From d4fd71baabe7b35f20923d8225ac10f174087b03 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 25 Jun 2026 12:54:04 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-25 12:53:21 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 12:53:21 --- .claude/memory/MEMORY.md | 2 - .../skills/bitdefender/scripts/gz_client.py | 110 +++++++++++++----- .x_edr_aid.txt | 1 + .x_edr_install_cmd.txt | 1 + .../PLAN-AND-QUESTIONS-2026-04-24.md | 2 +- .../docs/cloud/p2-staff-candidates.md | 4 +- .../docs/cloud/user-account-rollout-plan.md | 15 ++- .../migration/scripts/phase2-print-server.ps1 | 4 +- .../share-access-matrix-2026-04-23.md | 8 +- clients/cascades-tucson/docs/printers.md | 2 +- .../offboarding-2026-06-25-alma-montt.md | 2 +- .../docs/servers/active-directory.md | 10 +- ...howard-alma-offboarding-recovery-verify.md | 29 +++++ errorlog.md | 14 +++ 14 files changed, 153 insertions(+), 51 deletions(-) create mode 100644 .x_edr_aid.txt create mode 100644 .x_edr_install_cmd.txt diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index e25f2a7d..cb6f5f75 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -123,9 +123,7 @@ - [pfSense 25.07 ops quirks](reference_pfsense_25_07_ops.md) — Cascades pfSense Plus 25.07: logs are PLAIN TEXT (use tail/grep, NOT clog → clog returns empty); clean dhcpd restart = `services_dhcpd_configure()` via slow pfSsh.php (needs 50s+ timeout); dirty boot can leave 2 dhcpd → DISCOVER/OFFER but no ACK; reboot the Cox modem after a config restore; ZFS survives power loss. From the 2026-06-17 power-outage incident. - [feedback_ascii_only_api_payloads](feedback_ascii_only_api_payloads.md) -- On Windows/Git-bash, non-ASCII chars (em-dash, arrow, smart quotes) in JSON payload TEXT passed to curl get mangled and rejected — Discord bot-alert returns 400, the coord API returns "error parsing the body". Use ASCII-only in API payload text, or a single-quoted heredoc. - [feedback_bitdefender_unattended_install](feedback_bitdefender_unattended_install.md) -- Bitdefender unattended RMM install must use the FULL KIT as SYSTEM (silent, no UAC) — the downloader stub fails headless and triggers UAC -- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link. - [feedback_rmm_longops_fire_and_forget](feedback_rmm_longops_fire_and_forget.md) -- Long-running RMM endpoint ops (software installs, big downloads) must be fire-and-forget, not live-monitored -- [Broken [[backlinks]] are write-me-later markers — flesh out from session history, don't delete](feedback_broken_backlinks_are_writeme_markers.md) -- A [[name]] link in a memory body whose target file doesn't exist is NOT an error to clean up — it's an intentional marker that that memory is worth writing. 
When you hit one (or memory-dream lists them), flesh the missing memory out from the session logs / session history, don't strip the link. ## Machine - [GURU-5070 Workstation Setup](reference_workstation_setup.md) — Mike's primary (owner confirmed 2026-05-26). Windows 11 Pro. Renamed from OC-5070 → ACG-5070/acg-guru-5070 → GURU-5070; all the same box, all Mike's. diff --git a/.claude/skills/bitdefender/scripts/gz_client.py b/.claude/skills/bitdefender/scripts/gz_client.py index 8ad2917e..4781bc86 100644 --- a/.claude/skills/bitdefender/scripts/gz_client.py +++ b/.claude/skills/bitdefender/scripts/gz_client.py @@ -23,9 +23,11 @@ import os import random import subprocess import sys +import tempfile import time import urllib.error import urllib.request +from contextlib import contextmanager from dataclasses import dataclass, field from datetime import datetime, timezone from email.utils import parsedate_to_datetime @@ -111,6 +113,11 @@ CACHE_TTL_SECONDS = 86400 SKILL_DIR = Path(__file__).resolve().parent.parent CACHE_DIR = SKILL_DIR / ".cache" CACHE_FILE = CACHE_DIR / "inventory.json" +CACHE_LOCK_FILE = CACHE_DIR / "inventory.lock" +# Best-effort advisory lock for read-modify-write of the cache. Short timeout: +# losing a write-through update is acceptable; hanging the CLI is not. +CACHE_LOCK_TIMEOUT_SECONDS = 5.0 +CACHE_LOCK_STALE_SECONDS = 30.0 class GravityZoneError(RuntimeError): 
@@ -1136,10 +1143,60 @@ class GravityZoneClient: return None def _write_cache(self, cache: dict) -> None: + """Atomically replace the cache file (temp write + os.replace) so a crash + mid-write or a concurrent reader can never see a truncated file.""" CACHE_DIR.mkdir(parents=True, exist_ok=True) - CACHE_FILE.write_text( - json.dumps(cache, indent=2, sort_keys=True), encoding="utf-8" - ) + payload = json.dumps(cache, indent=2, sort_keys=True) + fd, tmp = tempfile.mkstemp(dir=str(CACHE_DIR), prefix=".inventory.", + suffix=".tmp") + try: + with os.fdopen(fd, "w", encoding="utf-8") as fh: + fh.write(payload) + fh.flush() + os.fsync(fh.fileno()) + os.replace(tmp, CACHE_FILE) # atomic on the same filesystem + except BaseException: + try: + os.unlink(tmp) + except OSError: + pass + raise + + @contextmanager + def _cache_lock(self): + """Best-effort cross-platform advisory lock around a read-modify-write of + the cache, so two concurrent gz.py invocations don't lose each other's + write-through update. Steals a stale lock; on timeout proceeds unlocked + (a lost update is tolerable, a hang is not).""" + CACHE_DIR.mkdir(parents=True, exist_ok=True) + deadline = time.monotonic() + CACHE_LOCK_TIMEOUT_SECONDS + acquired = False + while True: + try: + fd = os.open(str(CACHE_LOCK_FILE), + os.O_CREAT | os.O_EXCL | os.O_WRONLY) + os.close(fd) + acquired = True + break + except FileExistsError: + try: + age = time.time() - os.path.getmtime(CACHE_LOCK_FILE) + if age > CACHE_LOCK_STALE_SECONDS: + os.unlink(CACHE_LOCK_FILE) + continue + except OSError: + pass + if time.monotonic() >= deadline: + break # give up the lock, proceed unlocked + time.sleep(0.1) + try: + yield + finally: + if acquired: + try: + os.unlink(CACHE_LOCK_FILE) + except OSError: + pass def _cache_is_fresh(self, cache: dict) -> bool: fetched = cache.get("fetched_at") 
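Review bot: The stale-lock steal in `_cache_lock` is check-then-act: the `os.path.getmtime` test and the `os.unlink` are separate calls, so under contention a process that decided the lock was stale can unlink a fresh lock that another invocation created in between, and the read-modify-write the lock exists to serialize then runs in two processes at once. The docstring's best-effort contract makes this tolerable, but it is worth saying so explicitly, e.g. `# NOTE: mtime check and unlink are not atomic; a contender can remove a lock recreated after the check`. If that window ever matters, an OS-level lock on a persistent file (`fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)` on POSIX, `msvcrt.locking(fd, msvcrt.LK_NBLCK, 1)` on Windows) is released by the kernel when the holder dies and removes the staleness logic entirely. Separately, `os.replace(tmp, CACHE_FILE)` in `_write_cache` can fail with `PermissionError` on Windows when another invocation has the cache file open for reading; since a lost write-through is already declared acceptable, consider catching that case at the call site rather than letting it abort the CLI. Both functions lie entirely within the hunk; `_cache_is_fresh` begins at its end and continues outside.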
@@ -1226,27 +1283,29 @@ class GravityZoneClient: return self.refresh_inventory() def _cache_add_group(self, group_id: str, name: str) -> None: - cache = self._read_cache() - if cache is None: - return # no cache yet - next refresh picks it up - cache.setdefault("companies", {}) - # Groups live in the inventory tree; store under a 'groups' map. - cache.setdefault("groups", {})[group_id] = name - self._write_cache(cache) + with self._cache_lock(): + cache = self._read_cache() + if cache is None: + return # no cache yet - next refresh picks it up + # Groups live in the inventory tree; store under a 'groups' map. + cache.setdefault("groups", {})[group_id] = name + self._write_cache(cache) def _cache_add_package(self, package_name: str, create_result: Any) -> None: - cache = self._read_cache() - if cache is None: - return - packages = cache.setdefault("packages", []) - pkg_id = create_result if isinstance(create_result, str) else None - if isinstance(create_result, dict): - pkg_id = create_result.get("id") - if not any( - (isinstance(p, dict) and p.get("name") == package_name) for p in packages - ): - packages.append({"id": pkg_id, "name": package_name}) - self._write_cache(cache) + with self._cache_lock(): + cache = self._read_cache() + if cache is None: + return + packages = cache.setdefault("packages", []) + pkg_id = create_result if isinstance(create_result, str) else None + if isinstance(create_result, dict): + pkg_id = create_result.get("id") + if not any( + (isinstance(p, dict) and p.get("name") == package_name) + for p in packages + ): + packages.append({"id": pkg_id, "name": package_name}) + self._write_cache(cache) def main() -> int: @@ -1258,9 +1317,4 @@ def main() -> int: "httpx" if _HAS_HTTPX else "urllib") return 0 except GravityZoneError as exc: - print(f"[ERROR] {exc}", file=sys.stderr) - return 1 - - -if __name__ == "__main__": - raise SystemExit(main()) + prin \ No newline at end of file 
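Review bot: The last hunk truncates the module: the body of `except GravityZoneError as exc:` is now the bare name `prin` with no trailing newline, and `return 1` plus the `if __name__ == "__main__": raise SystemExit(main())` guard are gone. The file still parses, so nothing flags it, but running the script now does nothing and an API error surfaces as a `NameError` instead of the `[ERROR]` line and exit status 1 — this looks like the auto-sync capturing a half-written file rather than an intended change. Restore the five removed lines before anything else lands on top of this commit. `main` starts outside the hunk.
```python
    except GravityZoneError as exc:
        print(f"[ERROR] {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    raise SystemExit(main())
```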
diff --git a/.x_edr_aid.txt b/.x_edr_aid.txt new file mode 100644 index 00000000..a26440b5 --- /dev/null +++ b/.x_edr_aid.txt @@ -0,0 +1 @@ +99d6d692-99e0-4359-9f9c-f43be89f49e5 diff --git a/.x_edr_install_cmd.txt b/.x_edr_install_cmd.txt new file mode 100644 index 00000000..f6b8f1bc --- /dev/null +++ b/.x_edr_install_cmd.txt @@ -0,0 +1 @@ +84537db7-e9a6-4e95-b024-aa8ab03f0b14 diff --git a/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md index 0eda75d3..0a4f6dd8 100644 --- a/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md +++ b/clients/cascades-tucson/PLAN-AND-QUESTIONS-2026-04-24.md @@ -104,7 +104,7 @@ Nothing else in this tenant is touched. No office staff change. No password cuto | Item | When | Blocker | |---|---|---| -| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Alma, Kyla, etc.) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window | +| **C1** Phase 2 sync — in-building office-PHI staff (Sharon, Allison, Kyla, etc.; ~~Alma~~ offboarded 2026-06-25) | Week-2 or later | Pre-cutover AD password reset to known values; 48h user comms; scheduled maintenance window | | **C2** Phase 3 sync — remaining staff | Week-3 or later | Same mechanics as C1, larger batch | | **C3** G2 role mailbox conversion (6 ready, 5 pending delegations) | Any time — execute the 6 with lists we have | 5 of 11 pending Meredith answers on delegates (Q8, Q11, Q14, Q15, Q16) | | **C4** Synology → CS-SERVER file-share migration (Phase 4) | After Phase 2/3 sync | John answers on pacs/Activities/chat/Sandra Fish shares + MainOffice group membership | diff --git a/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md b/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md index 32a636ba..14c0301f 100644 --- a/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md +++ b/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md 
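Review bot: `.x_edr_aid.txt` and `.x_edr_install_cmd.txt` are new root-level dotfiles each holding a single UUID, with no header, README mention or consumer anywhere in this patch; they look like scratch output from an EDR install workflow that the auto-sync swept into version control. If either value is an enrollment or installer identifier that grants access to a tenant's install package, it should not be in the repository history at all — drop the files from this commit, rewrite history if the value is sensitive, and add `.x_*` to `.gitignore` so future auto-syncs skip them. If they are intentionally tracked, document in the skill's README what each value is and which script reads it, since a bare UUID gives the next maintainer no way to tell a harmless correlation id from a credential.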
@@ -55,7 +55,7 @@ The CSV encodes access posture per person with three columns: **Access** (D / P | Memory Care | Christine Nyanzunda | MC Admin Assistant | | Resident Services | Christina DuPras | Resident Services Director | | Life Enrichment | Susan Hicks | Life Enrichment Director | -| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* | +| ~~Life Enrichment~~ | ~~Alma R Montt~~ | **OFFBOARDED 2026-06-25** (was MC Life Enrichment) — see `docs/security/offboarding-2026-06-25-alma-montt.md` | | Culinary | JD Martin | Culinary Director | | Culinary | Alyssa Brooks | Dining Manager | | Maintenance | John Trozzi | Facilities Director | @@ -107,7 +107,7 @@ No answer yet. This decision directly changes the license count and the CA polic | Scenario | Qty | Notes | |---|---|---| -| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). | +| Office staff with Outside=Y (Office-PHI external-OK) | **17** | ~~18 incl. Alma~~ — Alma offboarded 2026-06-25 (SPB seat freed). Britney removed earlier (departed). | | + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture | | + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 | | All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities | diff --git a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md index 498d86e0..180d6c4d 100644 --- a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md +++ b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md 
@@ -2,6 +2,11 @@ **Status:** Planning — no account creation or license assignment yet. **Created:** 2026-04-22 (Howard) + +> **[RECONCILE 2026-06-25]** Alma R Montt (`Alma.Montt`) was **OFFBOARDED 2026-06-25** (terminated). +> Disregard every "create account / add to SG-External-Signin-Allowed" line for her below; her AD +> account is disabled + moved to `OU=Excluded-From-Sync` and her M365 sign-in is blocked. Persona/seat +> counts that listed her should drop by 1. See `docs/security/offboarding-2026-06-25-alma-montt.md`. **Inputs:** - `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*) - `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled) @@ -22,7 +27,7 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l | Persona | Access | Outside | ALIS | Count | Examples | |---|---|---|---|---|---| -| **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe | +| **Office-PHI (external-OK)** | D+P | Y | Y | 17 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe (~~Alma~~ offboarded 2026-06-25) | | **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards | | **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda | | **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks | 
@@ -121,7 +126,7 @@ This collapses the earlier per-persona policy matrix into two primary CA policie | `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) | | `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. | -**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22. +**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 17 office-PHI staff (~~Alma R Montt~~ offboarded 2026-06-25 — do NOT seed). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22. **Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`). 
@@ -139,7 +144,7 @@ These must be resolved before creating or converting accounts. See also `cascade | **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. | | **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. | | **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. | -| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). | +| ~~**Alma R Montt**~~ — **OFFBOARDED 2026-06-25** | Account was created 2026-05-19, then **terminated + offboarded 2026-06-25** (disabled, groups stripped, OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared). | **No action — do NOT create or grant.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. | | **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. 
| Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. | | **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. | | **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. | @@ -213,7 +218,7 @@ User-visible impact: one Outlook password prompt on day-of-cutover. **No impact - Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`) - Ask Meredith whether to keep or retire `Transportation@` shared mailbox - Create AD accounts (and let Entra Connect sync to M365) for: - - Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y) + - ~~Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)~~ — **OFFBOARDED 2026-06-25, skip** - Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only) - Validate group membership + CA policy assignment on the new accounts before moving to Wave 2 - Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first) 
@@ -288,7 +293,7 @@ Output goes to `docs/migration/synology-permission-inventory.md`, which is then - Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5). - Christine Nyanzunda → one account covers both roles. - Kyla → `Kyla.QuickTiffany` (her preference). -- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). +- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John). **[OFFBOARDED 2026-06-25 — terminated.]** - Britney Thompson → **departed (John)**. Disable AD + harvest license. - Polett Pinazavala → **departed (John)**. Remove from roster. - Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names. diff --git a/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 b/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 index 175f6603..1731603f 100644 --- a/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 +++ b/clients/cascades-tucson/docs/migration/scripts/phase2-print-server.ps1 @@ -136,7 +136,7 @@ $printers = @( } # Memory Care Reception (EPSON833571 — dc:cd:2f:83:35:71) # Added 2026-05-29. Driver already installed from FrontDesk ET-5800 — no EPWizard re-run needed. - # Access: OU=Care-Memorycare (GPO ILT). Alma Montt (cloud-only M365) connects manually to \\CS-SERVER\MCReception. + # Access: OU=Care-Memorycare (GPO ILT). (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named.) @{ IP = '10.0.20.78' Port = 'TCP_10.0.20.78' 
@@ -144,7 +144,7 @@ $printers = @( Driver = 'EPSON ET-5800 Series' Share = 'MCReception' Location = 'Memory Care Reception (Floors 5/6)' - Comment = 'Epson ET-5800 - MemCare Reception / Alma Montt + MC nurses' + Comment = 'Epson ET-5800 - MemCare Reception / MC nurses' } ) diff --git a/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md b/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md index e70431cb..2b2fa78b 100644 --- a/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md +++ b/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md @@ -147,9 +147,9 @@ Read-only: Management Access: Directory, Life Enrichment **Note:** Same LE-new-mapping note as Susan. -### Alma R Montt — MC Life Enrichment -Access: Directory, Life Enrichment -**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up. +### ~~Alma R Montt — MC Life Enrichment~~ — OFFBOARDED 2026-06-25 +~~Access: Directory, Life Enrichment~~ +**Note:** **OFFBOARDED 2026-06-25 (terminated).** Excluded from all share groups — see the live roster `share-group-roster-proposed-2026-06-25.md` and `docs/security/offboarding-2026-06-25-alma-montt.md`. --- 
@@ -233,7 +233,7 @@ These names show up on Synology but are not in John's current employee list. The - **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23). - **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23). - **New CS-SERVER shares to create** (settled 2026-04-23): - - **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first. + - **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon only (~~Alma~~ offboarded 2026-06-25). LE workstations currently have no mapped drives — this will be their first. - **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra). - **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share. - **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory. diff --git a/clients/cascades-tucson/docs/printers.md b/clients/cascades-tucson/docs/printers.md index 4820c15b..0bb5425a 100644 --- a/clients/cascades-tucson/docs/printers.md +++ b/clients/cascades-tucson/docs/printers.md 
@@ -15,7 +15,7 @@ | 9 | Room 206 (large printer) | 192.168.1.138 | 00:20:6b:b3:4a:55 | Konica Minolta Bizhub C368 | A7PV011016305 | Health Services | Network | Online | | 10 | Kitchen Manager | 192.168.3.232 | — | Canon imageClass MFC743CDW | — | Alyssa (Brooks) | Network | Online | | 11 | Chef | 192.168.3.88 | — | Brother MFC-9330CDW | — | Chef | Network | Online | -| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | Alma Montt (MemCare receptionist), MemCare nurses/users | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 | +| 12 | MemCare Reception | 10.0.20.78 | dc:cd:2f:83:35:71 (EPSON833571) | Epson ET-5800 | — | MemCare nurses/users (Alma Montt offboarded 2026-06-25 — reassign to MC Reception replacement when named) | Network — VLAN 20. Share: \\CS-SERVER\MCReception | Online 2026-05-29 | | 13 | MemCare Room 615 | 192.168.2.53 | c8:a3:e8:a2:dd:93 (brwc8a3e8a2dd93) | Brother (model TBD) | — | MedTechs, Nurses | WiFi (static IP) | Online | | 14 | Meredith's Office | 192.168.2.67 | — | Canon imageClass MF743CDW | — | Meredith (Kuhn) | Network | Online | | 15 | MemCare Director (Room 603) | 192.168.3.52 | 20:0b:74:b2:29:08 | Canon Color imageClass MF751CDW | — | Shelby Trozzi | Network | Online | diff --git a/clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md b/clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md index 3b9096b3..c9fd4b32 100644 --- a/clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md +++ b/clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md 
@@ -42,4 +42,4 @@ **The PAA role is still assigned to the SP and must be removed manually** in Entra (Roles & admins → Privileged Authentication Administrator → remove `ComputerGuru - Tenant Admin`). Its standing **Conditional Access Administrator** role is intentional — leave that. -- [ ] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`). +- [x] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`) **and all other active plans** (2026-06-25): `docs/servers/active-directory.md`, `docs/printers.md`, `docs/cloud/user-account-rollout-plan.md`, `docs/cloud/p2-staff-candidates.md`, `PLAN-AND-QUESTIONS-2026-04-24.md`, `docs/migration/share-access-matrix-2026-04-23.md`, `docs/migration/scripts/phase2-print-server.ps1`. Dated April/May questionnaires, CSVs, reports, and the archived plan left as historical record. diff --git a/clients/cascades-tucson/docs/servers/active-directory.md b/clients/cascades-tucson/docs/servers/active-directory.md index 3e494a1c..8b2b8643 100644 --- a/clients/cascades-tucson/docs/servers/active-directory.md +++ b/clients/cascades-tucson/docs/servers/active-directory.md 
@@ -11,7 +11,7 @@ ## AD Users (updated 2026-05-19) **Changes since 2026-04-13:** -- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues) +- ~~Alma.Montt added to OU=Administrative (provisioned 2026-05-19)~~ — **OFFBOARDED 2026-06-25**: AD account disabled, groups stripped, moved to `OU=Excluded-From-Sync`; cloud-only M365 sign-in blocked + mailbox converted to shared. See `docs/security/offboarding-2026-06-25-alma-montt.md`. - Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc) - Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied) - Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19 @@ -26,7 +26,7 @@ | Meredith.Kuhn | Meredith Kuhn | Executive Director | | | Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ | | lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ | -| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) | +| ~~Alma.Montt~~ | ~~Alma Montt~~ | ~~Life Enrichment~~ | **OFFBOARDED 2026-06-25 — disabled, groups stripped, moved to OU=Excluded-From-Sync.** See `docs/security/offboarding-2026-06-25-alma-montt.md`. | | Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. | | ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** | 
@@ -180,7 +180,7 @@ cascades.local ├── Domain Controllers │ └── CS-SERVER ├── Departments -│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson +│ ├── Administrative — Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson (Alma.Montt offboarded 2026-06-25 → OU=Excluded-From-Sync) │ ├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller │ │ └── Nurses (empty sub-OU) │ ├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format) @@ -310,7 +310,7 @@ Do NOT populate these further. They remain in service until Phase 4 cutover reti | LifeEnrichment | (via Life Enrichment Printers GPO) | OU=Life Enrichment | | MCDirector | Canon imageClass MF751CDW (192.168.3.52) | OU=Care-Memorycare | | MCMedTech | Brother (192.168.2.53) | OU=Caregivers OR OU=Care-Memorycare | -| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. Alma Montt (cloud-only M365 — no GPO) connects manually. | +| MCReception | Epson ET-5800 (10.0.20.78) | OU=Care-Memorycare. (Alma Montt offboarded 2026-06-25 — reassign to the MC Reception replacement when named.) | ## Group Policy (as of 2026-05-20) 
@@ -368,7 +368,7 @@ GPOs exist but effectiveness is limited since most PCs are not domain-joined. Al | ~~Still enabled — departed~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — AD disabled. M365: sign-in blocked, license removed, litigation hold applied. | | ~~Still enabled — flagged for disable~~ | ~~Richard.Adams, Julian.Crim, Christopher.Holick~~ | **DONE 2026-05-20** — all disabled. | | ~~Old-format account — superseded~~ | ~~Shontiel.Nunn~~ | **DONE 2026-05-20** — disabled. s.nunn (Caregivers) is the active account. | -| Cloud-only M365 account — RESOLVED | Alma.Montt | Intentional and correct — no AD sync conflict. | +| Cloud-only M365 account — ~~RESOLVED~~ OFFBOARDED | Alma.Montt | **OFFBOARDED 2026-06-25** — AD disabled + moved to OU=Excluded-From-Sync; M365 sign-in blocked, mailbox → shared (Shelby Trozzi FullAccess). See `docs/security/offboarding-2026-06-25-alma-montt.md`. | | krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. Deferred. | | Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins. Deferred. | | ~~britney.thompson M365 offboarding~~ | ~~britney.thompson~~ | **DONE 2026-05-20** — sign-in blocked, license removed, litigation hold applied via sysadmin@. | diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md index b1d0b24f..c3786fa0 100644 --- a/clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md 
@@ -113,3 +113,32 @@ queue. - Termination runbook: `docs/security/termination-procedures.md` - Coord message id: `4b2bb6a9-881b-4003-984c-687183b96802` - Cascades wiki: `wiki/clients/cascades-tucson.md` + +## Update: 12:53 PT — Reconciled Alma out of all active plans + +Following the verified offboarding, reconciled Alma Montt out of every forward-looking Cascades +doc so no future session/tech treats her as a current or to-be-created user. The 2026-06-25 +proposed share roster was already done (struck + OFFBOARDED) by the lost session. Edited the +remaining active docs, each annotated with `OFFBOARDED 2026-06-25` + a pointer to the offboarding +record (strikethrough preserves the decision history rather than deleting it): + +- `docs/servers/active-directory.md` — current-state AD reference: changelog entry, Enabled-Accounts + table row, OU tree (Administrative), MCReception printer access, and Pending-Issues row all updated + to reflect disabled + moved to OU=Excluded-From-Sync. +- `docs/printers.md` — MCReception printer user list (removed Alma; note to reassign replacement). +- `docs/cloud/user-account-rollout-plan.md` — added a [RECONCILE] banner; fixed persona count 18->17, + SG-External-Signin-Allowed seed line, the per-person resolution row, the Wave-1 create list, and the + decision summary. +- `docs/cloud/p2-staff-candidates.md` — license-math count 18->17; candidate roster row. +- `PLAN-AND-QUESTIONS-2026-04-24.md` — Track C / C1 Phase 2 sync list. +- `docs/migration/share-access-matrix-2026-04-23.md` — Alma section + LifeEnrichment share RW list. +- `docs/migration/scripts/phase2-print-server.ps1` — MCReception comment + printer Comment field. 
+ +Left as historical record (dated point-in-time artifacts, intentionally NOT rewritten): the April +questionnaires/working-lists/followups, `reports/cascades-staff-2026-04-22.csv`, the Canva and +orphan-deletes reports, the 2026-04-22 HIPAA review, `scripts/create-alma-montt-2026-05-18.ps1`, +`scripts/build-open-questions-docx.py`, and `PLAN-AND-QUESTIONS-2026-04-23-archived.md`. + +Ticked the offboarding record follow-up checkbox (reconciliation complete). Remaining open item is +unchanged: Mike to remove the stranded Privileged Authentication Administrator role on the Tenant +Admin SP. diff --git a/errorlog.md b/errorlog.md index 9da82e91..a3f44d29 100644 --- a/errorlog.md +++ b/errorlog.md 
@@ -17,6 +17,20 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'acl' failed (rc=1) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'groups' failed (rc=127) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'users' failed (rc=127) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | synology/ssh | syno-ssh recipe 'shares' failed (rc=1) [ctx: host=192.168.0.120] + +2026-06-25 | Howard-Home | memory-dream | orphan detector mis-parses index lines containing [[wikilink]] text: flags feedback_broken_backlinks_are_writeme_markers.md as orphan despite being indexed (L174), so --apply-safe appends duplicate index lines every run. Fix: match orphan on the ](.md) link target, not the rendered link text. [ctx: skill=memory-dream file=scripts/memory_dream.py recurring=yes] + 2026-06-25 | GURU-5070 | remediation-tool/EOP | [friction] checking ACG own-tenant EOP quarantine: reached for investigator-exo (401 - Exchange Admin role only on Exchange OPERATOR SP, not Investigator), then RecipientAddress needs JSON array not string (400); skill has no EOP/quarantine section at all [ctx: ref=feedback_exchange_role_recurring_gap] 2026-06-25 | GURU-5070 | sync/tailscale | [correction] diagnosed 172.16.3.x unreachable as transient blip; real cause was Tailscale node KEY EXPIRY on the subnet-router node (pfSense advertising 172.16.0.0/22) dropping it off the tailnet [ctx: fix=disabled key expiration on the node; symptom=internet OK but whole 172.16.3.x dead]