even with
explicit credentials — the RMM agent's impersonated token has no network credential to reach
CS-SERVER (double-hop; the documented "SMB error 67 RMM artifact"). Worked around it by storing
the credential via `cmdkey` and planting a persistent map in her hive at `HKCU:\Network\W`, which
reconnects at her next interactive logon. Howard then mapped the drive himself in Shelby's live
session (ScreenConnect), confirming it mounted cleanly. Task complete.
## Key Decisions
- **Share name `Company Web Docs` (with spaces), Change access** — Howard's explicit choice via
AskUserQuestion (offered WebDocs/CompanyWebDocs/exact-name and Read vs Read/Write).
- **Gate at the share ACL, leave NTFS untouched** — folder already inherits `Everyone:FullControl`
from `Public`; the new share is the only network path to it, so granting only Shelby + Admins at
the share level limits access without disturbing the `Public` NTFS tree. Effective = Change.
- **On-prem password reset deemed safe** — verified not Entra-synced (no ConsistencyGuid, OU not in
sync scope), so reset does not ripple to M365.
- **Password `Cascades1173!`** — `Shelby1173!` blocked by AD complexity (contains user name); kept
the `1173!` numbers per Howard, swapped name part for `Cascades`.
- **Planted HKCU map + cmdkey instead of live net use** — RMM cannot drive an outbound authenticated
mount from the impersonated session; the registry/cmdkey approach mounts at next logon. Immediate
visibility left to interactive session (Howard did it).
## Problems Encountered
- **RMM dispatch JSON malformed** (hand-escaped nested quotes) → jq parse error on response. Fix:
build payload with `jq -n --arg` per the /rmm skill. Logged --friction.
- **PowerShell parse errors from backslash-before-closing-quote** (`"W:\"`, `"W:\\"`) broke two
dispatches (compile error = nothing ran). Fix: bare path tokens (`Test-Path W:\`) or single quotes.
Logged --friction.
- **AD password complexity rejection** — `Shelby1173!` contained her name; AD blocks names in
passwords regardless of length/symbols. Resolved with `Cascades1173!`.
- **SMB error 67 / RPC 1702 on the map** — RMM `user_session` impersonation double-hop; cannot make
outbound authenticated SMB to CS-SERVER. Resolved via cmdkey + `HKCU:\Network\W` (mounts at logon),
then Howard mapped it interactively. Logged --friction with ref to wiki SMB-error-67 note.
- **Used raw `Set-ADAccountPassword` instead of GuruRMM User Manager** — memory
`reference_gururmm_user_manager` says use the built-in User Manager for domain password resets.
Result correct, not redone; logged --correction.
- **Vault push rejected (non-fast-forward)** — remote had newer auto-sync commits; resolved with
`git pull --rebase` then push.
## Configuration Changes
Created:
- CS-SERVER SMB share `Company Web Docs` -> `D:\Shares\Public\Company Web Docs`
(ACL: `CASCADES\Shelby.Trozzi` Change, `BUILTIN\Administrators` Full).
- `D:/vault` `clients/cascades-tucson/shelby-trozzi.sops.yaml` (encrypted, committed + pushed).
- `.claude/memory/reference_rmm_map_network_drive.md` + MEMORY.md index line.
- MDIRECTOR-PC: `HKCU:\Network\W` persistent map keys (RemotePath/UserName/ProviderType 131072/
ConnectionType 1/DeferFlags 4) + stored credential via `cmdkey /add:CS-SERVER`.
Modified on CS-SERVER:
- `CASCADES\Shelby.Trozzi` password reset; PasswordNeverExpires True; ChangePasswordAtLogon False.
Repo:
- `errorlog.md` — 2 friction + 1 correction entries (via log-skill-error.sh).
- `.claude/current-mode` -> `clients/cascades-tucson`.
## Credentials & Secrets
- **CASCADES\Shelby.Trozzi** — domain login. Password: `Cascades1173!` (set 2026-07-02).
UPN `Shelby.Trozzi@cascadestucson.com`. Never-expires, no change-at-logon. NOT Entra-synced
(on-prem/SMB only, not M365). Vaulted: `clients/cascades-tucson/shelby-trozzi.sops.yaml`.
## Infrastructure & Servers
- **CS-SERVER** — Cascades DC (cascades.local). GuruRMM agent id `c39f1de7-d5b6-45ae-b132-e06977ab1713`
(re-enrolls; resolve live). Reachable on 445 from MDIRECTOR-PC.
- **MDIRECTOR-PC** — Shelby's workstation, Windows Home, NOT domain-joined. GuruRMM agent id
`6b7990aa-edad-41c7-8f2d-5efdcaa41046`. Local user `mdirector-pc\shelby trozzi` (logged in since
6/29/2026). Only C: drive prior to map; W: now mapped.
- **New share UNC:** `\\CS-SERVER\Company Web Docs`.
- GuruRMM API: `http://172.16.3.30:3001` (creds vault `infrastructure/gururmm-server.sops.yaml`).
## Commands & Outputs
- `New-SmbShare -Name "Company Web Docs" -Path "D:\Shares\Public\Company Web Docs" -FullAccess "BUILTIN\Administrators" -ChangeAccess "CASCADES\Shelby.Trozzi"` -> created; ACL verified.
- `Set-ADAccountPassword -Identity Shelby.Trozzi -Reset ...` — first attempt `ADPasswordComplexityException` (1325) on `Shelby1173!`; succeeded with `Cascades1173!` (PasswordLastSet 7/2/2026).
- Map attempt in user_session: `net use W: \\CS-SERVER\Company Web Docs` -> `System error 67`;
`net view \\CS-SERVER` -> `System error 1702 (binding handle is invalid)`; `Test-Path` UNC -> False.
- Fix: `cmdkey /add:CS-SERVER /user:CASCADES\Shelby.Trozzi /pass:...` -> "added successfully";
`HKCU:\Network\W` keys written; `cmdkey /list:CS-SERVER` confirms stored Domain Password cred.
- Howard mapped W: himself interactively afterward — mounted cleanly.
## Pending / Incomplete Tasks
- None. Share live, access granted, password vaulted, drive mapped and confirmed by Howard.
- Future: additional users needing this share -> grant via `Grant-SmbShareAccess -Name "Company Web Docs"`.
- Standing follow-up (unchanged): MDIRECTOR-PC is Win Home; domain join still blocked until Pro.
## Reference Information
- Vault: `clients/cascades-tucson/shelby-trozzi.sops.yaml`
- Memory: `.claude/memory/reference_rmm_map_network_drive.md`
- Wiki: `wiki/clients/cascades-tucson.md` (SMB-error-67 RMM-artifact note; Access section)
- #dev-alerts message ids: 1522266883636854804 (share), 1522269030394626152 (pw reset),
1522270727368343682 (drive map).
- RMM command ids: share `df903ca8`, pw reset `86ef25a6`, map plant `dec3d11c`.
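Review bot: this file is now a cleartext copy of the very secret it says was vaulted, which defeats the purpose of `clients/cascades-tucson/shelby-trozzi.sops.yaml`; `Cascades1173!` appears in the Session Summary, Key Decisions, Problems Encountered, Credentials & Secrets and Commands & Outputs sections, and the rejected `Shelby1173!` reveals the same numeric pattern. Replace every occurrence with a pointer to the vault path (the complexity rejection can be described as "rejected for containing the user name") and treat the password as disclosed, because it has already been pushed in an auto-synced repo and will stay in history even after the text is scrubbed. Two further points in the same hunk. The "Gate at the share ACL, leave NTFS untouched" decision rests on `Company Web Docs` being the only network path to the folder, yet the page also records that the folder inherits `Everyone:FullControl` from `Public`; any later share of `Public`, any other share that reaches the tree, or any interactive logon on CS-SERVER gets full control rather than Change, so an explicit NTFS ACE for `CASCADES\Shelby.Trozzi` (with the inherited Everyone:Full broken on this subfolder) would make the intended Change access hold regardless of path. And the cmdkey workaround leaves a never-expiring domain credential stored in a local user's vault on a non-domain-joined Windows Home machine; the Pending section should not read "None" but should carry a standing item to rotate that password and remove the `cmdkey` entry once MDIRECTOR-PC is on Pro and joined.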