wiki: compile 5 missing articles + dedupe neptune queue entry
Seeded via /wiki-compile (parallel sub-agents):
- clients: gonzvar-tax-services, tohono-oodham-doit (Syncro 33069069), tucson-golden-corral (Syncro 3859123)
- projects: gururmm-agent (artifact-based, agent/ @ origin/main), msp-tools (umbrella)

Index rows added for all five. Deduped the duplicate system:neptune compile-queue entry (merged the cert/DkimSigner note into one).

Left as-is (intentional, not duplicates/dead): wiki/projects/guru-rmm.md is a redirect tombstone; the patterns/tailscale-client-enroll.ps1 index link is valid (the .ps1 script exists).
127
wiki/clients/gonzvar-tax-services.md
Normal file
@@ -0,0 +1,127 @@
|
||||
---
|
||||
type: client
|
||||
name: gonzvar-tax-services
|
||||
display_name: Gonzvar Tax Services
|
||||
last_compiled: 2026-06-12
|
||||
compiled_by: GURU-5070/claude-main
|
||||
sources:
|
||||
- clients/gonzvar-tax-services/session-logs/2026-06-06-mike-rmm-onboarding-diagnostic-bug-discovery.md
|
||||
- clients/gonzvar-tax-services/TASKS.md
|
||||
- clients/gonzvar-tax-services/DIAGNOSTIC-SUMMARY-2026-06-06.md
|
||||
- clients/gonzvar-tax-services/GTS-W0-DISK-ANALYSIS.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/GTS-W0-20260606T180736.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/GTS-W1-20260606T180908.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/GTS-W2-20260606T181016.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/GTS-PEDRO-H-20260606T181113.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/GTS-SVR25-20260606T181205.md
|
||||
- clients/gonzvar-tax-services/onboarding-baselines/SERVER-20260606T181304.md
|
||||
- session-logs/2026-06-07-mike-gururmm-backup-alert-cleanup.md
|
||||
backlinks:
|
||||
- projects/msp-tools/guru-rmm
|
||||
---
|
||||
|
||||
# Gonzvar Tax Services
|
||||
|
||||
Tax services firm onboarded as new MSP client in June 2026. Six machines enrolled in GuruRMM across a Windows AD environment (GTS.local). Fleet-wide onboarding diagnostics completed at intake; multiple security findings remain open. Active setup tasks pending (QuickBooks RemoteApp, Tailscale VPN, security hardening).
|
||||
|
||||
## Profile
|
||||
|
||||
- **Contract type:** (verify — not found in Syncro; search returned 0 matches on "gonzvar tax services")
|
||||
- **Key contacts:** (verify — pgonz / GTS\gonzvar account names inferred from baselines; no Syncro contact record found)
|
||||
- **Billing rate:** (verify — check Syncro invoices)
|
||||
- **Hours remaining (if prepaid):** (verify)
|
||||
- **Managed device count:** 6 (all enrolled in GuruRMM as of 2026-06-06)
|
||||
- **Syncro customer ID:** none (customer not found in Syncro as of 2026-06-12)
|
||||
|
||||
## Infrastructure
|
||||
|
||||
### Servers & Services
|
||||
|
||||
| Host | IP | Role | OS | Notes |
|
||||
|---|---|---|---|---|
|
||||
| GTS-SVR25 | 192.168.0.2 (static) | Primary DC, DNS | Windows Server 2025 Standard (build 26100) | ASUS; i7-12700, 32 GB; Defender RTP off at baseline; firewall enabled |
|
||||
| SERVER | 192.168.0.5 (static) | Legacy server | Windows Server 2019 Standard (build 17763) | Dell PowerEdge T440; Xeon Bronze 3204, 8 GB; SMBv1 enabled; firewall off; 104-day uptime at baseline |
|
||||
|
||||
### Workstations
|
||||
|
||||
| Host | IP | OS | Notes |
|
||||
|---|---|---|---|
|
||||
| GTS-W0 | 192.168.0.145 (DHCP) | Win11 Pro for Workstations (build 26200) | Lenovo 90SM006QUS; i5-12400, 16 GB; firewall off, RDP without NLA; ZeroTier 10.244.136.41 |
|
||||
| GTS-W1 | 192.168.0.143 (DHCP) | Win11 Pro for Workstations (build 26200) | Lenovo 90SM006QUS; i5-12400, 16 GB; domain-joined |
|
||||
| GTS-W2 | 192.168.0.146 (DHCP) | Win11 Pro for Workstations (build 26200) | Lenovo 90SM006QUS; i5-12400, 16 GB; domain-joined |
|
||||
| GTS-PEDRO-H | 192.168.0.146 (DHCP, WiFi) | Win11 (build 26200) | Lenovo 90SM006QUS; i5-12400, 16 GB; NOT domain-joined (WORKGROUP); personal machine; WiFi only; ZeroTier 10.244.10.231 |
|
||||
|
||||
Note: GTS-W2 and GTS-PEDRO-H both resolved to 192.168.0.146 at scan time — probable DHCP address overlap worth checking.
|
||||
|
||||
### Email & Identity
|
||||
|
||||
- **M365 tenant:** (verify)
|
||||
- **MX / mail flow:** (verify)
|
||||
- **MFA status:** (verify)
|
||||
- **Domain:** GTS.local (AD); GTS-SVR25 is primary DC and NTP source; workstations W0/W1/W2 and SERVER domain-joined; GTS-PEDRO-H in WORKGROUP
|
||||
- **LAPS:** Present on GTS-W0, GTS-W1, GTS-W2, GTS-SVR25; not detected on SERVER
|
||||
|
||||
### Network
|
||||
|
||||
- **ISP / WAN:** Cox Communications (inferred from PEDRO-H DNS: 68.105.28.11, 68.105.29.11, 68.105.28.12)
|
||||
- **Subnet:** 192.168.0.0/24 (DHCP served by GTS-SVR25)
|
||||
- **Firewall:** (verify — no perimeter device observed in logs)
|
||||
- **VPN:** ZeroTier present on GTS-W0 and GTS-PEDRO-H; Tailscale planned but not yet deployed
|
||||
- **DNS:** GTS-SVR25 (192.168.0.2) primary, SERVER (192.168.0.5) secondary (domain-joined machines)
|
||||
|
||||
## Access
|
||||
|
||||
- **RMM (GuruRMM):** Site code `INNER-BEAR-6727`; enrollment key and site IDs in vault (`clients/gonzvar-tax-services/gururmm-site-main.sops.yaml`); install page: `https://rmm.azcomputerguru.com/install/INNER-BEAR-6727`
|
||||
- **ScreenConnect:** All machines enrolled; client ID `1912bf3444b41a08`, version 26.1.24.9579
|
||||
- **Splashtop:** All machines; Streamer 3.8.x running
|
||||
- **Syncro agent:** All machines; version 1.0.201.18410
|
||||
- **Datto RMM:** Present on GTS-SVR25 (4.4.11616) as additional ACG tooling
|
||||
- **Admin accounts:** `pgonz` (local admin on all workstations); `GTS\gonzvar` (domain admin); `sysadmin` (local admin on servers); `GTS\pedro` (domain admin, seen on GTS-W0); `MediaAdmin$` (managed service account on servers)
|
||||
- **Vault path:** `clients/gonzvar-tax-services/`
|
||||
|
||||
## Patterns & Known Issues
|
||||
|
||||
**Fleet-wide security configuration gaps (baseline 2026-06-06):**
|
||||
- Firewalls disabled (all profiles: Domain, Private, Public) on GTS-W0 and SERVER; GTS-SVR25 has all profiles enabled; W1/W2/PEDRO-H status requires re-run after probe fix.
|
||||
- RDP without NLA on GTS-W0 (pre-auth vulnerability). GTS-SVR25 and SERVER have RDP enabled with NLA — confirm restricted to VPN/internal IPs.
|
||||
- No backup agent detected on any machine at baseline. SERVER had an abandoned Nov-2024 MSP360 image plan (needs deletion from MSP360 console).
|
||||
- Defender RTP and antimalware service both off on GTS-SVR25. No AV agent detected (Server SKU — Security Center does not register; verify a managed AV is active or re-enable Defender).
|
||||
- BitLocker inconsistent: GTS-W1 encrypted (TPM + recovery key); GTS-W0 unencrypted; servers returned null (verify with `manage-bde -status`).
|
||||
- Group Policy Client service stopped on GTS-W0 (and possibly other machines). Investigate Group Policy application.
|
||||
|
||||
**SERVER legacy risk:**
|
||||
- Windows Server 2019 (build 17763) with SMBv1 enabled and 5 pending updates at baseline; 104-day uptime. Server 2019 extended support ends 2029-01-09 — plan upgrade path to Server 2025.
|
||||
- SMBv1 must be disabled: `Set-SmbServerConfiguration -EnableSMB1Protocol $false`.
|
||||
|
||||
**Diagnostic probe false positives (GuruRMM onboarding-diagnostic.ps1):**
|
||||
- Event ID 153 from `Microsoft-Windows-Kernel-Boot` (VBS enabled boot message) is counted the same as Event ID 153 from the `Disk` source (real I/O error). On Windows 11 machines with VBS/HVCI enabled (default on 12th-gen Intel+), every boot logs an Event ID 153 that falsely inflates the disk-error count.
|
||||
- GTS-W0 initially showed 9 "disk errors" — all were VBS boot messages; drive (Kingston NVMe 1TB) confirmed healthy via SMART.
|
||||
- GTS-SVR25 showed 83 "disk errors" at baseline — almost certainly the same false positive given 20+ days uptime and similar Win11 base.
|
||||
- Probe fix required (filter Event ID 153 by `ProviderName != 'Microsoft-Windows-Kernel-Boot'` or query `ProviderName = 'disk'` directly). Re-run baselines after fix to get accurate grades.
|
||||
|
||||
**GTS-PEDRO-H is not domain-joined:**
|
||||
- Personal machine; WORKGROUP only; WiFi connectivity; only `pgonz` is local admin. Treat as bring-your-own device — lower management priority but still enrolled in RMM.
|
||||
|
||||
## Active Work
|
||||
|
||||
*Syncro not available for this client as of 2026-06-12. Open tasks from coord API (project key: gonzvar):*
|
||||
|
||||
| Task | Status | Notes |
|
||||
|---|---|---|
|
||||
| QuickBooks RemoteApp setup | Pending | Install QB on server; configure RemoteApp for local + VPN users |
|
||||
| System cleanup (all machines) | Pending | Disk cleanup, temp files, updates, clear reboots |
|
||||
| RDP over VPN (Tailscale) | Pending | Install Tailscale on server + workstations; addresses RDP exposure |
|
||||
| GuruRMM enrollment | Complete | All 6 machines enrolled 2026-06-06 (was deferred, found pre-enrolled) |
|
||||
| Security hardening (fleet) | Open | Firewall enable, RDP NLA, BitLocker, Defender RTP on SVR25, SMBv1 disable |
|
||||
|
||||
## History Highlights
|
||||
|
||||
- **2026-06-06** — New MSP client created; GuruRMM client `ae78d033` + site "Main" (`INNER-BEAR-6727`) provisioned; enrollment key vaulted.
|
||||
- **2026-06-06** — Discovered 6 machines already enrolled in RMM (expected 4; found 3 workstations + 1 personal + 2 servers).
|
||||
- **2026-06-06** — Fleet-wide onboarding diagnostic baseline run: GTS-W0, GTS-SVR25, SERVER graded RED; GTS-W1, GTS-W2, GTS-PEDRO-H graded AMBER.
|
||||
- **2026-06-06** — Critical GuruRMM probe bug discovered: Event ID 153 / Kernel-Boot (VBS) counted as disk errors on Win11 machines; GTS-W0 initial "failing drive" alert retracted; drive confirmed healthy.
|
||||
- **2026-06-07** — SERVER (Gonzvar) flagged during backup alert review; abandoned Nov-2024 MSP360 image plan identified for deletion.
|
||||
|
||||
## Backlinks
|
||||
|
||||
- [GuruRMM](../projects/msp-tools/guru-rmm.md) — onboarding diagnostic probe; Event ID 153 false-positive bug fix required
|
||||
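Review bot: In the Access section, the RMM bullet keeps the enrollment key and site IDs in the vault but prints the site code `INNER-BEAR-6727` and the full install URL in the page, and History Highlights prints GuruRMM client `ae78d033`. Please confirm the site code on its own cannot enroll an agent; if it can, reference the vault path here instead of the URL. Separately, in Patterns & Known Issues the GTS-SVR25 false-positive bullet cites a "similar Win11 base", while the Servers table records that host as Windows Server 2025 Standard (build 26100); reword so the two agree.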
85
wiki/clients/tohono-oodham-doit.md
Normal file
@@ -0,0 +1,85 @@
|
||||
---
|
||||
type: client
|
||||
name: tohono-oodham-doit
|
||||
display_name: Tohono O'odham Nation - Department of Information & Technology (DoIT)
|
||||
last_compiled: 2026-06-12
|
||||
compiled_by: GURU-5070/claude-main
|
||||
sources:
|
||||
- clients/tohono-oodham-doit/session-logs/2026-05-27-session.md
|
||||
- syncro:33069069
|
||||
backlinks:
|
||||
- clients/sif-oidak
|
||||
---
|
||||
|
||||
# Tohono O'odham Nation - Department of Information & Technology (DoIT)
|
||||
|
||||
## Profile
|
||||
- **Contract type:** Break-fix with recurring Starlink service reseller billing (monthly internet + per-incident labor)
|
||||
- **Key contacts:**
|
||||
- Shannon Ramon — shannon.ramon@tonation-nsn.gov, 520-471-3072 (primary)
|
||||
- Brandon Capeheart (I&T System Administrator) — brandon.capeheart@tonation-nsn.gov, 520-993-5779
|
||||
- Marcus Ramon (I&T Network Manager) — marcus.ramon@tonation-nsn.gov, 520-240-0844
|
||||
- Trina Rodriguez (DoIT) — trina.rodriguez@tonation-nsn.gov, 520-383-0270 / 520-349-4297
|
||||
- Yvonne Enriguez (DoIT Office Manager) — Yvonne.Enriquez@tonation-nsn.gov, 520-383-0270
|
||||
- Tianna Aguilla (Accounts Payable) — tianna.aguilla@tonation-nsn.gov, (520) 648-4130 ext 4108
|
||||
- Denise Darrell (Accounts Payable, Dept of IT) — denise.darrell@tonnation-nsn.gov, 520-383-6600
|
||||
- **Billing rate:** $175/hr (onsite labor)
|
||||
- **Hours remaining (if prepaid):** N/A — no prepaid block
|
||||
- **Active ticket:** Syncro #32328 (Waiting on Customer)
|
||||
- **Syncro customer ID:** 33069069
|
||||
- **Address:** 25310 South Toltec Buttes Road, Eloy, AZ 85131; mailing: PO Box 837, Sells, AZ 85634; DoIT Annex: 307 Vamori Street, Tucson, AZ 85756
|
||||
|
||||
## Infrastructure
|
||||
|
||||
### Servers & Services
|
||||
| Host | IP | Role | OS | Notes |
|
||||
|---|---|---|---|---|
|
||||
|
||||
No Syncro-managed assets on record. No RMM agents deployed as of 2026-06-12.
|
||||
|
||||
### Email & Identity
|
||||
- **M365 tenant:** (verify)
|
||||
- **MX / mail flow:** (verify) — staff use @tonation-nsn.gov addresses
|
||||
- **MFA status:** (verify)
|
||||
|
||||
### Network
|
||||
- **ISP / WAN (field sites x2):** Starlink Roam Unlimited (mobile); configured in bypass mode — Check Point 1550 WAN interface holds the ISP-assigned IP directly. Starlink Roam issues CGNAT 100.64.x.x addresses, so each field site has no public routable WAN IP.
|
||||
- **ISP / WAN (main office):** Non-Starlink; public static IP(s). ISP and gateway hardware unconfirmed.
|
||||
- **Firewall (field):** Check Point 1550 (Gaia Embedded) — 2 units, one per field site
|
||||
- **Firewall (main office):** (verify — make/model unconfirmed; assumed Check Point based on field fleet)
|
||||
- **VPN:** Pending design decision; two options under evaluation:
|
||||
- **Option A — Native IPsec hub-and-spoke:** Field 1550s initiate outbound IPsec to office public IP using existing hardware; no overlay required. Cleanest path if main office gateway is also Check Point.
|
||||
- **Option B — Tailscale overlay:** Subnet-router node deployed behind the office firewall; small Tailscale-capable node (GL.iNet Beryl AX, Flint 2, pfSense, or OPNsense) at each field site. Traverses CGNAT via NAT-traversal and DERP relay on port 443.
|
||||
|
||||
## Access
|
||||
- No remote access credentials or vault paths on file for this client.
|
||||
- Vault path: (verify — create at `clients/tohono-oodham-doit/` if credentials are issued)
|
||||
- Syncro: https://computerguru.syncromsp.com/customers/33069069
|
||||
|
||||
## Patterns & Known Issues
|
||||
|
||||
- **CGNAT field WAN:** All field sites are behind Starlink Roam Unlimited in bypass mode. Bypass mode removes Starlink's own NAT but Starlink Roam still assigns a CGNAT 100.64.x.x address to the 1550 WAN port — not a public IP. Any site-to-site VPN or remote management initiated from the field must be outbound-only; the main office hub must be the reachable endpoint. On-site verification: each field 1550's WAN IP should show 100.64.x.x. If a real public IP appears, a Starlink public-IP add-on may be active, which changes the VPN calculus.
|
||||
- **Check Point 1550 (Gaia Embedded) is a closed appliance:** Third-party overlay software (Tailscale, ZeroTier) is not supported and cannot be installed on the 1550 itself. An Option B Tailscale deployment requires a separate device alongside the 1550 at each field site.
|
||||
- **Multiple Tohono O'odham accounts in Syncro:** DoIT (33069069), Legislative Branch (35323240), Farming Authority (33405788), Sif-oidak District (7694718) are separate Syncro customer records for the same tribal nation. Confirm account before opening tickets.
|
||||
- **Starlink reseller billing:** ComputerGuru bills DoIT for recurring Starlink internet service (~$397-421/month for 2 lines). Labor is billed break-fix at $175/hr as separate line items.
|
||||
|
||||
## Active Work
|
||||
|
||||
*As of 2026-06-12 — Syncro shows 1 open ticket:*
|
||||
|
||||
| Ticket | Subject | Status | Opened |
|
||||
|---|---|---|---|
|
||||
| #32328 (ID: 111209848) | Request for Starlink Static IP options | Waiting on Customer | 2026-05-27 |
|
||||
|
||||
Ticket #32328: Presented two site-to-site VPN design options (native Check Point IPsec hub-and-spoke vs. Tailscale overlay) for CGNAT field-to-office connectivity. Recommended skipping a Starlink static IP upgrade — the reachable main office hub makes it unnecessary for either option. Awaiting DoIT internal IT decision on VPN entrypoint and main office gateway make/model confirmation.
|
||||
|
||||
## History Highlights
|
||||
|
||||
- **2025-01:** Onsite Starlink installation (invoice #64532, 1 hr labor, $175)
|
||||
- **2025-11-18:** Onsite event Starlink rental and setup for November event in Sells, AZ (invoice #66431, $362.50 — rental + 1hr setup + 0.5hr trip fee)
|
||||
- **2025-11-25:** Sold and installed 2x Starlink Mini Mobile Roam kits (receiver, car adapter, roof mount) at field sites; monthly Starlink service billing initiated (invoice #66494, $915.94 hardware; recurring ~$397-421/month since)
|
||||
- **2026-05-27:** VPN design consultation for CGNAT field-to-office connectivity — researched Starlink static IP availability (not available on Roam) and CGNAT traversal options; created Ticket #32328, posted customer-visible two-option recommendation; ticket set to Waiting on Customer
|
||||
|
||||
## Backlinks
|
||||
|
||||
- [Sif-oidak District - Tohono O'odham Nation](sif-oidak.md) — related Syncro account for the same tribal nation (Sif-oidak District, ID 7694718)
|
||||
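Review bot: The on-site check in the "CGNAT field WAN" bullet under Patterns & Known Issues is too narrow: it expects each 1550 WAN IP to show 100.64.x.x, but the carrier-grade NAT shared address space is 100.64.0.0/10 (100.64.0.0 through 100.127.255.255), so an address such as 100.72.x.x is still CGNAT and not a public IP. Suggest wording the check as "inside 100.64.0.0/10" there and in the "ISP / WAN (field sites x2)" bullet. In Key contacts, two entries look inconsistent and should be verified against Syncro before merge: "Yvonne Enriguez" is paired with `Yvonne.Enriquez@tonation-nsn.gov`, and Denise Darrell's address uses `tonnation-nsn.gov` where every other contact uses `tonation-nsn.gov`.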
111
wiki/clients/tucson-golden-corral.md
Normal file
@@ -0,0 +1,111 @@
|
||||
---
|
||||
type: client
|
||||
name: tucson-golden-corral
|
||||
display_name: Tucson Golden Corral
|
||||
last_compiled: 2026-06-12
|
||||
compiled_by: GURU-5070/claude-main
|
||||
sources:
|
||||
- clients/tucson-golden-corral/session-logs/2026-05-26-session.md
|
||||
- session-logs/2026-05-25-session.md
|
||||
- session-logs/2026-04-30-session.md
|
||||
- .claude/memory/reference_resource_map.md
|
||||
backlinks:
|
||||
- systems/neptune
|
||||
- systems/ix-server
|
||||
- projects/gururmm
|
||||
---
|
||||
|
||||
# Tucson Golden Corral
|
||||
|
||||
Restaurant / food-service business in Tucson, AZ. Managed by ACG with a prepaid hour block
|
||||
contract. Primary contact is Jeffrey Schaufel (owner). Email is on IX cPanel hosting.
|
||||
TGC-SERVER is a single-box DC + RDS + Hyper-V running Windows Server 2016 with several
|
||||
unresolved architecture concerns flagged at onboarding.
|
||||
|
||||
## Profile
|
||||
|
||||
- **Contract type:** Prepaid hour block
|
||||
- **Key contacts:**
|
||||
- Jeffrey Schaufel (owner) — office 520-574-9167
|
||||
- Al Young — 520-571-0972 / mobile 520-338-1004
|
||||
- Josie Schaffel — 520-971-3991
|
||||
- **Service address:** 4380 E 22nd St, Tucson, AZ 85711
|
||||
- **Billing rate:** (verify — check Syncro invoices)
|
||||
- **Hours remaining (if prepaid):** 12.75 hrs as of 2026-06-12
|
||||
- **Syncro customer ID:** 3859123
|
||||
- **Managed device count (Syncro assets):** 3
|
||||
|
||||
## Infrastructure
|
||||
|
||||
### Servers & Services
|
||||
|
||||
| Host | IP | Role | OS | Notes |
|
||||
|---|---|---|---|---|
|
||||
| TGC-SERVER | 98.181.90.163 (public) | DC / DNS / RDS / Hyper-V / SQL / IIS | Windows Server 2016 (build 14393) | Extended support ends Jan 2027; GuruRMM agent 1275daa1; ScreenConnect installed; admin account actively browsing (Chrome) |
|
||||
|
||||
**Hyper-V VMs on TGC-SERVER:**
|
||||
|
||||
| VM | State | Notes |
|
||||
|---|---|---|
|
||||
| MAS90 | Running | Sage 100 ERP — customer-critical workload |
|
||||
| MAS90.old | Off | Prior snapshot / backup copy |
|
||||
|
||||
**Syncro workstation assets:**
|
||||
|
||||
| Device | Type |
|
||||
|---|---|
|
||||
| Desktop Dell DHM | Desktop |
|
||||
| Lenovo ThinkCenter 001LUS | Desktop |
|
||||
| Lenovo Ideapad 3305-15KB 81FS | Laptop |
|
||||
|
||||
**GuruRMM:**
|
||||
- Client ID: 3248bdec-cbc3-45df-ba63-c8cdc9395e58
|
||||
- Site: Co-Located (ID: e5caa88f-f395-40e3-befa-f54e035f4293, code: INNER-STORM-2733)
|
||||
- Agent (TGC-SERVER): 1275daa1-3996-4ecf-a1db-c82e88f757b4
|
||||
|
||||
### Email & Identity
|
||||
|
||||
- **Email platform:** IX cPanel hosting — cPanel account `tucsongc`, domain `tucsongoldencorral.com`
|
||||
- **Neptune Exchange note:** In April 2026, a webmail password reset for `accounting@tucsongoldencorral.com` was attempted on Neptune Exchange (67.206.163.124). Relationship between Neptune-hosted accounts and IX-hosted accounts is (verify — determine if any mailboxes remain on Neptune Exchange or if all are on IX).
|
||||
- **M365:** "Office 365 annual" recurring invoice ($108.69/yr) exists in Syncro. Per May 2026 session context, primary email is on IX, not M365. Verify current M365 scope (licensing only vs. active mailboxes).
|
||||
- **MFA status:** (verify)
|
||||
|
||||
### Network
|
||||
|
||||
- **ISP / WAN:** (verify)
|
||||
- **Firewall:** (verify — TGC-SERVER is on public IP 98.181.90.163 with no firewall recorded)
|
||||
- **VPN:** (verify)
|
||||
|
||||
## Access
|
||||
|
||||
- **GuruRMM dashboard:** https://rmm.azcomputerguru.com — client filter: Tucson Golden Corral
|
||||
- **GuruRMM IEX installer:** `irm 'https://rmm.azcomputerguru.com/install/INNER-STORM-2733/windows' | iex`
|
||||
- **IX cPanel (email / hosting):** https://72.194.62.5:2083 — account `tucsongc`; credentials via vault: `infrastructure/ix-server.sops.yaml`
|
||||
- **IX WHM API:** https://72.194.62.5:2087 (used for email account management)
|
||||
- **Vault — GuruRMM enrollment key:** `clients/tucson-golden-corral/gururmm-site-co-located.sops.yaml`
|
||||
- **RDP to TGC-SERVER:** (verify — no RDP path recorded; use GuruRMM agent 1275daa1 or ScreenConnect)
|
||||
|
||||
## Patterns & Known Issues
|
||||
|
||||
- **TGC-SERVER is doing too much.** Single Windows Server 2016 machine running DC, DNS, full RDS stack, Hyper-V (with a production ERP VM), SQL Server, and IIS. Customer confirmed Hyper-V was not expected on this box. Architecture needs remediation.
|
||||
- **MAS90 (Sage 100 ERP) in Hyper-V on the DC.** Running as a VM on the same box as Active Directory. No dedicated Hyper-V host. Migration options (dedicated HV host, or P2V to bare-metal Sage) not yet decided — requires customer input on hardware availability and MAS90 usage.
|
||||
- **Administrator account browsing from the DC.** Process list at onboarding showed Chrome running as Administrator on TGC-SERVER (a domain controller). Security risk; should be flagged to customer for remediation (dedicated admin workstation or jump server).
|
||||
- **Windows Server 2016 EOL approaching.** Extended support ends January 2027. OS upgrade planning should be in the queue.
|
||||
- **Email account churn via Discord.** Terminations/additions are requested by Jeffrey Schaufel via the Discord bot, not a formal ticket. Work is straightforward (IX cPanel UAPI) but tickets should continue to be created in Syncro for audit trail.
|
||||
- **No backup recorded.** No backup product or destination observed for TGC-SERVER or workstations. (Verify — may be absent or unreported.)
|
||||
|
||||
## Active Work
|
||||
|
||||
*No open tickets in Syncro as of 2026-06-12. See session logs for recent work.*
|
||||
|
||||
## History Highlights
|
||||
|
||||
- **2026-04-30** — Webmail password reset requested for `accounting@tucsongoldencorral.com`; attempted via Neptune Exchange ECP, resolved via Active Directory on DC16. (Source: session-logs/2026-04-30-session.md)
|
||||
- **2026-05-25** — Client onboarded into GuruRMM; TGC-SERVER enrolled (agent 1275daa1, Windows Server 2016, 16 GB RAM, 1.8 TB disk); full Windows role inventory confirmed AD DS, DNS, full RDS stack, Hyper-V, SQL Server, IIS + Certify the Web. Hyper-V flagged as unexpected by customer; MAS90 (Sage 100 ERP) VM found running. Chrome-on-DC and WS2016 EOL noted.
|
||||
- **2026-05-26** — Email account `Erick.Godoy@tucsongoldencorral.com` deleted via IX cPanel UAPI on employee termination request from Jeffrey Schaufel. Billed 0.25 hrs prepaid; Syncro ticket #32327, invoice ID 1650421921.
|
||||
|
||||
## Backlinks
|
||||
|
||||
- [[systems/neptune]] — Neptune Exchange (67.206.163.124, Exchange 2016); accounting@ reset attempt April 2026
|
||||
- [[systems/ix-server]] — IX cPanel server hosts tucsongoldencorral.com email (account `tucsongc`)
|
||||
- [[projects/gururmm]] — GuruRMM client enrollment; TGC-SERVER monitored via agent 1275daa1
|
||||
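Review bot: The Backlinks section and front matter in this file do not match the other two files added in this commit: this file uses `[[systems/neptune]]` wikilinks and points at `projects/gururmm`, while gonzvar-tax-services.md uses a relative Markdown link to `../projects/msp-tools/guru-rmm.md`, and the commit message describes `wiki/projects/guru-rmm.md` as a redirect tombstone. Pick one link style and confirm each GuruRMM target resolves to the live article. Also, the 2026-04-30 entry in History Highlights says the reset was resolved via Active Directory on DC16, a host that appears nowhere under Infrastructure; add it to the Servers table or state which system it belongs to.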