From 9467b3e43733e3899c39d32b0b3af735cc1a2cab Mon Sep 17 00:00:00 2001
From: Mike Swanson <mike@azcomputerguru.com>
Date: Thu, 28 May 2026 11:22:48 -0700
Subject: [PATCH] sync: auto-sync from GURU-BEAST-ROG at 2026-05-28 11:22:44

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-05-28 11:22:44
---
 .../session-logs/2026-05-28-session.md        | 115 ++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 clients/sif-oidak/session-logs/2026-05-28-session.md

diff --git a/clients/sif-oidak/session-logs/2026-05-28-session.md b/clients/sif-oidak/session-logs/2026-05-28-session.md
new file mode 100644
index 0000000..cf20251
--- /dev/null
+++ b/clients/sif-oidak/session-logs/2026-05-28-session.md
@@ -0,0 +1,115 @@
+# Session Log — 2026-05-28
+
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** GURU-BEAST-ROG
+- **Role:** admin
+
+---
+
+## Session Summary
+
+Mike requested a remote password reset for domain user `jalbert` (Joshua Albert) on SIF-SERVER, the domain controller for Sif-oidak District - Tohono O'odham Nation (SifOidak.local). The work was performed entirely via GuruRMM remote PowerShell execution, with no direct RDP or console session required. A new Syncro ticket was created and billed as a 30-minute remote session.
+
+The GuruRMM agent on SIF-SERVER (agent ID `def9fdbb-020b-498d-9d3b-edf5912ba298`) was confirmed online before executing commands. Initial recon confirmed SIF-SERVER is a Windows domain controller (DomainRole >= 4) running on the SifOidak.local domain. The user `jalbert` was identified as a domain AD account (not local). A test `whoami` command confirmed execution context as `NT AUTHORITY\SYSTEM`.
+
+The AD password reset was executed via `Set-ADAccountPassword` with a new temporary password. An initial attempt to set `ChangePasswordAtLogon $true` was blocked by AD because the account had `PasswordNeverExpires = $true` — these two flags are mutually exclusive. `PasswordNeverExpires` was cleared, and `net user jalbert /logonpasswordchg:yes /domain` was used to set the must-change flag. Mid-flow, Mike revised the requirement and directed that no must-change flag be applied. The flag was cleared via `net user jalbert /logonpasswordchg:no /domain`, confirmed via ADSI DirectorySearcher showing `pwdLastSet` at a non-zero value.
+
+A Syncro ticket (#32341) was created for Sif-oidak District - Tohono O'odham Nation, initial issue and resolution comments posted, 0.5 hours of remote labor billed at $150/hr ($75.00 total), invoice created (#1650451827), ticket marked Invoiced, and a bot alert posted to #bot-alerts.
+
+---
+
+## Key Decisions
+
+- **Cleared PasswordNeverExpires on jalbert:** Required as a precondition to setting the must-change flag. Left cleared after Mike revised the requirement — better security posture than re-enabling it, and Mike did not ask to restore it.
+- **Used `net user /logonpasswordchg` instead of `Set-ADUser -ChangePasswordAtLogon`:** The PowerShell cmdlet `Set-ADUser` rejected both flags simultaneously and had serialization issues in single-line commands. `net user /domain` proved reliable for toggling the flag and produced clean output.
+- **Temporary password `Temp1234!`:** Chosen to meet AD password complexity requirements (uppercase, lowercase, digit, special char) while being simple to communicate verbally. Not vaulted — short-lived credential for immediate handoff.
+- **No appointment created in Syncro:** Work was already complete at ticket creation time; no scheduled block needed.
+
+---
+
+## Problems Encountered
+
+- **`Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true` failed with "One or more properties are invalid":** AD does not allow setting both in one call. Fixed by splitting into two sequential calls — clear `PasswordNeverExpires` first, then set `ChangePasswordAtLogon`.
+- **`Set-ADUser -ChangePasswordAtLogon $true` continued to fail even after clearing `PasswordNeverExpires` in a prior step within the same command string:** Root cause unclear (possible AD replication delay or cmdlet behavior). Resolved by switching to `net user jalbert /logonpasswordchg:yes /domain`, which succeeded immediately.
+- **ADSI path construction failed in JSON payload (`[ADSI]'LDAP://RootDSE'` with single quotes):** Single quotes inside a double-quoted JSON string caused PowerShell parse errors. Abandoned that approach; used `net user` instead for the flag toggle and `DirectorySearcher` (double-quoted ADSI path) for verification.
+- **GuruRMM API `/api/agents/{id}/commands` (plural) returned 404:** Correct endpoint is `/api/agents/{id}/command` (singular). Result polling uses `/api/commands/{id}`.
+
+---
+
+## Configuration Changes
+
+- Created `clients/sif-oidak/session-logs/` directory (new)
+- Created `clients/sif-oidak/session-logs/2026-05-28-session.md` (this file)
+
+---
+
+## Credentials & Secrets
+
+- **jalbert temporary password:** `Temp1234!` — short-lived, for immediate user handoff. Not vaulted.
+- **Vault paths accessed:**
+  - `clients/sif-oidak/laptops.sops.yaml` — standard user / local admin creds for Sif-Laptop554/555 (context lookup only)
+  - `infrastructure/gururmm-server.sops.yaml` — GuruRMM API admin credentials used to authenticate API calls
+
+---
+
+## Infrastructure & Servers
+
+| Host | Role | Domain | Agent ID | Status |
+|------|------|--------|----------|--------|
+| SIF-SERVER | Domain Controller (primary) | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online |
+| SIF-SERVER2 | Unknown (secondary DC or member) | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online |
+| Sif-Laptop554 | Endpoint | SifOidak.local | ce868d0f-6381-444d-8fd3-94c563ddc4d9 | Offline |
+| Sif-Laptop555 | Endpoint | SifOidak.local | acb14901-f659-40eb-a59c-b5954de0ba7f | Offline |
+
+- GuruRMM API: `http://172.16.3.30:3001`
+- GuruRMM admin email: `claude-api@azcomputerguru.com`
+
+---
+
+## Commands & Outputs
+
+```powershell
+# Verified execution context
+whoami
+# -> nt authority\system
+
+# Identified domain + DC status + user account type
+$domain = (Get-WmiObject Win32_ComputerSystem).Domain      # SifOidak.local
+$isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4  # True
+Get-ADUser -Identity jalbert  # Found - SamAccountName: jalbert
+
+# Reset AD password
+$pw = ConvertTo-SecureString "Temp1234!" -AsPlainText -Force
+Set-ADAccountPassword -Identity jalbert -NewPassword $pw -Reset
+# -> succeeded (exit 0)
+
+# Set must-change (later reversed)
+net user jalbert /logonpasswordchg:yes /domain
+# -> The command completed successfully.
+
+# Clear must-change (per Mike's revised requirement)
+net user jalbert /logonpasswordchg:no /domain
+# -> The command completed successfully.
+
+# Verify final state via ADSI DirectorySearcher
+# pwdLastSet: <non-zero>  ChangeAtLogon: NO  userAccountControl: 512 (normal enabled)
+```
+
+---
+
+## Pending / Incomplete Tasks
+
+- **PasswordNeverExpires on jalbert is now cleared** (was true before this session). Not restored. If Sif-oidak has a domain policy that exempts service or admin accounts from expiry, this account may need it re-enabled. Worth noting at next contact.
+- **SIF-SERVER2 role unknown** — not investigated during this session. May be a secondary DC or member server.
+
+---
+
+## Reference Information
+
+- **Syncro Ticket:** #32341 — https://computerguru.syncromsp.com/tickets/111395067
+- **Syncro Invoice:** #1650451827 — $75.00 (0.5h remote @ $150/hr)
+- **Syncro Customer ID:** 7694718 — Sif-oidak District - Tohono O'odham Nation
+- **GuruRMM Agent:** def9fdbb-020b-498d-9d3b-edf5912ba298 (SIF-SERVER)
+- **Discord Channel:** #VIA RMM reset jalbert user password...
+- **Bot alert message_id:** 1509622581819478088