diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-10-howard-meredith-locked-word-doc.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-10-howard-meredith-locked-word-doc.md new file mode 100644 index 0000000..e0d5fa1 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-10-howard-meredith-locked-word-doc.md @@ -0,0 +1,69 @@ +# Cascades — Meredith locked Word doc (stale Office lock files) + 0.5h remote billing + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Meredith Kuhn at Cascades reported that "Employee General Training Signature Page.docx" on the `\\cascadesds\Public\Company Web Docs\Staff Trainings` share showed "locked for editing by her," with no one actually in the file. Confirmed `cascadesds` is the Synology NAS (192.168.0.120), not CS-SERVER. + +Investigated via GuruRMM. CS-SERVER (running as SYSTEM/machine account) could not authenticate to the Synology `Public` share — expected, given the known NAS workgroup/Kerberos mismatch documented in the wiki. Switched the execution point to Meredith's own machine, ASSISTMAN-PC (agent `cf86fa5e-96a2-494d-9cb1-8be22a518ad0`), where she was actively logged in (`meredithk`, console session since 6/8). Ran a read-only listing in her `user_session` context, which reaches the share with her credentials. + +Root cause: stale Word owner/lock files. The hidden `~$ployee General Training Signature Page.docx` owner file (162 bytes, dated 7/12/2024) was orphaned in the folder — Word reads that `~$…` file to display "locked for editing by [name]," so a ~2-year-old leftover produced a permanent false lock. The folder held five such orphaned 2024 owner files (General, Competency, Training, and two Disaster Drill docs). The real document was healthy (opened, not read-only). With the user's go-ahead (all 5), deleted all five `~$` owner files via Meredith's session and verified the folder clean. + +Howard separately confirmed the Synology shows no one accessing the file after a reboot, corroborating the stale-lock diagnosis. Billed the work as 0.5h remote on a new Cascades ticket (#32403), bundling a second item Howard handled this morning — sending the admin password to John at 7:40 AM — under the same charge per his instruction. Cascades is a prepaid block customer; invoice netted $0.00 and the block decremented 56.75 → 56.25h. Saved this session log. + +## Key Decisions + +- Used ASSISTMAN-PC (Meredith's PC) in `user_session` context rather than CS-SERVER as SYSTEM — the Synology Public share isn't reachable from the domain-joined server's machine account (workgroup/Kerberos), but Meredith's own token reaches it exactly as she does. +- Rebuilt the UNC path from `[char]92` char codes inside PowerShell so no literal backslash had to survive the bash → jq → agent → powershell transport (an earlier probe lost a backslash, `\\cascadesds` → `\cascadesds`, and resolved against C:). +- Deleted all 5 orphaned 2024 owner files (not just the General one) — all clearly stale, and the other four would throw the same false lock on their docs. +- Billed remote labor product 1190473 at its live rate ($150); rate is cosmetic for a prepaid customer (invoice $0, block debits by quantity 0.5h). +- Left ticket contact blank (standing Cascades rule — Meredith is the recurring wrong default). + +## Problems Encountered + +- CS-SERVER as SYSTEM returned `Test-Path` False on the share — not a real reachability conclusion at first because the UNC path had a backslash stripped in transport. Re-tested with char-code path construction; confirmed it's a genuine auth limitation (machine account can't reach the non-domain NAS), so pivoted to ASSISTMAN-PC user_session. + +## Configuration Changes + +- Deleted 5 stale Word owner files on `\\cascadesds\Public\Company Web Docs\Staff Trainings`: + - `~$ployee General Training Signature Page.docx` + - `~$ployee Competency Training Signature Page.docx` + - `~$ployee Training Signature Page.docx` + - `~$saster Drill Signature Page.docx` + - `~$saster Drill Template and Signature Page.docx` +- No repo file changes beyond this session log. + +## Credentials & Secrets + +- No credential was used or captured for the fix — the RMM agent ran in Meredith's session via SYSTEM/WTS impersonation. +- Meredith Kuhn has **no vault entry**; her login password is not on file and Howard does not have it. Not created (no password available). Options if needed later: AD reset on CS-SERVER via RMM, then vault. +- The admin password sent to John at 7:40 AM was handled by Howard outside this session; not recorded here. + +## Infrastructure & Servers + +- `cascadesds` = Synology NAS, 192.168.0.120 (DSM :5000). Legacy file storage; hosts the `Public` share. Workgroup "CASCADES" → Kerberos auth failures from domain-joined machines (so SYSTEM on CS-SERVER cannot reach it). +- ASSISTMAN-PC (Meredith Kuhn) — GuruRMM agent `cf86fa5e-96a2-494d-9cb1-8be22a518ad0`, online, `meredithk` console session since 6/8/2026. +- CS-SERVER — GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`, 192.168.2.254 (DC/file/Hyper-V). + +## Commands & Outputs + +- RMM owner-file listing (user_session, ASSISTMAN-PC) found `~$ployee General Training Signature Page.docx` (162 B, 7/12/2024) + 4 more 2024 owner files; target doc healthy (150073 B, LastWrite 7/12/2024, not read-only). +- Delete command (`cmd:636e2541`) → "DELETED" x5, verify "(none remain - clean)". +- Syncro: ticket #32403 (id 112502876), line item id 42810122 (0.5h @ $150), invoice id 1650638663 total $0.00, status Invoiced; prepay 56.75 → 56.25. + +## Pending / Incomplete Tasks + +- Tell Meredith to fully close Word, then reopen the doc — should open editable with no lock prompt. If it still shows locked after a clean close/reopen, it would indicate a live SMB handle on the NAS (clear via Synology DSM → File Services / Resource Monitor). Howard's post-reboot check (no one accessing the file) indicates this is resolved. +- No Meredith vault entry; create only if a password becomes available. + +## Reference Information + +- Share/file: `\\cascadesds\Public\Company Web Docs\Staff Trainings\Employee General Training Signature Page.docx` +- Syncro ticket: #32403 — https://computerguru.syncromsp.com/tickets/112502876 +- Syncro invoice: 1650638663 ($0.00, 0.5 prepay applied) +- Cascades customer id: 20149445 (prepay 56.25h after this bill) +- RMM dispatch alerts: `cmd:636e2541` (delete); Syncro alert posted to #bot-alerts