sync: auto-sync from HOWARD-HOME at 2026-06-09 17:08:26
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-09 17:08:26
@@ -59,6 +59,7 @@
- [Paste-safe command formatting (Howard)](feedback_command_formatting.md) — Two clauses, one root cause: (a) multi-line scripts not semicolon one-liners (wrap breaks paste), (b) all code at column 0 inside fences (indentation breaks PowerShell paste).
- [Autonomous infra/build setup](feedback_autonomous_infra_setup.md) — During infra/build/CI/dev setup, just install prerequisites and push through routine steps; reserve check-ins for genuine decisions (forks, destructive/outward, client/prod).
- [Check patterns before asking](feedback_check_patterns_before_asking.md) — Before asking how to do something repeat-style (sync, save, sweep, billing), study existing artifacts and workflow docs first; reach for similar past artifacts as the template.
- [Cascades scan-to-folder uses svc-scan](feedback_cascades_scan_account.md) — Every scanner->network-folder setup at Cascades reuses the one `svc-scan` AD service account (NTLMv2, vaulted); never make a per-printer scan account.
- [Calibrate effort to stakes](feedback_calibrate_effort_to_stakes.md) — Don't over-verify or over-engineer low-consequence details; confirm the happy path, note the limitation, and take the simplest path (e.g. put the instruction in the prompt) instead of building robust mechanisms.
- [Pricing verification — no guessing](policy_pricing_verification.md) — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess.
- [Client communication tone](feedback_client_tone.md) — How to write client-facing Syncro comments — expert partner, not intake questionnaire.
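Review bot: the new index line (the `Cascades scan-to-folder uses svc-scan` entry) carries only the reuse half of the rule; the memory file it points to also restricts the grant to Modify on the new dropbox subfolder only and says to address the server by IP, and those two details are what make reusing one account tolerable. Suggest extending the summary with "Modify on the dropbox subfolder only; server by IP" so a reader working from the index alone does not grant the account at a share root.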
20
.claude/memory/feedback_cascades_scan_account.md
Normal file
@@ -0,0 +1,20 @@
---
name: Cascades scan-to-folder uses the svc-scan account
description: At Cascades, every scanner→network-folder (scan-to-SMB) setup reuses the single svc-scan AD service account — never create a per-printer/per-folder scan account. Grant svc-scan Modify on the new scan folder and use cascades\svc-scan (NTLMv2) in the device profile.
metadata:
type: feedback
---
Current-state context: [[project_cascades]]. Full setup detail lives in the wiki (Patterns -> File Shares & Scan-to-Folder).
**Rule (Howard, 2026-06-09):** When setting up any scanner / MFP to scan to a network folder at Cascades, **reuse the `svc-scan` AD service account** — do NOT create a new scan account per printer or per folder.
**Why:** One least-privilege, vaulted credential to manage/rotate instead of credentials scattered across many device configs; keeps the stored-in-device credential low-blast-radius and auditable.
**How to apply:**
- Grant `CASCADES\svc-scan` **Modify** on the new scan destination folder (the dropbox subfolder only — least privilege).
- In the device's Scan-to-Network profile: Username `cascades\svc-scan`, Auth Method **NTLMv2**, password from vault `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`).
- Use the **server IP** (e.g. `\\192.168.2.254\...`) not the hostname — VLAN-20 printers may not resolve `CS-SERVER`.
- Remember CS-SERVER cannot reach VLAN-20 printer web UIs (pfSense blocks main-LAN→VLAN20); configure the device from a VLAN-20 PC or onsite. Printer→CS-SERVER:445 is open.
svc-scan: AD account on CS-SERVER (CN=Users, PasswordNeverExpires, CannotChangePassword). First use: Accounting Brother MFC-L8900CDW (10.0.20.220) → `\\CS-SERVER\AcctDept\Scans`, 2026-06-09.
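Review bot: the "Why" line calls the reused account low-blast-radius, but the rule one paragraph up makes `svc-scan` the single credential stored in every MFP's scan profile at the site, so the stored secret is only as protected as the least-protected printer admin UI, and anyone who recovers it from one device gets Modify on every scan dropbox the account has been granted on. That is a defensible trade (one vaulted secret to rotate instead of many scattered ones) but the file should state it as a trade rather than as least privilege, and pair it with the operational consequence: the account is PasswordNeverExpires, so rotation is a manual event that has to touch every device profile. Add a "How to apply" bullet that each new grant and device is appended to the last line of this file (it currently records only the first use, the Accounting Brother), otherwise a rotation will silently break whichever printer was forgotten. Minor: Modify on the dropbox also lets the account read and delete every earlier scan; if the Brother only needs to create files, an ACE limited to create/write (no read, no delete) on `\Scans` would be tighter, though some MFPs verify the write by reading it back, so test before narrowing.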
@@ -0,0 +1,125 @@
# Cascades of Tucson — Session Log 2026-06-09 — Accounting scan-to-folder build
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Set up a scan-to-folder destination for the Cascades accounting team so the Business Office
Brother MFC-L8900CDW (10.0.20.220) can scan documents to a network folder that Lauren Hasselman
and Chris Knight (and, added mid-session, Zachary Nelson) can access. (Continuation of the same
session that earlier reconciled crashed-session billing — see
`2026-06-09-howard-cascades-billing-recovery-wiki.md`.)
Started with read-only discovery on CS-SERVER via GuruRMM. The 2026-03-20 audit was stale; the
live share set is much larger. Found there is no plain "Accounting" file share — the only
accounting file folder is `Company Web Docs\Accounting` buried under the Synology-Drive-synced
`D:\Shares\Main` tree, with a wide-open `Everyone:FullControl` ACL. Confirmed `10.0.20.220` is the
Business Office Brother and that `lauren.hasselman` + `chris.knight` are real AD users. Per Howard's
choices (dedicated clean share, lock to the named users, dedicated scan service account), built a
fresh structure rather than reusing the Synology-synced folder.
Created the service account `svc-scan` (CN=Users, PasswordNeverExpires, CannotChangePassword),
vaulted its password, then created `D:\Shares\Accounting` with inheritance broken and locked to
Lauren/Chris (Modify), and `D:\Shares\Accounting\Scans` adding svc-scan (Modify, writer only). Hit
a name collision: a pre-existing *printer* share named `Accounting` (Canon MF455DW) meant the file
share didn't create and my grants/Everyone-revoke landed on the printer share. Restored the printer
share (re-added Everyone:Read) and created the file share under the non-colliding name `AcctDept`.
Added Zachary Nelson to NTFS + share when Howard asked. Verified svc-scan can SMB-write to
`\\192.168.2.254\AcctDept\Scans` from ACCT2-PC (a VLAN-20 host, proxy for the printer).
Key network finding: CS-SERVER (192.168.2.254, main LAN) cannot reach the VLAN-20 printers —
pfSense blocks main→VLAN20 (80/443/445 all fail to 10.0.20.220). So the Brother WBM must be
configured from a VLAN-20 PC or onsite; the reverse path (printer→CS-SERVER:445) is open, which is
all scanning needs. Gave Howard the exact Brother Scan-to-Network profile values (NTLMv2,
`cascades\svc-scan`, path `\\192.168.2.254\AcctDept\Scans`); Howard configured it and **a test scan
succeeded**. Finally mapped the `\\cs-server\AcctDept` share as persistent per-user drives via RMM
user_session: Lauren got X: (Y: was in use on her box), Zachary got Y: (matching Chris's manual Y:).
Howard set the standing rule that all future Cascades scanner→folder setups reuse `svc-scan`.
## Key Decisions
- **Dedicated clean share over the existing accounting folder.** The real accounting folder
(`Main\Company Web Docs\Accounting`) is Everyone:Full and sits in the Synology-Drive-synced tree
(scans would replicate to the NAS). Built `D:\Shares\Accounting` fresh with a scoped ACL instead.
- **Dedicated `svc-scan` service account** (not a reused user credential) for the printer's stored
SMB auth — least-privilege, vaulted, low blast radius. Howard then made it the standard for ALL
future Cascades scan-to-folder setups (memory: `feedback_cascades_scan_account.md`).
- **File share named `AcctDept`, not `Accounting`** — a printer share already owns "Accounting".
- **svc-scan granted on the `Scans` subfolder only** (not the parent Accounting), relying on default
bypass-traverse so it can reach/write the dropbox without being able to read accounting documents.
- **NTLMv2 (not Auto/Kerberos) in the Brother profile** — the printer can't reach a KDC cleanly
across the VLAN with explicit credentials.
- **Persistent drive maps via RMM user_session** (per logged-in user) rather than GPP — only two
users, both logged in; X:/Y: per free-letter availability.
## Problems Encountered
- **Share name collision with a printer share.** `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess`
silently operated on the existing `Accounting` Canon MF455DW printer share — the file share never
got created and I added stray grants + revoked Everyone on the printer share. Resolved by removing
my grants, re-adding `Everyone:Read` to the printer share, and creating the file share as `AcctDept`.
- **CS-SERVER cannot reach VLAN-20 printers** (pfSense main→VLAN20 block) — can't configure the
Brother WBM from the server. Resolved by validating from / directing config to a VLAN-20 host
(ACCT2-PC); confirmed the needed direction (printer→server:445) is open.
- **UNC backslash mangling in dispatched scripts** (`\\` collapsed to `\`, paths like `C:\192.168...`).
Resolved by building all UNC/path/identity strings from `[char]92` on the server side (per the
known transport quirk) and using mapped drive letters for write tests.
- **PSDrive UNC root tripled the path** on a write test — switched to `net use` + drive letter.
## Configuration Changes
- **CS-SERVER (cascades.local), via GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`:**
- New AD user `svc-scan` (CN=Users; PasswordNeverExpires, CannotChangePassword; Description points to vault).
- New folders `D:\Shares\Accounting` and `D:\Shares\Accounting\Scans`.
- NTFS `D:\Shares\Accounting`: inheritance disabled; SYSTEM + BUILTIN\Administrators = FullControl;
`CASCADES\lauren.hasselman`, `CASCADES\chris.knight`, `CASCADES\zachary.nelson` = Modify. No Everyone.
- NTFS `D:\Shares\Accounting\Scans`: inherits the above + explicit `CASCADES\svc-scan` = Modify.
- New SMB share `AcctDept` → `D:\Shares\Accounting` (Change: lauren/chris/zachary/svc-scan; Full: Admins).
- Removed the earlier interim share+folder `AcctScans` (replaced by the AcctDept structure).
- Restored the `Accounting` (Canon MF455DW) printer share — removed my stray grants, re-added Everyone:Read.
- **DESKTOP-H6QHRR7 (Lauren):** persistent map `X: → \\cs-server\AcctDept` (user_session). Earlier also a Public Desktop shortcut "Accounting Scans" → `\\CS-SERVER\AcctDept\Scans`.
- **ACCT2-PC (Zachary):** persistent map `Y: → \\cs-server\AcctDept` (user_session).
- **DESKTOP-N5G1ROO (Chris):** Y: mapped by Howard manually (not by this session). Public Desktop shortcut pushed earlier.
- **Brother MFC-L8900CDW @ 10.0.20.220:** Scan-to-Network profile created by Howard (see below). Test scan confirmed.
- **Repo:** wiki updated (`wiki/clients/cascades-tucson.md` — Access vault pointer, new "File Shares & Scan-to-Folder" Patterns subsection incl. the svc-scan reuse rule, 2026-06-09 history row). Memory: `feedback_cascades_scan_account.md` + MEMORY.md index line. This session log.
## Credentials & Secrets
- **`svc-scan` / `aPqzfE3Sknm2ZbMwccPHAa9#`** — AD service account, cascades.local, on CS-SERVER.
Vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). Brother SMB auth
username `cascades\svc-scan`. PasswordNeverExpires, CannotChangePassword.
## Infrastructure & Servers
- **CS-SERVER:** 192.168.2.254 (main LAN). Live RMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`.
Share root `D:\Shares`. New: `D:\Shares\Accounting{,\Scans}`, share `\\CS-SERVER\AcctDept`.
- **Brother MFC-L8900CDW (Business Office):** 10.0.20.220 (VLAN 20). WBM `http://10.0.20.220`.
Profile → Network Folder Path `\\192.168.2.254\AcctDept\Scans`, Auth NTLMv2, user `cascades\svc-scan`, PDF Multi-Page.
- **ACCT2-PC:** 10.0.20.209 (VLAN 20, Zachary). RMM agent `da48bfbb-6b00-4bc5-bf03-0a3753362968`. Reaches printer WBM + CS-SERVER:445.
- **Network:** pfSense blocks main-LAN (192.168.2.x) → VLAN 20 (10.0.20.x); CS-SERVER→10.0.20.220:80/443/445 all fail. Printer→CS-SERVER:445 open.
- **Pre-existing collision:** SMB printer share `Accounting` = "Accounting - Canon MF455DW" (LocalsplOnly).
## Commands & Outputs
- svc-scan write test (from ACCT2-PC): mapped `\\192.168.2.254\AcctDept\Scans`, wrote+removed a file, owner returned `CASCADES\svc-scan` → OK.
- Drive maps (user_session, /persistent:yes): Lauren `net use X: \\cs-server\AcctDept`; Zachary `net use Y: \\cs-server\AcctDept` — both "command completed successfully."
- Free-letter logic: `(@("Y","X","W"...) | Where-Object { $inUse -notcontains $_ })[0]` from `Win32_LogicalDisk` DeviceIDs.
- RMM/SMB transport: build UNC + `domain\user` from `[char]92` to survive the JSON/PowerShell backslash collapse.
## Pending / Incomplete Tasks
- **ASSISTNURSE-PC 1.0h onsite billing on #32303** — still paused at preview from earlier today (awaiting Howard's go).
- Optional: force all three accounting drive maps to a single consistent letter (currently Chris Y:, Zachary Y:, Lauren X:).
- Optional: lock down the legacy `Main\Company Web Docs\Accounting` Everyone:Full folder (HIPAA) — separate cleanup, not done.
- The `AcctScans` Public Desktop shortcut on Lauren/Chris points at `\Scans`; the mapped drive points at the `AcctDept` root — both valid, just noting the dual entry points.
## Reference Information
- Share: `\\CS-SERVER\AcctDept` → `D:\Shares\Accounting`; scan dropbox subfolder `\Scans`.
- Printer scan target: `\\192.168.2.254\AcctDept\Scans` (use IP, not hostname — VLAN-20 DNS).
- Vault: `clients/cascades-tucson/svc-scan.sops.yaml`.
- Standing rule: reuse `svc-scan` for all future Cascades scanner→folder setups (`feedback_cascades_scan_account.md`).
- Agents: CS-SERVER `c39f1de7...`, ACCT2-PC `da48bfbb...`, DESKTOP-H6QHRR7 `633458f6...`, DESKTOP-N5G1ROO `205025ee...`.
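Review bot: the Credentials & Secrets section writes the svc-scan password in clear (`svc-scan` / `aPqzfE3Sknm2ZbMwccPHAa9#`) while the memory file and wiki changes in this same commit deliberately point only at `clients/cascades-tucson/svc-scan.sops.yaml`; this is an auto-synced commit, so the value is now in git history on every clone. Drop the literal from the log and keep the vault pointer, and since removing it from the file does not remove it from history, treat the account as exposed: rotate svc-scan, update the vault, and re-enter the new password in the Brother's Scan-to-Network profile (which, per the log's own network finding, has to be done from a VLAN-20 host or onsite). The same log records the account as PasswordNeverExpires, so nothing will force this rotation on its own.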
@@ -197,6 +197,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **M365 sysadmin:** sysadmin@cascadestucson.com — vault: `clients/cascades-tucson/m365-sysadmin.sops.yaml`
- **WiFi CSCNet:** vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`
- **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- **svc-scan (scan-to-folder service account):** vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). AD account on CS-SERVER for the Accounting Brother's SMB scans — see Patterns -> File Shares & Scan-to-Folder.
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
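Review bot: the new svc-scan vault line describes the account as "for the Accounting Brother's SMB scans", but the Patterns subsection this same commit adds makes it the one account for every future scan-to-folder setup at Cascades. Phrase it here as the shared scan-to-folder account (first use: Accounting Brother) so that someone reading only the credentials list does not assume it is printer-specific and create a second one, which is exactly what the new rule forbids.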
@@ -239,6 +240,18 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `<username>=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged).
### File Shares & Scan-to-Folder (Accounting)
- **Accounting department folder + scan dropbox (built 2026-06-09):**
- `D:\Shares\Accounting` on CS-SERVER — inheritance broken; **SYSTEM / BUILTIN\Administrators = Full; `lauren.hasselman`, `chris.knight`, `zachary.nelson` = Modify** (no Everyone). Shared as **`\\CS-SERVER\AcctDept`** (Change: those 3 users + `svc-scan`; Full: Admins).
- **Share is named `AcctDept`, NOT `Accounting`** — a *printer* share named `Accounting` (Canon MF455DW, `LocalsplOnly`) already exists. Do not collide with it: `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess -Name Accounting` will silently hit the printer share. (Happened 2026-06-09; printer share's Everyone:Read was restored.)
- `D:\Shares\Accounting\Scans` — scan dropbox; inherits the 3 users + adds **`CASCADES\svc-scan` = Modify** (least-privilege writer; can't read the rest of Accounting; bypass-traverse lets it reach the subfolder).
- **`svc-scan`** = dedicated AD service account (CN=Users, PasswordNeverExpires, CannotChangePassword) for the Brother's SMB auth. Vault: `clients/cascades-tucson/svc-scan.sops.yaml`.
- **REUSE `svc-scan` for EVERY future scanner→network-folder setup at Cascades** (Howard, 2026-06-09) — do NOT create a per-printer/per-folder scan account. For a new scan destination: grant `CASCADES\svc-scan` Modify on the new scan folder, then enter `cascades\svc-scan` + the vaulted password (NTLMv2) in that scanner's Scan-to-Network profile.
- **Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) — Scan-to-Network profile (working 2026-06-09):** Network Folder Path `\\192.168.2.254\AcctDept\Scans`; **Auth Method NTLMv2** (not Auto/Kerberos — printer can't KDC across VLAN); Username `cascades\svc-scan`; PDF Multi-Page. Configured via the printer WBM (`http://10.0.20.220`), panel: Scan -> to Network.
- **[NETWORK] CS-SERVER cannot reach the VLAN-20 printers** — main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Verified: CS-SERVER -> `10.0.20.220`:80/443/445 all fail. So you **cannot configure a 10.0.20.x printer's web UI from CS-SERVER** — use a VLAN-20 PC's browser (e.g. ACCT2-PC `10.0.20.209`) or go onsite. The reverse (printer -> CS-SERVER:445) **is** open, which is all scan-to-folder needs (svc-scan SMB write verified from ACCT2-PC).
- **Persistent drive maps to `\\cs-server\AcctDept`** (per-user, via RMM `user_session`): Chris (DESKTOP-N5G1ROO) **Y:**, Zachary (ACCT2-PC) **Y:**, Lauren (DESKTOP-H6QHRR7) **X:** (Y: was already in use on hers).
### Conditional Access / Caregiver Policies
- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
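Review bot: the `\Scans` bullet relies on bypass-traverse to let `svc-scan` reach the subfolder with no ACE on the `D:\Shares\Accounting` root; that works only while "Bypass traverse checking" (SeChangeNotifyPrivilege) stays at its default assignment to Everyone on CS-SERVER, and a hardening baseline that strips it will make the Brother's scans fail with an access-denied that looks like a credential problem. State that dependency next to the bullet and add it to the check list for scan failures. Second, the Brother bullet justifies NTLMv2 with "printer can't KDC across VLAN"; the more durable reason is that the profile path is `\\192.168.2.254\...` by IP, and Kerberos to SMB needs a hostname-based SPN, so Kerberos is not an option on this path regardless of the firewall. Saying so prevents a well-meaning switch to hostname plus Auto, which would also run into the resolution caveat the memory file in this commit records (VLAN-20 printers may not resolve `CS-SERVER`).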
@@ -368,6 +381,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-09 | **Accounting scan-to-folder built + billing reconciliation.** Created `D:\Shares\Accounting` + `\Scans` on CS-SERVER (NTFS locked to `lauren.hasselman`/`chris.knight`/`zachary.nelson` = Modify, no Everyone; `svc-scan` = Modify on `\Scans` only), shared as `\\CS-SERVER\AcctDept` (named AcctDept because a Canon MF455DW *printer* share already owns "Accounting" — restored that share after a grant collision). New vaulted AD service account `svc-scan` for the Brother's SMB auth. Brother MFC-L8900CDW (10.0.20.220) Scan-to-Network profile → `\\192.168.2.254\AcctDept\Scans` (NTLMv2, `cascades\svc-scan`); **test scan confirmed**. Found pfSense blocks main-LAN→VLAN-20 (can't reach VLAN-20 printer WBM from CS-SERVER; printer→server:445 open). Persistent drive maps to the share: Chris (Y:), Zachary on ACCT2-PC (Y:), Lauren (X:). Also reconciled crashed-session billing: #32330 (Chris Knight computer) was already invoiced (#67790) — fixed status Resolved→Invoiced; live prepay confirmed **57.75h** (prior 7.75 was pre-top-up). Updated machine inventory (ASSISTNURSE-PC reinstall, caregiver device table) in this wiki. |
| 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. **MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). |
| 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: **pending on #32303** as of 2026-06-09. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. 
GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
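Review bot: the unchanged 2026-06-08 row just below the new one still records a user's AD password in clear ("reset AD password to `Cascades2026!` (change-at-logon cleared)"), in the same file where this commit adds vault pointers for every other secret; because change-at-logon was cleared that is a standing credential sitting in git history, so move it to the vault and have it changed. On the new row itself: it is inserted between the 2026-06-04 and 2026-06-08 rows, and the rows below it run 06-08, 06-08, 06-05, so the history table has no consistent order; pick one direction (newest first or oldest first) while adding the row, since a reader scanning for the latest state currently has to read the whole table.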