From 80509523c887652e6e469396cadfa29e63f3bf7a Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 23 Mar 2026 14:45:39 -0700 Subject: [PATCH] Session log: Multi-client work - email routing, Intune deploy, MDM fix, disk analysis - Sorensen/RieussetCorp email routing fixed (MailProtector IP auth) - Neptune SBR routing chain fully documented - MVAN ScreenConnect deployed via Intune to JUNE and MODERN_STILE_20 - Lonestar MDM self-enrollment identified as cause of personal phone issue - Dataforth AD1 disk analysis: C:\Engineering 787 GB on DC - Tailscale routing, SSH keys, brightness fix, memory system to repo Co-Authored-By: Claude Opus 4.6 (1M context) --- .../2026-03-23-galactic-advisors-report.md | 47 ++++ session-logs/2026-03-23-session.md | 215 ++++++++++++++++++ 2 files changed, 262 insertions(+) create mode 100644 clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md create mode 100644 session-logs/2026-03-23-session.md diff --git a/clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md b/clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md new file mode 100644 index 0000000..bded3f8 --- /dev/null +++ b/clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md 
@@ -0,0 +1,47 @@ +# Galactic Advisors Security Assessment - Dataforth Corporation + +**Report Date:** March 23, 2026 (Analyzed March 23, 2026, data collected March 20) +**Source:** Detail Report - Dataforth Corporation [BETA] (Galactic Advisors, Inc.) +**PDF Location:** ~/Downloads/Detail Report - Dataforth Corporation [BETA].pdf + +--- + +## Computers Evaluated (3) + +| Date Found | Username | Computer | +|-----------|----------|----------| +| Mar 20, 2026 7:50 PM | sysadmin | AD1 | +| Mar 20, 2026 9:06 PM | jantar | DESKTOP-AH0SLT7 | +| Mar 20, 2026 9:03 PM | tdean | D1-CUST-003 | + +## Hard Drive Details (4) + +| Size | User | Drive | Used | % | Computer | Free | +|------|------|-------|------|---|----------|------| +| 1862 GB | jantar | D:\ | 7 GB | 0% | DESKTOP-AH0SLT7 | 1855 GB | +| 476 GB | tdean | C:\ | 95 GB | 19% | D1-CUST-003 | 381 GB | +| 1023 GB | sysadmin | C:\ | 926 GB | **90%** | AD1 | 97 GB | +| 237 GB | jantar | C:\ | 71 GB | 29% | DESKTOP-AH0SLT7 | 166 GB | + +## Issues to Address + +### [CRITICAL] AD1 Disk Space at 90% +- Domain controller C:\ drive is 926 GB / 1023 GB (only 97 GB free) +- Risk: AD replication failures, log space exhaustion, inability to apply updates +- Action: Investigate what's consuming space, clean up or expand + +### [INFO] Legacy SQL Components +- Microsoft SQL Server 2008 R2 Native Client (2 installs) — EOL product +- Microsoft SQL Server 2019 LocalDB (1 install) +- Action: Evaluate if 2008 R2 client can be removed or upgraded + +### [INFO] Software Inventory Highlights +- **Security/RMM:** Datto RMM (3), Datto EDR Agent (2), ScreenConnect Client (3) +- **Identity:** Entra Connect Health Agent, Entra Connect Sync, Azure AD Connect Agent Updater, Entra Connect synchronization services — hybrid AD sync on AD1 +- **Business Apps:** Sage Exchange Desktop (2), Stonefield Query for Sage Pro ERP (2), Paya Connect Desktop (2), Paya Application Deployment (2), Nuvei Terminal Drivers (2) +- **Office:** Microsoft 365 Apps for 
business (2), Office 16 Click-to-Run (2) +- **Utilities:** PuTTY 0.83, Microsoft IdFix, Quick Restore 8.1.4, Online Backup 8.2, Adobe Acrobat DC +- **Peripherals:** Brother Printer/Scanner/Port drivers, HP LaserJet Pro MFP 3301-3304 3388 +- **Other:** Google Play Games (1 workstation), Google Chrome (2), Microsoft Edge (2) + +## Total Installed Programs: 84 (across 3 machines) diff --git a/session-logs/2026-03-23-session.md b/session-logs/2026-03-23-session.md new file mode 100644 index 0000000..7f34dc1 --- /dev/null +++ b/session-logs/2026-03-23-session.md 
@@ -0,0 +1,215 @@ +# Session Log: 2026-03-23 + +## Session Summary + +Multi-client session covering email routing fixes, Intune deployments, MDM investigation, infrastructure changes, and workstation maintenance. + +### Key Accomplishments +1. **Sorensen/RieussetCorp email routing fixed** — identified MailProtector IP authorization as root cause, added Neptune IPs +2. **Neptune Exchange infrastructure fully documented** — SBR agent chain, config file locations, send connectors, transport agents +3. **MVAN Enterprises ScreenConnect deployed** — pushed via Intune PowerShell scripts to JUNE (confirmed) and MODERN_STILE_20 (pending) +4. **Lonestar Electrical MDM issue investigated** — identified ManageEngine MDM self-enrollment as cause of joser's personal phone MDM prompt +5. **Dataforth Galactic Advisors security report reviewed** — AD1 disk at 90%, C:\Engineering consuming 787 GB +6. **Tailscale routing fixed** — moved 172.16.0.0/22 route from ACG pfSense to D2TESTNAS to reach Neptune +7. **CachyOS workstation** — SSH key generated, brightness hotkey fix (acpi_backlight=native), memory system moved to repo +8. **Claude Code memory system moved in-repo** — now syncs via Gitea across all machines + +--- + +## Client Work: Sorensen / RieussetCorp.com + +### Problem +Outbound email not routing properly from Neptune Exchange server, same issue as devcon. 
+ +### Investigation +- MX: `10 rieussetcorp-com.inbound.emailservice.io` (MailProtector) -- correct +- SPF: `v=spf1 include:spf.us.emailservice.io -all` -- correct +- mail.rieussetcorp.com: CNAME to mail.acghosting.com -> 67.206.163.124 -- correct +- Neptune SBR agent config files at `C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Custom\`: + - `Microsoft.Exchange.SBR.InternalDomains.config` — rieussetcorp.com listed + - `Microsoft.Exchange.SBR.OverrideSettings.config` — `rieussetcorp.com;rieussetcorp.sbr` listed +- Send connector `Outbound.Sorensen` exists, smarthost `rieussetcorp-com.outbound.emailservice.io` +- Message tracking from 3/16 showed SETROUTE (Sender Based Routing) and SENDEXTERNAL via Outbound.Sorensen with 250 OK + +### Root Cause +MailProtector did not have Neptune's new IPs (67.206.163.124 and .122) authorized as sending servers for rieussetcorp.com. + +### Fix +Added 67.206.163.124 and 67.206.163.122 to MailProtector's authorized sender IPs for rieussetcorp.com. + +### Neptune SBR Routing Chain (documented for future reference) +1. User sends mail from Exchange mailbox on Neptune (172.16.3.11) +2. Microsoft.Exchange.SBR transport agent (Priority 12) fires on OnResolved +3. SBR reads `OverrideSettings.config` — maps domain to `.sbr` routing domain +4. Exchange matches `.sbr` address space to send connector +5. Send connector smarthosts through MailProtector: `domain-com.outbound.emailservice.io` +6. 
Also: messageconcept ExSBR agent at Priority 11 (`C:\Program Files\messageconcept\ExSBR\`) + +### Neptune Access +- WinRM: 172.16.3.11, ACG\administrator / Gptf*77ttb##, NTLM transport +- Exchange PS: `New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune.acg.local/PowerShell/ -Authentication Kerberos` +- Requires Tailscale route through D2TESTNAS for 172.16.0.0/22 + +--- + +## Client Work: MVAN Enterprises + +### Intune ScreenConnect Deployment +- **Tenant:** mvan.onmicrosoft.com +- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99# +- **Claude-MSP-Access App:** fabb3421-8b34-484b-bc17-e46de9703418 (multi-tenant Graph API) +- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO + +### Licenses +- Microsoft Intune Plan 2 (2/2) +- Microsoft 365 Business Premium SPB (4/6) +- Entra ID P2 (1/1) + +### Managed Devices +| Device | User | OS | Last Sync | Status | +|--------|------|-----|-----------|--------| +| MODERN_STILE_20 | alisha.p@mvaninc.com | Win 10.0.26100 | Today | Active | +| JUNE | june.b@mvaninc.com | Win 10.0.26200 | Today | Active | +| MITCH-LAPTOP | | Win 10.0.22631 | Feb 15 | Stale | +| MITCH_WORK2 | | Win 10.0.26200 | Nov 2025 | Very stale | + +### ScreenConnect Deployment +- **Installer URL:** `https://computerguru.screenconnect.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=MVAN%20Enterprised&c=&c=&c=&c=&c=&c=&c=` +- **Method:** Intune PowerShell script (beta API: deviceManagementScripts) +- **Script v1 ID:** 55661d90-2c13-42fe-a3f1-156e410a74d2 (deleted after JUNE confirmed) +- **Script v2 ID:** 25383326-5d27-4fa2-862d-1550fca3e65b (re-push for MODERN_STILE_20) +- **Dynamic Group (both devices):** 3c804c2e-d2ab-4bc5-8720-16224e138a3c "ScreenConnect Deploy - MVAN Active Devices" +- **Dynamic Group (MS20 only):** 58673ed2-6075-47be-9f26-bb46b3fbb098 "MODERN_STILE_20 - SC Reinstall" +- **Results:** JUNE appeared in ScreenConnect. MODERN_STILE_20 had old version, uninstalled, re-pushed (pending). 
+ +### MVAN Device IDs +- MODERN_STILE_20: Intune `6211568f-1c5c-491f-89a7-1aac82127653`, Entra `8b1d5aa6-8acf-4ce3-ab4f-81e37980dc45` +- JUNE: Intune `f478fd56-bccb-4f7e-856f-4a27a172ae4b` + +--- + +## Client Work: Lonestar Electrical + +### Problem +joser@lonestarelectrical.net getting MDM enrollment prompt on personal phone. + +### Investigation +- Google Workspace admin console: Mobile management = **Basic** (no MDM push) +- ManageEngine MDM (mdm.manageengine.com) is the actual MDM provider +- Admin: mike@azcomputerguru.com (Zoho account, Super Admin) +- Two enrolled devices: Zach and JOSE (both via QR Code, Dec 4 2025, Fully managed — company tablets) +- **Self Enrollment Settings:** Enabled for ALL directory groups, unlimited devices per user, no platform restrictions +- When joser installs ME MDM app on personal phone, self-enrollment prompts + +### Fix (pending — page was broken) +- Disable Self Enrollment entirely in ManageEngine MDM (Enrollment > Self Enrollment > Disable) +- Tell joser to uninstall ME MDM app from personal phone +- Path: `https://mdm.manageengine.com/webclient#/uems/mdm/enrollment/self-enrollment/details` + +--- + +## Dataforth: Galactic Advisors Security Report + +### Report +- **Source:** "Detail Report - Dataforth Corporation [BETA]" from Galactic Advisors, analyzed March 23 2026 +- **PDF:** ~/Downloads/Detail Report - Dataforth Corporation [BETA].pdf +- **Session log:** clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md + +### 3 Computers Evaluated +| Computer | User | Role | +|----------|------|------| +| AD1 (192.168.0.27) | sysadmin | Domain controller | +| DESKTOP-AH0SLT7 | jantar | Workstation | +| D1-CUST-003 | tdean | Workstation | + +### [CRITICAL] AD1 Disk at 90% +- C:\ 926 GB / 1023 GB (97 GB free) +- **C:\Engineering: 787.66 GB** (85% of used space) — single subfolder "ENGR" +- C:\Engineering is shared as `\\AD1\Engineering` +- C:\Shares: 81.77 GB, C:\Users: 80.38 GB, C:\ProgramData: 40.23 GB +- Plan: 
Add new virtual disk on ESXi, move Engineering data to new volume +- ESXi host: 192.168.0.122 (root / Gptf*77ttb!@#!@#) — SSH failed, needs web UI + +### AD1 Access +- WinRM: 192.168.0.27, INTRANET\sysadmin / Paper123!@#, NTLM +- Via Tailscale D2TESTNAS route (192.168.0.0/24) + +--- + +## Infrastructure Changes + +### Tailscale Routing +- **Changed:** 172.16.0.0/22 route moved from ACG pfSense to D2TESTNAS +- **Reason:** Neptune (172.16.3.11) is at Dataforth, same IP range as ACG office +- **D2TESTNAS advertised routes:** 192.168.0.0/24, 192.168.100.0/24, 172.16.0.0/22 +- **ACG pfSense:** 172.16.0.0/22 route disabled +- **[WARNING]:** ACG office can't reach its own 172.16.x.x via Tailscale until restored + +### D2TESTNAS SSH Key +- Generated ed25519 key on acg-guru-5070: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE59Jz7w2PBYMUZySIT7WtUHv/ek5hCwYQefUqsPY/QN guru@acg-guru-5070` +- Authorized on D2TESTNAS for root +- D2TESTNAS SSH: root@192.168.0.9 (key auth works, password Paper123!@#) + +### CachyOS Workstation +- **SSH key generated:** ~/.ssh/id_ed25519 (guru@acg-guru-5070) +- **Brightness fix:** Added `acpi_backlight=native` to kernel cmdline in /boot/limine.conf — takes effect on reboot +- **Root cause:** KDE powerdevil using nvidia_0 (max=100) scale but writing to intel_backlight (max=496) + +### Claude Code Memory System +- Moved from ~/.claude/projects/-home-guru-ClaudeTools/memory/ to repo at .claude/memory/ +- Symlinked system path to repo path +- CLAUDE.md updated with instructions for other machines +- Synced to Gitea + +--- + +## Neptune Outstanding Issues (for next session) + +1. **SNAT rule** — outbound mail going as 67.206.163.122 not .124. Check UDM (192.168.0.254) `/data/on_boot.d/10-neptune-snat.sh`. UDM SSH password (Paper123!@#-unifi) was rejected. +2. **No PTR record for 67.206.163.122** — Gmail rejecting +3. **67.206.163.122 blacklisted** — at least by bassanonet.it/Aruba +4. 
**MAIL ghost server** — decommissioned but still in Exchange transport config +5. **Spam queues** — ~25 retry queues to junk domains +6. **Tailscale route** — needs permanent solution (currently D2TESTNAS, ACG office may need it back) + +--- + +## Pending Tasks + +1. **MODERN_STILE_20** — ScreenConnect reinstall via Intune script v2 (pending execution) +2. **Lonestar MDM** — Disable self-enrollment in ManageEngine when Zoho portal works +3. **AD1 disk** — Add new ESXi virtual disk, move C:\Engineering to new volume +4. **Neptune issues** — SNAT, PTR, blacklist, MAIL server cleanup, spam queues +5. **Tailscale routing** — permanent solution for 172.16.0.0/22 conflict + +--- + +## Credentials Referenced This Session + +### Neptune Exchange +- Host: 172.16.3.11 (via Tailscale through D2TESTNAS) +- WinRM: ACG\administrator / Gptf*77ttb## +- Exchange PS: http://neptune.acg.local/PowerShell/ (Kerberos) + +### MVAN Enterprises M365 +- Tenant: mvan.onmicrosoft.com +- Admin: sysadmin@mvaninc.com / r3tr0gradE99# +- Claude-MSP-Access App: fabb3421-8b34-484b-bc17-e46de9703418 +- Client Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO + +### Dataforth AD1 +- Host: 192.168.0.27 +- User: INTRANET\sysadmin / Paper123!@# +- ESXi: 192.168.0.122, root / Gptf*77ttb!@#!@# + +### D2TESTNAS +- Host: 192.168.0.9 +- User: root / Paper123!@# (also key auth from acg-guru-5070) + +### Lonestar Electrical Google Workspace +- Admin: sysadmin@lonestarelectrical.net +- ManageEngine MDM: mike@azcomputerguru.com (Zoho account) +- MDM URL: https://mdm.manageengine.com/webclient + +### ScreenConnect +- Instance: https://computerguru.screenconnect.com
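Review bot: in clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md the CRITICAL item's "Action: Investigate what's consuming space, clean up or expand" is already answered by the second file in this same commit (C:\Engineering at 787.66 GB, shared as \\AD1\Engineering, plan to add an ESXi virtual disk and move the data), so record the finding and the plan here as well or link to session-logs/2026-03-23-session.md; otherwise the client-facing report is stale the moment it lands. The "**PDF Location:** ~/Downloads/Detail Report - Dataforth Corporation [BETA].pdf" line is a path on one workstation and will not resolve for anyone else reading the repo; either commit the PDF beside the report or cite only the report title and date. The "## Total Installed Programs: 84" line is a data point, not a section, and reads better as a bullet under "Software Inventory Highlights".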
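Review bot: session-logs/2026-03-23-session.md commits live credentials in cleartext and should not merge as written: the Neptune WinRM password under "### Neptune Access", the MVAN admin password and the Claude-MSP-Access "**Client Secret:**" under "### Intune ScreenConnect Deployment", the AD1 and ESXi root passwords under "### AD1 Access" and the "ESXi host" plan line above it, the D2TESTNAS root password under "### D2TESTNAS SSH Key", the UDM SSH password in "Neptune Outstanding Issues" item 1, and the whole "## Credentials Referenced This Session" section. Replace each value with a reference to the password-manager or secrets-store entry, and treat every value as exposed: it is now in git history, and the "### Claude Code Memory System" section states this repo syncs to Gitea across all machines, so rotate the passwords and regenerate the client secret before rewriting history; the multi-tenant Graph app that pushes Intune PowerShell scripts to managed devices is the highest-impact item. Smaller point: the ScreenConnect installer URL carries "c=MVAN%20Enterprised", a typo in the company-name parameter that will label the deployed agents, and since "Script v2" for MODERN_STILE_20 is still pending, fix the URL in that script before it runs.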