sync: auto-sync from HOWARD-HOME at 2026-06-25 12:53:21
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 12:53:21
@@ -123,9 +123,7 @@
- [pfSense 25.07 ops quirks](reference_pfsense_25_07_ops.md) — Cascades pfSense Plus 25.07: logs are PLAIN TEXT (use tail/grep, NOT clog → clog returns empty); clean dhcpd restart = `services_dhcpd_configure()` via slow pfSsh.php (needs 50s+ timeout); dirty boot can leave 2 dhcpd → DISCOVER/OFFER but no ACK; reboot the Cox modem after a config restore; ZFS survives power loss. From the 2026-06-17 power-outage incident.
- [feedback_ascii_only_api_payloads](feedback_ascii_only_api_payloads.md) -- On Windows/Git-bash, non-ASCII chars (em-dash, arrow, smart quotes) in JSON payload TEXT passed to curl get mangled and rejected — Discord bot-alert returns 400, the coord API returns "error parsing the body". Use ASCII-only in API payload text, or a single-quoted heredoc.
- [feedback_bitdefender_unattended_install](feedback_bitdefender_unattended_install.md) -- Bitdefender unattended RMM install must use the FULL KIT as SYSTEM (silent, no UAC) — the downloader stub fails headless and triggers UAC
- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link.
- [feedback_rmm_longops_fire_and_forget](feedback_rmm_longops_fire_and_forget.md) -- Long-running RMM endpoint ops (software installs, big downloads) must be fire-and-forget, not live-monitored
- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link.

## Machine
- [GURU-5070 Workstation Setup](reference_workstation_setup.md) — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's.

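Review bot: the duplicated `feedback_broken_backlinks_are_writeme_markers` index entry is removed here, but the errorlog hunk in this same commit records that memory-dream's orphan detector re-appends it on every `--apply-safe` run because it matches the rendered `[[wikilink]]` text instead of the `](<filename>.md)` link target. Until `scripts/memory_dream.py` is fixed this line will come back, so either land that fix in the same commit or record the workaround next to the index so the next session does not dedup by hand again.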
@@ -23,9 +23,11 @@ import os
import random
import subprocess
import sys
import tempfile
import time
import urllib.error
import urllib.request
from contextlib import contextmanager
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

@@ -111,6 +113,11 @@ CACHE_TTL_SECONDS = 86400
SKILL_DIR = Path(__file__).resolve().parent.parent
CACHE_DIR = SKILL_DIR / ".cache"
CACHE_FILE = CACHE_DIR / "inventory.json"
CACHE_LOCK_FILE = CACHE_DIR / "inventory.lock"
# Best-effort advisory lock for read-modify-write of the cache. Short timeout:
# losing a write-through update is acceptable; hanging the CLI is not.
CACHE_LOCK_TIMEOUT_SECONDS = 5.0
CACHE_LOCK_STALE_SECONDS = 30.0


class GravityZoneError(RuntimeError):

@@ -1136,10 +1143,60 @@ class GravityZoneClient:
return None

def _write_cache(self, cache: dict) -> None:
"""Atomically replace the cache file (temp write + os.replace) so a crash
mid-write or a concurrent reader can never see a truncated file."""
CACHE_DIR.mkdir(parents=True, exist_ok=True)
CACHE_FILE.write_text(
json.dumps(cache, indent=2, sort_keys=True), encoding="utf-8"
)
payload = json.dumps(cache, indent=2, sort_keys=True)
fd, tmp = tempfile.mkstemp(dir=str(CACHE_DIR), prefix=".inventory.",
suffix=".tmp")
try:
with os.fdopen(fd, "w", encoding="utf-8") as fh:
fh.write(payload)
fh.flush()
os.fsync(fh.fileno())
os.replace(tmp, CACHE_FILE) # atomic on the same filesystem
except BaseException:
try:
os.unlink(tmp)
except OSError:
pass
raise

@contextmanager
def _cache_lock(self):
"""Best-effort cross-platform advisory lock around a read-modify-write of
the cache, so two concurrent gz.py invocations don't lose each other's
write-through update. Steals a stale lock; on timeout proceeds unlocked
(a lost update is tolerable, a hang is not)."""
CACHE_DIR.mkdir(parents=True, exist_ok=True)
deadline = time.monotonic() + CACHE_LOCK_TIMEOUT_SECONDS
acquired = False
while True:
try:
fd = os.open(str(CACHE_LOCK_FILE),
os.O_CREAT | os.O_EXCL | os.O_WRONLY)
os.close(fd)
acquired = True
break
except FileExistsError:
try:
age = time.time() - os.path.getmtime(CACHE_LOCK_FILE)
if age > CACHE_LOCK_STALE_SECONDS:
os.unlink(CACHE_LOCK_FILE)
continue
except OSError:
pass
if time.monotonic() >= deadline:
break # give up the lock, proceed unlocked
time.sleep(0.1)
try:
yield
finally:
if acquired:
try:
os.unlink(CACHE_LOCK_FILE)
except OSError:
pass

def _cache_is_fresh(self, cache: dict) -> bool:
fetched = cache.get("fetched_at")

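Review bot: the stale-lock steal in `_cache_lock` (`if age > CACHE_LOCK_STALE_SECONDS: os.unlink(CACHE_LOCK_FILE)`) can delete a lock that another waiter has just acquired. Two processes both observe the stale file; the first unlinks it and immediately re-creates a fresh lock with `O_EXCL`; the second then unlinks that fresh lock and creates its own, so both run the critical section at once, and each `finally: os.unlink(CACHE_LOCK_FILE)` later removes whichever lock file happens to be present, including the other process's. The docstring accepts a lost update, so this is tolerable, but the comment should say the steal itself is racy, or the steal should be made safe: rename the stale file to a unique name before unlinking it (only the process whose rename succeeds proceeds), or write the owner PID into the lock and re-check after the unlink. In `_write_cache`, the claim that a concurrent reader "can never see a truncated file" holds on POSIX, but on Windows `os.replace` raises `PermissionError` while another process has `inventory.json` open; since the docstring calls this cross-platform, catch that case and treat it like the lock timeout (drop the write-through rather than crash). `tempfile.mkstemp` creating the temp file with mode 0600 is the right default for inventory data, and cleaning up `tmp` on `BaseException` before re-raising is correct.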
@@ -1226,27 +1283,29 @@ class GravityZoneClient:
return self.refresh_inventory()

def _cache_add_group(self, group_id: str, name: str) -> None:
cache = self._read_cache()
if cache is None:
return # no cache yet - next refresh picks it up
cache.setdefault("companies", {})
# Groups live in the inventory tree; store under a 'groups' map.
cache.setdefault("groups", {})[group_id] = name
self._write_cache(cache)
with self._cache_lock():
cache = self._read_cache()
if cache is None:
return # no cache yet - next refresh picks it up
# Groups live in the inventory tree; store under a 'groups' map.
cache.setdefault("groups", {})[group_id] = name
self._write_cache(cache)

def _cache_add_package(self, package_name: str, create_result: Any) -> None:
cache = self._read_cache()
if cache is None:
return
packages = cache.setdefault("packages", [])
pkg_id = create_result if isinstance(create_result, str) else None
if isinstance(create_result, dict):
pkg_id = create_result.get("id")
if not any(
(isinstance(p, dict) and p.get("name") == package_name) for p in packages
):
packages.append({"id": pkg_id, "name": package_name})
self._write_cache(cache)
with self._cache_lock():
cache = self._read_cache()
if cache is None:
return
packages = cache.setdefault("packages", [])
pkg_id = create_result if isinstance(create_result, str) else None
if isinstance(create_result, dict):
pkg_id = create_result.get("id")
if not any(
(isinstance(p, dict) and p.get("name") == package_name)
for p in packages
):
packages.append({"id": pkg_id, "name": package_name})
self._write_cache(cache)


def main() -> int:

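Review bot: `cache.setdefault("companies", {})` is silently dropped from the locked version of `_cache_add_group` (the old body had it before the `groups` line). If nothing reads `companies` from a write-through-updated cache this is harmless, but if any reader or `_cache_is_fresh` expects the key to be present it should be restored inside the `with` block; either way the removal deserves a mention in the commit message. It is also worth confirming that `refresh_inventory()` (the `return self.refresh_inventory()` context line at the top of the hunk) takes the same `_cache_lock()` around its own `_write_cache`, otherwise a full refresh racing a write-through still overwrites the just-added group or package, which is exactly the lost update the lock was introduced to prevent. The early `return` inside `with` is fine: the context manager's `finally` releases the lock.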
@@ -1258,9 +1317,4 @@ def main() -> int:
"httpx" if _HAS_HTTPX else "urllib")
return 0
except GravityZoneError as exc:
print(f"[ERROR] {exc}", file=sys.stderr)
return 1


if __name__ == "__main__":
raise SystemExit(main())
prin

1
.x_edr_aid.txt
Normal file
@@ -0,0 +1 @@
99d6d692-99e0-4359-9f9c-f43be89f49e5

1
.x_edr_install_cmd.txt
Normal file
@@ -0,0 +1 @@
84537db7-e9a6-4e95-b024-aa8ab03f0b14

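Review bot: both new dotfiles (`.x_edr_aid.txt`, `.x_edr_install_cmd.txt`) commit a bare GUID with no comment, README entry or naming explanation, and the `x_edr_` prefix suggests they are identifiers for an EDR agent and a remote install command. State in the file (a second line is fine) or in a sibling doc what each GUID refers to and which system issued it, and confirm they belong in the repo rather than in the per-site sops-managed files the rest of the workspace uses for client-specific values, so a future reader can tell an opaque handle from something that must not be published.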
@@ -104,7 +104,7 @@ Nothing else in this tenant is touched. No office staff change. No password cuto

| Item | When | Blocker |
|---|---|---|
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Kyla, etc.; ~~Alma~~ offboarded 2026-06-25) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window |
| **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch |
| **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) |
| **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership |

@@ -55,7 +55,7 @@ The CSV encodes access posture per person with three columns: **Access** (D / P
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* |
| ~~Life Enrichment~~ | ~~Alma R Montt~~ | **OFFBOARDED 2026-06-25** (was MC Life Enrichment) — see `docs/security/offboarding-2026-06-25-alma-montt.md` |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |

@@ -107,7 +107,7 @@ No answer yet. This decision directly changes the license count and the CA polic

| Scenario | Qty | Notes |
|---|---|---|
| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). |
| Office staff with Outside=Y (Office-PHI external-OK) | **17** | ~~18 incl. Alma~~ — Alma offboarded 2026-06-25 (SPB seat freed). Britney removed earlier (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities |

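Review bot: only the first row of the license-math table was carried through (18 → 17); the cumulative rows below it still read **20** and **21**, and the total row still says `21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65**` / `**66** total active identities`, which no longer add up (17 + 2 = 19, + Matt Brooks = 20, giving 64 and 65). Since the header line says this table drives the license count and the CA policy, either propagate the −1 through every row or mark the lower rows as pre-offboarding figures so nobody buys a seat against a stale total.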
@@ -2,6 +2,11 @@

**Status:** Planning — no account creation or license assignment yet.
**Created:** 2026-04-22 (Howard)

> **[RECONCILE 2026-06-25]** Alma R Montt (`Alma.Montt`) was **OFFBOARDED 2026-06-25** (terminated).
> Disregard every "create account / add to SG-External-Signin-Allowed" line for her below; her AD
> account is disabled + moved to `OU=Excluded-From-Sync` and her M365 sign-in is blocked. Persona/seat
> counts that listed her should drop by 1. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
**Inputs:**
- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*)
- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled)

@@ -22,7 +27,7 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l

| Persona | Access | Outside | ALIS | Count | Examples |
|---|---|---|---|---|---|
| **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe |
| **Office-PHI (external-OK)** | D+P | Y | Y | 17 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe (~~Alma~~ offboarded 2026-06-25) |
| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda |
| **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks |

@@ -121,7 +126,7 @@ This collapses the earlier per-persona policy matrix into two primary CA policie
| `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) |
| `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. |

**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 17 office-PHI staff (~~Alma R Montt~~ offboarded 2026-06-25 — do NOT seed). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.

**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`).

@@ -139,7 +144,7 @@ These must be resolved before creating or converting accounts. See also `cascade
| **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. |
| **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. |
| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). |
| ~~**Alma R Montt**~~ — **OFFBOARDED 2026-06-25** | Account was created 2026-05-19, then **terminated + offboarded 2026-06-25** (disabled, groups stripped, OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared). | **No action — do NOT create or grant.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. |
| **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. |
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |

@@ -213,7 +218,7 @@ User-visible impact: one Outlook password prompt on day-of-cutover. **No impact
- Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`)
- Ask Meredith whether to keep or retire `Transportation@` shared mailbox
- Create AD accounts (and let Entra Connect sync to M365) for:
- Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
- ~~Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)~~ — **OFFBOARDED 2026-06-25, skip**
- Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
- Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
- Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first)

@@ -288,7 +293,7 @@ Output goes to `docs/migration/synology-permission-inventory.md`, which is then
- Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5).
- Christine Nyanzunda → one account covers both roles.
- Kyla → `Kyla.QuickTiffany` (her preference).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). **[OFFBOARDED 2026-06-25 — terminated.]**
- Britney Thompson → **departed (John)**. Disable AD + harvest license.
- Polett Pinazavala → **departed (John)**. Remove from roster.
- Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names.

@@ -136,7 +136,7 @@ $printers = @(
}
# Memory Care Reception (EPSON833571 — dc:cd:2f:83:35:71)
# Added 2026-05-29. Driver already installed from FrontDesk ET-5800 — no EPWizard re-run needed.
# Access: OU=Care-Memorycare (GPO ILT). Alma Montt (cloud-only M365) connects manually to \\CS-SERVER\MCReception.
# Access: OU=Care-Memorycare (GPO ILT). (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named.)
@{
IP = '10.0.20.78'
Port = 'TCP_10.0.20.78'

@@ -144,7 +144,7 @@ $printers = @(
Driver = 'EPSON ET-5800 Series'
Share = 'MCReception'
Location = 'Memory Care Reception (Floors 5/6)'
Comment = 'Epson ET-5800 - MemCare Reception / Alma Montt + MC nurses'
Comment = 'Epson ET-5800 - MemCare Reception / MC nurses'
}
)


@@ -147,9 +147,9 @@ Read-only: Management
Access: Directory, Life Enrichment
**Note:** Same LE-new-mapping note as Susan.

### Alma R Montt — MC Life Enrichment
Access: Directory, Life Enrichment
**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.
### ~~Alma R Montt — MC Life Enrichment~~ — OFFBOARDED 2026-06-25
~~Access: Directory, Life Enrichment~~
**Note:** **OFFBOARDED 2026-06-25 (terminated).** Excluded from all share groups — see the live roster `share-group-roster-proposed-2026-06-25.md` and `docs/security/offboarding-2026-06-25-alma-montt.md`.

---

@@ -233,7 +233,7 @@ These names show up on Synology but are not in John's current employee list. The
- **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23).
- **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
- **New CS-SERVER shares to create** (settled 2026-04-23):
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon only (~~Alma~~ offboarded 2026-06-25). LE workstations currently have no mapped drives — this will be their first.
- **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
- **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share.
- **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.

@@ -15,7 +15,7 @@
| 9 | Room 206 (large printer) | 192.168.1.138 | 00:20:6b:b3:4a:55 | Konica Minolta Bizhub C368 | A7PV011016305 | Health Services | Network | Online |
| 10 | Kitchen Manager | 192.168.3.232 | — | Canon imageClass MFC743CDW | — | Alyssa (Brooks) | Network | Online |
| 11 | Chef | 192.168.3.88 | — | Brother MFC-9330CDW | — | Chef | Network | Online |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | Alma Montt (MemCare receptionist), MemCare nurses/users | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | MemCare nurses/users (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named) | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 |
| 13 | MemCare Room 615 | 192.168.2.53 | c8:a3:e8:a2:dd:93 (brwc8a3e8a2dd93) | Brother (model TBD) | — | MedTechs, Nurses | WiFi (static IP) | Online |
| 14 | Meredith's Office | 192.168.2.67 | — | Canon imageClass MF743CDW | — | Meredith (Kuhn) | Network | Online |
| 15 | MemCare Director (Room 603) | 192.168.3.52 | 20:0b:74:b2:29:08 | Canon Color imageClass MF751CDW | — | Shelby Trozzi | Network | Online |

@@ -42,4 +42,4 @@
**The PAA role is still assigned to the SP and must be removed manually** in Entra
(Roles & admins → Privileged Authentication Administrator → remove `ComputerGuru - Tenant Admin`).
Its standing **Conditional Access Administrator** role is intentional — leave that.
- [ ] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`).
- [x] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`) **and all other active plans** (2026-06-25): `docs/servers/active-directory.md`, `docs/printers.md`, `docs/cloud/user-account-rollout-plan.md`, `docs/cloud/p2-staff-candidates.md`, `PLAN-AND-QUESTIONS-2026-04-24.md`, `docs/migration/share-access-matrix-2026-04-23.md`, `docs/migration/scripts/phase2-print-server.ps1`. Dated April/May questionnaires, CSVs, reports, and the archived plan left as historical record.

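Review bot: the reconciliation checkbox is ticked, but the only remaining open item, removing Privileged Authentication Administrator from `ComputerGuru - Tenant Admin`, lives in prose above the checklist rather than as its own `- [ ]` line. That role can reset authentication methods for any user in the tenant, including Global Administrators, so a stranded standing assignment on a service principal is the highest-impact thing left in this record; give it a checkbox with an owner (Mike, per the update text) and a target date so it is tracked and closed the same way the Alma items were, and so the next session does not read the ticked box as "offboarding fully done".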
@@ -11,7 +11,7 @@
## AD Users (updated 2026-05-19)

**Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- ~~Alma.Montt added to OU=Administrative (provisioned 2026-05-19)~~ — **OFFBOARDED 2026-06-25**: AD account disabled, groups stripped, moved to `OU=Excluded-From-Sync`; cloud-only M365 sign-in blocked + mailbox converted to shared. See `docs/security/offboarding-2026-06-25-alma-montt.md`.
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19

@@ -26,7 +26,7 @@
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| ~~Alma.Montt~~ | ~~Alma Montt~~ | ~~Life Enrichment~~ | **OFFBOARDED 2026-06-25 — disabled, groups stripped, moved to OU=Excluded-From-Sync.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |

@@ -180,7 +180,7 @@ cascades.local
├── Domain Controllers
│ └── CS-SERVER
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
│ ├── Administrative — Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson (Alma.Montt offboarded 2026-06-25 → OU=Excluded-From-Sync)
│ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
│ │ └── Nurses (empty sub-OU)
│ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)

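Review bot: the Administrative line now annotates `Alma.Montt` as offboarded and moved, but the unchanged context line directly below still lists `britney.thompson` under Care-Assisted Living with no annotation, even though the Pending-Issues table in this same commit records that account as disabled on 2026-05-20. Since this tree is presented as current-state AD, annotate (or relocate) that entry the same way so a reader cannot take the OU listing as a list of enabled accounts.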
@@ -310,7 +310,7 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti
| LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment |
| MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare |
| MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. Alma Montt (cloud-only M365 — no GPO) connects manually. |
| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. (Alma Montt offboarded 2026-06-25 — reassign to the MC Reception replacement when named.) |

## Group Policy (as of 2026-05-20)

@@ -368,7 +368,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al
| ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — AD disabled. M365: sign-in blocked, license removed, litigation hold applied. |
| ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. |
| ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. |
| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. |
| Cloud-only M365 account — ~~RESOLVED~~ OFFBOARDED | Alma.Montt | **OFFBOARDED 2026-06-25** — AD disabled + moved to OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared (Shelby Trozzi FullAccess). See `docs/security/offboarding-2026-06-25-alma-montt.md`. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. |
| ~~britney.thompson M365 offboarding~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — sign-in blocked, license removed, litigation hold applied via sysadmin@. |

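Review bot: the new Alma row records sign-in blocked and mailbox converted to shared with Shelby Trozzi FullAccess, while both britney.thompson rows in the same table record "litigation hold applied"; for a mailbox that may contain PHI, state explicitly whether a hold or retention was applied to Alma's mailbox (and, if it was, that a shared mailbox under hold still needs an Exchange license) so the two terminations are documented to the same standard. The two rows that stay "Deferred", krbtgt at 569+ days and two non-IT staff in Domain Admins, are the standing items a terminated-user event should prompt a date for rather than another deferral.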
@@ -113,3 +113,32 @@ queue.
- Termination runbook: `docs/security/termination-procedures.md`
- Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802`
- Cascades wiki: `wiki/clients/cascades-tucson.md`

## Update: 12:53 PT — Reconciled Alma out of all active plans

Following the verified offboarding, reconciled Alma Montt out of every forward-looking Cascades
doc so no future session/tech treats her as a current or to-be-created user. The 2026-06-25
proposed share roster was already done (struck + OFFBOARDED) by the lost session. Edited the
remaining active docs, each annotated with `OFFBOARDED 2026-06-25` + a pointer to the offboarding
record (strikethrough preserves the decision history rather than deleting it):

- `docs/servers/active-directory.md` — current-state AD reference: changelog entry, Enabled-Accounts
table row, OU tree (Administrative), MCReception printer access, and Pending-Issues row all updated
to reflect disabled + moved to OU=Excluded-From-Sync.
- `docs/printers.md` — MCReception printer user list (removed Alma; note to reassign replacement).
- `docs/cloud/user-account-rollout-plan.md` — added a [RECONCILE] banner; fixed persona count 18->17,
SG-External-Signin-Allowed seed line, the per-person resolution row, the Wave-1 create list, and the
decision summary.
- `docs/cloud/p2-staff-candidates.md` — license-math count 18->17; candidate roster row.
- `PLAN-AND-QUESTIONS-2026-04-24.md` — Track C / C1 Phase 2 sync list.
- `docs/migration/share-access-matrix-2026-04-23.md` — Alma section + LifeEnrichment share RW list.
- `docs/migration/scripts/phase2-print-server.ps1` — MCReception comment + printer Comment field.

Left as historical record (dated point-in-time artifacts, intentionally NOT rewritten): the April
questionnaires/working-lists/followups, `reports/cascades-staff-2026-04-22.csv`, the Canva and
orphan-deletes reports, the 2026-04-22 HIPAA review, `scripts/create-alma-montt-2026-05-18.ps1`,
`scripts/build-open-questions-docx.py`, and `PLAN-AND-QUESTIONS-2026-04-23-archived.md`.

Ticked the offboarding record follow-up checkbox (reconciliation complete). Remaining open item is
unchanged: Mike to remove the stranded Privileged Authentication Administrator role on the Tenant
Admin SP.

14
errorlog.md
@@ -17,6 +17,20 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·

<!-- Append entries below this line -->

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'groups' failed (rc=127) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'users' failed (rc=127) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120]

2026-06-25 | Howard-Home | memory-dream | orphan detector mis-parses index lines containing [[wikilink]] text: flags feedback_broken_backlinks_are_writeme_markers.md as orphan despite being indexed (L174), so --apply-safe appends duplicate index lines every run. Fix: match orphan on the ](<filename>.md) link target, not the rendered link text. [ctx: skill=memory-dream file=scripts/memory_dream.py recurring=yes]

2026-06-25 | GURU-5070 | remediation-tool/EOP | [friction] checking ACG own-tenant EOP quarantine: reached for investigator-exo (401 - Exchange Admin role only on Exchange OPERATOR SP, not Investigator), then RecipientAddress needs JSON array not string (400); skill has no EOP/quarantine section at all [ctx: ref=feedback_exchange_role_recurring_gap]

2026-06-25 | GURU-5070 | sync/tailscale | [correction] diagnosed 172.16.3.x unreachable as transient blip; real cause was Tailscale node KEY EXPIRY on the subnet-router node (pfSense advertising 172.16.0.0/22) dropping it off the tailnet [ctx: fix=disabled key expiration on the node; symptom=internet OK but whole 172.16.3.x dead]

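Review bot: the syno-ssh entries mix two different failure classes under the same "failed" wording: `shares` and `acl` exit with rc=1 (the command ran and rejected something), whereas `groups` and `users` exit with rc=127, which is the shell's "command not found", so those two recipes are invoking a binary that is not on the PATH of that DSM host rather than failing on input. The recipe should surface that distinction (and the missing command name) instead of a generic rc, otherwise the same six lines will be logged again on the next attempt. On the Tailscale correction: disabling key expiry on the subnet-router node is recorded as the fix, but that removes the periodic re-authentication for the node that advertises 172.16.0.0/22; note in the entry or the pfSense memory that this was a deliberate availability trade-off and what check replaces it (node-status monitoring, for instance), so a later session neither re-enables expiry blindly nor treats the setting as hygiene debt without context.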