diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 9932d92..a066453 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -59,6 +59,7 @@ - [Paste-safe command formatting (Howard)](feedback_command_formatting.md) — Two clauses, one root cause: (a) multi-line scripts not semicolon one-liners (wrap breaks paste), (b) all code at column 0 inside fences (indentation breaks PowerShell paste). - [Autonomous infra/build setup](feedback_autonomous_infra_setup.md) — During infra/build/CI/dev setup, just install prerequisites and push through routine steps; reserve check-ins for genuine decisions (forks, destructive/outward, client/prod). - [Check patterns before asking](feedback_check_patterns_before_asking.md) — Before asking how to do something repeat-style (sync, save, sweep, billing), study existing artifacts and workflow docs first; reach for similar past artifacts as the template. +- [Cascades scan-to-folder uses svc-scan](feedback_cascades_scan_account.md) — Every scanner->network-folder setup at Cascades reuses the one `svc-scan` AD service account (NTLMv2, vaulted); never make a per-printer scan account. - [Calibrate effort to stakes](feedback_calibrate_effort_to_stakes.md) — Don't over-verify or over-engineer low-consequence details; confirm the happy path, note the limitation, and take the simplest path (e.g. put the instruction in the prompt) instead of building robust mechanisms. - [Pricing verification — no guessing](policy_pricing_verification.md) — ANY cost presented to the team or a client MUST be verified via live web lookup (WebFetch/WebSearch, fallback to headless Chrome). Never estimate from training data. Cite source + date inline. If unreachable, say so — do NOT substitute a guess. - [Client communication tone](feedback_client_tone.md) — How to write client-facing Syncro comments — expert partner, not intake questionnaire. 
diff --git a/.claude/memory/feedback_cascades_scan_account.md b/.claude/memory/feedback_cascades_scan_account.md new file mode 100644 index 0000000..5bd92ae --- /dev/null +++ b/.claude/memory/feedback_cascades_scan_account.md @@ -0,0 +1,20 @@ +--- +name: Cascades scan-to-folder uses the svc-scan account +description: At Cascades, every scanner→network-folder (scan-to-SMB) setup reuses the single svc-scan AD service account — never create a per-printer/per-folder scan account. Grant svc-scan Modify on the new scan folder and use cascades\svc-scan (NTLMv2) in the device profile. +metadata: + type: feedback +--- + +Current-state context: [[project_cascades]]. Full setup detail lives in the wiki (Patterns -> File Shares & Scan-to-Folder). + +**Rule (Howard, 2026-06-09):** When setting up any scanner / MFP to scan to a network folder at Cascades, **reuse the `svc-scan` AD service account** — do NOT create a new scan account per printer or per folder. + +**Why:** One least-privilege, vaulted credential to manage/rotate instead of credentials scattered across many device configs; keeps the stored-in-device credential low-blast-radius and auditable. + +**How to apply:** +- Grant `CASCADES\svc-scan` **Modify** on the new scan destination folder (the dropbox subfolder only — least privilege). +- In the device's Scan-to-Network profile: Username `cascades\svc-scan`, Auth Method **NTLMv2**, password from vault `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). +- Use the **server IP** (e.g. `\\192.168.2.254\...`) not the hostname — VLAN-20 printers may not resolve `CS-SERVER`. +- Remember CS-SERVER cannot reach VLAN-20 printer web UIs (pfSense blocks main-LAN→VLAN20); configure the device from a VLAN-20 PC or onsite. Printer→CS-SERVER:445 is open. + +svc-scan: AD account on CS-SERVER (CN=Users, PasswordNeverExpires, CannotChangePassword). First use: Accounting Brother MFC-L8900CDW (10.0.20.220) → `\\CS-SERVER\AcctDept\Scans`, 2026-06-09. 
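Review bot: the "Why" paragraph in the new feedback file calls the shared `svc-scan` credential "low-blast-radius", but the rule in the same file is to store that one credential in every scanner's Scan-to-Network profile at the site, so a credential recovered from any single device (its web UI config, a settings export, or a backup) gives Modify on every scan dropbox at Cascades, not just one. State that trade-off plainly next to the rule and add a rotation step that enumerates every device profile holding the credential (a "Devices using svc-scan" list in this file, seeded with the Brother MFC-L8900CDW entry already in the last paragraph), otherwise a rotation silently breaks scanners and an exposure has no known scope. Since the profile authenticates with NTLMv2 across the pfSense-segmented VLAN boundary, also record whether SMB signing or encryption is required on the `AcctDept` share; the file currently says nothing about transport protection for the scanned documents.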
diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-accounting-scan-folder.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-accounting-scan-folder.md new file mode 100644 index 0000000..f4d7979 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-09-howard-cascades-accounting-scan-folder.md 
@@ -0,0 +1,125 @@ +# Cascades of Tucson — Session Log 2026-06-09 — Accounting scan-to-folder build + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Set up a scan-to-folder destination for the Cascades accounting team so the Business Office +Brother MFC-L8900CDW (10.0.20.220) can scan documents to a network folder that Lauren Hasselman +and Chris Knight (and, added mid-session, Zachary Nelson) can access. (Continuation of the same +session that earlier reconciled crashed-session billing — see +`2026-06-09-howard-cascades-billing-recovery-wiki.md`.) + +Started with read-only discovery on CS-SERVER via GuruRMM. The 2026-03-20 audit was stale; the +live share set is much larger. Found there is no plain "Accounting" file share — the only +accounting file folder is `Company Web Docs\Accounting` buried under the Synology-Drive-synced +`D:\Shares\Main` tree, with a wide-open `Everyone:FullControl` ACL. Confirmed `10.0.20.220` is the +Business Office Brother and that `lauren.hasselman` + `chris.knight` are real AD users. Per Howard's +choices (dedicated clean share, lock to the named users, dedicated scan service account), built a +fresh structure rather than reusing the Synology-synced folder. + +Created the service account `svc-scan` (CN=Users, PasswordNeverExpires, CannotChangePassword), +vaulted its password, then created `D:\Shares\Accounting` with inheritance broken and locked to +Lauren/Chris (Modify), and `D:\Shares\Accounting\Scans` adding svc-scan (Modify, writer only). Hit +a name collision: a pre-existing *printer* share named `Accounting` (Canon MF455DW) meant the file +share didn't create and my grants/Everyone-revoke landed on the printer share. Restored the printer +share (re-added Everyone:Read) and created the file share under the non-colliding name `AcctDept`. +Added Zachary Nelson to NTFS + share when Howard asked. 
Verified svc-scan can SMB-write to +`\\192.168.2.254\AcctDept\Scans` from ACCT2-PC (a VLAN-20 host, proxy for the printer). + +Key network finding: CS-SERVER (192.168.2.254, main LAN) cannot reach the VLAN-20 printers — +pfSense blocks main→VLAN20 (80/443/445 all fail to 10.0.20.220). So the Brother WBM must be +configured from a VLAN-20 PC or onsite; the reverse path (printer→CS-SERVER:445) is open, which is +all scanning needs. Gave Howard the exact Brother Scan-to-Network profile values (NTLMv2, +`cascades\svc-scan`, path `\\192.168.2.254\AcctDept\Scans`); Howard configured it and **a test scan +succeeded**. Finally mapped the `\\cs-server\AcctDept` share as persistent per-user drives via RMM +user_session: Lauren got X: (Y: was in use on her box), Zachary got Y: (matching Chris's manual Y:). +Howard set the standing rule that all future Cascades scanner→folder setups reuse `svc-scan`. + +## Key Decisions + +- **Dedicated clean share over the existing accounting folder.** The real accounting folder + (`Main\Company Web Docs\Accounting`) is Everyone:Full and sits in the Synology-Drive-synced tree + (scans would replicate to the NAS). Built `D:\Shares\Accounting` fresh with a scoped ACL instead. +- **Dedicated `svc-scan` service account** (not a reused user credential) for the printer's stored + SMB auth — least-privilege, vaulted, low blast radius. Howard then made it the standard for ALL + future Cascades scan-to-folder setups (memory: `feedback_cascades_scan_account.md`). +- **File share named `AcctDept`, not `Accounting`** — a printer share already owns "Accounting". +- **svc-scan granted on the `Scans` subfolder only** (not the parent Accounting), relying on default + bypass-traverse so it can reach/write the dropbox without being able to read accounting documents. +- **NTLMv2 (not Auto/Kerberos) in the Brother profile** — the printer can't reach a KDC cleanly + across the VLAN with explicit credentials. 
+- **Persistent drive maps via RMM user_session** (per logged-in user) rather than GPP — only two + users, both logged in; X:/Y: per free-letter availability. + +## Problems Encountered + +- **Share name collision with a printer share.** `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess` + silently operated on the existing `Accounting` Canon MF455DW printer share — the file share never + got created and I added stray grants + revoked Everyone on the printer share. Resolved by removing + my grants, re-adding `Everyone:Read` to the printer share, and creating the file share as `AcctDept`. +- **CS-SERVER cannot reach VLAN-20 printers** (pfSense main→VLAN20 block) — can't configure the + Brother WBM from the server. Resolved by validating from / directing config to a VLAN-20 host + (ACCT2-PC); confirmed the needed direction (printer→server:445) is open. +- **UNC backslash mangling in dispatched scripts** (`\\` collapsed to `\`, paths like `C:\192.168...`). + Resolved by building all UNC/path/identity strings from `[char]92` on the server side (per the + known transport quirk) and using mapped drive letters for write tests. +- **PSDrive UNC root tripled the path** on a write test — switched to `net use` + drive letter. + +## Configuration Changes + +- **CS-SERVER (cascades.local), via GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`:** + - New AD user `svc-scan` (CN=Users; PasswordNeverExpires, CannotChangePassword; Description points to vault). + - New folders `D:\Shares\Accounting` and `D:\Shares\Accounting\Scans`. + - NTFS `D:\Shares\Accounting`: inheritance disabled; SYSTEM + BUILTIN\Administrators = FullControl; + `CASCADES\lauren.hasselman`, `CASCADES\chris.knight`, `CASCADES\zachary.nelson` = Modify. No Everyone. + - NTFS `D:\Shares\Accounting\Scans`: inherits the above + explicit `CASCADES\svc-scan` = Modify. + - New SMB share `AcctDept` → `D:\Shares\Accounting` (Change: lauren/chris/zachary/svc-scan; Full: Admins). 
+ - Removed the earlier interim share+folder `AcctScans` (replaced by the AcctDept structure). + - Restored the `Accounting` (Canon MF455DW) printer share — removed my stray grants, re-added Everyone:Read. +- **DESKTOP-H6QHRR7 (Lauren):** persistent map `X: → \\cs-server\AcctDept` (user_session). Earlier also a Public Desktop shortcut "Accounting Scans" → `\\CS-SERVER\AcctDept\Scans`. +- **ACCT2-PC (Zachary):** persistent map `Y: → \\cs-server\AcctDept` (user_session). +- **DESKTOP-N5G1ROO (Chris):** Y: mapped by Howard manually (not by this session). Public Desktop shortcut pushed earlier. +- **Brother MFC-L8900CDW @ 10.0.20.220:** Scan-to-Network profile created by Howard (see below). Test scan confirmed. +- **Repo:** wiki updated (`wiki/clients/cascades-tucson.md` — Access vault pointer, new "File Shares & Scan-to-Folder" Patterns subsection incl. the svc-scan reuse rule, 2026-06-09 history row). Memory: `feedback_cascades_scan_account.md` + MEMORY.md index line. This session log. + +## Credentials & Secrets + +- **`svc-scan` / `aPqzfE3Sknm2ZbMwccPHAa9#`** — AD service account, cascades.local, on CS-SERVER. + Vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). Brother SMB auth + username `cascades\svc-scan`. PasswordNeverExpires, CannotChangePassword. + +## Infrastructure & Servers + +- **CS-SERVER:** 192.168.2.254 (main LAN). Live RMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`. + Share root `D:\Shares`. New: `D:\Shares\Accounting{,\Scans}`, share `\\CS-SERVER\AcctDept`. +- **Brother MFC-L8900CDW (Business Office):** 10.0.20.220 (VLAN 20). WBM `http://10.0.20.220`. + Profile → Network Folder Path `\\192.168.2.254\AcctDept\Scans`, Auth NTLMv2, user `cascades\svc-scan`, PDF Multi-Page. +- **ACCT2-PC:** 10.0.20.209 (VLAN 20, Zachary). RMM agent `da48bfbb-6b00-4bc5-bf03-0a3753362968`. Reaches printer WBM + CS-SERVER:445. +- **Network:** pfSense blocks main-LAN (192.168.2.x) → VLAN 20 (10.0.20.x); CS-SERVER→10.0.20.220:80/443/445 all fail. 
Printer→CS-SERVER:445 open. +- **Pre-existing collision:** SMB printer share `Accounting` = "Accounting - Canon MF455DW" (LocalsplOnly). + +## Commands & Outputs + +- svc-scan write test (from ACCT2-PC): mapped `\\192.168.2.254\AcctDept\Scans`, wrote+removed a file, owner returned `CASCADES\svc-scan` → OK. +- Drive maps (user_session, /persistent:yes): Lauren `net use X: \\cs-server\AcctDept`; Zachary `net use Y: \\cs-server\AcctDept` — both "command completed successfully." +- Free-letter logic: `(@("Y","X","W"...) | Where-Object { $inUse -notcontains $_ })[0]` from `Win32_LogicalDisk` DeviceIDs. +- RMM/SMB transport: build UNC + `domain\user` from `[char]92` to survive the JSON/PowerShell backslash collapse. + +## Pending / Incomplete Tasks + +- **ASSISTNURSE-PC 1.0h onsite billing on #32303** — still paused at preview from earlier today (awaiting Howard's go). +- Optional: force all three accounting drive maps to a single consistent letter (currently Chris Y:, Zachary Y:, Lauren X:). +- Optional: lock down the legacy `Main\Company Web Docs\Accounting` Everyone:Full folder (HIPAA) — separate cleanup, not done. +- The `AcctScans` Public Desktop shortcut on Lauren/Chris points at `\Scans`; the mapped drive points at the `AcctDept` root — both valid, just noting the dual entry points. + +## Reference Information + +- Share: `\\CS-SERVER\AcctDept` → `D:\Shares\Accounting`; scan dropbox subfolder `\Scans`. +- Printer scan target: `\\192.168.2.254\AcctDept\Scans` (use IP, not hostname — VLAN-20 DNS). +- Vault: `clients/cascades-tucson/svc-scan.sops.yaml`. +- Standing rule: reuse `svc-scan` for all future Cascades scanner→folder setups (`feedback_cascades_scan_account.md`). +- Agents: CS-SERVER `c39f1de7...`, ACCT2-PC `da48bfbb...`, DESKTOP-H6QHRR7 `633458f6...`, DESKTOP-N5G1ROO `205025ee...`. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index a9eea6f..dd4b024 100644 --- a/wiki/clients/cascades-tucson.md 
+++ b/wiki/clients/cascades-tucson.md @@ -197,6 +197,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **M365 sysadmin:** sysadmin@cascadestucson.com — vault: `clients/cascades-tucson/m365-sysadmin.sops.yaml` - **WiFi CSCNet:** vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml` - **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml` +- **svc-scan (scan-to-folder service account):** vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). AD account on CS-SERVER for the Accounting Brother's SMB scans — see Patterns -> File Shares & Scan-to-Folder. - **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` - **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates) - **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded. 
@@ -239,6 +240,18 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged). +### File Shares & Scan-to-Folder (Accounting) + +- **Accounting department folder + scan dropbox (built 2026-06-09):** + - `D:\Shares\Accounting` on CS-SERVER — inheritance broken; **SYSTEM / BUILTIN\Administrators = Full; `lauren.hasselman`, `chris.knight`, `zachary.nelson` = Modify** (no Everyone). Shared as **`\\CS-SERVER\AcctDept`** (Change: those 3 users + `svc-scan`; Full: Admins). + - **Share is named `AcctDept`, NOT `Accounting`** — a *printer* share named `Accounting` (Canon MF455DW, `LocalsplOnly`) already exists. Do not collide with it: `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess -Name Accounting` will silently hit the printer share. (Happened 2026-06-09; printer share's Everyone:Read was restored.) + - `D:\Shares\Accounting\Scans` — scan dropbox; inherits the 3 users + adds **`CASCADES\svc-scan` = Modify** (least-privilege writer; can't read the rest of Accounting; bypass-traverse lets it reach the subfolder). + - **`svc-scan`** = dedicated AD service account (CN=Users, PasswordNeverExpires, CannotChangePassword) for the Brother's SMB auth. Vault: `clients/cascades-tucson/svc-scan.sops.yaml`. + - **REUSE `svc-scan` for EVERY future scanner→network-folder setup at Cascades** (Howard, 2026-06-09) — do NOT create a per-printer/per-folder scan account. 
For a new scan destination: grant `CASCADES\svc-scan` Modify on the new scan folder, then enter `cascades\svc-scan` + the vaulted password (NTLMv2) in that scanner's Scan-to-Network profile. +- **Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) — Scan-to-Network profile (working 2026-06-09):** Network Folder Path `\\192.168.2.254\AcctDept\Scans`; **Auth Method NTLMv2** (not Auto/Kerberos — printer can't KDC across VLAN); Username `cascades\svc-scan`; PDF Multi-Page. Configured via the printer WBM (`http://10.0.20.220`), panel: Scan -> to Network. +- **[NETWORK] CS-SERVER cannot reach the VLAN-20 printers** — main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Verified: CS-SERVER -> `10.0.20.220`:80/443/445 all fail. So you **cannot configure a 10.0.20.x printer's web UI from CS-SERVER** — use a VLAN-20 PC's browser (e.g. ACCT2-PC `10.0.20.209`) or go onsite. The reverse (printer -> CS-SERVER:445) **is** open, which is all scan-to-folder needs (svc-scan SMB write verified from ACCT2-PC). +- **Persistent drive maps to `\\cs-server\AcctDept`** (per-user, via RMM `user_session`): Chris (DESKTOP-N5G1ROO) **Y:**, Zachary (ACCT2-PC) **Y:**, Lauren (DESKTOP-H6QHRR7) **X:** (Y: was already in use on hers). + ### Conditional Access / Caregiver Policies - **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`. 
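Review bot: the `Scans` bullet describes `CASCADES\svc-scan` as a "least-privilege writer", but the NTFS Modify right granted there includes Read, List, ReadAndExecute and Delete, so the credential stored in the printer can enumerate, read and remove every document other staff have scanned into the dropbox, not only add new ones. Either say that explicitly (the phrase "can't read the rest of Accounting" is true only for the parent, not for `Scans` itself) or test a narrower ACE on `Scans` such as "Create files / write data" plus "List folder" and confirm the Brother profile still completes a scan with it. The share-level Change grant for `svc-scan` on the whole `AcctDept` share is only safe because the parent `D:\Shares\Accounting` NTFS ACL excludes `svc-scan`; note that dependency on the share line so a later NTFS change on the parent does not quietly widen the printer account's reach.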
@@ -368,6 +381,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). | | 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. | | 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. 
| +| 2026-06-09 | **Accounting scan-to-folder built + billing reconciliation.** Created `D:\Shares\Accounting` + `\Scans` on CS-SERVER (NTFS locked to `lauren.hasselman`/`chris.knight`/`zachary.nelson` = Modify, no Everyone; `svc-scan` = Modify on `\Scans` only), shared as `\\CS-SERVER\AcctDept` (named AcctDept because a Canon MF455DW *printer* share already owns "Accounting" — restored that share after a grant collision). New vaulted AD service account `svc-scan` for the Brother's SMB auth. Brother MFC-L8900CDW (10.0.20.220) Scan-to-Network profile → `\\192.168.2.254\AcctDept\Scans` (NTLMv2, `cascades\svc-scan`); **test scan confirmed**. Found pfSense blocks main-LAN→VLAN-20 (can't reach VLAN-20 printer WBM from CS-SERVER; printer→server:445 open). Persistent drive maps to the share: Chris (Y:), Zachary on ACCT2-PC (Y:), Lauren (X:). Also reconciled crashed-session billing: #32330 (Chris Knight computer) was already invoiced (#67790) — fixed status Resolved→Invoiced; live prepay confirmed **57.75h** (prior 7.75 was pre-top-up). Updated machine inventory (ASSISTNURSE-PC reinstall, caregiver device table) in this wiki. | | 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. 
**MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). | | 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: **pending on #32303** as of 2026-06-09. | | 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). 
Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
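Review bot: in the session-log hunk (`2026-06-09-howard-cascades-accounting-scan-folder.md`), the "Credentials & Secrets" section commits the `svc-scan` password in plaintext to the repository, on the same line as the pointer to its sops vault; that defeats the vaulting this change documents and places a live AD credential (the one the Brother uses with Modify on the accounting dropbox) into git history and into anything that indexes the repo. Replace the value with the vault pointer only, and because it has already been committed, treat the credential as exposed: rotate `svc-scan`, update the Brother profile, and purge or rewrite the history rather than just removing the line. The same section's "Description points to vault" on the AD object is the right pattern; the log should follow it.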
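Review bot: in the wiki history hunk (`@@ -368,6 +381,7 @@`), the new 2026-06-09 row restates the full ACL, share-name and Scan-to-Network profile detail that this same change already places in the Patterns -> File Shares & Scan-to-Folder subsection; two copies will drift, so trim the row to the outcome (share built, test scan confirmed, billing reconciled, prepay 57.75h) plus a pointer to that subsection. Separately, the unchanged 2026-06-08 row a few lines below records a user's reset AD password in plaintext in this wiki; it is outside this diff but merits a follow-up to replace it with a vault pointer, the same fix the session log's Credentials section needs.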