diff --git a/errorlog.md b/errorlog.md index 6e030dcb..fa34a670 100644 --- a/errorlog.md +++ b/errorlog.md @@ -23,6 +23,16 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=568eb763-3b95-4271-8443-530c74b1c6bb assignment=ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1 http=400] +2026-07-09 | Howard-Home | bash/rmm-dispatch | [friction] UNC path SIF-SERVERprint$ collapsed to single-backslash inside a jq --arg PowerShell payload, producing a bogus 'path not found' that nearly read as a real diagnostic finding; use ps-encoded.sh for any payload containing UNC/backslashes [ctx: ref=feedback_windows_quote_stripping client=sif-oidak] + +2026-07-09 | Howard-Home | bash/git | [friction] chained 'git push -q 2>&1 | tail -5 && echo [OK]' — the && tested tail's exit status, not git's, so a REJECTED push printed [OK]. Never pipe a command whose exit code you intend to test; capture output then check ${PIPESTATUS[0]} or run the command bare and test $?. [ctx: client=sif-oidak repo=vault] + +2026-07-09 | Howard-Home | remediation-tool/get-token.sh | [friction] get-token.sh resolved identity.json from $HOME (/c/Users/Howard/.claude/identity.json) instead of the repo .claude/identity.json and died with 'vault_path not set'; fix is to export VAULT_ROOT_ENV= before calling, or make the script fall back to the repo identity [ctx: ref=vault-skill-gotchas client=sif-oidak] + +2026-07-09 | Howard-Home | wiki-lint | [friction] command hardcodes 'cd D:/claudetools' but repo root is machine-specific (identity.json claudetools_root=C:/claudetools on HOWARD-HOME). Same path-drift family as remediation-tool scripts reading ~/.claude/identity.json instead of repo .claude/identity.json. Fix: resolve root from identity.json claudetools_root, never hardcode a drive letter. [ctx: ref=identity.json/claudetools_root machine=HOWARD-HOME] + +2026-07-09 | Howard-Home | remediation-tool/consent-audit.sh | consent-audit graded tenant RED 'app NOT consented' for all 4 tiers, but the real cause was a local vault-path lookup failure (scripts read ~/.claude/identity.json; actual identity+vault_path live in repo .claude/identity.json -> D:/vault). Tenant was fully consented; token minted fine with VAULT_ROOT_ENV=D:/vault. Risk: would have sent a client an unnecessary admin-consent link. Fix: consent-audit should fail loud on vault-path error instead of reporting it as a consent gap. [ctx: tenant=cascadestucson.com machine=HOWARD-HOME] + 2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter] 2026-07-09 | Howard-Home | bash/env | [friction] used $UID as a variable in a Bash tool script; UID is readonly in bash so the assignment failed and the downstream Graph calls silently ran with an empty id - use a non-reserved name (OBJ/USER_ID) diff --git a/wiki/clients/sif-oidak.md b/wiki/clients/sif-oidak.md index b81c529c..4f0f412f 100644 --- a/wiki/clients/sif-oidak.md +++ b/wiki/clients/sif-oidak.md @@ -2,11 +2,12 @@ type: client name: sif-oidak display_name: Sif-oidak District - Tohono O'odham Nation -last_compiled: 2026-06-03 -compiled_by: GURU-BEAST-ROG/claude-main +last_compiled: 2026-07-09 +compiled_by: HOWARD-HOME/claude-main sources: - clients/sif-oidak/session-logs/2026-05-28-session.md - clients/sif-oidak/session-logs/2026-06-03-session.md + - live GuruRMM + Graph investigation 2026-07-09 (dortega AD account creation) backlinks: [] --- @@ -19,7 +20,7 @@ backlinks: [] - **Billing rate:** $150/hr remote labor - **Syncro customer ID:** 7694718 - **Primary contact:** Deanna Cruz — deanna.cruz@tonation-nsn.gov -- **Environment:** Hybrid — on-premises Active Directory domain (SifOidak.local) plus Microsoft 365 tenant +- **Environment:** **NOT hybrid** — two *independent, unsynced* identity systems: an on-premises AD domain (SifOidak.local) and a separate M365 cloud tenant. There is **no Entra Connect / AD Connect** anywhere (verified 2026-07-09 on both SIF-SERVER and SIF-SERVER2). See [Identity model](#identity-model-read-before-touching-any-account). - **M365 onboarding:** Completed 2026-06-03; all four ACG MSP apps consented, roles assigned ## Contacts @@ -30,20 +31,116 @@ backlinks: [] | Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert | | Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 | +## Identity model (READ BEFORE TOUCHING ANY ACCOUNT) + +Sif-oidak runs **two separate identity systems with no synchronization between them.** A user +needs a *distinct account in each*, and their passwords are independent. + +| | On-prem AD | M365 cloud | +|---|---|---| +| Directory | SifOidak.local | sifoidak.onmicrosoft.com | +| UPN shape | `jalbert@SifOidak.local` | `jalbert.sod@sifoidak.onmicrosoft.com` | +| Used for | **Windows workstation sign-in** | Email / Office / Teams | +| Password reset via | `Set-ADAccountPassword` on SIF-SERVER | Graph API | + +**Verified 2026-07-09:** no `ADSync` service and no "Azure AD Connect" uninstall entry on either +SIF-SERVER or SIF-SERVER2; no AD user carries an `msDS-ConsistencyGuid`; every M365 user has +`onPremisesSyncEnabled: null`. The two directories are genuinely disjoint. + +**Consequences — these are the traps:** + +- **Workstations are domain-joined ONLY** (`dsregcmd`: `DomainJoined: YES`, `AzureAdJoined: NO`). + **M365 credentials cannot sign in to a Sif-oidak machine.** Creating a cloud user does *not* + give anyone a workstation login. +- Resetting the M365 password does nothing for a machine login, and vice versa. When a user says + "I can't log in," **first establish which system** — Windows sign-in screen = AD; Outlook/Teams + prompt = M365. +- Onboarding a new employee requires **two** account creations, not one. + +### Actually THREE systems — email is not in M365 either + +| System | Directory | Used for | +|---|---|---| +| On-prem AD | SifOidak.local | Windows workstation sign-in | +| M365 cloud | sifoidak.onmicrosoft.com | Office apps + OneDrive sign-in **(no mailbox)** | +| Email | **sifoidak.com @ GoDaddy** | Mail (`MX -> smtp.secureserver.net`) | + +The M365 SKU is `O365_BUSINESS` (Microsoft 365 Apps for business). Its Exchange entitlement is +`EXCHANGE_S_FOUNDATION` — the **no-mailbox stub**. Verified 2026-07-09: all 12 users have +`mail: null` and **zero** `proxyAddresses`. There are no Exchange Online mailboxes in this tenant. +Mail lives at GoDaddy and is not managed through M365. + +> **Do not confuse "username" with "email" here.** Every M365 user's *username* (UPN) is +> `...@sifoidak.onmicrosoft.com`. Their *email address* is `...@sifoidak.com` at GoDaddy. Both +> statements are simultaneously true. + +## USER ONBOARDING RUNBOOK (Mike's standing instruction, 2026-07-09) + +**Creating a new Sif-oidak user requires creating accounts in BOTH systems. Never just one.** + +1. **On-prem AD account** — on SIF-SERVER, `New-ADUser` into `OU=Domain Users,DC=SifOidak,DC=local`, + SamAccountName = first-initial + surname, UPN `@SifOidak.local`, `Domain Users` group, + temp password with `-ChangePasswordAtLogon $true`. Verify `pwdLastSet=0` on **both** DCs. + *(Without this the user cannot log in to their machine at all — see the 2026-07-09 history entry.)* +2. **M365 account** — Graph user + `usageLocation: US` **before** license assignment, then assign + `O365_BUSINESS`. Watch for seat auto-expansion. +3. **Email account** — provisioned at **GoDaddy on sifoidak.com**, not in M365. +4. Vault every credential (`clients/sif-oidak/ad-users.sops.yaml`), never paste it into a ticket. + +### Username convention — no `onmicrosoft.com` (REQUESTED, BLOCKED) + +Mike's requirement (2026-07-09): M365 usernames must **not** contain `onmicrosoft.com`. + +**This is currently impossible.** `sifoidak.onmicrosoft.com` is the tenant's *only* verified domain +(`isInitial: true`, `isDefault: true`); no custom domain has been added. A UPN can only use a +verified domain. To satisfy the requirement: + +1. Add `sifoidak.com` as a custom domain in Entra, verify it via a **DNS TXT record**. + - The domain is registered at **GoDaddy** (`ns19/ns20.domaincontrol.com`). **ACG has no + GoDaddy credentials for Sif-oidak in the vault** — client/registrar access is needed first. + - Add it **without enabling the Exchange service** so the existing `MX -> secureserver.net` + GoDaddy mail flow is not disturbed. +2. Set the new domain as default, then rename UPNs to `@sifoidak.com`. +3. **Renaming a UPN breaks existing Office sign-ins** — users must sign in again. Schedule it and + notify them; do not do it silently. + +Existing UPNs are also inconsistent — most are `.sod@`, but `m.allen@` and +`marcella.enos@` differ. Settle a single convention as part of this change. + +### AD naming conventions (match these) + +- `SamAccountName` = first initial + surname (`jalbert`, `dortega`, `dcruz`, `drodriguez`) +- `CN` = full display name (`CN=Dwayne Ortega`) +- Container = `OU=Domain Users,DC=SifOidak,DC=local` (a real OU, not the default `CN=Users`) +- UPN suffix = `@SifOidak.local` (the only suffix in the forest) +- Departmental groups exist (e.g. `AssistancePrograms Group`) — do **not** add a new user to one + without asking; `Domain Users` alone is the safe default. + +### AD password policy (weak — note for any hardening discussion) + +`MinPasswordLength: 6`, `ComplexityEnabled: False`, `MaxPasswordAge: ~42 days`. + ## Infrastructure ### On-Premises Servers | Host | Role | Domain | GuruRMM Agent ID | Status (last seen) | |---|---|---|---|---| -| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-05-28) | -| SIF-SERVER2 | Unknown — possible secondary DC or member server | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-05-28) | -| Sif-Laptop554 | Endpoint | SifOidak.local | ce868d0f-6381-444d-8fd3-94c563ddc4d9 | Offline (2026-05-28) | -| Sif-Laptop555 | Endpoint | SifOidak.local | acb14901-f659-40eb-a59c-b5954de0ba7f | Offline (2026-05-28) | +| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-07-09) | +| SIF-SERVER2 | **Backup Domain Controller** (`DomainRole: 4`, confirmed 2026-07-09) | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-07-09) | +| Sif-Laptop554 | Endpoint — **Joshua Albert's** (jalbert profile, active console session) | SifOidak.local | 9e5016f0-e330-4d24-ab01-67cf4e55d46b | Online (2026-07-09) | +| Sif-Laptop555 | Endpoint — likely Dwayne Ortega's (unconfirmed) | SifOidak.local | 1be314d5-0395-4b1c-aa26-3b4a96bd2e22 | Offline (2026-07-09) | + +> Laptop agent UUIDs changed between 2026-05-28 and 2026-07-09 (agents re-enrolled). **Always +> resolve hostname → UUID live** via `rmm-search.sh -c sif-oidak`; never reuse a UUID from this table. + +**Sif-Laptop554 local accounts:** `Localadmin` and `Sif` (both enabled); `Administrator`/`Guest` +disabled. Profiles present: `jalbert`, `guru`, `Sif`, `Localadmin`. Local creds are vaulted at +`clients/sif-oidak/laptops.sops.yaml`. - Domain: SifOidak.local -- SIF-SERVER confirmed as primary DC (DomainRole >= 4, running `Set-ADAccountPassword` + AD cmdlets successfully) -- SIF-SERVER2 role not investigated — may be secondary DC or member server; treat as potential DC +- **SIF-SERVER = PDC** (`DomainRole: 5`); **SIF-SERVER2 = backup DC** (`DomainRole: 4`). Both confirmed 2026-07-09. +- Two DCs means a workstation may authenticate against either. After any AD write, verify the change is present on **both** (`Get-ADUser -Server localhost` on each) before telling a user to try again. ### Network @@ -97,14 +194,24 @@ https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_i ### Dwayne Ortega -| Field | Value | -|---|---| -| UPN | Dortega.sod@sifoidak.onmicrosoft.com | -| M365 user ID | 014c1df6-444b-4502-9239-15c3ff935887 | -| License | O365 Business (assigned 2026-06-03) | -| Initial password | Temp1234! — must change at next sign-in | +**Has BOTH accounts as of 2026-07-09.** They are unrelated and have independent passwords. -New user created 2026-06-03. Usage location set to US before license assignment (Graph API requirement). License assignment triggered auto-expansion from 10 to 11 seats. +| Field | M365 cloud | On-prem AD | +|---|---|---| +| Identifier | Dortega.sod@sifoidak.onmicrosoft.com | `dortega` / dortega@SifOidak.local | +| Object ID / DN | 014c1df6-444b-4502-9239-15c3ff935887 | CN=Dwayne Ortega,OU=Domain Users,DC=SifOidak,DC=local | +| Created | 2026-06-03 | 2026-07-09 | +| License | O365 Business | n/a | +| Groups | — | Domain Users only | +| Password | reset 2026-07-09T20:33:05Z (by someone other than this session) | temp, **must change at next logon** (`pwdLastSet=0`) | +| Credential location | not vaulted | `clients/sif-oidak/ad-users.sops.yaml` | + +M365 user created 2026-06-03: usage location set to US before license assignment (Graph API +requirement); license assignment triggered seat auto-expansion from 10 to 11. + +**AD account created 2026-07-09** to resolve "cannot log in to his machine" — he had a cloud +identity only, and the workstations are domain-joined with no Entra join, so no M365 credential +could ever have signed him in. See History. ## On-Premises Active Directory @@ -121,6 +228,50 @@ New user created 2026-06-03. Usage location set to US before license assignment - `Set-ADUser -ChangePasswordAtLogon $true` may fail even after clearing `PasswordNeverExpires` in the same command string (possible replication delay). Use `net user /logonpasswordchg:yes /domain` instead — more reliable. - ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use `DirectorySearcher` with double-quoted ADSI path for AD verification. +## Printing + +Print queues are shared off the **domain controllers** (not a dedicated print server). All ports +point at `192.168.0.99`. + +| Share | Host | Driver | +|---|---|---| +| `\\SIF-SERVER\SHARP UD3 PCL6` | SIF-SERVER | SHARP UD3 PCL6 | +| `\\SIF-SERVER\SHARP MX-6070V PCL6` | SIF-SERVER | SHARP MX-6070V PCL6 | +| `\\SIF-SERVER2\SHARP MX-6240N PCL6` | SIF-SERVER2 | SHARP MX-6240N PCL6 | + +### Adding a shared printer requires local admin (error 740) + +**Symptom:** a standard user adds `\\SIF-SERVER\SHARP UD3 PCL6` and gets **error 740** +(`ERROR_ELEVATION_REQUIRED`). `Microsoft-Windows-PrintService/Admin` event **600** logs +`Error code= 800702e4` (`0x2E4` = 740) — "failed to import the printer driver ... from +`\\sif-server\print$\x64\PCC\sv0emenu.inf_amd64_...cab`". The event text blames the digital +signature; **that is a red herring** — 0x800702e4 is purely an elevation failure. + +**Cause:** post-KB5005652 (PrintNightmare hardening), `RestrictDriverInstallationToAdministrators` +defaults to **1** — only administrators may install a print driver via Point and Print. The value is +**absent** from the registry on Sif endpoints, so the restrictive default applies. Standard users +(e.g. jalbert) are not local admins; local admins are `Administrator`, `Localadmin`, and +`SIFOIDAK\Domain Admins`. + +**In practice the UAC prompt for the driver install does not surface to the user**, so it reads as a +bare error rather than a permission request (confirmed by Howard 2026-07-09). + +**Fix:** install the printer with admin rights — supply `Localadmin` credentials at the UAC prompt, +or install it for the user. Once the driver is in the local driver store, subsequent connections work. + +**Do NOT "fix" this by setting `RestrictDriverInstallationToAdministrators=0`.** That re-opens the +PrintNightmare (CVE-2021-34527) remote-code-execution class of bug for every user on the machine. +Preferred non-interactive alternative: add a **per-machine** connection as SYSTEM via GuruRMM +(`rundll32 printui.dll,PrintUIEntry /ga /n"\\SIF-SERVER\"` + spooler restart), which installs +the driver under an admin context without weakening the policy. + +### Known defect — GPO pushes a printer from the wrong server + +Sif-Laptop554 logs event **513**: `Group Policy was unable to add per computer connection +\\SIF-SERVER\SHARP MX-6240N PCL6. Error code 0x709.` The MX-6240N is shared on **SIF-SERVER2**, not +SIF-SERVER, so the GPO path is wrong. Correct the GPO to `\\SIF-SERVER2\SHARP MX-6240N PCL6` +(or re-share the queue on SIF-SERVER). Unresolved as of 2026-07-09. + ## Syncro | Field | Value | @@ -147,19 +298,32 @@ New user created 2026-06-03. Usage location set to US before license assignment ## Patterns / Notes +- **"Cannot log in" is ambiguous at this client — disambiguate FIRST.** Because AD and M365 are + unsynced, the same complaint has two unrelated root causes. Ask (or check) whether the failure is + at the Windows sign-in screen (AD) or in an Office app (M365) before touching a password. On + 2026-07-09 Dwayne Ortega's *cloud* password had already been reset the same day, which did nothing + for his machine login because he had no AD account at all. +- **Creating an M365 user does NOT create a workstation login.** New-hire onboarding here needs two + account creations. This is the single easiest mistake to make at Sif-oidak. - **Tenant identification was non-obvious:** Initial attempt used `toua.net` (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is `sifoidak.onmicrosoft.com`. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant. - **ACG MSP app onboarding order matters:** Tenant Admin must be consented first. `onboard-tenant.sh` then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator. - **Seat auto-expansion accepted without manual purchase:** Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract. - **Graph permission replication timing:** Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for user management operations. -- **SIF-SERVER2 role unknown:** Not investigated. Do not assume it is just a member server — it may be a secondary DC. Verify role before any domain-level operations that assume a single DC. +- **Two DCs, not one:** SIF-SERVER (PDC) and SIF-SERVER2 (backup DC). Any assumption of a single DC is wrong; confirm AD writes replicated to both before declaring a fix done. - **PasswordNeverExpires cleared on jalbert:** Pre-2026-05-28 state was `PasswordNeverExpires = $true`. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact. - **Client not yet in CIPP:** Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed. ## Open Items -- [ ] Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`) +- [ ] **Still outstanding (re-confirmed 2026-07-09):** re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`). A `signInActivity` query on 2026-07-09 still 403s with "does not have required Microsoft Graph permission(s): AuditLog.Read.All" — so sign-in history is currently unreadable for this tenant. +- [ ] Confirm which laptop is actually Dwayne Ortega's (Sif-Laptop555 assumed, was offline 2026-07-09) and verify he can sign in + complete the forced password change +- [ ] **Obtain GoDaddy/registrar access for `sifoidak.com`** — prerequisite for removing `onmicrosoft.com` from M365 usernames (needs a DNS TXT verification record). Vault it once obtained. +- [ ] Add `sifoidak.com` as a verified Entra domain (**no Exchange service**, to protect GoDaddy mail flow), then rename UPNs; notify users, sign-ins will break +- [ ] Settle one UPN convention (`m.allen@` and `marcella.enos@` deviate from `.sod@`) +- [ ] Fix GPO printer path: it pushes `\\SIF-SERVER\SHARP MX-6240N PCL6`, but that queue is shared on **SIF-SERVER2** (event 513, error 0x709) +- [ ] Consider whether AD password policy should be hardened (currently min length 6, complexity OFF) +- [ ] Decide whether Dwayne needs `AssistancePrograms Group` membership (jalbert has it; Dwayne created with `Domain Users` only) - [ ] Add `clients/sif-oidak/m365-admin.sops.yaml` if client shares admin credentials with ACG -- [ ] Clarify SIF-SERVER2 role (secondary DC or member server?) - [ ] Determine if jalbert's `PasswordNeverExpires` should be restored (was cleared 2026-05-28) - [ ] Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP @@ -173,6 +337,39 @@ Howard requested a remote password reset for domain user `jalbert` (Joshua Alber Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant `sifoidak.onmicrosoft.com` was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after `toua.net` was tried first (wrong). Onboarded via admin consent + `onboard-tenant.sh`: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value `Albert#2015`. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard. +### 2026-07-09 — Dwayne Ortega could not log in to his machine; root cause = no AD account + +Howard reported Dwayne Ortega could not log in to his machine. Investigation via GuruRMM found +**no on-prem AD account matching `ortega`/`dwayne`** among the 71 domain users — he existed only as +an M365 cloud user (created 2026-06-03). `dsregcmd` on Sif-Laptop554 confirmed the workstations are +`DomainJoined: YES / AzureAdJoined: NO`, so an M365 credential can never authenticate a Windows +sign-in here. Neither SIF-SERVER nor SIF-SERVER2 has any Entra Connect / ADSync component, and no AD +object carries an `msDS-ConsistencyGuid` — the directories are fully disjoint, correcting this +article's prior "hybrid" description. His cloud password had been reset earlier the same day +(`lastPasswordChangeDateTime: 2026-07-09T20:33:05Z`), which could not have fixed a machine login. + +**Fix:** created AD user `dortega` (CN=Dwayne Ortega, OU=Domain Users) on SIF-SERVER via GuruRMM +`-EncodedCommand` dispatch, enabled, `Domain Users` only, matching the client's +first-initial+surname convention. Set a temp password with `ChangePasswordAtLogon`; verified +`pwdLastSet=0`. Temp credential vaulted to `clients/sif-oidak/ad-users.sops.yaml` (never posted to +chat/ticket). Laptop agent UUIDs found stale in this article and corrected. + +### 2026-07-09 — jalbert could not add the SHARP UD3 printer (error 740) + +Joshua Albert hit **error 740** (`ERROR_ELEVATION_REQUIRED`) adding `\\SIF-SERVER\SHARP UD3 PCL6`. +PrintService/Admin event 600 confirmed `Error code= 800702e4` on three attempts. Root cause: the +post-KB5005652 default `RestrictDriverInstallationToAdministrators=1` blocks non-admin print-driver +installs, and **the UAC prompt for the driver install never surfaced to the user**, so it presented +as a bare error. Howard installed the printer himself with admin rights; no remote change was made. +Investigation also surfaced a GPO pushing the MX-6240N queue from the wrong server (event 513). + +Also established this session: the tenant has **no Exchange mailboxes** (`O365_BUSINESS` = +Apps-for-business, `EXCHANGE_S_FOUNDATION` stub; all users `mail: null`, no proxyAddresses), and +email for `sifoidak.com` is hosted at GoDaddy. Mike set a standing rule that new Sif-oidak users get +**both** an AD account and an M365 account, and that usernames should drop `onmicrosoft.com` — the +latter is blocked on adding+verifying `sifoidak.com` as a custom Entra domain (registrar access +required). See the Onboarding Runbook. + ## Backlinks - *(none yet)*