session log: 2026-04-30 — Tedards/Bardach/Dataforth MSP work + DKIM setup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 11:19:03 -07:00
parent 18e5a467d2
commit c5b64259a5
2 changed files with 85 additions and 1 deletions

@@ -1 +1 @@
{"sessionId":"4d2b9d2c-b660-489f-8598-0a87605389c2","pid":45148,"acquiredAt":1777321662742} {"sessionId":"31aaef87-777d-44da-b349-33c7d60e9f89","pid":39128,"acquiredAt":1777572911399}
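Review bot: this file is a runtime session lock whose only content is ephemeral process state (`sessionId`, `pid`, `acquiredAt`), and the hunk shows all three values churning from one session to the next, so every commit made from a fresh session will carry a spurious one-line diff here and two concurrent checkouts will conflict on it at merge time. Remove it from tracking (`git rm --cached` the file) and add it to `.gitignore`; the commit message mentions only the session log and the DKIM work, which suggests this change was swept in by a broad `git add` rather than intended.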

@@ -222,3 +222,87 @@ Excluded: Private (intentional)
### Why the deep-dive verdict was "patch held" ### Why the deep-dive verdict was "patch held"
- Each of the 7 actual exploit attempts had distinct cp_security_tokens that, when grep'd against access_log, appeared exactly once each with HTTP 403 against `/json-api/version` (and /applist, /listwwwacctconf, /get_tweaksetting on one). No HTTP 200 with an injected token from any external IP. The patch's session-validation logic is doing its job. - Each of the 7 actual exploit attempts had distinct cp_security_tokens that, when grep'd against access_log, appeared exactly once each with HTTP 403 against `/json-api/version` (and /applist, /listwwwacctconf, /get_tweaksetting on one). No HTTP 200 with an injected token from any external IP. The patch's session-validation logic is doing its job.
---
## Update: 11:25 — Multi-client MSP work (Tedards, Bardach, Dataforth, Cascades/Golden Corral)
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
## Session Summary
The session opened with a request to reset the webmail password for `accounting@tucsongoldencorral.com` on the Neptune Exchange server (67.206.163.124, Exchange 2016). WinRM was firewalled even after a VPN change, and browser automation via ECP at `https://neptune.acghosting.com/ecp` was attempted but interrupted — Mike resolved the password directly via Active Directory on DC16.
The session then shifted to Dataforth M365, granting Dan Center (`dcenter@dataforth.com`) FullAccess to Joel Lohr's (`jlohr@dataforth.com`) mailbox. This was executed via Exchange Operator InvokeCommand (`Add-MailboxPermission`) and completed cleanly with AutoMapping enabled.
Significant remediation tool work followed. The `onboard-tenant.sh` script was patched to assign the **Conditional Access Administrator** directory role to the Tenant Admin service principal at onboard time (resolving a 403 on CA policy Graph endpoints), and Howard's independently discovered `Policy.Read.All` backfill block was retained. A `# TODO(howard)` comment was added to the `role_assigned()` function documenting the PIM roleAssignmentSchedules gap. tedards.net was fully onboarded to the remediation tool suite.
Bardach client work: confirmed Barbara Bardach (`barbara@bardach.net`) holds Exchange Online Plan 2 + EXCHANGEARCHIVE licenses (100GB primary, 110GB archive). Auto-expanding archive was enabled via Exchange Operator InvokeCommand (`Enable-Mailbox -AutoExpandingArchive`), returning `AutoExpandingArchiveEnabled: true`. The bardach.net tenant was freshly onboarded this session.
QuickBooks Desktop 2024 "Missing PDF component" error on Yvonne Tedards' Windows 11 machine: the Amyuni PDF Converter virtual printer was missing entirely. Root cause identified as Windows 11 Protected Print Mode blocking legacy unsigned printer drivers. Steps given: disable Protected Print Mode in Settings, then run QB Repair from Programs and Features. Awaiting confirmation.
Syncro ticket management for Tedards: logged 30 min Remote Business ($75) on ticket #32219 (QB error), and created new ticket #32228 for the email delivery issue with `lindsay@agencyzoomify.com` (no billing yet).
Full DKIM setup for tedards.net was completed end-to-end via automation: selector1/selector2 CNAME values retrieved from M365 Exchange Online, added to the tedards.net DNS zone via WHM API (zone lives directly in WHM on the ACG IX server — no separate cPanel account), and DKIM enabled via `Set-DkimSigningConfig`. Final status: `Enabled: true, Status: Valid`. A `p=none` DMARC record was also added. A cron job was scheduled at 1:17 PM to auto-escalate DMARC to `p=quarantine` if DNS validation passes.
## Key Decisions
- **ECP browser automation for Neptune password reset abandoned** in favor of AD on DC16. WinRM blocked externally; AD reset is the correct tool for Exchange 2016 on-prem.
- **onboard-tenant.sh CA Admin fix via script** rather than ad-hoc patching. Idempotent; safe to re-run against existing tenants.
- **role_assigned() PIM gap flagged as TODO for Howard** — fix requires querying `roleAssignmentSchedules` in addition to `roleAssignments`; deferred to Howard who discovered it.
- **tedards.net DKIM handled via WHM API directly** — no separate cPanel account exists; zone is in WHM under ACG server account. Full automation, no browser required.
- **DMARC escalation deferred 2 hours** to allow propagation verification before moving from `p=none` to `p=quarantine`.
- **Bardach auto-expanding archive** chosen over additional Archive licenses. Exchange Online Plan 2 includes auto-expanding at no extra cost; archive quota becomes unlimited.
## Problems Encountered
- **investigator-exo 401 on tedards.net Exchange Online**: Security Investigator app returns 401 on InvokeCommand. Resolved by switching to exchange-op tier which has `full_access_as_app` Exchange role.
- **WHM account search returned no results for tedards**: tedards.net DNS zone managed directly in WHM (no cPanel account). Confirmed via `dumpzone` API.
- **Get-DkimSigningConfig with Domain parameter returned null**: M365 InvokeCommand rejects the `Domain` parameter on this cmdlet. Resolved by calling with empty parameters and filtering client-side.
- **M365 returned CnameMissing immediately after enabling DKIM**: stale negative cache. Records resolved correctly from 8.8.8.8. Re-running enable after 5 seconds returned `Enabled: true, Status: Valid`.
## Infrastructure and DNS Changes
### tedards.net DNS (WHM on 72.194.62.5)
| Record | Type | Value | Action |
|---|---|---|---|
| selector1._domainkey.tedards.net | CNAME | selector1-tedards-net._domainkey.tedards.w-v1.dkim.mail.microsoft | Added |
| selector2._domainkey.tedards.net | CNAME | selector2-tedards-net._domainkey.tedards.w-v1.dkim.mail.microsoft | Added |
| _dmarc.tedards.net | TXT | v=DMARC1; p=none; sp=none; adkim=r; aspf=r; | Added |
### M365 Changes
| Tenant | Action |
|---|---|
| dataforth.com | dcenter FullAccess to jlohr mailbox (Exchange Online) |
| bardach.net | Auto-expanding archive enabled for barbara@bardach.net |
| tedards.net | DKIM enabled (Enabled: true, Status: Valid) |
## Syncro Tickets
| Ticket | Client | Action |
|---|---|---|
| #32219 (ID 109545451) | Bill/Yvonne Tedards | 30 min Remote Business logged — QB PDF component fix ($75) |
| #32228 (ID 109697650) | Bill/Yvonne Tedards | Created — email delivery issue with lindsay@agencyzoomify.com (no billing yet) |
## Pending Tasks
- **QuickBooks PDF fix confirmation**: Yvonne Tedards, Win11. Steps given (disable Protected Print Mode + QB Repair). Awaiting result.
- **Tedards DMARC escalation**: cron scheduled 1:17 PM to escalate p=none to p=quarantine. Session-only — if Claude exits, run manually.
- **Tedards email issue** (ticket #32228): inability to send/receive email to/from lindsay@agencyzoomify.com. Not yet investigated.
- **Backfill onboard-tenant.sh** against 6 ACG tenants: bg-builders, cascades-tucson, cw-concrete, dataforth, heieck-org, mvan. Scheduled for 21:00 PT per note to Howard.
- **Howard TODO**: Fix `role_assigned()` in onboard-tenant.sh to also query `roleAssignmentSchedules` for PIM-managed assignments.
- **Cascades**: Grant Howard Contributor on `rg-audit-cascadestucson` once he creates the RG.
## Reference
- Neptune Exchange ECP: https://neptune.acghosting.com/ecp (Exchange 2016, on-prem)
- WHM API base: https://72.194.62.5:2087 (credentials in vault: infrastructure/ix-server.sops.yaml)
- tedards.net tenant ID: 4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6
- bardach.net tenant ID: dd4a82e8-85a3-44ac-8800-07945ab4d95f
- Syncro API base: https://computerguru.syncromsp.com/api/v1 (vault: msp-tools/syncro.sops.yaml)
- onboard-tenant.sh: D:/claudetools/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
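Review bot: the `_dmarc.tedards.net` TXT record in the DNS table (`v=DMARC1; p=none; sp=none; adkim=r; aspf=r;`) carries no `rua=` tag, so the `p=none` monitoring phase it is meant to provide will yield no aggregate reports, and the 1:17 PM cron that escalates to `p=quarantine` is gated only on "DNS validation passes", which proves the records resolve, not that every legitimate source of tedards.net mail (the M365 tenant, potentially the WHM/IX server itself, and whatever sender is involved in the still-uninvestigated delivery issue in ticket #32228) passes SPF or DKIM alignment. Add `rua=mailto:<a monitored mailbox>` to the record, allow a real observation window, and escalate on report data rather than on resolution. The escalation is also described as session-only ("if Claude exits, run manually"), i.e. a production DNS policy change for a customer domain scheduled inside a process with no durable record; it belongs in the Syncro ticket or a tracked cron entry instead. Two smaller points: `Get-DkimSigningConfig` takes `-Identity`, not `-Domain`, so the "returned null" workaround of fetching every config and filtering client-side can be replaced by `Get-DkimSigningConfig -Identity tedards.net`; and assigning the Conditional Access Administrator directory role to the Tenant Admin service principal (with a backfill across six tenants at 21:00) grants write access to CA policies to clear what the log describes as a 403 on CA policy Graph reads, while the same hunk says the `Policy.Read.All` backfill was retained, so the log should state whether the tool actually modifies CA policies or why the read permission was not sufficient before a write-capable role was added tenant-wide.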