diff --git a/wiki/clients/rednour.md b/wiki/clients/rednour.md index 8ffc10c4..774e8b82 100644 --- a/wiki/clients/rednour.md +++ b/wiki/clients/rednour.md @@ -9,11 +9,14 @@ sources: - clients/rednour/reports/2026-06-01-carla-password-set.md - clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md - clients/rednour/session-logs/2026-06-02-session.md + - clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md + - clients/rednour/session-logs/2026-06/2026-06-26-howard-nick-mac-rmm-rootcause.md + - clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md - clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md - - session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md - clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md - clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md - clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md + - session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md --- # Rednour Law Offices 
@@ -22,9 +25,12 @@ sources: - **Business type:** Law firm (Arizona) - **Syncro Customer ID:** 1224246 -- **Billing model:** Time and materials [billing rate unverified — not stated in session logs] -- **Contract status:** Active MSP client -- **Primary ticket:** Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Resolved. URL: https://computerguru.syncromsp.com/tickets/111409967 +- **Contract type:** Break-fix / time-and-materials (prepaid hours: 0) +- **Recurring line:** ~$59.09/mo (small managed/hosting line) +- **Labor rate:** (verify — recent labor invoices suggest ~$150-175/hr) +- **Managed asset count:** 4 (per Syncro) +- **Active open tickets:** None as of 2026-06-29 +- **Primary historical ticket:** Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Invoiced. URL: https://computerguru.syncromsp.com/tickets/111409967 ## Contacts 
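Review bot: `- **Labor rate:** (verify — recent labor invoices suggest ~$150-175/hr)` puts an unverified estimate in the value field; the line it replaces used the page's own `[... unverified — ...]` bracket convention for exactly this case, and the one rate this page actually documents is the 0.5h / $75.00 line item 42654682 on #32343 (i.e. $150/hr). Suggest `- **Labor rate:** $150/hr [per line item 42654682 on #32343; confirm against recent invoices]` so the figure is sourced rather than guessed.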
@@ -32,11 +38,13 @@ sources: |---|---|---|---|---| | Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly | | Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) | -| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local `nick` on REDNOURCARRIEVI -> `Documents`); on an Apple Silicon Mac (RMM enrollment pending fix) | +| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local `nick` on REDNOURCARRIEVI -> `Documents`); on an Apple Silicon Mac (GuruRMM enrollment pending — installer runs but agent does not enroll; fix staged) | | receptionist | Shared mailbox | receptionist@rednourlaw.com | — | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep | System recipient: DiscoverySearchMailbox (Exchange system object — not a user). +**Nick's Mac (ScreenConnect name `DUXs-Mac-Studio`):** Apple Mac Studio, Mac13,1, Apple M1 Max (arm64), macOS 26.5.1, serial F6QR2PN2R6. Confirm this is Nick's box before enrolling (name suggests a "Dux" user). + ## Infrastructure ### Network 
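Review bot: the new `**Nick's Mac (ScreenConnect name DUXs-Mac-Studio):**` paragraph is hardware inventory (model, CPU, OS build, serial) placed under `## Contacts`, where everything else is a person or mailbox. Suggest moving it under `## Infrastructure` as a not-yet-enrolled workstation entry, so the Workstations table and the "4 managed assets per Syncro vs 3 GuruRMM-enrolled" gap live in one place, and keeping only the `Confirm this is Nick's box before enrolling` caveat in Nick's contact row.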
@@ -47,13 +55,13 @@ System recipient: DiscoverySearchMailbox (Exchange system object — not a user) ### Workstations (GuruRMM enrolled) -All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items). +All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items). As of 2026-06-29 the GuruRMM fleet shows them as FrontDeskReception, LegalAsst, rednourcarrievirt (agent display names may differ from Windows hostnames; `rednourcarrievirt` is the current network/SMB name for Carrie's box, formerly REDNOURCARRIEVI). | Hostname | Model | CPU | RAM | OS | IP | Agent ID | Grade | |---|---|---|---|---|---|---|---| | FRONTDESKRECEPT | Dell OptiPlex 3080 | i5-10505 6c/12t | 15.8 GB | Win 11 Pro build 26200 | 192.168.10.115 | 04765560-3e8a-46e5-a507-c5f5f4ead6eb | RED | | LEGALASST | Generic OEM | AMD Ryzen 3 3200G 4c/4t | 5.9 GB | Win 10 Pro build 19045 | 192.168.10.213 | 18825ea7-df58-47bb-b492-822cb16fb5ec | RED | -| REDNOURCARRIEVI | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 10 Pro build 19045 | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED | +| REDNOURCARRIEVI (rednourcarrievirt) | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 10 Pro build 19045 | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED | **Common issues across all three at onboarding:** - ScreenConnect (ConnectWise Control) running — prior MSP remote-access agent, not yet removed 
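Review bot: `rednourcarrievirt is the current network/SMB name for Carrie's box, formerly REDNOURCARRIEVI` implies a hostname change that nothing on the page records; `REDNOURCARRIEVI` is the 15-character NetBIOS form of the 17-character hostname `rednourcarrievirt` (the 2026-05-29 baseline captured the NetBIOS name, while the SMB UNC paths and the RMM display name carry the full name). Suggest `REDNOURCARRIEVI is the NetBIOS-truncated form of the hostname rednourcarrievirt` and a single canonical name in the table row instead of `REDNOURCARRIEVI (rednourcarrievirt)`.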
@@ -63,41 +71,51 @@ All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED **LEGALASST additional:** - Win 10 22H2 (build 19045) — EOL since 2025-10-14; no longer receives security patches -- 43 days uptime, reboot pending +- 43 days uptime at baseline; reboot pending - Local admins include stale accounts `Ale` and `Emma` (pre-rename artifact) +- Active local account: `emma`; profile: `C:\Users\Ale`; OneDrive: `carla@rednourlaw.com` +- Leftover `SyncroLive.Agent.Runner` still running as of 2026-06-29 +- AMD GPU driver 31.0.12027.9001 (2023-03-29); 7-Zip 26.02 installed 2026-06-29 at `C:\Program Files\7-Zip\` +- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y: `\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — Status OK as of 2026-06-29 +- SFC ran 2026-06-29, repaired corruption (0 unrepairable); repair pending reboot to load -**REDNOURCARRIEVI additional:** +**REDNOURCARRIEVI (rednourcarrievirt) additional:** - Win 10 22H2 (build 19045) — EOL since 2025-10-14 - Defender real-time protection OFF + antimalware service not running at baseline (critical) - Datto RMM running — prior MSP agent, not yet removed -- C: drive at 11.7% free (54.4 GB of 465.1 GB) -- Last hotfix: 2025-12-20 (severely behind on patches as of 2026-05-29) +- C: drive at 11.7% free (54.4 GB of 465.1 GB) at baseline +- Last hotfix at baseline: KB5072653 (2025-12-20 — severely behind) - 151 installed programs, 19 non-MS scheduled tasks — elevated attack surface +- RDP enabled without NLA at baseline +- Time source: local CMOS clock (not NTP) at baseline **FRONTDESKRECEPT additional:** - BitLocker off on OS volume -- 2 pending Windows updates +- 2 pending Windows updates at baseline - Local admin account `guru` present (ACG account, expected) ### File Shares (workgroup, peer-to-peer) -REDNOURCARRIEVI (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD): 
+REDNOURCARRIEVI / rednourcarrievirt (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD): - **`Documents`** -> `C:\Users\Carrie\Documents` — the primary working share (also exposed redundantly as `ShareName`, same path). Mac/PC clients authenticate with a **local Windows account** on the box. -- Local accounts with access to Documents: `Carrie`, `emma` (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), `localadmin`, and **`nick`** (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`). +- Local accounts with access to Documents: `Carrie`, `emma` (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), `localadmin`, and **`nick`** (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`). - Other shares present: `Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. **Security note:** several are over-broad (`Everyone=Full` on `Program Files`/`Users`/`Time Matters`) — cleanup candidate. - Mac mount string: `smb://192.168.10.194/Documents`. 
### GuruRMM Site - **Site name:** Main Office -- **Enrollment key vault path:** `clients/rednour/` (enrollment key GREEN-FALCON-7214 in vault per index entry) +- **Site code:** GREEN-FALCON-7214 +- **Site UUID:** `c7f5787c-8e71-45b3-841f-fa52436f7d26` +- **Client UUID:** `85f7cff4-d4db-48a8-b477-b8788122a361` +- **Enrollment key vault path:** `clients/rednour/gururmm-site-main.sops.yaml` ## Cloud / M365 - **Tenant domain:** rednourlaw.com - **Tenant ID:** `4a4ca18a-f516-478b-99da-2e0722c5dc18` -- **Onboarded to ComputerGuru MSP suite:** 2026-05-31 (bootstrapped by Mike during Emma→Carla rename session) +- **Onboarded to ComputerGuru MSP suite:** 2026-05-31 (bootstrapped by Mike during Emma->Carla rename session) ### MSP Service Principals 
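Review bot: the added `- Active local account: emma; profile: C:\Users\Ale` bullet contradicts the unchanged bullet directly above it (`Local admins include stale accounts Ale and Emma (pre-rename artifact)`) and the P3 Open Items row that schedules removing `Ale` and `Emma`: if `emma` is the account the legal assistant logs on with and owns the X:/Y:/Z: mappings listed two lines later, it is neither stale nor safe to delete. Suggest one reconciled statement, e.g. `Local account emma (profile C:\Users\Ale) is the active logon and is a local admin; demote to standard user rather than remove`, and re-scope the P3 row to match. Same hunk: `- **Site code:** GREEN-FALCON-7214` now sits in plaintext one line above `- **Enrollment key vault path:** ...`; state whether the vaulted key is this same code (which is also embedded in the public `/install/GREEN-FALCON-7214/macos` URL) or a separate secret, otherwise the vault line reads as protecting a value the page prints.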
@@ -123,14 +141,18 @@ All five ComputerGuru SPs are fully consented as of 2026-05-31: | receptionist | receptionist@rednourlaw.com | — | 34 contacts in mailbox | | DiscoverySearchMailbox | (system) | — | Exchange system object | -**Carla's retained aliases:** The mailbox mailNickname was historically `dgarcia` (prior employee Garcia → passed to Emma → now Carla). Both `dgarcia@` and `alee@` were kept by operator's explicit choice on 2026-05-31. The `emma@` alias was kept so mail to emma@ continues to reach Carla. Revisit only if the firm requests decommissioning of these addresses. +**Carla's retained aliases:** The mailbox mailNickname was historically `dgarcia` (prior employee Garcia -> passed to Emma -> now Carla). Both `dgarcia@` and `alee@` were kept by operator's explicit choice on 2026-05-31. The `emma@` alias was kept so mail to emma@ continues to reach Carla. Revisit only if the firm requests decommissioning of these addresses. ## Syncro - **Customer:** Rednour Law Offices, id `1224246` -- **Primary ticket:** #32343 (id 111409967), Status: Resolved - - 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — not yet invoiced as of 2026-05-31; pending final close-out after Nick's shared-drive piece +- **Contract type:** Break-fix / T&M; prepaid hours: 0; recurring ~$59.09/mo +- **Managed asset count:** 4 +- **Primary ticket:** #32343 (id 111409967), Status: Invoiced + - 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — on the existing invoice - Comments: 415513323 (hidden/internal), 415514647 (customer-visible), 416427937 (internal — 2026-06-02 follow-up contact fix) + - Additional onsite labor from 2026-06-25 SMB share work deferred by Howard; Syncro supports multiple invoices per ticket +- **[WARNING] Plaintext local-account passwords in Syncro customer notes** (carrie, ale accounts). These are being vaulted separately — vault migration pending. 
Do not use Syncro notes as the authoritative credential source. ## History @@ -138,7 +160,7 @@ All five ComputerGuru SPs are fully consented as of 2026-05-31: Three workstations enrolled in GuruRMM site "Main Office": FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI. Onboarding diagnostic baselines captured (all graded RED). Prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM on Carrie's machine) still present — not yet removed. -### 2026-05-31 — M365 onboarding + Emma → Carla rename +### 2026-05-31 — M365 onboarding + Emma -> Carla rename **Syncro ticket #32343.** Operator: Mike Swanson. @@ -157,7 +179,7 @@ Carla's account password set administratively via Graph User Manager app at clie ### 2026-06-02 — Stale pinned contact fix (Carrie's mailbox) -Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (`IPF.Contact.MOC.QuickContacts`) in Carrie's own mailbox mapping `emma@rednourlaw.com` → display name "Emma - Rednour Law". Because `emma@` is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin. +Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (`IPF.Contact.MOC.QuickContacts`) in Carrie's own mailbox mapping `emma@rednourlaw.com` -> display name "Emma - Rednour Law". Because `emma@` is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin. Fix: deleted the pin via EWS (`ExchangeImpersonation` of crednour@rednourlaw.com using Exchange Operator SP `full_access_as_app`; `DeleteItem` with `MoveToDeletedItems` — recoverable). Graph contacts call (403) confirmed no `Contacts.Read` scope in any suite app; EWS was the correct path. 
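Review bot: `**[WARNING] Plaintext local-account passwords in Syncro customer notes** ... These are being vaulted separately` treats the finding as a storage migration; a password that has sat in plaintext in a third-party ticketing system should be treated as exposed, so the remediation should be vault, then rotate the `carrie` and `ale` passwords, then redact the Syncro note, and the P1 Open Items row should list all three steps. Also in this hunk, `Status: Invoiced` and `0.5h remote labor ... on the existing invoice` leave the `Final invoice on Syncro #32343` open item below describing a line item that is already invoiced; that row should describe the uninvoiced 2026-06-25 onsite labor instead.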
@@ -174,53 +196,49 @@ No time billed on this follow-up per Mike's standing rule (never log time withou ### 2026-06-25 — SMB share access for Nick Pafford + Mac RMM enrollment attempt -**Operator: Howard Enos.** Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the **`Documents` SMB share on REDNOURCARRIEVI** (`C:\Users\Carrie\Documents`); identified via `Get-SmbShare` across all three workstations. It was previously reached only through the local `emma` account. +**Operator: Howard Enos.** Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the **`Documents` SMB share on REDNOURCARRIEVI** (`C:\Users\Carrie\Documents`); identified via `Get-SmbShare` across all three GuruRMM-enrolled workstations. It was previously reached only through the local `emma` account. -Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (PasswordNeverExpires), granted **share = Change** and **NTFS = Modify** on the Documents folder. Credential vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Nick's Mac (Apple Silicon) mounts `smb://192.168.10.194/Documents` (Finder Cmd+K, `nick` + keychain-saved password; auto-reconnect via Login Items). Share confirmed working onsite. +Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (PasswordNeverExpires), granted **share = Change** and **NTFS = Modify** on the Documents folder. Credential vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Nick's Mac (Apple Silicon) was confirmed mounting `smb://192.168.10.194/Documents` (Finder Cmd+K, `nick` + keychain-saved password) and working onsite. -**GuruRMM macOS enrollment FAILED** on Nick's Apple Silicon Mac (site Main, `GREEN-FALCON-7214`). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). 
Working hypothesis: the served binary is **unsigned**, so Apple Silicon SIGKILLs it (`agent/build-macos.sh` = unsigned cross-compile; `agent/build-macos-signed.sh` exists with Mike's Developer ID + notarization but is likely not what the server publishes). Fix path: publish the signed+notarized binary, or ad-hoc `codesign -s -` the binary inside the macOS install script. Deferred — Howard had only a limited ScreenConnect support session; "we will get the RMM installed" later. +**GuruRMM macOS enrollment FAILED** on Nick's Apple Silicon Mac (site Main, `GREEN-FALCON-7214`). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). Initial working hypothesis was that the served binary was unsigned (SIGKILL on Apple Silicon). Fix path flagged; deferred for further diagnosis. **Return visit pending:** phone + printer setup at Rednour; may require running a new wire or installing a switch. -Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time — generate passwords locally so they survive a timeout (logged to errorlog). +Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time. Resolution was to generate the password locally (injected via placeholder) and apply the NTFS ACE with `icacls` (no `/T`). + +### 2026-06-26 — Mac RMM enrollment root-cause analysis (offline diagnosis) + +**Operator: Howard Enos** (pre-staging before onsite visit). Nick's Mac was offline in ScreenConnect. All diagnosis done from the repo and the RMM server endpoints. 
+ +**Disproved the "unsigned binary" hypothesis.** Parsed the Mach-O load commands of the served arm64 binary directly: it carries an `LC_CODE_SIGNATURE` with the adhoc flag set (linker-inserted ad-hoc signature, identifier `gururmm_agent-51a9f25b57c13649`). An ad-hoc-signed arm64 binary satisfies Apple Silicon's AMFI and runs — the SIGKILL/unsigned theory was wrong. All six linked dylibs are stock system frameworks. + +**Real root cause found in source:** The server's enrollment endpoint (`server/src/api/enroll.rs`, line 29) types `EnrollRequest.site_id` as `uuid::Uuid` — it requires a UUID. The macOS install script (`/install/GREEN-FALCON-7214/macos`) writes the site **code** string `GREEN-FALCON-7214` into `/usr/local/etc/gururmm/site.plist` as `site_id`. The agent reads that and POSTs `site_id: "GREEN-FALCON-7214"` to `/api/enroll`, which fails UUID deserialization (HTTP 422) — enrollment retries forever, agent never connects. The "file not found" symptom Howard observed is a secondary effect: `config.rs::default_config_path()` has no macOS branch, so a manual `gururmm-agent run` with no readable plist falls back to the Linux path `/etc/gururmm/config.toml` (does not exist on macOS). + +**Correct site UUID for Rednour Main:** `c7f5787c-8e71-45b3-841f-fa52436f7d26` (confirmed via RMM API). The `.pkg` postinstall hardcodes `d008c7d4-...` which belongs to a different/test site — do not use. + +**Fix staged:** a self-contained Terminal paste-block was delivered to Howard's Discord DMs that installs the agent, writes `site.plist` with the UUID (not the code), writes the LaunchDaemon, reloads, and verifies. Per Howard's instruction, the wiki, coord todo 6f2d22be, and Mike were NOT updated pending onsite verification. + +### 2026-06-29 — Mac RMM install attempt (still not enrolling) + +**Operator: Howard Enos** (onsite at Rednour). Provided Nick the macOS `curl | sudo bash` one-liner (`/install/GREEN-FALCON-7214/macos`). 
Verified the binary is arm64 Mach-O before handoff. Nick (or someone at the Mac) ran the installer and it reported success. Fleet checks repeated 3x — no macOS agent appeared under Rednour Law Offices. The install script ran the original (unpatched) path and wrote the site CODE (not UUID) to `site.plist`, so the agent retries enrollment forever without connecting. Howard is no longer onsite and does not have the user's Mac password. + +Mike was flagged via Discord DM (message_id 1521264675965374656) that the macOS installer has an enrollment issue; asked whether he has another M1/Apple Silicon Mac to test. Next step: run foreground `sudo /usr/local/bin/gururmm-agent` on the Mac to capture the connect/enroll error, and overwrite `site.plist` with the UUID fix. + +**Install page note:** The public install page `/install/GREEN-FALCON-7214` shows only Windows and Linux download buttons — no Mac button. The macOS path is the `curl | sudo bash` one-liner at `/install/GREEN-FALCON-7214/macos`. ### 2026-06-29 — LEGALASST (legal assistant / "Emma") explorer hang on .zip + WordPerfect 5 save error; Win11 upgrade planned -**Operator: Howard Enos** (reported via Carrie). The legal assistant's workstation -**LEGALASST** (Carla Skinner's box; active local account `emma`, profile `C:\Users\Ale`, -OneDrive `carla@rednourlaw.com`) repeatedly hung explorer when opening files. Diagnosed live -over GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`). +**Operator: Howard Enos** (reported via Carrie). The legal assistant's workstation **LEGALASST** (Carla Skinner's box; active local account `emma`, profile `C:\Users\Ale`, OneDrive `carla@rednourlaw.com`) repeatedly hung explorer when opening files. Diagnosed live over GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`). -- **explorer HANGS, not crashes** — AppHang Event 1002 (no Event 1000 / faulting module); - ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot. 
-- **Root cause: the built-in Windows Compressed Folders handler** (explorer's zip-as-folder - namespace). Symptom narrowed to **opening `.zip` only** (Word/PDF/folders fine), and the - failing zip is **local (desktop)** — not OneDrive, not a network share. `zipfldr.dll` is - intact + validly signed, so the hang is environmental, not a corrupt handler DLL. -- **Ruled out:** Adobe shell extensions (blocked/tested via the Microsoft `Shell Extensions\ - Blocked` list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but - zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z → - `\\rednourcarrievirt` (Status OK, SMB healthy); `.NET Runtime 1022` "profiling API attach" - (201 events but no `COR_PROFILER` set — benign noise). -- **SFC** (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a - reboot to load. -- **Workaround:** Howard installed **7-Zip 26.02** (`C:\Program Files\7-Zip\7zFM.exe`); it - opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for - `.zip` (and `.7z`/`.rar`, currently unassociated). `.zip` had no UserChoice; 7-Zip only - registered a `7-Zip.iso` ProgId on install. -- **Second issue (same machine): WordPerfect 5 "not enough free space" on save** regardless - of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/ - DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value - overflows → false "disk full"). App-level; **the OS upgrade will not fix it**. Mitigate via - DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs - Windows) to be confirmed. -- **Plan: upgrade LEGALASST to Windows 11** — expected to resolve the zip-handler hang by - rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local - `.zip` with the *built-in* handler post-upgrade. 
If the hang persists, next lead is Defender - archive-scan + cloud (MAPS) lookup stalling the shell. +- **explorer HANGS, not crashes** — AppHang Event 1002 (no Event 1000 / faulting module); ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot. +- **Root cause: the built-in Windows Compressed Folders handler** (explorer's zip-as-folder namespace). Symptom narrowed to **opening `.zip` only** (Word/PDF/folders fine), and the failing zip is **local (desktop)** — not OneDrive, not a network share. `zipfldr.dll` is intact + validly signed, so the hang is environmental, not a corrupt handler DLL. +- **Ruled out:** Adobe shell extensions (blocked/tested via the Microsoft `Shell Extensions\Blocked` list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z -> `\\rednourcarrievirt` (Status OK, SMB healthy); `.NET Runtime 1022` "profiling API attach" (201 events but no `COR_PROFILER` set — benign noise). +- **SFC** (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a reboot to load. +- **Workaround:** Howard installed **7-Zip 26.02** (`C:\Program Files\7-Zip\7zFM.exe`); it opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for `.zip` (and `.7z`/`.rar`, currently unassociated). `.zip` had no UserChoice; 7-Zip only registered a `7-Zip.iso` ProgId on install. +- **Second issue (same machine): WordPerfect 5 "not enough free space" on save** regardless of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value overflows -> false "disk full"). App-level; **the OS upgrade will not fix it**. Mitigate via DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs Windows) to be confirmed. 
+- **Plan: upgrade LEGALASST to Windows 11** — expected to resolve the zip-handler hang by rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local `.zip` with the *built-in* handler post-upgrade. If the hang persists, next lead is Defender archive-scan + cloud (MAPS) lookup stalling the shell. -All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an -orphaned RMM diagnostic process killed) — the box was left clean. +All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an orphaned RMM diagnostic process killed) — the box was left clean. ## Patterns & Known Issues 
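Review bot: `The .pkg postinstall hardcodes d008c7d4-... which belongs to a different/test site — do not use` is a shipped defect, not just a local caveat: any Mac installed from that package would enroll into the wrong site, so it belongs in the code-fix list handed to Mike (next to the site-code-vs-UUID and `default_config_path()` items) and in coord todo 6f2d22be, not only as a wiki warning. The 2026-06-29 entry should also say why the one-liner already known to write the site CODE was given to Nick instead of the staged paste-block, since that is why the visit produced no enrollment. Minor: `server/src/api/enroll.rs, line 29` will go stale; cite the field (`EnrollRequest.site_id: uuid::Uuid`) and a commit instead.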
@@ -229,22 +247,15 @@ orphaned RMM diagnostic process killed) — the box was left clean. - **Stale-pin shadowing pattern:** `IPF.Contact.MOC.QuickContacts` folder entries override the GAL for display-name resolution in Outlook/Teams. If any user reports a renamed sender still showing the old name, run the EWS contact-folder sweep against that user's mailbox. - **emma@ alias is live by design.** Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it. - **No MDE license — skip Defender tier.** Defender Add-on is consented but ATP endpoints 650052. Do not attempt Defender-tier calls for this tenant. -- **Prior MSP agents still installed.** ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-02. -- **macOS RMM agent won't run on Apple Silicon if unsigned.** The site-code installer serves an unsigned aarch64 binary; Apple Silicon SIGKILLs unsigned Mach-O. Until the server publishes a signed/notarized build (`build-macos-signed.sh`), Apple Silicon Mac enrollment fails (blocks Nick's Mac; same root issue likely affects Scileppi's Mac). -- **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan OS upgrade to Win 11 or Win 10 newer build. +- **Prior MSP agents still installed.** ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-29. +- **macOS RMM agent installs but does not enroll (site code vs UUID bug).** The macOS install script writes the site enrollment CODE (`GREEN-FALCON-7214`) into `site.plist` as `site_id`. The server's `EnrollRequest.site_id` is typed `uuid::Uuid` — posting the code string causes a 422 UUID deserialization error; the agent retries enrollment forever without connecting. Fix: overwrite `site.plist` with the site UUID `c7f5787c-8e71-45b3-841f-fa52436f7d26` and reload the LaunchDaemon. 
The paste-block fix was delivered to Howard's Discord DMs (2026-06-26) but has not been applied to Nick's Mac (blocked: no onsite access + no Mac password as of 2026-06-29). Root code fix for Mike: either the install script should stamp the UUID (like the `.pkg` postinstall), or `/api/enroll` should accept a site code. Secondary: add a macOS branch to `default_config_path()` in `agent/src/config.rs`. Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm). +- **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan OS upgrade to Win 11. - **REDNOURCARRIEVI: Defender was off at onboarding.** Confirm it has been re-enabled; it is a critical finding. -- **LEGALASST: built-in Compressed Folders handler hangs explorer on `.zip` open.** Local zips; - Word/PDF fine. `zipfldr.dll` intact (environmental, not a corrupt DLL). AppHang Event 1002, - no faulting module. Workaround = 7-Zip as default for `.zip`. Win11 upgrade planned to - resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup - stalling the shell. To test-disable any shell extension reversibly, add its CLSID to - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (delete to restore). -- **LEGALASST: WordPerfect 5 "not enough free space" on save** despite verified free space and - regardless of save location. Likely legacy free-space overflow on large-capacity volumes; - **OS upgrade will not fix it**; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP - version/edition. -- **`.NET Runtime 1022` "profiling API attach" errors are noise** unless a `COR_PROFILER` env - var is actually set — do not chase them as a hang cause. +- **REDNOURCARRIEVI: RDP enabled without NLA at onboarding.** Restrict RDP to VPN-only or require NLA. +- **LEGALASST: built-in Compressed Folders handler hangs explorer on `.zip` open.** Local zips; Word/PDF fine. `zipfldr.dll` intact (environmental, not a corrupt DLL). 
AppHang Event 1002, no faulting module. Workaround = 7-Zip as default for `.zip`. Win11 upgrade planned to resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup stalling the shell. To test-disable any shell extension reversibly, add its CLSID to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (delete to restore). +- **LEGALASST: WordPerfect 5 "not enough free space" on save** despite verified free space and regardless of save location. Likely legacy free-space overflow on large-capacity volumes; **OS upgrade will not fix it**; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP version/edition. +- **`.NET Runtime 1022` "profiling API attach" errors are noise** unless a `COR_PROFILER` env var is actually set — do not chase them as a hang cause. +- **Plaintext local-account passwords in Syncro customer notes.** Accounts `carrie` and `ale` appear in Syncro notes in plaintext — vault migration pending. Do not rely on Syncro notes as the authoritative credential store for these accounts. ## Active Work / Open Items 
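Review bot: `Restrict RDP to VPN-only or require NLA` offers the two as alternatives, but NLA is a one-value change (`UserAuthentication=1` on the `RDP-Tcp` WinStation key) with no access impact for current Windows clients, and the box is already reachable off-LAN on ZeroTier (10.147.17.253 per the File Shares section), so both are needed. Suggest `require NLA and restrict RDP to the ZeroTier/VPN interface`, and mirror the wording in the matching P3 row.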
@@ -252,18 +263,22 @@ orphaned RMM diagnostic process killed) — the box was left clean. |---|---|---|---| | P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state | | P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only | -| P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) | -| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | 2026-06-29: expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local `.zip` with the built-in handler post-upgrade | +| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | Expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local `.zip` with the built-in handler post-upgrade | +| P1 | Upgrade REDNOURCARRIEVI to a supported OS | Mike | Win 10 22H2 (EOL 2025-10-14) | +| P1 | Fix GuruRMM macOS agent enrollment on Nick's Apple Silicon Mac | Howard/Mike | Agent installs but does not enroll. Root cause: install script writes site CODE not UUID; server expects UUID. Fix = overwrite `/usr/local/etc/gururmm/site.plist` with `site_id = c7f5787c-8e71-45b3-841f-fa52436f7d26` and reload LaunchDaemon. Paste-block delivered to Howard's Discord DMs (2026-06-26). Blocked: need onsite access + Mac password. Code fix for Mike: enroll.rs accept site code OR install script stamp UUID. 
Coord todo 6f2d22be | +| P1 | Vault migration of plaintext local-account passwords in Syncro customer notes | Howard/Mike | Accounts carrie, ale; not yet vaulted | | P2 | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: error on save regardless of location; ample free space verified. Likely legacy free-space overflow on large volume; OS upgrade will NOT fix. Mitigate via DOSBox / SUBST small-capacity drive; confirm WP version/edition | | INTERIM | LEGALASST: set 7-Zip as default for `.zip`/`.7z`/`.rar` | Howard | 2026-06-29: 7-Zip 26.02 installed as workaround for the built-in zip-handler hang; set defaults via 7-Zip GUI (Tools -> Options -> System) | -| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` | -| P1 | Fix GuruRMM macOS agent install on Nick's Apple Silicon Mac | Howard/Mike | 2026-06-25 install failed. Likely cause: served aarch64 binary is **unsigned** -> Apple Silicon SIGKILLs it. Fix: serve the signed+notarized binary (`agent/build-macos-signed.sh`, Mike's Developer ID) or ad-hoc `codesign -s -` in the installer. Confirm with Mac log (`killed: 9`). 
Deferred (limited ScreenConnect session only) | | P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch | -| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Resolved ticket | +| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Invoiced ticket; additional onsite labor from 2026-06-25 SMB share work deferred by Howard | | P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding | +| P2 | Confirm Nick's Mac is actually `DUXs-Mac-Studio` | Howard | ScreenConnect shows this name; "Dux" username may indicate it's not Nick's machine — verify before enrolling | | P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment | | P3 | emma@ alias — revisit if firm wants it decommissioned | Mike | Retained by design; currently serves as Carla's legacy address | +| P3 | Security cleanup: over-broad Everyone=Full SMB shares on REDNOURCARRIEVI | Howard | Time Matters Shared Files, Program Files sage, Users shares | +| P3 | Fix REDNOURCARRIEVI RDP: require NLA or restrict to VPN | Howard | RDP open without NLA at onboarding | +| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` | ## Backlinks -- [[projects/gururmm]] — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office) +- [[projects/gururmm]] — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office); macOS enrollment code-vs-UUID bug (coord todo 6f2d22be) diff --git a/wiki/index.md b/wiki/index.md index 671da9b6..9a6adead 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -31,7 +31,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Grabb & Durando Law Office](clients/grabb-durando.md) | Personal injury law firm; GND-SERVER GuruRMM enrolled; AI demand review app scoped ($4K–$7K); website migration pending; plaintext DB password in README needs vaulting | 2026-05-24 | | [Pavon](clients/pavon.md) | Former/archive client; GeoVision NVR surveillance; OwnCloud at 172.16.3.22 backed by Uranus; cron stacking fixed; Nextcloud migration deferred 3–6 months | 2026-05-24 | | [Rieusset Corp (Tom Sorensen)](clients/rieusset-corp.md) | Small business; email hosted on Neptune Exchange (4 mailboxes: tsorensen, tomrc, ojodeagua, csorensen @rieussetcorp.com); Mailprotector domain ID 57833; outbound via SBR Outbound.Sorensen connector; clipto.com allow rule added 2026-06-08 | 2026-06-08 | -| [Rednour Law Offices](clients/rednour.md) | Law firm; M365 rednourlaw.com (tenant 4a4ca18a) fully onboarded 2026-05-31; all 5 ComputerGuru SPs consented; no MDE license; 3 workstations GuruRMM enrolled (FRONTDESKRECEPT/LEGALASST/REDNOURCARRIEVI); Carla Skinner renamed from Emma; prior MSP agents (ScreenConnect/Splashtop/Datto) still present; shared-drive access for Nick Pafford deferred | 2026-06-02 | +| [Rednour Law Offices](clients/rednour.md) | Law firm (break-fix/T&M, prepay 0); M365 rednourlaw.com (tenant 4a4ca18a) onboarded, 5 ComputerGuru SPs consented, no MDE license; 3 Win workstations GuruRMM-enrolled (all RED, prior MSP agents pending removal); REDNOURCARRIEVI hosts the firm's peer-to-peer SMB shares (Nick's Mac access done 2026-06-25); **LEGALASST explorer hangs on .zip open (built-in Compressed Folders handler) — 7-Zip workaround + Win11 upgrade planned**; WordPerfect 5 "not enough free space" save error (legacy large-volume bug, OS upgrade won't fix); macOS RMM agent installs but won't enroll (site code-vs-UUID bug, fix staged, coord 6f2d22be); plaintext local-account creds from Syncro notes vaulted 
(clients/rednour/local-accounts) | 2026-06-29 | | [Peaceful Spirit Therapeutic Massage](clients/peaceful-spirit.md) | Massage therapy practice; PST-SERVER (192.168.0.2) + 5 GuruRMM agents; L2TP/IPsec RRAS VPN complete; 2026-06-04 site-wide outage resolved (UDR Ultra reboot dropped VPN port-forward, re-added in controller); BridgettePSHomeComputer re-enrolled (new UUID 01160fc8); vault drift open (pst-admin password); Syncro 278525 (Peaceful Spirit Massage) | 2026-06-04 | | [Patriot Internal Medicine](clients/patriot-internal-medicine.md) | Medical practice, two locations (Tucson + Sonoita); GuruRMM client+sites provisioned 2026-06-18 (Tucson: NORTH-WOLF-6270, Sonoita: LIGHT-HARBOR-9617); no agents deployed yet; enrollment keys vaulted; infrastructure discovery pending | 2026-06-18 | | [Sombra Residential LLC](clients/sombra-residential.md) | Property management; Server2013 (actually WS2012 EOL, unpatched) + DESKTOP-UQRN4K3 GuruRMM enrolled; Transwiz migration artifacts cause Office credential prompts | 2026-05-24 |
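Review bot: in the rednour.md hunk, the new P1 row "Vault migration of plaintext local-account passwords in Syncro customer notes" states the carrie and ale accounts are "not yet vaulted", which contradicts the index.md hunk in this same change that reports those creds as "vaulted (clients/rednour/local-accounts)"; reconcile before merging by either marking the row DONE with the vault path or removing the "vaulted" claim from the index summary. Secondary point on the replaced macOS row: it drops the 2026-06-25 unsigned-binary/SIGKILL hypothesis without saying it was ruled out; a short clause such as "supersedes the 06-25 unsigned-binary theory, binary runs per 06-26 rootcause log" keeps the diagnostic history traceable, and the row should say which of the two listed code fixes (enroll.rs accepting a site code vs the install script stamping the UUID) is the one Mike is expected to ship, since only the server-side change covers installs already in the field.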
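Review bot: the index.md hunk's Rednour summary says the plaintext local-account creds from Syncro notes were "vaulted (clients/rednour/local-accounts)", while the rednour.md hunk keeps that work as an open P1 "not yet vaulted"; the index row should mirror the client page's status rather than assert completion. Also, "all RED" in "3 Win workstations GuruRMM-enrolled (all RED, ...)" is undefined in this table (no other row uses it); spell out what RED denotes or drop it so the summary stays readable without the client page.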