sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-29 15:30:34
This commit is contained in:
2026-06-29 15:31:29 -07:00
parent a88a360450
commit 9a6e1157a7
9 changed files with 275 additions and 1014 deletions

View File

@@ -2,6 +2,7 @@
## Reference
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
- [GuruRMM User Manager](reference_gururmm_user_manager.md) — GuruRMM has a built-in per-agent User Manager tab (reset_password/enable/disable/groups for local+domain+AAD endpoint users; domain users only on a DC via `is_dc`). Use it, NOT raw Set-ADAccountPassword via /rmm. Endpoints: /api/agents/{id}/users + /users/action.
- [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write.
- [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder.
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand.

View File

@@ -0,0 +1,25 @@
---
name: reference_gururmm_user_manager
description: GuruRMM has a built-in per-agent User Manager (endpoint local/domain/AAD users) — use it, not raw PowerShell
metadata:
type: reference
---
GuruRMM has a **built-in per-agent User Manager tab** (Users + Groups) for managing the
*endpoint's* Windows accounts — do NOT hand-roll `Set-ADAccountPassword`/`net user` via `/rmm`
PowerShell for routine user ops.
- UI: agent detail → **User Manager** tab (`dashboard/src/components/UserManagerTab.tsx`).
- API: `GET /api/agents/{id}/users` (inventory: users, groups, `domain_join_type`, `domain_name`,
`m365_tenant_id`, **`is_dc`**, `last_collected`), `POST /api/agents/{id}/users/refresh`,
`POST /api/agents/{id}/users/action` body `{username, action, value?, new_password?, group_name?}`.
- Actions: `reset_password`, `set_enabled` (enable/disable), `set_password_never_expires`,
`add_to_group`, `remove_from_group`.
- **Scope gate:** local accounts always manageable; **domain accounts manageable only when the agent
IS a DC** (`is_dc` true) — on a non-DC member they show "Managed in AD" (read-only). AAD accounts
show "Managed in Azure" (read-only). So to reset a domain user, target a DC agent.
- Advantage over raw PowerShell: structured action keeps the password out of the RMM command
history (raw `Set-ADAccountPassword` leaks the plaintext into `command_text`).
(Distinct from SPEC-027 / `usersApi` = GuruRMM's OWN dashboard login accounts — different thing.)
Correction logged 2026-06-29 after I wrongly claimed no built-in action existed. See [[reference_resource_map]].