wiki: compile cascades-tucson (full) — CS-SERVER Datto removal + SMB error-67 RMM-test-artifact correction

2026-06-26 09:40:03 -07:00
parent 929598418e
commit c97dd98616
2 changed files with 16 additions and 5 deletions


@@ -2,7 +2,7 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-25
last_compiled: 2026-06-26
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
@@ -96,6 +96,8 @@ sources:
- clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md
- clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-edr-rollout-bitdefender-removal.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-cs-server-smb-migration-diagnosis.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-cs-server-datto-removal-smb-rootcause.md
backlinks:
- projects/gururmm
- wiki/systems/uos-server
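Review bot: The added source `2026-06-25-howard-cs-server-smb-migration-diagnosis.md` is listed on equal footing with the 2026-06-26 root-cause log, although this commit's own title calls the error-67 finding a test artifact. If that diagnosis log carries the error-67 conclusions, mark it as superseded (in the log itself or with a comment on the source entry) so a later recompile does not re-ingest the outage as fact.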
@@ -163,10 +165,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Lupe Sanchez -- staff (DESKTOP-TRCIEJA). EOL workstation (Gateway ZX6971 AIO, i3-2120, 8 GB RAM, Win11 unsupported). **Decision 2026-06-18: replace machine** (dual-AV + EOL hardware causing slow Excel; no remediation on current box). GuruRMM agent `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll).
- **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com.
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** **46.75 hrs as of 2026-06-25 (live Syncro).** Prior: 47.75 hrs as of 2026-06-25 (post-Alma-offboarding session); 48.25 hrs as of 2026-06-24; 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Hours remaining:** **46.75 hrs as of 2026-06-26 (live Syncro).** Prior: 47.75 hrs as of 2026-06-25 (post-Alma-offboarding session); 48.25 hrs as of 2026-06-24; 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Syncro customer ID:** 20149445
- **Managed devices (Syncro):** 29 (live 2026-06-25)
- **Active tickets:** **0 open Syncro tickets as of 2026-06-25 (live Syncro -- end of day).** Previously open work tickets (#32194 spare machine, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) are now closed/resolved per live Syncro pull. **#32230 (Karen->ALDOCS) RESOLVED** (earlier today). 4 hardware items Invoiced (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC. See Active Work and session logs for ongoing project work.
- **Managed devices (Syncro):** 29 (live 2026-06-26)
- **Active tickets:** **0 open Syncro tickets as of 2026-06-26 (live Syncro).** Previously open work tickets (#32194 spare machine, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) are now closed/resolved per live Syncro pull. **#32230 (Karen->ALDOCS) RESOLVED** (earlier today). 4 hardware items Invoiced (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC. See Active Work and session logs for ongoing project work.
- #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 -- Entra setup project (verify status)
- #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced)
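Review bot: In the refreshed **Active tickets** line the as-of date moves to 2026-06-26, but the text still says `#32230 (Karen->ALDOCS) RESOLVED (earlier today)`, which was written for the 2026-06-25 compile; replace "earlier today" with the absolute date. The **Hours remaining** line has a similar gap: the earlier steps each name a ticket or session, but nothing explains the 47.75->46.75 step, so the current balance cannot be reconciled from the ledger alone.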
@@ -371,6 +373,12 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **Accessing cascadesDS from RMM -- always use a user session, not CS-SERVER SYSTEM.** The domain-joined CS-SERVER machine account cannot authenticate to the Synology `Public` share because cascadesDS uses workgroup "CASCADES" (same short name as the AD domain), causing Kerberos auth failures. Run the command in `user_session` context of a machine where the target user is actively logged in.
- **Synology Drive sync scope (as of 2026-06-18):** The Drive Client on CS-SERVER syncs only the **Sync DSM user's My Drive** (`/volume1/homes/Sync/Drive/`) into `D:\Shares\Main` -- one-way download. The real department shared folders (`/volume1/Server`, `/volume1/Management`, `/volume1/Public`, `/volume1/SalesDept`, etc.) are **NOT** in this scope. Note: `synopkg status SynologyDrive` falsely returns "stopped" (status 263) even when active -- verify via `systemctl is-active pkgctl-SynologyDrive` and `netstat -tlnp | grep 6690`.
### CS-SERVER SMB & Endpoint AV (2026-06-26)
- **The "CS-SERVER SMB error 67 outage" was a TEST-METHOD ARTIFACT, not a real outage.** RMM-dispatched SMB client commands (`net use`/`net view`/`Test-Path`/`Get-SmbConnection`, even in `user_session`) **false-negative** -- they return error 67 (BAD_NETWORK_NAME) / RPC 1702 / "none" even for KNOWN-GOOD targets (proven: a user's daily-use NAS failed the same way; a client with a live server-side session showed "no connections" locally). **CS-SERVER SMB is healthy** -- `Get-SmbSession` showed 7 live SMB 3.1.1 users / 30 open files / new sessions forming. **VALIDATE SMB server-side (`Get-SmbSession`/`Get-SmbOpenFile`) or with a REAL interactive test -- never from RMM client-side results.** A drive-map `verify` failure is NOT proof of a problem (skill caveat added; errorlog `rmm/smb-testing`).
- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. **ALL Datto software was fully removed from CS-SERVER 2026-06-26** (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared). CS-SERVER was already de-enrolled from the EDR tenant, so no uninstall token could be issued -- forced removal once the tamper drivers were gone.
- **Karen Rossini share access -- RESOLVED.** `CASCADES\karen.rossini` (reset + vaulted `clients/cascades-tucson/karen-rossini.sops.yaml`, member of `SG-IT-RW`) verified able to open `\CS-SERVER\Server` shares **interactively** from another PC. Her ALDocs desktop shortcut + Quick Access pin were set on DESKTOP-LPOPV30 (`\CS-SERVER\Server\ALDocs`) via the `drive-map` skill. Note: her earlier move to CSCNet (WPA3-SAE) broke NAS-by-name resolution (unrelated side effect).
### Browser / Edge
- **[BUG - FLEET] Edge 149 cannot open Office files via download-list when Downloads is a UNC-redirected folder (Chromium issue 519243472).** A regression introduced in Chromium 149 prepends `\\?\` to UNC paths without converting to the correct `\\?\UNC\` form. **Symptom:** clicking `.xlsx` or `.docx` in the Edge download panel shows "Windows cannot find '\\?\\\cs-server\...'". Text files and PDFs open fine. **Trigger:** Downloads folder redirected via GPO Folder Redirection to a UNC path. **Affected build:** Edge stable 149.0.4022.52. **Fix options (none applied as of 2026-06-08):** (1) Update Edge past the fix; (2) Interim: `--disable-features=LaunchShellExecuteViaExplorer`; (3) Zero-config: use "Show in folder" then double-click from Explorer; (4) Rollback to 148. Note: pinning to 148 forfeits security fixes; prefer option 1 or 3 for HIPAA machines.
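Review bot: The new section states that ALL Datto software was removed from CS-SERVER but does not say what endpoint protection the server runs now. The 2026-06-25 history row on this page names Datto EDR/AV as the ACG-managed endpoint stack, so as written the server reads as having no AV/EDR and no follow-up item. Add a line giving the current AV/EDR state of CS-SERVER and whether re-enrollment in the EDR tenant is planned. Separately, the Karen Rossini bullet shows the share as `\CS-SERVER\Server` with a single leading backslash; a UNC path needs two (`\\CS-SERVER\Server`).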
@@ -598,11 +606,14 @@ Invoiced hardware (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Fr
| 2026-06-24 | **CSC ENT device-island consolidation plan (voice + Helpany).** Merged the Poly 5 GHz fix with the Helpany "Paul" sensor rollout: repurpose the existing CSC ENT SSID as a permanent 5 GHz-only WPA2 PPSK "device island" carrying both the Poly voice handsets (PPSK -> VLAN 30) and the Helpany radar sensors (PPSK -> new VLAN 40), separated at the VLAN layer; both vendors transition their devices remotely. Onsite gate: verify per-room 5 GHz coverage before the band flip. CSC ENT is NOT deleted -- it becomes the WPA2 island that later unblocks moving CSCNet to WPA3/WiFi7/6 GHz. Plan: `docs/network/csc-ent-device-island-plan.md`. |
| 2026-06-25 | **Alma Montt OFFBOARDED (terminated; MC Life Enrichment; no PHI/ALIS).** M365: sessions revoked, sign-in blocked, password reset+vaulted, mailbox -> SharedMailbox (Shelby Trozzi FullAccess+AutoMap), SPB license removed (seat freed), hidden from GAL, removed from groups. On-prem AD: disabled, groups stripped, moved to `OU=Excluded-From-Sync`. No litigation hold (no PHI). **Verified live end-to-end** (Graph + EXO + AD via RMM) and reconciled out of all active plans/rosters. Left a tenant-security item for Mike: the Tenant Admin SP still holds a standing Privileged Authentication Administrator role (Graph blocked the JIT teardown) -- needs GA removal. Record: `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| 2026-06-25 | **Endpoint security migration: Datto EDR/AV rollout + Bitdefender decommission.** Reconciled 33 GuruRMM devices vs 27 Datto EDR agents (org `2d5ea96e`); found 8 coverage gaps. Deployed EDR to 6 online clean machines (reg key `6qw68y2rwl`, target group `1dbd2b02`); fleet count 27->33. Discovered RECEPTIONIST-PC is two distinct physical machines sharing a hostname (serials MJ0KQH4R, MJ0KQHNP); only one had EDR -- installed on the second box (33->34 agents). Removed Bitdefender BEST 8.26.6.644 from both RECEPTIONIST-PC boxes via GravityZone console "Uninstall client" task (API uninstall dead; no uninstall password on policy). Cleaned 6 orphaned `C:\Program Files\Bitdefender` folders (safety-checked). Queued EDR installs + BD-checks on 5-7 offline machines; background watcher `bfm81iqdz` left polling. **Datto EDR/AV is now the ACG-managed endpoint stack; Bitdefender (GravityZone BEST) being fully decommissioned.** |
| 2026-06-26 | **CS-SERVER: full Datto stack removal + SMB "outage" debunked.** The endpoint AV was DattoAV (Datto EDR "Endpoint Protection SDK", Bitdefender engine + Avira Sentry), managed by Datto RMM (CentraStage) + Datto EDR Agent (HUNTAgent/Infocyte, tenant azcomp4587) -- NOT GravityZone Bitdefender (so the console removal did nothing). Removed ALL Datto software (uninstallSdk cleared rtp1/rtp2/BdSentry; CentraStage `/VERYSILENT`; EDR agent force-removed since CS-SERVER was already de-enrolled and the tamper drivers were gone). **The long "SMB error 67" investigation was a TEST-METHOD ARTIFACT** -- RMM-dispatched SMB client cmds false-negative even for good targets; CS-SERVER SMB is healthy (`Get-SmbSession` = 7 users / 30 open files). Karen Rossini share access verified interactively; ALDocs shortcut set on DESKTOP-LPOPV30. Built the `drive-map` skill; logged the RMM-SMB-test friction. |
---
## Compilation Notes
**2026-06-26 recompile (HOWARD-HOME/claude-main):** Refreshed dynamic fields (46.75 hrs, 29 devices, 0 tickets as of 2026-06-26). Added the **CS-SERVER SMB & Endpoint AV (2026-06-26)** pattern: full Datto stack removal, the "error 67" RMM-test-artifact correction (server is healthy), and Karen ALDocs resolution. Patterns/History preserved.
**2026-06-25 recompile #2 (HOWARD-HOME/claude-main) changes vs. prior (2026-06-25 #1, compiled during Alma offboarding session):**
- Main new source: `2026-06-25-howard-edr-rollout-bitdefender-removal.md`. Largest security-posture change since ACG onboarding: endpoint protection is migrating from Syncro-deployed Bitdefender GravityZone BEST to Datto EDR/AV (Infocyte/azcomp4587).
- Infrastructure > endpoint warning block replaced: stale "agent sprawl / clean up the Datto stack" replaced with the active migration status (34 agents enrolled, BD removed from RECEPTIONIST-PC, pending offline machines, confirm Syncro BD deployment removed).
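Review bot: The 2026-06-26 history row has no `Record:` pointer, while the Alma Montt row above it ends with one. A forced EDR-agent removal on a server should be traceable; link the session log this commit adds to `sources` (`2026-06-26-howard-cs-server-datto-removal-smb-rootcause.md`) and say where the `drive-map` skill and the `rmm/smb-testing` errorlog entry live.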


@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **46.75 hrs remaining** (live 2026-06-25); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-25 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **46.75 hrs remaining** (live 2026-06-26); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-26 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
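Review bot: The updated Cascades row moves the hours figure to `(live 2026-06-26)` but still reads `Syncro 0 open tickets (live EOD 2026-06-25)`, while the client page in this same commit reports the ticket count as of 2026-06-26. Update that date so the index row and the article agree.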