azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Multi-client work - email routing, Intune deploy, MDM fix, disk analysis

Browse Source 
- Sorensen/RieussetCorp email routing fixed (MailProtector IP auth)
- Neptune SBR routing chain fully documented
- MVAN ScreenConnect deployed via Intune to JUNE and MODERN_STILE_20
- Lonestar MDM self-enrollment identified as cause of personal phone issue
- Dataforth AD1 disk analysis: C:\Engineering 787 GB on DC
- Tailscale routing, SSH keys, brightness fix, memory system to repo

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-03-23 14:45:39 -07:00
parent ad88fc31f0
commit 80509523c8
2 changed files with 262 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md Normal file
View File

@@ -0,0 +1,47 @@
# Galactic Advisors Security Assessment - Dataforth Corporation
**Report Date:** March 23, 2026 (Analyzed March 23, 2026, data collected March 20)
**Source:** Detail Report - Dataforth Corporation [BETA] (Galactic Advisors, Inc.)
**PDF Location:** ~/Downloads/Detail Report - Dataforth Corporation [BETA].pdf
---
## Computers Evaluated (3)
| Date Found | Username | Computer |
|-----------|----------|----------|
| Mar 20, 2026 7:50 PM | sysadmin | AD1 |
| Mar 20, 2026 9:06 PM | jantar | DESKTOP-AH0SLT7 |
| Mar 20, 2026 9:03 PM | tdean | D1-CUST-003 |
## Hard Drive Details (4)
| Size | User | Drive | Used | % | Computer | Free |
|------|------|-------|------|---|----------|------|
| 1862 GB | jantar | D:\ | 7 GB | 0% | DESKTOP-AH0SLT7 | 1855 GB |
| 476 GB | tdean | C:\ | 95 GB | 19% | D1-CUST-003 | 381 GB |
| 1023 GB | sysadmin | C:\ | 926 GB | **90%** | AD1 | 97 GB |
| 237 GB | jantar | C:\ | 71 GB | 29% | DESKTOP-AH0SLT7 | 166 GB |
## Issues to Address
### [CRITICAL] AD1 Disk Space at 90%
- Domain controller C:\ drive is 926 GB / 1023 GB (only 97 GB free)
- Risk: AD replication failures, log space exhaustion, inability to apply updates
- Action: Investigate what's consuming space, clean up or expand
### [INFO] Legacy SQL Components
- Microsoft SQL Server 2008 R2 Native Client (2 installs) — EOL product
- Microsoft SQL Server 2019 LocalDB (1 install)
- Action: Evaluate if 2008 R2 client can be removed or upgraded
### [INFO] Software Inventory Highlights
- **Security/RMM:** Datto RMM (3), Datto EDR Agent (2), ScreenConnect Client (3)
- **Identity:** Entra Connect Health Agent, Entra Connect Sync, Azure AD Connect Agent Updater, Entra Connect synchronization services — hybrid AD sync on AD1
- **Business Apps:** Sage Exchange Desktop (2), Stonefield Query for Sage Pro ERP (2), Paya Connect Desktop (2), Paya Application Deployment (2), Nuvei Terminal Drivers (2)
- **Office:** Microsoft 365 Apps for business (2), Office 16 Click-to-Run (2)
- **Utilities:** PuTTY 0.83, Microsoft IdFix, Quick Restore 8.1.4, Online Backup 8.2, Adobe Acrobat DC
- **Peripherals:** Brother Printer/Scanner/Port drivers, HP LaserJet Pro MFP 3301-3304 3388
- **Other:** Google Play Games (1 workstation), Google Chrome (2), Microsoft Edge (2)
## Total Installed Programs: 84 (across 3 machines)

215
session-logs/2026-03-23-session.md Normal file
View File

@@ -0,0 +1,215 @@
# Session Log: 2026-03-23
## Session Summary
Multi-client session covering email routing fixes, Intune deployments, MDM investigation, infrastructure changes, and workstation maintenance.
### Key Accomplishments
1. **Sorensen/RieussetCorp email routing fixed** — identified MailProtector IP authorization as root cause, added Neptune IPs
2. **Neptune Exchange infrastructure fully documented** — SBR agent chain, config file locations, send connectors, transport agents
3. **MVAN Enterprises ScreenConnect deployed** — pushed via Intune PowerShell scripts to JUNE (confirmed) and MODERN_STILE_20 (pending)
4. **Lonestar Electrical MDM issue investigated** — identified ManageEngine MDM self-enrollment as cause of joser's personal phone MDM prompt
5. **Dataforth Galactic Advisors security report reviewed** — AD1 disk at 90%, C:\Engineering consuming 787 GB
6. **Tailscale routing fixed** — moved 172.16.0.0/22 route from ACG pfSense to D2TESTNAS to reach Neptune
7. **CachyOS workstation** — SSH key generated, brightness hotkey fix (acpi_backlight=native), memory system moved to repo
8. **Claude Code memory system moved in-repo** — now syncs via Gitea across all machines
---
## Client Work: Sorensen / RieussetCorp.com
### Problem
Outbound email not routing properly from Neptune Exchange server, same issue as devcon.
### Investigation
- MX: `10 rieussetcorp-com.inbound.emailservice.io` (MailProtector) -- correct
- SPF: `v=spf1 include:spf.us.emailservice.io -all` -- correct
- mail.rieussetcorp.com: CNAME to mail.acghosting.com -> 67.206.163.124 -- correct
- Neptune SBR agent config files at `C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Custom\`:
- `Microsoft.Exchange.SBR.InternalDomains.config` — rieussetcorp.com listed
- `Microsoft.Exchange.SBR.OverrideSettings.config``rieussetcorp.com;rieussetcorp.sbr` listed
- Send connector `Outbound.Sorensen` exists, smarthost `rieussetcorp-com.outbound.emailservice.io`
- Message tracking from 3/16 showed SETROUTE (Sender Based Routing) and SENDEXTERNAL via Outbound.Sorensen with 250 OK
### Root Cause
MailProtector did not have Neptune's new IPs (67.206.163.124 and .122) authorized as sending servers for rieussetcorp.com.
### Fix
Added 67.206.163.124 and 67.206.163.122 to MailProtector's authorized sender IPs for rieussetcorp.com.
### Neptune SBR Routing Chain (documented for future reference)
1. User sends mail from Exchange mailbox on Neptune (172.16.3.11)
2. Microsoft.Exchange.SBR transport agent (Priority 12) fires on OnResolved
3. SBR reads `OverrideSettings.config` — maps domain to `.sbr` routing domain
4. Exchange matches `.sbr` address space to send connector
5. Send connector smarthosts through MailProtector: `domain-com.outbound.emailservice.io`
6. Also: messageconcept ExSBR agent at Priority 11 (`C:\Program Files\messageconcept\ExSBR\`)
### Neptune Access
- WinRM: 172.16.3.11, ACG\administrator / Gptf*77ttb##, NTLM transport
- Exchange PS: `New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune.acg.local/PowerShell/ -Authentication Kerberos`
- Requires Tailscale route through D2TESTNAS for 172.16.0.0/22
---
## Client Work: MVAN Enterprises
### Intune ScreenConnect Deployment
- **Tenant:** mvan.onmicrosoft.com
- **Admin:** sysadmin@mvaninc.com / r3tr0gradE99#
- **Claude-MSP-Access App:** fabb3421-8b34-484b-bc17-e46de9703418 (multi-tenant Graph API)
- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
### Licenses
- Microsoft Intune Plan 2 (2/2)
- Microsoft 365 Business Premium SPB (4/6)
- Entra ID P2 (1/1)
### Managed Devices
| Device | User | OS | Last Sync | Status |
|--------|------|-----|-----------|--------|
| MODERN_STILE_20 | alisha.p@mvaninc.com | Win 10.0.26100 | Today | Active |
| JUNE | june.b@mvaninc.com | Win 10.0.26200 | Today | Active |
| MITCH-LAPTOP | | Win 10.0.22631 | Feb 15 | Stale |
| MITCH_WORK2 | | Win 10.0.26200 | Nov 2025 | Very stale |
### ScreenConnect Deployment
- **Installer URL:** `https://computerguru.screenconnect.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=MVAN%20Enterprised&c=&c=&c=&c=&c=&c=&c=`
- **Method:** Intune PowerShell script (beta API: deviceManagementScripts)
- **Script v1 ID:** 55661d90-2c13-42fe-a3f1-156e410a74d2 (deleted after JUNE confirmed)
- **Script v2 ID:** 25383326-5d27-4fa2-862d-1550fca3e65b (re-push for MODERN_STILE_20)
- **Dynamic Group (both devices):** 3c804c2e-d2ab-4bc5-8720-16224e138a3c "ScreenConnect Deploy - MVAN Active Devices"
- **Dynamic Group (MS20 only):** 58673ed2-6075-47be-9f26-bb46b3fbb098 "MODERN_STILE_20 - SC Reinstall"
- **Results:** JUNE appeared in ScreenConnect. MODERN_STILE_20 had old version, uninstalled, re-pushed (pending).
### MVAN Device IDs
- MODERN_STILE_20: Intune `6211568f-1c5c-491f-89a7-1aac82127653`, Entra `8b1d5aa6-8acf-4ce3-ab4f-81e37980dc45`
- JUNE: Intune `f478fd56-bccb-4f7e-856f-4a27a172ae4b`
---
## Client Work: Lonestar Electrical
### Problem
joser@lonestarelectrical.net getting MDM enrollment prompt on personal phone.
### Investigation
- Google Workspace admin console: Mobile management = **Basic** (no MDM push)
- ManageEngine MDM (mdm.manageengine.com) is the actual MDM provider
- Admin: mike@azcomputerguru.com (Zoho account, Super Admin)
- Two enrolled devices: Zach and JOSE (both via QR Code, Dec 4 2025, Fully managed — company tablets)
- **Self Enrollment Settings:** Enabled for ALL directory groups, unlimited devices per user, no platform restrictions
- When joser installs ME MDM app on personal phone, self-enrollment prompts
### Fix (pending — page was broken)
- Disable Self Enrollment entirely in ManageEngine MDM (Enrollment > Self Enrollment > Disable)
- Tell joser to uninstall ME MDM app from personal phone
- Path: `https://mdm.manageengine.com/webclient#/uems/mdm/enrollment/self-enrollment/details`
---
## Dataforth: Galactic Advisors Security Report
### Report
- **Source:** "Detail Report - Dataforth Corporation [BETA]" from Galactic Advisors, analyzed March 23 2026
- **PDF:** ~/Downloads/Detail Report - Dataforth Corporation [BETA].pdf
- **Session log:** clients/dataforth/session-logs/2026-03-23-galactic-advisors-report.md
### 3 Computers Evaluated
| Computer | User | Role |
|----------|------|------|
| AD1 (192.168.0.27) | sysadmin | Domain controller |
| DESKTOP-AH0SLT7 | jantar | Workstation |
| D1-CUST-003 | tdean | Workstation |
### [CRITICAL] AD1 Disk at 90%
- C:\ 926 GB / 1023 GB (97 GB free)
- **C:\Engineering: 787.66 GB** (85% of used space) — single subfolder "ENGR"
- C:\Engineering is shared as `\\AD1\Engineering`
- C:\Shares: 81.77 GB, C:\Users: 80.38 GB, C:\ProgramData: 40.23 GB
- Plan: Add new virtual disk on ESXi, move Engineering data to new volume
- ESXi host: 192.168.0.122 (root / Gptf*77ttb!@#!@#) — SSH failed, needs web UI
### AD1 Access
- WinRM: 192.168.0.27, INTRANET\sysadmin / Paper123!@#, NTLM
- Via Tailscale D2TESTNAS route (192.168.0.0/24)
---
## Infrastructure Changes
### Tailscale Routing
- **Changed:** 172.16.0.0/22 route moved from ACG pfSense to D2TESTNAS
- **Reason:** Neptune (172.16.3.11) is at Dataforth, same IP range as ACG office
- **D2TESTNAS advertised routes:** 192.168.0.0/24, 192.168.100.0/24, 172.16.0.0/22
- **ACG pfSense:** 172.16.0.0/22 route disabled
- **[WARNING]:** ACG office can't reach its own 172.16.x.x via Tailscale until restored
### D2TESTNAS SSH Key
- Generated ed25519 key on acg-guru-5070: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE59Jz7w2PBYMUZySIT7WtUHv/ek5hCwYQefUqsPY/QN guru@acg-guru-5070`
- Authorized on D2TESTNAS for root
- D2TESTNAS SSH: root@192.168.0.9 (key auth works, password Paper123!@#)
### CachyOS Workstation
- **SSH key generated:** ~/.ssh/id_ed25519 (guru@acg-guru-5070)
- **Brightness fix:** Added `acpi_backlight=native` to kernel cmdline in /boot/limine.conf — takes effect on reboot
- **Root cause:** KDE powerdevil using nvidia_0 (max=100) scale but writing to intel_backlight (max=496)
### Claude Code Memory System
- Moved from ~/.claude/projects/-home-guru-ClaudeTools/memory/ to repo at .claude/memory/
- Symlinked system path to repo path
- CLAUDE.md updated with instructions for other machines
- Synced to Gitea
---
## Neptune Outstanding Issues (for next session)
1. **SNAT rule** — outbound mail going as 67.206.163.122 not .124. Check UDM (192.168.0.254) `/data/on_boot.d/10-neptune-snat.sh`. UDM SSH password (Paper123!@#-unifi) was rejected.
2. **No PTR record for 67.206.163.122** — Gmail rejecting
3. **67.206.163.122 blacklisted** — at least by bassanonet.it/Aruba
4. **MAIL ghost server** — decommissioned but still in Exchange transport config
5. **Spam queues** — ~25 retry queues to junk domains
6. **Tailscale route** — needs permanent solution (currently D2TESTNAS, ACG office may need it back)
---
## Pending Tasks
1. **MODERN_STILE_20** — ScreenConnect reinstall via Intune script v2 (pending execution)
2. **Lonestar MDM** — Disable self-enrollment in ManageEngine when Zoho portal works
3. **AD1 disk** — Add new ESXi virtual disk, move C:\Engineering to new volume
4. **Neptune issues** — SNAT, PTR, blacklist, MAIL server cleanup, spam queues
5. **Tailscale routing** — permanent solution for 172.16.0.0/22 conflict
---
## Credentials Referenced This Session
### Neptune Exchange
- Host: 172.16.3.11 (via Tailscale through D2TESTNAS)
- WinRM: ACG\administrator / Gptf*77ttb##
- Exchange PS: http://neptune.acg.local/PowerShell/ (Kerberos)
### MVAN Enterprises M365
- Tenant: mvan.onmicrosoft.com
- Admin: sysadmin@mvaninc.com / r3tr0gradE99#
- Claude-MSP-Access App: fabb3421-8b34-484b-bc17-e46de9703418
- Client Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO
### Dataforth AD1
- Host: 192.168.0.27
- User: INTRANET\sysadmin / Paper123!@#
- ESXi: 192.168.0.122, root / Gptf*77ttb!@#!@#
### D2TESTNAS
- Host: 192.168.0.9
- User: root / Paper123!@# (also key auth from acg-guru-5070)
### Lonestar Electrical Google Workspace
- Admin: sysadmin@lonestarelectrical.net
- ManageEngine MDM: mike@azcomputerguru.com (Zoho account)
- MDM URL: https://mdm.manageengine.com/webclient
### ScreenConnect
- Instance: https://computerguru.screenconnect.com