sync: auto-sync from HOWARD-HOME at 2026-07-01 15:12:14

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-01 15:12:14
2026-07-01 15:12:45 -07:00
parent c3aeef60fb
commit 282c4af8cc


@@ -0,0 +1,161 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Processed the client's updated caretaker list for Cascades of Tucson against the live AD
caregiver roster (CS-SERVER via RMM, read-only pull first). The client's 40-entry list mapped
1:1 onto the 40 enabled accounts in `OU=Caregivers` — no unknowns either direction. Howard's
decisions (in-session prompts): full offboard of the 7 marked "no longer with us", keep
`c.lassey` and disable the `t.lassey-assiakoley` duplicate (client confirmed Tele Sepopo
Lassey Assiakoley = Celia Lassey), move Zeke Huerta out of `SG-Caregivers` (front desk now),
leave Christine Nyanzunda out (frontline-only rule stands; she keeps her existing
`christine.nyanzunda` account), and create 4 new caretakers.
Executed via RMM on CS-SERVER: disabled 8 accounts (7 leavers + Lassey dup) with descriptions,
removed all 8 + e.huerta from `SG-Caregivers`, created a.vallejo / j.munezero / n.cota /
k.robinson in `OU=Caregivers` + `SG-Caregivers` with forced-change temp passwords, triggered
Entra Connect delta sync. Graph side (user-manager tier): usageLocation=US + Business Premium
on the 4 new (two-pass for propagation lag), removed SPB from the 8 offboarded. Verified: 8
disabled + 0 licenses; 4 new licensed; SG-Caregivers = 35; SPB 45 enabled / 41 consumed
(4 free). Temp passwords vaulted + DM'd to Howard.
Second phase: Howard asked to make sure the caretakers can actually log in on the phones.
Verified the full chain and found TWO blockers the pilot had masked: (1) `Require MFA for all
users` excluded only the stale `SG-Caregivers-Pilot` group (the known wiki bug) — live
caretakers would be MFA-prompted with no way to satisfy it; (2) `CSC - Block caregivers on
non-compliant device` targeted `SG-Caregivers` while the CSC-* phones report noncompliant in
Intune (and no Windows device is Intune-managed), so every device was blocked. pilot.test had
worked only because it sits in `SG-Caregivers-DeviceTest`, which the compliance-block excludes
and the allow-list targets.
Howard's ruling: interim posture = ALL caretakers may use desktops AND phones (on-network
only); keep a phones-only tracking list and lock that cohort down to phones near the end of
the rollout. Applied with tenant-admin tier: added `SG-Caregivers` (8b8d9222) to the
MFA-for-all excludeGroups (break-glass excludeUsers + Directory-Sync excludeRole preserved),
disabled the compliance-block policy. Allow-list policy left test-scoped. Verified the
off-network block end-to-end at Howard's request: enabled, block, all apps/client types,
includes SG-Caregivers, excludes only the Cascades named location (two /32 egress IPs
72.211.21.217 + 184.191.143.62) and the 2 break-glass accounts — offsite credential use is
dead, on-site is password-only with 8h sign-in frequency.
## Key Decisions
- **Full offboard of 7 leavers** (Mendoza, Tate, Fierros, Williford, K. Flores, Baker,
Kariuki): disable + SG-remove + license reclaim. All were already ALIS-Discharged/absent
and had never logged in.
- **Lassey duplicate: keep `c.lassey`**, disable `t.lassey-assiakoley` + reclaim its license.
Client note resolved the 6/4 open question (Tele = Celia).
- **Huerta: SG-Caregivers removal ONLY, no OU move.** Entra Connect sync scope covers ONLY
OU=Caregivers / OU=Groups / OU=Caregiver Devices — moving him to any other OU would delete
his cloud object. OU move deferred until Administrative OU enters sync scope. He now falls
under MFA-for-all and needs Authenticator registration.
- **Nyanzunda left out of SG-Caregivers** — Howard reaffirmed the 6/30 frontline-only rule
despite the client listing her as a caretaker to add.
- **Interim CA posture (Howard, overriding the 6/24 hold):** caretakers allowed on desktops +
phones, on-network only. Rationale: under compliance-block nothing was compliant so
caretakers were blocked on ALL devices anyway; flipping loses nothing. Phones-only lockdown
deferred to end of rollout with a tracked list.
- **MFA-for-all exclude fix kept the stale pilot-group exclude** — remove at pilot cleanup.
## Problems Encountered
- **PowerShell filter quoting via bash→JSON→PS:** `-Filter "X -eq \"$var\""` inside a bash
single-quoted block delivers literal `\"` to PowerShell → ParameterBindingException. Fixed
by writing `:$var:` placeholders and `${SCRIPT//:/\'}` substitution to inject PS single
quotes.
- **Graph propagation lag (known from 6/30):** n.cota license assign failed with "invalid
usage location" seconds after the usageLocation PATCH; k.robinson failed with "no available
licenses" before the 8 removals released seats. Both succeeded on retry after ~45s.
licenseDetails read also lagged ~30s behind a successful assign.
- **CA policy PATCH read-back lag:** compliance-block still read `enabled` immediately after
a 204 disable; consistent ~20s later.
- **Intune managedDevices $filter query returned empty** while an unfiltered $top query
returned Android devices fine — used the raw read instead.
## Configuration Changes
- **AD (CS-SERVER, cascades.local), RMM cmd b5329b71:**
- Disabled + SG-removed: b.mendoza, c.tate, d.fierros, g.williford, k.flores, m.baker,
m.kariuki, t.lassey-assiakoley (descriptions stamped 2026-07-01).
- e.huerta removed from SG-Caregivers (enabled, OU unchanged, description stamped).
- Created in OU=Caregivers + SG-Caregivers: a.vallejo, j.munezero, n.cota, k.robinson
(UPN/mail = sam@cascadestucson.com, ChangePasswordAtLogon, PasswordNeverExpires=false).
- SG-Caregivers: 40 → 35 members. Entra Connect delta sync triggered.
- **M365 (tenant 207fa277-e9d8-4eb7-ada1-1064d2221498):**
- 4 new: usageLocation=US + Business Premium (SPB cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46).
- 8 offboarded: SPB removed. Pool now 45 enabled / 41 consumed.
- CA `Require MFA for all users` (7e87a1c7-4836-49df-8769-c4cccadd9dbe): excludeGroups now
[0674f0bc (pilot, stale), 8b8d9222 (SG-Caregivers)]; excludeUsers (2 break-glass) and
excludeRoles (d29b2b05 Directory Sync) preserved.
- CA `CSC - Block caregivers on non-compliant device` (ede985e2): state → disabled.
- **Repo:** `clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md` (new),
`clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md` (new, 35-row tracking
table), `wiki/clients/cascades-tucson.md` (compliance-block line + MFA-bug line updated to
reflect 7/1 state).
## Credentials & Secrets
- **New caregiver AD temp passwords (4), forced-change at first login, hybrid PHS (= M365/
phone sign-in):** a.vallejo=Sunrise4827, j.munezero=Meadow9153, n.cota=Harbor2764,
k.robinson=Willow6398. Vaulted: `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml`
(keys = sAMAccountName; retrieve with `vault get`, NOT get-field — dotted keys). DM'd to
Howard (Discord msg 1521981205443117116). Vault repo pushed (4bf5c14).
- Tokens used: GuruRMM admin (vault `infrastructure/gururmm-server.sops.yaml`), Graph tiers
investigator / user-manager / tenant-admin via
`remediation-tool/scripts/get-token.sh <tenant> <tier>` with `VAULT_ROOT_ENV="D:/vault"`.
## Infrastructure & Servers
- CS-SERVER agent c39f1de7-d5b6-45ae-b132-e06977ab1713 (resolve live; changes on re-enroll).
- M365 tenant cascadestucson.com 207fa277-e9d8-4eb7-ada1-1064d2221498; SPB SKU cbdc14ab.
- SG-Caregivers cloud group 8b8d9222-5d71-419a-936d-56d895c6c332 (on-prem synced; 35 members).
- Entra Connect sync scope (verified live): ONLY OU=Caregivers, OU=Groups, OU=Caregiver
Devices — nothing else syncs; OU moves out of scope delete cloud objects.
- Named location "Cascades" 061c6b06-b980-40de-bff9-6a50a4071f6f = 72.211.21.217/32 +
184.191.143.62/32 (trusted). If the facility WAN IP changes, caretakers fail closed on-site.
- CA policy ids: MFA-for-all 7e87a1c7; off-network block e35614e1 (enabled); compliance-block
ede985e2 (DISABLED 7/1); 8h sign-in frequency 7d491c7a (enabled); allow-list 1b7fd025
(enabled, TEST group db5849ec only). Break-glass excludeUsers: 471b13dc..., e20f7f21....
- pilot.test groups: SG-Caregivers-DeviceTest (db5849ec) + SG-Caregivers-Test (eee4e9b2) —
NOT in SG-Caregivers-Pilot (0674f0bc) and not in SG-Caregivers.
## Commands & Outputs
- Roster pull: RMM cmd bf80962c (OU=Caregivers 42 objects = 40 enabled + pilot.test +
disabled n.castro; SG-Caregivers 40).
- Recon: cmd 3e543898 (OU list, sync scope, e.huerta) + b32ad9bc (name conflicts — all 4 new
sams free, no surname matches).
- Batch write: cmd b5329b71 — all 13 operations OK, SG=35, delta sync triggered.
- Post-change AD state: cmd 5d3fa209 — all 35 Enabled=True, Locked=False, PwExpired=True
(expected: forced-change).
- Graph verify: 8 offboarded accountEnabled=false licenses=0; 4 new SPB; cloud group
count=35 with all 4 new hires present.
- CA patches: both HTTP 204; verified post-propagation.
## Pending / Incomplete Tasks
- **ALIS records** for the 3 brand-new hires (Munezero, Cota, Robinson) — need job roles
(Certified vs Resident Caregiver / Med Tech) before building the import .xls (`alis` skill
`build-import`). Vallejo already in ALIS — set her staff Email = a.vallejo@cascadestucson.com.
ALIS Email=UPN sweep for the rest is still with Howard (6/30 pending item).
- **Huerta MFA registration** (Authenticator) — he is now under MFA-for-all with no
registered method. Also his OU move awaits Administrative OU entering sync scope.
- **Phones-only lockdown (end of rollout):** fill the phones-only column in
`docs/cloud/caretaker-phones-only-list.md` with the client, then scope a phones-only block
(CSC-* device filter) to that cohort. Do NOT re-enable ede985e2 (superseded).
- **Pilot cleanup (unchanged):** delete pilot.test, remove SG-Caregivers-Pilot exclude from
MFA-for-all, delete pilot/test groups, clean howard.enos account.
- Notify client that Nyanzunda already has an account and was intentionally not added to the
caregiver group; Kariuki ALIS dup records (429856/429858) still need dedupe if she returns.
## Reference Information
- Report: `clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md`
- Phones-only list: `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`
- Prior context: 6/29 caretaker crosscheck + 6/30 phone-SSO onboarding session logs (2026-06/)
- RMM command ids: bf80962c, 3e543898, b32ad9bc, b5329b71, 5d3fa209
- Discord: temp-password DM 1521981205443117116; #dev-alerts CA-change post 1521994546400067805
- Syncro customer 20149445 (Cascades of Tucson)
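Review bot: the four caregiver temp passwords under `## Credentials & Secrets` are committed in plaintext (`a.vallejo=Sunrise4827, j.munezero=Meadow9153, n.cota=Harbor2764, k.robinson=Willow6398`) in the same line that says they are already vaulted in `caregiver-temp-passwords-2026-07-01.sops.yaml`; drop the values from the log and keep only the vault path and the key names. Since this commit (282c4af8cc) is already in history, reset the four accounts to fresh temp passwords rather than relying on `ChangePasswordAtLogon`: with `Require MFA for all users` now excluding `SG-Caregivers` and the on-site posture being password-only, anyone with repo access on the facility network could complete the first sign-in before the new hire does. Secondary point for `## Pending / Incomplete Tasks`: after the MFA exclude and the disabled compliance-block, the named location (two /32 egress IPs) is the only control left on those 35 accounts, so the phones-only lockdown and the removal of the stale `SG-Caregivers-Pilot` exclude should carry a target date, not just "end of rollout".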