sync: auto-sync from GURU-5070 at 2026-06-29 15:30:34
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-29 15:30:34
This commit is contained in:
@@ -2,6 +2,7 @@
|
||||
|
||||
## Reference
|
||||
- [ACG resource map](reference_resource_map.md) — **READ THIS FIRST** when a task references a server/service/tenant/API. What we have access to, how to connect from this machine, per-machine exceptions, gotchas. Points at the detail files below.
|
||||
- [GuruRMM User Manager](reference_gururmm_user_manager.md) — GuruRMM has a built-in per-agent User Manager tab (reset_password/enable/disable/groups for local+domain+AAD endpoint users; domain users only on a DC via `is_dc`). Use it, NOT raw Set-ADAccountPassword via /rmm. Endpoints: /api/agents/{id}/users + /users/action.
|
||||
- [exchange-op = all-access Exchange tier](feedback_exchange_op_all_access.md) — STOP claiming "no tier can write mail." Exchange Operator app = Exchange Admin role + full_access_as_app + Exchange.ManageAsApp = full all-access (move mail, rules, config, EWS). Default to `exchange-op` for any Exchange write.
|
||||
- [Tedards tenant facts](reference_tedards_tenant_facts.md) — Bill Tedards law office; tenant `4fcbb1f4…`; bt@/y226@ mailboxes; matter-number filing; UAL ingestion OFF; 9 synced devices; botched-import DUPLICATE folder.
|
||||
- [Investigator EXO ManageAsApp gap](reference_investigator_exo_manageasapp_gap.md) — Security Investigator app lacks `Exchange.ManageAsApp` (only `full_access_as_app`) so `investigator-exo` 401s on EXO adminapi; use `exchange-op` tier for InvokeCommand.
|
||||
|
||||
25
.claude/memory/reference_gururmm_user_manager.md
Normal file
25
.claude/memory/reference_gururmm_user_manager.md
Normal file
@@ -0,0 +1,25 @@
|
||||
---
|
||||
name: reference_gururmm_user_manager
|
||||
description: GuruRMM has a built-in per-agent User Manager (endpoint local/domain/AAD users) — use it, not raw PowerShell
|
||||
metadata:
|
||||
type: reference
|
||||
---
|
||||
|
||||
GuruRMM has a **built-in per-agent User Manager tab** (Users + Groups) for managing the
|
||||
*endpoint's* Windows accounts — do NOT hand-roll `Set-ADAccountPassword`/`net user` via `/rmm`
|
||||
PowerShell for routine user ops.
|
||||
|
||||
- UI: agent detail → **User Manager** tab (`dashboard/src/components/UserManagerTab.tsx`).
|
||||
- API: `GET /api/agents/{id}/users` (inventory: users, groups, `domain_join_type`, `domain_name`,
|
||||
`m365_tenant_id`, **`is_dc`**, `last_collected`), `POST /api/agents/{id}/users/refresh`,
|
||||
`POST /api/agents/{id}/users/action` body `{username, action, value?, new_password?, group_name?}`.
|
||||
- Actions: `reset_password`, `set_enabled` (enable/disable), `set_password_never_expires`,
|
||||
`add_to_group`, `remove_from_group`.
|
||||
- **Scope gate:** local accounts always manageable; **domain accounts manageable only when the agent
|
||||
IS a DC** (`is_dc` true) — on a non-DC member they show "Managed in AD" (read-only). AAD accounts
|
||||
show "Managed in Azure" (read-only). So to reset a domain user, target a DC agent.
|
||||
- Advantage over raw PowerShell: structured action keeps the password out of the RMM command
|
||||
history (raw `Set-ADAccountPassword` leaks the plaintext into `command_text`).
|
||||
|
||||
(Distinct from SPEC-027 / `usersApi` = GuruRMM's OWN dashboard login accounts — different thing.)
|
||||
Correction logged 2026-06-29 after I wrongly claimed no built-in action existed. See [[reference_resource_map]].
|
||||
Reference in New Issue
Block a user