diff --git a/.tmp-xen-snapvdi.py b/.tmp-xen-snapvdi.py new file mode 100644 index 0000000..c45cdec --- /dev/null +++ b/.tmp-xen-snapvdi.py @@ -0,0 +1,17 @@ +import os, paramiko +host="192.168.0.104"; user="root"; pw=os.environ["XEN_PW"] +c=paramiko.SSHClient(); c.set_missing_host_key_policy(paramiko.AutoAddPolicy()) +c.connect(host, username=user, password=pw, timeout=20, + disabled_algorithms={'pubkeys': ['rsa-sha2-256','rsa-sha2-512']}, + look_for_keys=False, allow_agent=False) +def run(cmd): + i,o,e=c.exec_command(cmd,timeout=120); return (o.read().decode(errors="replace")+e.read().decode(errors="replace")).strip() +g_vdi="828ea0ff-04c7-4f7c-9e4d-baa9e15d72bd" # G: = "2003 Disk 2" xvdb +print("=== snapshotting G: VDI for consistent export ===") +snap=run(f'xe vdi-snapshot uuid={g_vdi}') +print("snapshot VDI uuid:", snap) +print("=== snapshot details ===") +print(run(f"xe vdi-param-list uuid={snap} | grep -iE 'uuid \\(|name-label|virtual-size|is-a-snapshot|sr-name-label'")) +print("=== dom0 free space (confirm we must stream, not stage locally) ===") +print(run("df -h / /var/tmp 2>/dev/null | head")) +c.close() diff --git a/clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-gpo-disable.md b/clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-gpo-disable.md new file mode 100644 index 0000000..1ba458c --- /dev/null +++ b/clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-gpo-disable.md 
@@ -0,0 +1,117 @@ +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Disabled two RMM-agent deployment GPOs in the Valley Wide Plastering (VWP) Active Directory +domain. The session began with a quick credential question (Gemini API key — none exists; the +`agy`/Gemini CLI integration is keyless via Google OAuth), then moved to the primary task on the +VWP domain controllers. + +Loaded VWP context from `wiki/clients/valleywide.md` and the vault. Confirmed the live AD domain +is `VWP.US` (NetBIOS `VWP`, PDC = `VWP-DC1.VWP.US`) — correcting the wiki's `vwp.local` reference, +which is not the actual AD DNS root. Both DCs were reachable over the already-connected VPN: +VWP_ADSRVR (192.168.0.25) and VWP-DC1 (172.16.9.2). Used VWP_ADSRVR as the entry point because it +has working ed25519 SSH key auth for `vwp\guru`. + +Enumerated all domain GPOs and located the target: a GPO named `Syncro` +(`{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`), a machine-assigned software-installation policy that +deploys the Syncro agent MSI, linked at the domain root (applies to all domain computers) and +fully enabled. After confirming method with the user, disabled it (set GpoStatus to +AllSettingsDisabled). The user then requested the same for the second RMM GPO — `Datto RMM Agent +install by immediate scheduled task` (`{9795454E-4C25-4B3F-8655-9DF5F46054FF}`), also linked at +the domain root — which was likewise disabled. Both are confirmed `flags=3` on ADSRVR. This looks +like a Syncro→Datto migration cleanup, but both deployment mechanisms were disabled per the user's +instruction. + +## Key Decisions + +- **Disabled via LDAP `Set-ADObject` (`flags=3`) rather than `Set-GPO`/GPMC.** `Get-GPO`/`Set-GPO` + failed with `0x80072020` over SSH — the GPMC COM layer needs to bind to SYSVOL over SMB, and the + key-based SSH logon has no delegatable credentials (classic double-hop). 
Pure-LDAP cmdlets + (`Get-ADDomain`, `Get-ADObject`, `Set-ADObject`) work because they bind directly to the local + DC. Setting the GPC `flags` attribute to `3` is exactly equivalent to + `Set-GPO -Status AllSettingsDisabled`. +- **Chose AllSettingsDisabled over unlinking.** Disables the GPO wherever linked, is fully + reversible (set `flags` back to `0`), and is a single object change. Both GPOs are only linked at + the domain root today, so the effect is identical to disabling the link. +- **Left the GPOs linked and present (not deleted/unlinked).** Reversible and non-destructive. +- **Did not attempt to uninstall existing agents.** Disabling a deployment GPO stops future + installs/reinstalls but does not remove agents already present — flagged to the user as a + separate task. + +## Problems Encountered + +- **`Get-GPO -All` → `0x80072020` (operations error) over SSH.** Cause: GPMC COM double-hop (no + delegatable creds on the SSH key logon). Resolution: enumerated GPOs and read/wrote status via + LDAP cmdlets instead, and read GPO contents from the local SYSVOL path on the DC. +- **Cross-DC verification via `-Server VWP-DC1.VWP.US` failed** ("Unable to contact the server … + AD Web Services"). Cause: ADWS on the remote DC not answering from the SSH session context + (ADWS/double-hop). Not a write failure — the writes committed locally on ADSRVR and will + replicate via normal AD replication. Verified `flags=3` on ADSRVR for both GPOs. + +## Configuration Changes + +AD directory changes on domain `VWP.US` (no repo files changed for the VWP work): +- GPO `Syncro` `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`: `flags` 0 → 3 (AllSettingsDisabled). +- GPO `Datto RMM Agent install by immediate scheduled task` `{9795454E-4C25-4B3F-8655-9DF5F46054FF}`: + `flags` 0 → 3 (AllSettingsDisabled). + +Repo: +- Created this session log. + +## Credentials & Secrets + +No new credentials discovered or created. 
Used existing vaulted access: +- `clients/vwp/adsrvr` — SSH key auth `vwp\guru` (ed25519); domain admin `vwp\sysadmin`. +- Gemini API key: confirmed **none exists** — `agy`/Gemini CLI is keyless (Google OAuth, + `~/.gemini/oauth_creds.json`). + +## Infrastructure & Servers + +- **AD domain:** `VWP.US` (NetBIOS `VWP`). PDC emulator: `VWP-DC1.VWP.US`. + - Note: wiki says `vwp.local`; the actual AD DNS root is `VWP.US`. SYSVOL path: + `C:\Windows\SYSVOL\sysvol\vwp.us\Policies\{GUID}`. +- **VWP_ADSRVR** — 192.168.0.25, DC + SSH entry point, Server 2019. SSH ed25519 key auth for + `vwp\guru`. Default shell cmd.exe — wrap with `powershell -NoProfile -Command`. +- **VWP-DC1** — 172.16.9.2, PDC emulator, NPS/RADIUS, `VWP-DC1.VWP.US`. +- Both reachable over VPN this session. + +## Commands & Outputs + +- Domain identity: `Get-ADDomain` → `DNSRoot=VWP.US NetBIOS=VWP PDC=VWP-DC1.VWP.US`. +- Enumerate GPOs (LDAP, avoids GPMC double-hop): + `Get-ADObject -Filter { objectClass -eq 'groupPolicyContainer' } -Properties displayName,gPCFileSysPath,flags` +- Find links: `Get-ADObject -LDAPFilter "(gPLink=**)" -SearchBase ` → + both target GPOs linked at `DC=VWP,DC=US` (domain root, `;0` = enabled, not enforced). +- Syncro GPO contents (local SYSVOL): `Machine\Applications\{B2B45EC0-548F-4187-9065-E4575A652ACD}.aas` + → machine-assigned software installation (MSI deploy). +- Disable: `Set-ADObject -Identity "CN={},CN=Policies,CN=System,DC=VWP,DC=US" -Replace @{flags=3}` + → verified `flags=3` for both on ADSRVR. +- `Get-GPO -All` → `0x80072020` (double-hop; use LDAP path instead). + +## Pending / Incomplete Tasks + +- **Existing RMM agents not removed.** Disabling the GPOs stops deployment/reinstall only. If the + intent is full Syncro removal (and/or Datto), uninstall existing agents separately (managed + uninstall, or removal via the RMM platform). Awaiting user direction. 
+- **Wiki correction:** update `wiki/clients/valleywide.md` to reflect the AD DNS root is `VWP.US`, + not `vwp.local` (vwp.us is the live AD domain, not just an external FQDN domain). +- **Replication spot-check:** ADWS on VWP-DC1 not reachable from the SSH session; confirm the + `flags=3` change replicated to DC1 on a future visit if desired (normal replication expected). +- **Next project (this session):** Peaceful Spirit AD + DFS investigation and setup (started a few + days ago) — resuming after this save. + +## Reference Information + +- Syncro GPO GUID: `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}` +- Datto RMM GPO GUID: `{9795454E-4C25-4B3F-8655-9DF5F46054FF}` +- Other domain-root GPOs observed (untouched): `Default Domain Policy` + `{31B2F340-016D-11D2-945F-00C04FB984F9}`, `Enable SMB1 Client` + `{22068DEC-5E9A-4539-B8C5-2C08F2DD9AE0}`, `MappedDrives` + `{7D1AAC5B-2E39-4D6C-9248-AEC511E2A86D}`, `Default Domain Controllers Policy` + `{6AC1786C-016F-11D2-945F-00C04FB984F9}`. +- Vault: `clients/vwp/adsrvr`, `clients/vwp/dc1`. +- Wiki: `wiki/clients/valleywide.md`.
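Review bot: in the `.tmp-xen-snapvdi.py` hunk, `run()` concatenates stdout and stderr and never checks the exit status, so if `xe vdi-snapshot uuid=...` fails the error text lands in `snap` and is interpolated unquoted into the following `xe vdi-param-list uuid={snap} | grep ...` command; read `o.channel.recv_exit_status()` after `o.read()`, raise on non-zero, and validate `snap` against a UUID pattern before reusing it. The same hunk also sets `set_missing_host_key_policy(paramiko.AutoAddPolicy())` for a root password logon to dom0, which accepts whatever host key is presented on first contact; load the known host key (`c.load_system_host_keys()` or `c.load_host_keys(...)`) and keep the default `RejectPolicy` instead. Finally, a throwaway script named `.tmp-*` with a hard-coded internal host address and VDI uuid at the repository root looks like it was committed by accident; either move it under the relevant client directory with a comment explaining the `disabled_algorithms` workaround for the old dom0 sshd, or drop it from the commit and add `.tmp-*` to `.gitignore`.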
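Review bot: in the session-log hunk, the "Commands & Outputs" section records two commands that cannot be replayed as written: the link search `Get-ADObject -LDAPFilter "(gPLink=**)" -SearchBase ` has no `-SearchBase` value (the log states the links were found at `DC=VWP,DC=US`, so that is presumably what was used), and the disable line `-Identity "CN={},CN=Policies,CN=System,DC=VWP,DC=US"` has an empty GUID; either fill in the values actually run or mark them as templates. Separately, "Reference Information" lists an `Enable SMB1 Client` GPO linked at the domain root as observed but untouched; since that keeps SMB1 enabled on every domain computer, it belongs in "Pending / Incomplete Tasks" as a security follow-up to raise with the client, alongside the existing replication spot-check item.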