From ab640dfe77769f8ae4ef92e59bcf1624d0a252d6 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 30 Jun 2026 17:28:33 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-30 17:28:00 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 17:28:00 --- .../cascades-tucson/docs/printer-gpo-map.md | 38 +++++++++++++ ...6-30-howard-alis-sso-login-model-recall.md | 53 +++++++++++++++++++ ...6-06-30-howard-vlan20-printer-migration.md | 25 +++++++++ ...26-06-29-howard-rmm-onboard-edr-billing.md | 8 +++ 4 files changed, 124 insertions(+) create mode 100644 clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-alis-sso-login-model-recall.md diff --git a/clients/cascades-tucson/docs/printer-gpo-map.md b/clients/cascades-tucson/docs/printer-gpo-map.md index 3e6eb877..df7adca1 100644 --- a/clients/cascades-tucson/docs/printer-gpo-map.md +++ b/clients/cascades-tucson/docs/printer-gpo-map.md 
@@ -32,6 +32,44 @@ prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250 | Memory Care MedTech - Brother MFC-L8900CDW (`\\CS-SERVER\MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → **rename to MEMCARE-***); DESKTOP-LPOPV30 | memory care; karen rossini | **WORKGROUP** | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. **TODO: GPO + domain accounts once joined.** | | `\\CS-SERVER\Kitchen` | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | — | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. | +## Current GPO state (live-inspected 2026-06-30) + +- **NO GPO sets the Point-and-Print policy** (`RestrictDriverInstallationToAdministrators` / Point-and-Print Restrictions / Package Point and Print). This is the missing **Layer 1** — without it, GPP-deployed printers fail to install the driver for standard users (event 513 / 0xBCB). Must be added. +- Printer deployment is via **User-side GPP Printers** (not Deployed Printers / not GPP Computer), linked per-department OU: + - **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled; User GPP Printers + Registry + Shortcuts). Deploys 6 shares (action=Update): `\\CS-SERVER\NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; sets default = NursesPrinter and MCMedTech (the two default=1 entries; intended per-location but no item-level targeting currently parsed). + - **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` (action=Update, no targeting) — **STALE share name; the printer is now shared as `LifeEnrichment`**. + - **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. 
Computer Registry only, no printers. + - **CSC - Printer Deployment** -> not linked, empty. Dead — ignore. +- AD OU structure in play: `Departments/{Caregivers, Life Enrichment}`, `Workstations/Staff PCs`. + +## Target-state design + action list + +**Layer 1 — Point-and-Print policy (NEW computer GPO, fleet-wide).** Create e.g. `CSC - Point and Print (CS-SERVER)`, Computer config, set: +`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`: `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2`. Link at the OU that contains all staff/department workstations (e.g. `Workstations` and/or `Departments`). This makes every GPP/printer install from CS-SERVER silent for standard users. (Same values we set manually on the LE machines this session.) + +**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer going forward: edit the department's GPO -> User Config -> Preferences -> Control Panel Settings -> Printers -> add a **Shared Printer** item, action=Update/Create, path `\\CS-SERVER\`, optional Set this printer as the default + item-level targeting (by security group / location) if needed. Link the GPO to the department OU. + +**Immediate fixes identified:** +1. CREATE the Layer-1 Point-and-Print GPO (above) and link it. (Prerequisite — do first.) +2. REPOINT `CSC - Life Enrichment Printers` from `\\CS-SERVER\RecRoom-Canon` -> `\\CS-SERVER\LifeEnrichment`. +3. UPDATE the CS-SERVER share ports to the new VLAN20 static IPs so the GPO-deployed shares actually print: `MCMedTech` -> 10.0.20.74 (currently 192.168.2.53), `MCReception` -> 10.0.20.78, and audit `NursesPrinter`/`HealthServices`/`MCDirector`/`CopyRoom` ports as those printers migrate. (Front Desk + Life Enrichment shares already repointed this session.) +4. 
Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group) is intact, or re-add it. +5. Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) get direct-IP printers until domain-joined; then move them into the right OU and let the GPO take over. + +## PILOT RESULT (2026-06-30) — important + +Created `CSC - Point and Print (CS-SERVER)` GPO, scoped it (security filter) to ONE machine **DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry landed correctly via GPO** (RestrictDriverInstallationToAdministrators=0 + full PointAndPrint set verified on the machine). + +**BUT the in-session test still PROMPTED:** mapping a printer whose driver was NOT already on the machine (front-desk Epson ET-5800) triggered the elevation prompt for the standard user, even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present (we never actually exercised the install path). + +**Conclusion:** the Point-and-Print policy via GPO is necessary but NOT sufficient on its own to make a *brand-new driver install* silent in a running session. Likely causes: `RestrictDriverInstallationToAdministrators=0` needs a **reboot** to fully take effect (it's a CVE-2021-34527 mitigation), and/or v3 (non-package) drivers (Epson/Canon Generic Plus) still elevate. + +**Two reliable paths (to validate/decide):** +1. **Reboot-dependent:** policy likely only fully effective after the machine reboots (spooler starts with it). Test: reboot a machine, then confirm a new-driver map is silent. Normal for GPO rollout, but unproven for v3 drivers here. +2. **Pre-stage drivers (most reliable, recommended):** deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM, or the direct-IP/SYSTEM method we used on workgroup boxes). 
Then the User GPP printer connection attaches to an already-present driver -> always silent, no reboot/point-and-print-install dependency. + +**State:** GPO is scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). Lauren's machine cleaned (no test artifacts). NOT yet rolled out. Next: decide reboot-test vs pre-stage-drivers, then go live. + ## Machine rename TODO - **RECEPTIONIST-PC** (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. **Rename STAGED 2026-06-30 -> `MEMCARE-STATION`; applies on next reboot** (not forced; user was active). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk. diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-alis-sso-login-model-recall.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-alis-sso-login-model-recall.md new file mode 100644 index 00000000..d6ba6526 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-alis-sso-login-model-recall.md 
@@ -0,0 +1,53 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Short recall/reference session. Howard asked to pull up the ALIS online setup done for Cascades of Tucson and confirm the staff login model: whether usernames just need to match the email address, and whether an ALIS password needs to be set. + +Invoked the `alis` skill for the staff-import/roster context, then read the authoritative record in `wiki/clients/cascades-tucson.md` ("ALIS SSO" section) plus the skill's `references/api-reference.md` and `import_builder.py` login/password logic. Confirmed the setup: ALIS at Cascades is wired for Entra OIDC SSO (tenant-wide admin consent granted 2026-06-03), the per-user join key is the ALIS staff Email field equalling the Entra UPN, and no local ALIS password is required because authentication is delegated to Microsoft/Entra. + +Answered Howard directly: set Login Enabled = Yes with Email = the user's UPN (email), leave Password blank for SSO users. Flagged that the import builder auto-defaults Login Enabled to No when no password is present, so SSO rows must set Login Enabled = Yes explicitly. Also surfaced the still-pending related item from the 2026-06-05 notes: lowering the ALIS app session timeout 20->15 min (Howard, ALIS admin). + +## Key Decisions + +- Treated `wiki/clients/cascades-tucson.md` as the source of truth for the ALIS SSO join model rather than re-deriving from the API — the wiki explicitly records "Per-user join key = ALIS staff Email must equal the Entra UPN." +- No file changes or import build performed — this was a reference/confirmation session only. + +## Problems Encountered + +- None. + +## Configuration Changes + +- None (recall session). Session log created only. + +## Credentials & Secrets + +- None discovered or created. (ALIS API user login remains vaulted at `clients/cascades-tucson/alis-api-howard-user.sops.yaml`; not accessed this session.) 
+ +## Infrastructure & Servers + +- ALIS tenant: Cascades of Tucson, communityId 622; tenant subdomain `cascadestucson`; API host `api.alisonline.com`. +- Identity: hybrid AD `cascades.local` -> Entra/M365 (Entra Connect, PHS + Seamless SSO), UPN suffix `cascadestucson.com`. Windows login = email = M365 = ALIS identity. +- ALIS SSO: Entra app registration -> OIDC into ALIS; tenant-wide admin consent granted 2026-06-03. + +## Commands & Outputs + +- `Skill alis` — loaded staff-import/roster reference. +- Read `wiki/clients/cascades-tucson.md` (ALIS SSO section, lines ~116-146). +- Grep `import_builder.py` — confirmed Login Enabled auto-defaults to No when Email+Password not both present (lines 214-226). + +## Pending / Incomplete Tasks + +- ALIS app session timeout 20->15 min (Howard as ALIS admin) — still pending per 2026-06-05 wiki notes. Not actioned this session. +- No import file was requested/built; offered to build one (Login Enabled=Yes, Email=UPN, no passwords) if needed. + +## Reference Information + +- Wiki: `wiki/clients/cascades-tucson.md` ("ALIS SSO" + "Entra Access Architecture" sections). +- Skill: `C:\Users\Howard\.claude\skills\alis\` — `references/api-reference.md`, `references/role-map.json`, `scripts/import_builder.py`. +- ALIS staff endpoints are READ-ONLY; staff/login writes happen via web UI Staff -> Import (.xls). +- Related prior log: `2026-06-29-howard-alis-caregiver-phoneonly-caretaker-crosscheck.md`. diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md index d3407b6f..92bd44db 100644 --- a/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md 
@@ -114,3 +114,28 @@ Continued the VLAN 20 printer migration with several **workgroup** (not-domain-j - All workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30): domain-join + GPO migration still pending. New IPs/printers this update: Dining Canon MF743CDW 10.0.20.228; Chef Brother MFC-9330CDW 10.0.20.236; MedTech Brother MFC-L8900CDW 10.0.20.74; MemCare front desk Epson ET-5800 10.0.20.78 (not yet set up). + +## Update: 17:27 PT — printer GPO inspection, Point-and-Print GPO build, single-machine pilot (revealed silent-install gap) + +Shifted from per-machine printer setup to the **printer GPO** ("go over it, update docs + policies, keep building"). Inspected the live GPO state, built the missing Point-and-Print policy GPO dark, and piloted it on one machine before going live (per Howard: "not make it live until we can test on a machine that mapping works correctly"). The pilot surfaced a real gap. + +**GPO inspection (live, via CS-SERVER RMM + Get-GPOReport):** +- **No GPO sets the Point-and-Print policy** anywhere (the missing prerequisite; explains the 0xBCB failures). +- Printer deployment = **User-side GPP Printers**, per-department OU: + - `CSC - Caregiver Workstation` -> OU `Departments/Caregivers` (ComputerSettingsDisabled): deploys 6 shares `\\CS-SERVER\`{NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom}; defaults = NursesPrinter + MCMedTech (default=1 entries, no item-level targeting currently). + - `CSC - Life Enrichment Printers` -> OU `Departments/Life Enrichment`: deploys ONE printer `\\CS-SERVER\RecRoom-Canon` = **STALE share name** (now `LifeEnrichment`). + - `CSC - Reception Workstation Policy` -> OU `Workstations/Staff PCs`: Registry only, no printers. + - `CSC - Printer Deployment`: not linked, empty. Dead. 
+- Gotcha: reading SYSVOL Printers.xml via `\\$env:USERDNSDOMAIN\...` FAILS under SYSTEM (that env var is empty for SYSTEM) -> use Get-GPOReport XML (SelectNodes local-name()='SharedPrinter') or the GPO's gpcFileSysPath instead. + +**Built the P&P policy GPO (dark):** `CSC - Point and Print (CS-SERVER)` guid `{BFAB721A-513D-4C14-8255-DEB1D4266830}`, Computer config: `RestrictDriverInstallationToAdministrators=0` + `PointAndPrint`{Restricted=1,TrustedServers=1,ServerList=CS-SERVER,InForest=0,NoWarningNoElevationOnInstall=1,UpdatePromptSettings=2}. Created via New-GPO + Set-GPRegistryValue as the DC's SYSTEM (SYSTEM CAN create/manage GPOs on this DC). Left UNLINKED initially. + +**Pilot (scoped to ONE machine):** DESKTOP-H6QHRR7 (Lauren Hasselman, Staff PCs OU, domain-joined). Scoped via security filter (H6QHRR7=Apply, Authenticated Users=Read) + linked to `OU=Staff PCs,OU=Workstations`. gpupdate -> **policy registry landed correctly on the machine** (verified). BUT the in-session test (map `\\CS-SERVER\FrontDesk`, whose Epson ET-5800 driver was NOT present) **STILL prompted** (watchdog-timeout = elevation dialog), even after a spooler restart; driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present -> the install path was never actually exercised before. + +**Conclusion:** the P&P policy (manual or GPO) is necessary but NOT sufficient alone to make a brand-new driver install silent in a running session. Likely `RestrictDriverInstallationToAdministrators=0` needs a **reboot** to take effect (CVE-2021-34527 mitigation) and/or v3 (Epson/Canon Generic Plus) drivers still elevate. Two paths proposed to Howard: (1) reboot-test a machine; (2) **pre-stage drivers** machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM) so GPP connections always attach to a present driver = silent forever (RECOMMENDED). Awaiting Howard's choice. 
+ +**State:** P&P GPO is scoped to DESKTOP-H6QHRR7 ONLY (security-filtered; not fleet-live, harmless). Lauren's machine cleaned (back to Accounting + Copy Room, no test artifacts, Epson driver NOT installed). Full current-state + target-state design + action list captured in `clients/cascades-tucson/docs/printer-gpo-map.md`. + +**DC gotcha:** the GroupPolicy module (Get-GPOReport / Get-GPO / New-GPLink) is SLOW on the R610 DC via RMM (frequently hit the 90-170s server-side reaper). New-GPO/Set-GPRegistryValue DO complete (only the trailing report render times out) — verify GPO state via fast LDAP (`[adsisearcher]"(objectClass=groupPolicyContainer)"`) + read registry.pol from gpcFileSysPath, NOT Get-GPOReport. Pass big PS scripts via `jq --rawfile` (a file) not `--arg` (inline) — the inline heredoc payloads kept breaking jq ("Invalid numeric literal"). + +Pending (GPO): decide reboot-test vs pre-stage-drivers; then repoint `CSC - Life Enrichment Printers` RecRoom-Canon->LifeEnrichment; update CS-SERVER share ports (MCMedTech .53->.74); broaden the P&P GPO link/filter to go live; add per-printer GPP items as printers migrate. diff --git a/clients/michaeljohnson/session-logs/2026-06/2026-06-29-howard-rmm-onboard-edr-billing.md b/clients/michaeljohnson/session-logs/2026-06/2026-06-29-howard-rmm-onboard-edr-billing.md index 524f0761..c47b8ab3 100644 --- a/clients/michaeljohnson/session-logs/2026-06/2026-06-29-howard-rmm-onboard-edr-billing.md +++ b/clients/michaeljohnson/session-logs/2026-06/2026-06-29-howard-rmm-onboard-edr-billing.md 
@@ -79,3 +79,11 @@ Finally, billed Syncro ticket #32477 (id 113125174, "Onsite - Check machine conn - Datto EDR console: https://azcomp4587.infocyte.com - Vault: `clients/michaeljohnson/gururmm-site-main.sops.yaml`, `clients/michaeljohnson/datto-edr.sops.yaml`. - Baselines: `clients/michaeljohnson/onboarding-baselines/`. + +## Update: 17:27 PT (2026-06-30) — wiki full recompile + +Ran `/wiki-compile client:michaeljohnson --full` after the earlier save. Full Sonnet-mode recompile of `wiki/clients/michaeljohnson.md` (existing article authored earlier this session), serialized behind a coord lock (`wiki/clients/michaeljohnson`, id `953a60a4-d708-47ea-9375-bcefae81e83d`) and staged to `.claude/wiki_staging/` for diff review before applying. + +Pulled live Syncro data for authoritative billing: customer 152567, `prepay_hours = 0.0` (break-fix), 2 assets, no open tickets (#32477 now Invoiced), invoice history since 2013 confirms per-ticket billing at standard rates (latest labor line $175 onsite). Recompile changes: billing made Syncro-authoritative ($175 onsite, break-fix, 2 assets); added a Datto EDR/AV infrastructure block (org/group/agent IDs + vault path); added a History Highlights section (2013 record, GuruRMM onboarding, EDR deploy w/ no-Bitdefender note, #32477 static-IP fix); Active Work updated to "no open tickets" while keeping the P1–P3 remediation items; added an Access section (vault paths only, no raw secrets); Patterns/History preserved per --full. Updated the `wiki/index.md` row (added EDR + $175 onsite + static-IP share; dropped the stale "open #32477"). + +Committed `0eb32e8` and pushed; coord lock released; staging cleared. No code or infra changes this update — documentation only. Open remediation items unchanged (MJ-PARALEGAL firewall + E: full still the two P1 criticals).
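Review bot: in the `Target-state design + action list` section of printer-gpo-map.md, the Layer 1 GPO still prescribes `RestrictDriverInstallationToAdministrators=0` plus `NoWarningNoElevationOnInstall=1` / `UpdatePromptSettings=2` fleet-wide and lists it as step 1 of the immediate fixes, while the `PILOT RESULT` section further down in the same hunk concludes that this policy did not make a new-driver install silent and recommends pre-staging drivers machine-wide as SYSTEM instead. The two sections should be reconciled before the GPO link is broadened: if pre-staging is chosen, standard users never exercise the driver-install path, so the GPO can leave `RestrictDriverInstallationToAdministrators` at its default (the doc itself notes this value is the CVE-2021-34527 mitigation) and the no-warning/no-elevation install settings can be dropped, since the page's own evidence is that connections to an already-present driver map silently without them. If the reboot-test path is chosen instead, add a line stating that CS-SERVER's driver store becomes the trust boundary for every workstation in scope (`TrustedServers=1`, `ServerList=CS-SERVER`) and who is allowed to add drivers or shares there.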
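Review bot: the `Session Summary` in the new ALIS session log records the login model (Login Enabled=Yes, Email=UPN, Password blank) but does not record whether an ALIS user created this way can still sign in through ALIS's own username/password form, or whether local password login is disabled tenant-wide once the Entra OIDC SSO is in place; that is the one fact that decides whether `Login Enabled=Yes` with a blank password is safe to ship in bulk via Staff -> Import, and it belongs in `Key Decisions` or `Reference Information` (and in the wiki's ALIS SSO section the log cites) rather than being left implicit. Minor: the `Commands & Outputs` entries cite `import_builder.py` lines 214-226 and wiki lines ~116-146, which will drift; citing the function or heading name keeps the log stable.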
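Review bot: the `Pilot` paragraph in the 17:27 PT update of the VLAN20 migration log infers the elevation prompt from a watchdog timeout (`watchdog-timeout = elevation dialog`) rather than from anything observed on DESKTOP-H6QHRR7, and the `Conclusion` built on it is explicitly labelled "likely" (reboot needed and/or v3 drivers still elevate). Before the pending `broaden the P&P GPO link/filter to go live` item is actioned, the log should capture the PrintService event log entries from the pilot machine for the failed map (the docs hunk in this same patch already names event 513 / 0xBCB as the signature) so the reboot test has a concrete before/after to compare against instead of a timeout. Also worth one sentence under `DC gotcha`: `CSC - Point and Print (CS-SERVER)` was created and linked by the DC's SYSTEM account via RMM, so record that in the GPO's comment or the wiki for anyone later auditing who created a policy that relaxes driver-install restrictions.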
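Review bot: the 17:27 PT update in the michaeljohnson billing log says the recompile was staged to `.claude/wiki_staging/` for diff review before applying, then jumps to `Committed 0eb32e8 and pushed; coord lock released; staging cleared` without recording that the staged diff was actually reviewed or what the review found. One line stating who reviewed the diff and confirming that no raw secrets were pulled into the article (the update already notes the Access section is vault paths only) closes the loop and makes the lock/stage/commit sequence auditable.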