sync: auto-sync from GURU-5070 at 2026-06-13 15:49:09

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-13 15:49:09

.tmp-xen-snapvdi.py

@@ -0,0 +1,17 @@
+import os, paramiko
+host="192.168.0.104"; user="root"; pw=os.environ["XEN_PW"]
+c=paramiko.SSHClient(); c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+c.connect(host, username=user, password=pw, timeout=20,
+          disabled_algorithms={'pubkeys': ['rsa-sha2-256','rsa-sha2-512']},
+          look_for_keys=False, allow_agent=False)
+def run(cmd):
+    i,o,e=c.exec_command(cmd,timeout=120); return (o.read().decode(errors="replace")+e.read().decode(errors="replace")).strip()
+g_vdi="828ea0ff-04c7-4f7c-9e4d-baa9e15d72bd"  # G: = "2003 Disk 2" xvdb
+print("=== snapshotting G: VDI for consistent export ===")
+snap=run(f'xe vdi-snapshot uuid={g_vdi}')
+print("snapshot VDI uuid:", snap)
+print("=== snapshot details ===")
+print(run(f"xe vdi-param-list uuid={snap} | grep -iE 'uuid \\(|name-label|virtual-size|is-a-snapshot|sr-name-label'"))
+print("=== dom0 free space (confirm we must stream, not stage locally) ===")
+print(run("df -h / /var/tmp 2>/dev/null | head"))
+c.close()

clients/valleywide/session-logs/2026-06/2026-06-13-mike-vwp-gpo-disable.md

@@ -0,0 +1,117 @@
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** GURU-5070
+- **Role:** admin
+
+## Session Summary
+
+Disabled two RMM-agent deployment GPOs in the Valley Wide Plastering (VWP) Active Directory
+domain. The session began with a quick credential question (Gemini API key — none exists; the
+`agy`/Gemini CLI integration is keyless via Google OAuth), then moved to the primary task on the
+VWP domain controllers.
+
+Loaded VWP context from `wiki/clients/valleywide.md` and the vault. Confirmed the live AD domain
+is `VWP.US` (NetBIOS `VWP`, PDC = `VWP-DC1.VWP.US`) — correcting the wiki's `vwp.local` reference,
+which is not the actual AD DNS root. Both DCs were reachable over the already-connected VPN:
+VWP_ADSRVR (192.168.0.25) and VWP-DC1 (172.16.9.2). Used VWP_ADSRVR as the entry point because it
+has working ed25519 SSH key auth for `vwp\guru`.
+
+Enumerated all domain GPOs and located the target: a GPO named `Syncro`
+(`{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`), a machine-assigned software-installation policy that
+deploys the Syncro agent MSI, linked at the domain root (applies to all domain computers) and
+fully enabled. After confirming method with the user, disabled it (set GpoStatus to
+AllSettingsDisabled). The user then requested the same for the second RMM GPO — `Datto RMM Agent
+install by immediate scheduled task` (`{9795454E-4C25-4B3F-8655-9DF5F46054FF}`), also linked at
+the domain root — which was likewise disabled. Both are confirmed `flags=3` on ADSRVR. This looks
+like a Syncro→Datto migration cleanup, but both deployment mechanisms were disabled per the user's
+instruction.
+
+## Key Decisions
+
+- **Disabled via LDAP `Set-ADObject` (`flags=3`) rather than `Set-GPO`/GPMC.** `Get-GPO`/`Set-GPO`
+  failed with `0x80072020` over SSH — the GPMC COM layer needs to bind to SYSVOL over SMB, and the
+  key-based SSH logon has no delegatable credentials (classic double-hop). Pure-LDAP cmdlets
+  (`Get-ADDomain`, `Get-ADObject`, `Set-ADObject`) work because they bind directly to the local
+  DC. Setting the GPC `flags` attribute to `3` is exactly equivalent to
+  `Set-GPO -Status AllSettingsDisabled`.
+- **Chose AllSettingsDisabled over unlinking.** Disables the GPO wherever linked, is fully
+  reversible (set `flags` back to `0`), and is a single object change. Both GPOs are only linked at
+  the domain root today, so the effect is identical to disabling the link.
+- **Left the GPOs linked and present (not deleted/unlinked).** Reversible and non-destructive.
+- **Did not attempt to uninstall existing agents.** Disabling a deployment GPO stops future
+  installs/reinstalls but does not remove agents already present — flagged to the user as a
+  separate task.
+
+## Problems Encountered
+
+- **`Get-GPO -All` → `0x80072020` (operations error) over SSH.** Cause: GPMC COM double-hop (no
+  delegatable creds on the SSH key logon). Resolution: enumerated GPOs and read/wrote status via
+  LDAP cmdlets instead, and read GPO contents from the local SYSVOL path on the DC.
+- **Cross-DC verification via `-Server VWP-DC1.VWP.US` failed** ("Unable to contact the server …
+  AD Web Services"). Cause: ADWS on the remote DC not answering from the SSH session context
+  (ADWS/double-hop). Not a write failure — the writes committed locally on ADSRVR and will
+  replicate via normal AD replication. Verified `flags=3` on ADSRVR for both GPOs.
+
+## Configuration Changes
+
+AD directory changes on domain `VWP.US` (no repo files changed for the VWP work):
+- GPO `Syncro` `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`: `flags` 0 → 3 (AllSettingsDisabled).
+- GPO `Datto RMM Agent install by immediate scheduled task` `{9795454E-4C25-4B3F-8655-9DF5F46054FF}`:
+  `flags` 0 → 3 (AllSettingsDisabled).
+
+Repo:
+- Created this session log.
+
+## Credentials & Secrets
+
+No new credentials discovered or created. Used existing vaulted access:
+- `clients/vwp/adsrvr` — SSH key auth `vwp\guru` (ed25519); domain admin `vwp\sysadmin`.
+- Gemini API key: confirmed **none exists** — `agy`/Gemini CLI is keyless (Google OAuth,
+  `~/.gemini/oauth_creds.json`).
+
+## Infrastructure & Servers
+
+- **AD domain:** `VWP.US` (NetBIOS `VWP`). PDC emulator: `VWP-DC1.VWP.US`.
+  - Note: wiki says `vwp.local`; the actual AD DNS root is `VWP.US`. SYSVOL path:
+    `C:\Windows\SYSVOL\sysvol\vwp.us\Policies\{GUID}`.
+- **VWP_ADSRVR** — 192.168.0.25, DC + SSH entry point, Server 2019. SSH ed25519 key auth for
+  `vwp\guru`. Default shell cmd.exe — wrap with `powershell -NoProfile -Command`.
+- **VWP-DC1** — 172.16.9.2, PDC emulator, NPS/RADIUS, `VWP-DC1.VWP.US`.
+- Both reachable over VPN this session.
+
+## Commands & Outputs
+
+- Domain identity: `Get-ADDomain` → `DNSRoot=VWP.US NetBIOS=VWP PDC=VWP-DC1.VWP.US`.
+- Enumerate GPOs (LDAP, avoids GPMC double-hop):
+  `Get-ADObject -Filter { objectClass -eq 'groupPolicyContainer' } -Properties displayName,gPCFileSysPath,flags`
+- Find links: `Get-ADObject -LDAPFilter "(gPLink=*<guid>*)" -SearchBase <domainDN>` →
+  both target GPOs linked at `DC=VWP,DC=US` (domain root, `;0` = enabled, not enforced).
+- Syncro GPO contents (local SYSVOL): `Machine\Applications\{B2B45EC0-548F-4187-9065-E4575A652ACD}.aas`
+  → machine-assigned software installation (MSI deploy).
+- Disable: `Set-ADObject -Identity "CN={<guid>},CN=Policies,CN=System,DC=VWP,DC=US" -Replace @{flags=3}`
+  → verified `flags=3` for both on ADSRVR.
+- `Get-GPO -All` → `0x80072020` (double-hop; use LDAP path instead).
+
+## Pending / Incomplete Tasks
+
+- **Existing RMM agents not removed.** Disabling the GPOs stops deployment/reinstall only. If the
+  intent is full Syncro removal (and/or Datto), uninstall existing agents separately (managed
+  uninstall, or removal via the RMM platform). Awaiting user direction.
+- **Wiki correction:** update `wiki/clients/valleywide.md` to reflect the AD DNS root is `VWP.US`,
+  not `vwp.local` (vwp.us is the live AD domain, not just an external FQDN domain).
+- **Replication spot-check:** ADWS on VWP-DC1 not reachable from the SSH session; confirm the
+  `flags=3` change replicated to DC1 on a future visit if desired (normal replication expected).
+- **Next project (this session):** Peaceful Spirit AD + DFS investigation and setup (started a few
+  days ago) — resuming after this save.
+
+## Reference Information
+
+- Syncro GPO GUID: `{F6C27AA4-4A8B-4AA0-B5B9-B0DD47ECF6CA}`
+- Datto RMM GPO GUID: `{9795454E-4C25-4B3F-8655-9DF5F46054FF}`
+- Other domain-root GPOs observed (untouched): `Default Domain Policy`
+  `{31B2F340-016D-11D2-945F-00C04FB984F9}`, `Enable SMB1 Client`
+  `{22068DEC-5E9A-4539-B8C5-2C08F2DD9AE0}`, `MappedDrives`
+  `{7D1AAC5B-2E39-4D6C-9248-AEC511E2A86D}`, `Default Domain Controllers Policy`
+  `{6AC1786C-016F-11D2-945F-00C04FB984F9}`.
+- Vault: `clients/vwp/adsrvr`, `clients/vwp/dc1`.
+- Wiki: `wiki/clients/valleywide.md`.