azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-05-05 15:00:22

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-05 15:00:22
This commit is contained in:
Howard Enos
2026-05-05 15:00:22 -07:00
parent b6eb59e8ed
commit 45ec03b447
3 changed files with 317 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
clients/cascades-tucson/session-logs/2026-05-05-howard-chef-pc-slow-and-mdirector-ram.md Normal file
View File

@@ -0,0 +1,170 @@
# Cascades — CHEF-PC Slow Diagnosis + MDIRECTOR-PC RAM Plan
**Date:** 2026-05-05
**Client:** Cascades of Tucson (Syncro 20149445)
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
- **Session span:** afternoon, single thread
## Session Summary
Howard inquired about upgrading the RAM on two workstations, MDIRECTOR-PC and CHEF-PC, both Acer Aspire C24-865 AIOs with Intel i5-8250U CPUs. After reviewing documentation and confirming hardware specifications, it was determined that MDIRECTOR-PC required a 2x 4GB DDR4-2400 SODIMM upgrade, while CHEF-PC already had 12 GB and would not benefit from an 8 GB upgrade. Howard then shifted focus to CHEF-PC, which was experiencing performance issues. An audit of the GuruRMM enrollment revealed that CONTEXT.md was outdated, with 30 agents enrolled, not two. CHEF-PC was confirmed enrolled with agent ID `a2cedfea-8239-4cab-bff7-54d99c417ed1`. Remote diagnostics identified storage subsystem saturation due to concurrent agent activity. Five agent stacks were running simultaneously, including Datto RMM, Syncro RMM, GuruRMM, Datto AV, and Infocyte EDR, all contributing to high CPU and storage load. The workstation also had asymmetric RAM and a Patriot P210 SSD with partition and performance issues.
## Key Decisions
- **RAM upgrade only on MDIRECTOR-PC.** CHEF-PC already had 12 GB, making an 8 GB upgrade a downgrade.
- **Prioritize matched DDR4-2400 SODIMM pair for MDIRECTOR-PC.** Ensures dual-channel performance for the iGPU.
- **Remote diagnostics first, no changes.** Avoided unnecessary onsite work by identifying the root cause of CHEF-PC's slowness through API and PowerShell commands. Per Howard's instruction, no remediation was applied.
- **Keep ScreenConnect, plan removal of other remote tools.** Maintained ACG standard while flagging non-essential tools for removal.
- **Defer SSD replacement.** Postponed until after agent cleanup to avoid premature hardware replacement.
## Problems Encountered
- **Outdated CONTEXT.md.** Listed only 2 enrolled agents at Cascades; actual count is ~30 (enrolled 2026-04-18). Resolved by cross-referencing the GuruRMM admin API directly.
- **Concurrency of agent stacks.** Five RMM/EDR agents caused storage and WMI subsystem saturation. Identified the stacks and provided a removal sequence for onsite work.
- **Asymmetric RAM configuration.** Split 8 GB + 4 GB modules cause effectively single-channel access for the upper 4 GB band. Documented as secondary issue.
- **Patriot P210 SSD limitations.** Known SLC-cache exhaustion under sustained writes plus partition geometry (only half the disk allocated). Recommended C: partition extension; SSD replacement deferred.
- **`Get-StorageReliabilityCounter` hang during diagnostics.** Cmdlet ran for 75+ s while a parallel trivial PowerShell command round-tripped in 4 s on the same agent. Switched to `Win32_DiskDrive` + `Get-PhysicalDisk` (without reliability counter) to gather hardware data. The hang itself is diagnostic evidence of storage-stack saturation.
## Configuration Changes
None. Read-only diagnostics only on CHEF-PC. No remediation performed.
## Credentials & Secrets
- GuruRMM dashboard admin: `admin@azcomputerguru.com` / `GuruRMM2025` — vault `projects/gururmm/dashboard.sops.yaml`
- GuruRMM JWT issued during this session (~24h life): see vault for canonical credential, do not paste tokens to logs
## Infrastructure & Servers
### GuruRMM
- API (external): `https://rmm-api.azcomputerguru.com`
- API (internal): `http://172.16.3.30:3001`
- Dashboard: `https://rmm.azcomputerguru.com`
- POST endpoint for remote command execution: `POST /api/agents/{agent_id}/command` with body `{"command":"<script>","command_type":"powershell"}` — note the field is **`command`**, NOT `command_text` (latter is the GET response field). Schema validation returns 422 if you use the wrong field name.
- GET command result: `GET /api/commands/{command_id}` — returns `status`, `exit_code`, `stdout`, `stderr`, `started_at`, `completed_at`.
- `command_type` accepts `powershell` or `shell`.
### Cascades GuruRMM enrollment (corrected)
Site: CascadesTucson `c157c399-82d3-4581-979a-b9fad70f4fef`
Client: Cascades of Tucson `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`
~30 agents online as of 2026-05-05, including:
- ACCT2-PC, ANN-PC, ASSISTMAN-PC, ASSISTNURSE-PC, **CHEF-PC** `a2cedfea-8239-4cab-bff7-54d99c417ed1`, CRYSTAL-PC, CS-SERVER, DESKTOP-DLTAGOI, DESKTOP-H6QHRR7, DESKTOP-KQSL232, DESKTOP-LPOPV30, DESKTOP-MD6UQI3, DESKTOP-ROK7VNM, DESKTOP-TRCIEJA, DESKTOP-U2DHAP0, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop2, Laptop4, MAINTENANCE-PC, **MDIRECTOR-PC** `018663fc-c676-4374-8c10-086a47d034eb`, MEMRECEPT-PC, NurseAssist, NURSESTATION-PC, RECEPTIONIST-PC, SALES4-PC.
`clients/cascades-tucson/CONTEXT.md` "Agents currently enrolled" table needs updating — currently lists only DLTAGOI and CS-SERVER.
### CHEF-PC inventory (live, 2026-05-05)
- **Manufacturer/Model:** Acer / Aspire C24-865
- **OS:** Windows 11 Pro 25H2 (10.0.26200), installed 2024-12-14
- **Last boot:** 2026-05-04 07:24 (uptime 26.5 h at sample)
- **CPU:** Intel i5-8250U (4C/8T)
- **RAM total:** 11.92 GB — **asymmetric**:
- DIMM1: 4 GB SK Hynix `HMA851S6CJR6N-VK` DDR4-2667
- DIMM2: 8 GB SK Hynix `HMA81GS6CJR8N-VK` DDR4-2667
- **Disk:** Patriot P210 512GB, firmware HT5710A1, IDE/SATA, "OK"
- **Partition:** C: NTFS 222.3 GB / 91.3 GB free — **only half of the 477 GB SSD is allocated**
- **Network:** Ethernet 10.0.20.232/24 (DHCP) — internal VLAN
- **Public IP:** 184.191.143.62
- **Logged-in user:** Administrator (idle 26+ h, matches uptime)
### MDIRECTOR-PC reference (from 2026-03-20 audit)
- **Model:** Acer Aspire C24-865 AIO (same chassis as CHEF-PC)
- **CPU:** Intel i5-8250U
- **RAM:** 3.9 GB (single 4GB stick)
- **OS:** Windows 11 Home 25H2 — cannot domain join
- **Agent ID:** `018663fc-c676-4374-8c10-086a47d034eb`
## Commands & Outputs
### GuruRMM API discovery
```bash
# Login
curl -X POST https://rmm-api.azcomputerguru.com/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"admin@azcomputerguru.com","password":"GuruRMM2025"}'
# Returns {token, user{}}
# List agents (filter to a site)
curl -H "Authorization: Bearer $TOKEN" \
"https://rmm-api.azcomputerguru.com/api/agents?site_id=c157c399-82d3-4581-979a-b9fad70f4fef"
# Run command (note: field is "command", not "command_text")
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"command":"Write-Output PROBE_OK","command_type":"powershell"}' \
"https://rmm-api.azcomputerguru.com/api/agents/$AGENT_ID/command"
# Fetch result
curl -H "Authorization: Bearer $TOKEN" \
"https://rmm-api.azcomputerguru.com/api/commands/$COMMAND_ID"
```
### CHEF-PC top processes by CPU time (since boot 26.5 h ago)
```
SyncroLive.Agent.Runner 2124 s Syncro RMM
services 1850 s Windows
WmiPrvSE 1720 s WMI provider (driven by RMM agent inventory scans)
svchost (5124) 1518 s Windows
endpointprotection 1153 s Datto AV
infocyte agent 810 s Datto EDR
Splashtop SRAgent 543 s Splashtop remote
Datto AEMAgent 290 s Datto RMM
```
### CHEF-PC concurrent agent / remote-access stacks discovered
| Stack | Processes |
|---|---|
| Datto RMM (CentraStage) | AEMAgent, CagService, RMM.WebRemote |
| Syncro RMM | Syncro.Service.Runner, SyncroLive.Agent.Runner, SyncroLive.Service.Runner, Syncro.Overmind.Service |
| GuruRMM (ours) | GuruRMMAgent |
| Datto AV | endpointprotection (EndpointProtectionService) |
| Datto EDR / Infocyte | agent.exe, RWDWrapper, HUNTAgent service |
| Splashtop | SRAgent, SRService, SRManager |
| ScreenConnect | ScreenConnect.ClientService (`1912bf3444b41a08`) |
| Dropbox | DbxSvc + 2 stopped DropboxUpdater services |
| Synology Drive | Synology Drive VSS Service x64 |
## Pending / Incomplete Tasks
### MDIRECTOR-PC (Howard buying parts)
- [ ] Order **2x 4GB DDR4-2400 SODIMM 260-pin 1.2V** (Crucial CT4G4SFS824A, Kingston KVR24S17S6/4, or kit Crucial CT2K4G4SFS824A)
- [ ] Onsite RAM swap (replace existing 1x 4GB with matched 2x 4GB pair for dual-channel)
- [ ] Verify with `Get-CimInstance Win32_PhysicalMemory` post-swap
- [ ] Uninstall disabled COMODO Antivirus
- [ ] Plan Win 11 Home -> Pro upgrade (so it can domain-join)
- [ ] Remove old user profile `Anna Pitzlin` (last login 2025-06-26)
### CHEF-PC (onsite remediation, deferred)
- [ ] Confirm with Mike that GuruRMM is canonical RMM going forward at Cascades
- [ ] Uninstall in order, reboot between each: Syncro stack -> Datto RMM -> Infocyte / Datto EDR -> Datto AV (verify Defender first) -> Splashtop -> Norton Security Scan
- [ ] Confirm Dropbox usage with chef Ramon Castaneda / Michael Sabia before removing
- [ ] Extend C: partition to consume the unallocated ~254 GB (use `Resize-Partition -DriveLetter C -Size <max>`)
- [ ] Optional: rebalance RAM to matched 2x 8GB or 2x 4GB for full dual-channel
- [ ] Re-test after cleanup; if still slow, plan Samsung 870 EVO 500GB or WD Blue SA510 clone-and-swap (P210 is junk-tier)
- [ ] Disable RDP (audit notes it's enabled with NLA — not needed on a chef workstation)
- [ ] Enable BitLocker
- [ ] Enable screen lock policy
### Fleet-wide (flag for Mike)
- [ ] Previous-MSP cruft cleanup is **not unique to CHEF-PC** — every Cascades workstation onboarded into GuruRMM since 2026-04-18 likely still has Datto RMM + Syncro + Infocyte + Splashtop running. This is a fleet cleanup project, not a one-machine fix. Strategy + ordering decision needed.
### Documentation
- [ ] Update `clients/cascades-tucson/CONTEXT.md` "Agents currently enrolled" section. Current text says 2 agents (DLTAGOI, CS-SERVER); reality is ~30 since 2026-04-18.
## Reference Information
### Vault paths
- `projects/gururmm/dashboard.sops.yaml` — admin login
- `projects/gururmm/api-server.sops.yaml` — JWT secret (server-side)
- `clients/cascades-tucson/gururmm-site-main.sops.yaml` — Cascades enrollment key
### URLs
- GuruRMM dashboard: https://rmm.azcomputerguru.com
- GuruRMM API: https://rmm-api.azcomputerguru.com
- ScreenConnect (ACG standard): see infrastructure vault `msp-tools/screenconnect.sops.yaml`
### File paths
- Cascades workstation inventory (audit 2026-03-20): `clients/cascades-tucson/docs/workstations.md`
- Cascades context (out of date): `clients/cascades-tucson/CONTEXT.md`
- Diagnostic helper used this session: `C:/Users/Howard/AppData/Local/Temp/run-cmd.py` (sends PS scripts to GuruRMM agent and polls for result)
### Note for Mike
**Fleet-wide MSP cleanup decision needed.** Every Cascades workstation we onboarded into GuruRMM since 2026-04-18 still has the previous MSP's Datto RMM, Datto AV, Datto EDR (Infocyte), Syncro RMM, and Splashtop running concurrently with our agent. CHEF-PC is the visible symptom — five RMM/EDR stacks plus three remote-access tools running simultaneously, with `SyncroLive.Agent.Runner` alone consuming 35+ minutes of CPU time and `WmiPrvSE` saturated. Before I scrip a fleet uninstall, need confirmation: (1) is GuruRMM the canonical RMM going forward? (2) Datto AV out, Defender in? (3) Are we still under contract on any of the Datto/Syncro tooling we'd be ripping out? Will scope this onsite workstation by workstation, but the fix is fleet-wide, not just CHEF-PC.

102
clients/cascades-tucson/session-logs/2026-05-05-howard-zachary-nelson-onboarding.md Normal file
View File

@@ -0,0 +1,102 @@
# Cascades — Zachary Nelson onboarding (Accounting Assistant)
**Date:** 2026-05-05
**Tenant:** cascadestucson.com (`207fa277-e9d8-4eb7-ada1-1064d2221498`)
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Summary
Created new M365 account for Zachary Nelson (Accounting Assistant) via the remediation-tool `user-manager` tier. Assigned Microsoft 365 Business Premium (SPB) license. Random initial password issued; user must change at first sign-in.
## Account details
| Field | Value |
|---|---|
| Display name | Zachary Nelson |
| UPN | zachary.nelson@cascadestucson.com |
| Object ID | b17a4645-01f7-4c0e-be1b-563d405867a2 |
| Job title | Accounting Assistant |
| Usage location | US |
| Account enabled | true |
| Created | 2026-05-05T16:42:24Z |
| License | SPB (`cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`) — Microsoft 365 Business Premium |
| forceChangePasswordNextSignIn | true |
## License selection rationale
Tenant has two coexisting Business-tier subs:
- **SPB** — 34 prepaid, 2 consumed pre-creation (32 free) — active subscription with Defender for Business + Intune + AAD P1
- **O365_BUSINESS_PREMIUM (Business Standard, legacy)** — 0 prepaid, 32 consumed — what existing users (e.g. Allison Reibschied) still have; appears mid-migration
Mike chose SPB for Zachary. Other recent users may need to be migrated to SPB to drop the legacy SKU; tracked as a follow-up below.
## Operations performed
1. Acquired `investigator` token for read-only checks (license inventory, naming convention, dup check).
2. Acquired `user-manager` token for write ops.
3. `POST /v1.0/users` with passwordProfile.forceChangePasswordNextSignIn=true.
4. `POST /v1.0/users/{id}/assignLicense` with addLicenses=[SPB], removeLicenses=[].
5. Re-read user — confirmed accountEnabled=true, usageLocation=US, assignedLicenses=[SPB].
## Not done (deferred — confirm scope with Mike)
- **Manager assignment** — none set (need name from accounting team lead, e.g. Meredith Kuhn or whoever runs accounting).
- **Group memberships** — no groups added. Sample peers in the tenant have either no groups or `Managers`. Will follow up on which CA / mail / Teams groups Accounting normally joins.
- **MFA enrollment** — handled at first sign-in by tenant CA policy; nothing pre-staged here.
- **On-prem AD account / mailbox folder redirection / homes share** — Cascades is mid Entra Connect staging-mode rollout; new cloud-only users don't get on-prem AD provisioning yet. If Zachary needs domain-joined workstation access, on-prem account + folder-redirection OU placement is a separate task.
- **License migration tracking** — 32 users still on legacy O365_BUSINESS_PREMIUM SKU (zero prepaid). Worth a sweep to migrate everyone to SPB and clean up the overage.
## Password handoff
Initial password delivered to Mike in chat (one-time). Not committed to repo. User will change at first sign-in.
## Verification (M365)
```
GET /v1.0/users/b17a4645-01f7-4c0e-be1b-563d405867a2
{
"userPrincipalName": "zachary.nelson@cascadestucson.com",
"displayName": "Zachary Nelson",
"jobTitle": "Accounting Assistant",
"accountEnabled": true,
"usageLocation": "US",
"createdDateTime": "2026-05-05T16:42:24Z",
"assignedLicenses": [{"skuId":"cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"}]
}
```
## On-prem AD account (cascades.local)
Created via GuruRMM remote PowerShell on CS-SERVER (agent `6766e973-e703-47c1-be56-76950290f87c`). Mirrored Allison Reibschied's setup exactly per Mike's instruction.
| Field | Value |
|---|---|
| sAMAccountName | Zachary.Nelson |
| UPN | Zachary.Nelson@cascadestucson.com |
| EmailAddress | Zachary.Nelson@cascadestucson.com |
| DistinguishedName | CN=Zachary Nelson,OU=Administrative,OU=Departments,DC=cascades,DC=local |
| SID | S-1-5-21-388235164-2207693853-3666415804-1208 |
| Created | 2026-05-05 09:57:23 (server local) |
| Enabled | true |
| ChangePasswordAtLogon | true (PasswordExpired=True confirmed) |
| Group memberships | Domain Users only (matches Allison) |
| HomeDirectory / HomeDrive / ProfilePath / ScriptPath | unset (matches Allison — folder redirection is GPO-driven) |
| Title / Department / Office | unset (matches Allison) |
Note: AD UPN suffix is `@cascadestucson.com` (matches Allison's existing config), even though Mike initially said "separate" — pivoted on the second instruction to mirror Allison verbatim. Future Connect sync (when staging mode exits) would soft-match this AD account against the cloud-only M365 account I created earlier today; we'll need to decide soft-match strategy then.
## Shares
Mike will set department share access manually and update us when done. No share or `D:\Homes\Zachary.Nelson` ACLs touched in this session.
## Password handoff
Two separate one-time passwords delivered to Mike in chat:
- M365 cloud account password
- AD domain account password
Neither committed to repo. Both forced to change at first sign-in.

45
clients/stamback-septic/CONTEXT.md Normal file
View File

@@ -0,0 +1,45 @@
# Stamback Septic — Client Context
**Last updated:** 2026-05-05 (Howard)
## Identity
- Business: Stamback Septic
- Syncro customer ID: **11513046**
- Primary contact: Joe Schmuker — accountspayable@fusionsiteservices.com
- Phone: (520) 384-4803 · Mobile: (520) 484-5235
- Address: 8939 South Eisenhower Road, Tucson AZ 85756
- Customer since: 2018-01-09
Possible duplicate Syncro record `34021422` (Joseph Schmuker, no business linked, email `js.stambackseptic@gmail.com`) — not merged. Flag if it shows up in billing/ticket flows.
## GuruRMM
- Client: **Stamback Septic** (code `STAM`, id `b3ba0e60-6132-4403-888b-601054ed4a9a`)
- Site: **StambackSeptic** (code `SOUTH-PHOENIX-4306`, id `0f3abe88-834f-4943-b28f-e97c236a0fea`)
- Agent enrollment key: encrypted at `clients/stamback-septic/gururmm-site-main.sops.yaml` (shown once at creation 2026-05-05; do not regenerate unless compromised)
### Agents enrolled
None yet.
### Agent deployment (ScreenConnect, SYSTEM context)
```powershell
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key 'grmm_vC91v9Rv5FYsVfW4RBWa4UduDsUcW5uc'
```
## Licenses & assets
- Emsisoft License: `PAK-MIV-BAN-843`
## Infrastructure
Not yet documented. Add servers, firewalls, NAS, etc. as discovered.
## Active projects
None.