wiki(sif-oidak): correct identity model, add printer + onboarding runbook

Sif-oidak was documented as a hybrid AD/M365 environment. It is not: there is no
Entra Connect on either DC, no AD object carries msDS-ConsistencyGuid, and every
M365 user has onPremisesSyncEnabled=null. AD and M365 are disjoint, and email is a
third system entirely (sifoidak.com at GoDaddy; the O365_BUSINESS SKU carries the
EXCHANGE_S_FOUNDATION no-mailbox stub).

That mismatch caused a real failure: Dwayne Ortega had a cloud account only, so he
could not log in to a domain-joined workstation. Created his AD account and recorded
the two-account onboarding rule.

Also documented: printer error 740 (Point-and-Print driver install needs admin,
UAC prompt never surfaces), a GPO pushing the MX-6240N queue from the wrong server,
SIF-SERVER2 confirmed as a backup DC, and refreshed stale laptop agent UUIDs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-09 16:18:20 -07:00
parent 5a463ae133
commit d9f877661e
2 changed files with 226 additions and 19 deletions

View File

@@ -23,6 +23,16 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=568eb763-3b95-4271-8443-530c74b1c6bb assignment=ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1 http=400] 2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=568eb763-3b95-4271-8443-530c74b1c6bb assignment=ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1 http=400]
2026-07-09 | Howard-Home | bash/rmm-dispatch | [friction] UNC path SIF-SERVERprint$ collapsed to single-backslash inside a jq --arg PowerShell payload, producing a bogus 'path not found' that nearly read as a real diagnostic finding; use ps-encoded.sh for any payload containing UNC/backslashes [ctx: ref=feedback_windows_quote_stripping client=sif-oidak]
2026-07-09 | Howard-Home | bash/git | [friction] chained 'git push -q 2>&1 | tail -5 && echo [OK]' — the && tested tail's exit status, not git's, so a REJECTED push printed [OK]. Never pipe a command whose exit code you intend to test; capture output then check ${PIPESTATUS[0]} or run the command bare and test $?. [ctx: client=sif-oidak repo=vault]
2026-07-09 | Howard-Home | remediation-tool/get-token.sh | [friction] get-token.sh resolved identity.json from $HOME (/c/Users/Howard/.claude/identity.json) instead of the repo .claude/identity.json and died with 'vault_path not set'; fix is to export VAULT_ROOT_ENV=<vault_path> before calling, or make the script fall back to the repo identity [ctx: ref=vault-skill-gotchas client=sif-oidak]
2026-07-09 | Howard-Home | wiki-lint | [friction] command hardcodes 'cd D:/claudetools' but repo root is machine-specific (identity.json claudetools_root=C:/claudetools on HOWARD-HOME). Same path-drift family as remediation-tool scripts reading ~/.claude/identity.json instead of repo .claude/identity.json. Fix: resolve root from identity.json claudetools_root, never hardcode a drive letter. [ctx: ref=identity.json/claudetools_root machine=HOWARD-HOME]
2026-07-09 | Howard-Home | remediation-tool/consent-audit.sh | consent-audit graded tenant RED 'app NOT consented' for all 4 tiers, but the real cause was a local vault-path lookup failure (scripts read ~/.claude/identity.json; actual identity+vault_path live in repo .claude/identity.json -> D:/vault). Tenant was fully consented; token minted fine with VAULT_ROOT_ENV=D:/vault. Risk: would have sent a client an unnecessary admin-consent link. Fix: consent-audit should fail loud on vault-path error instead of reporting it as a consent gap. [ctx: tenant=cascadestucson.com machine=HOWARD-HOME]
2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter] 2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter]
2026-07-09 | Howard-Home | bash/env | [friction] used $UID as a variable in a Bash tool script; UID is readonly in bash so the assignment failed and the downstream Graph calls silently ran with an empty id - use a non-reserved name (OBJ/USER_ID) 2026-07-09 | Howard-Home | bash/env | [friction] used $UID as a variable in a Bash tool script; UID is readonly in bash so the assignment failed and the downstream Graph calls silently ran with an empty id - use a non-reserved name (OBJ/USER_ID)

View File

@@ -2,11 +2,12 @@
type: client type: client
name: sif-oidak name: sif-oidak
display_name: Sif-oidak District - Tohono O'odham Nation display_name: Sif-oidak District - Tohono O'odham Nation
last_compiled: 2026-06-03 last_compiled: 2026-07-09
compiled_by: GURU-BEAST-ROG/claude-main compiled_by: HOWARD-HOME/claude-main
sources: sources:
- clients/sif-oidak/session-logs/2026-05-28-session.md - clients/sif-oidak/session-logs/2026-05-28-session.md
- clients/sif-oidak/session-logs/2026-06-03-session.md - clients/sif-oidak/session-logs/2026-06-03-session.md
- live GuruRMM + Graph investigation 2026-07-09 (dortega AD account creation)
backlinks: [] backlinks: []
--- ---
@@ -19,7 +20,7 @@ backlinks: []
- **Billing rate:** $150/hr remote labor - **Billing rate:** $150/hr remote labor
- **Syncro customer ID:** 7694718 - **Syncro customer ID:** 7694718
- **Primary contact:** Deanna Cruz — deanna.cruz@tonation-nsn.gov - **Primary contact:** Deanna Cruz — deanna.cruz@tonation-nsn.gov
- **Environment:** Hybrid — on-premises Active Directory domain (SifOidak.local) plus Microsoft 365 tenant - **Environment:** **NOT hybrid** — two *independent, unsynced* identity systems: an on-premises AD domain (SifOidak.local) and a separate M365 cloud tenant. There is **no Entra Connect / AD Connect** anywhere (verified 2026-07-09 on both SIF-SERVER and SIF-SERVER2). See [Identity model](#identity-model-read-before-touching-any-account).
- **M365 onboarding:** Completed 2026-06-03; all four ACG MSP apps consented, roles assigned - **M365 onboarding:** Completed 2026-06-03; all four ACG MSP apps consented, roles assigned
## Contacts ## Contacts
@@ -30,20 +31,116 @@ backlinks: []
| Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert | | Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert |
| Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 | | Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 |
## Identity model (READ BEFORE TOUCHING ANY ACCOUNT)
Sif-oidak runs **two separate identity systems with no synchronization between them.** A user
needs a *distinct account in each*, and their passwords are independent.
| | On-prem AD | M365 cloud |
|---|---|---|
| Directory | SifOidak.local | sifoidak.onmicrosoft.com |
| UPN shape | `jalbert@SifOidak.local` | `jalbert.sod@sifoidak.onmicrosoft.com` |
| Used for | **Windows workstation sign-in** | Email / Office / Teams |
| Password reset via | `Set-ADAccountPassword` on SIF-SERVER | Graph API |
**Verified 2026-07-09:** no `ADSync` service and no "Azure AD Connect" uninstall entry on either
SIF-SERVER or SIF-SERVER2; no AD user carries an `msDS-ConsistencyGuid`; every M365 user has
`onPremisesSyncEnabled: null`. The two directories are genuinely disjoint.
**Consequences — these are the traps:**
- **Workstations are domain-joined ONLY** (`dsregcmd`: `DomainJoined: YES`, `AzureAdJoined: NO`).
**M365 credentials cannot sign in to a Sif-oidak machine.** Creating a cloud user does *not*
give anyone a workstation login.
- Resetting the M365 password does nothing for a machine login, and vice versa. When a user says
"I can't log in," **first establish which system** — Windows sign-in screen = AD; Outlook/Teams
prompt = M365.
- Onboarding a new employee requires **two** account creations, not one.
### Actually THREE systems — email is not in M365 either
| System | Directory | Used for |
|---|---|---|
| On-prem AD | SifOidak.local | Windows workstation sign-in |
| M365 cloud | sifoidak.onmicrosoft.com | Office apps + OneDrive sign-in **(no mailbox)** |
| Email | **sifoidak.com @ GoDaddy** | Mail (`MX -> smtp.secureserver.net`) |
The M365 SKU is `O365_BUSINESS` (Microsoft 365 Apps for business). Its Exchange entitlement is
`EXCHANGE_S_FOUNDATION` — the **no-mailbox stub**. Verified 2026-07-09: all 12 users have
`mail: null` and **zero** `proxyAddresses`. There are no Exchange Online mailboxes in this tenant.
Mail lives at GoDaddy and is not managed through M365.
> **Do not confuse "username" with "email" here.** Every M365 user's *username* (UPN) is
> `...@sifoidak.onmicrosoft.com`. Their *email address* is `...@sifoidak.com` at GoDaddy. Both
> statements are simultaneously true.
## USER ONBOARDING RUNBOOK (Mike's standing instruction, 2026-07-09)
**Creating a new Sif-oidak user requires creating accounts in BOTH systems. Never just one.**
1. **On-prem AD account** — on SIF-SERVER, `New-ADUser` into `OU=Domain Users,DC=SifOidak,DC=local`,
SamAccountName = first-initial + surname, UPN `<sam>@SifOidak.local`, `Domain Users` group,
temp password with `-ChangePasswordAtLogon $true`. Verify `pwdLastSet=0` on **both** DCs.
*(Without this the user cannot log in to their machine at all — see the 2026-07-09 history entry.)*
2. **M365 account** — Graph user + `usageLocation: US` **before** license assignment, then assign
`O365_BUSINESS`. Watch for seat auto-expansion.
3. **Email account** — provisioned at **GoDaddy on sifoidak.com**, not in M365.
4. Vault every credential (`clients/sif-oidak/ad-users.sops.yaml`), never paste it into a ticket.
### Username convention — no `onmicrosoft.com` (REQUESTED, BLOCKED)
Mike's requirement (2026-07-09): M365 usernames must **not** contain `onmicrosoft.com`.
**This is currently impossible.** `sifoidak.onmicrosoft.com` is the tenant's *only* verified domain
(`isInitial: true`, `isDefault: true`); no custom domain has been added. A UPN can only use a
verified domain. To satisfy the requirement:
1. Add `sifoidak.com` as a custom domain in Entra, verify it via a **DNS TXT record**.
- The domain is registered at **GoDaddy** (`ns19/ns20.domaincontrol.com`). **ACG has no
GoDaddy credentials for Sif-oidak in the vault** — client/registrar access is needed first.
- Add it **without enabling the Exchange service** so the existing `MX -> secureserver.net`
GoDaddy mail flow is not disturbed.
2. Set the new domain as default, then rename UPNs to `<user>@sifoidak.com`.
3. **Renaming a UPN breaks existing Office sign-ins** — users must sign in again. Schedule it and
notify them; do not do it silently.
Existing UPNs are also inconsistent — most are `<initial><surname>.sod@`, but `m.allen@` and
`marcella.enos@` differ. Settle a single convention as part of this change.
### AD naming conventions (match these)
- `SamAccountName` = first initial + surname (`jalbert`, `dortega`, `dcruz`, `drodriguez`)
- `CN` = full display name (`CN=Dwayne Ortega`)
- Container = `OU=Domain Users,DC=SifOidak,DC=local` (a real OU, not the default `CN=Users`)
- UPN suffix = `@SifOidak.local` (the only suffix in the forest)
- Departmental groups exist (e.g. `AssistancePrograms Group`) — do **not** add a new user to one
without asking; `Domain Users` alone is the safe default.
### AD password policy (weak — note for any hardening discussion)
`MinPasswordLength: 6`, `ComplexityEnabled: False`, `MaxPasswordAge: ~42 days`.
## Infrastructure ## Infrastructure
### On-Premises Servers ### On-Premises Servers
| Host | Role | Domain | GuruRMM Agent ID | Status (last seen) | | Host | Role | Domain | GuruRMM Agent ID | Status (last seen) |
|---|---|---|---|---| |---|---|---|---|---|
| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-05-28) | | SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-07-09) |
| SIF-SERVER2 | Unknown — possible secondary DC or member server | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-05-28) | | SIF-SERVER2 | **Backup Domain Controller** (`DomainRole: 4`, confirmed 2026-07-09) | SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-07-09) |
| Sif-Laptop554 | Endpoint | SifOidak.local | ce868d0f-6381-444d-8fd3-94c563ddc4d9 | Offline (2026-05-28) | | Sif-Laptop554 | Endpoint **Joshua Albert's** (jalbert profile, active console session) | SifOidak.local | 9e5016f0-e330-4d24-ab01-67cf4e55d46b | Online (2026-07-09) |
| Sif-Laptop555 | Endpoint | SifOidak.local | acb14901-f659-40eb-a59c-b5954de0ba7f | Offline (2026-05-28) | | Sif-Laptop555 | Endpoint — likely Dwayne Ortega's (unconfirmed) | SifOidak.local | 1be314d5-0395-4b1c-aa26-3b4a96bd2e22 | Offline (2026-07-09) |
> Laptop agent UUIDs changed between 2026-05-28 and 2026-07-09 (agents re-enrolled). **Always
> resolve hostname → UUID live** via `rmm-search.sh -c sif-oidak`; never reuse a UUID from this table.
**Sif-Laptop554 local accounts:** `Localadmin` and `Sif` (both enabled); `Administrator`/`Guest`
disabled. Profiles present: `jalbert`, `guru`, `Sif`, `Localadmin`. Local creds are vaulted at
`clients/sif-oidak/laptops.sops.yaml`.
- Domain: SifOidak.local - Domain: SifOidak.local
- SIF-SERVER confirmed as primary DC (DomainRole >= 4, running `Set-ADAccountPassword` + AD cmdlets successfully) - **SIF-SERVER = PDC** (`DomainRole: 5`); **SIF-SERVER2 = backup DC** (`DomainRole: 4`). Both confirmed 2026-07-09.
- SIF-SERVER2 role not investigated — may be secondary DC or member server; treat as potential DC - Two DCs means a workstation may authenticate against either. After any AD write, verify the change is present on **both** (`Get-ADUser <u> -Server localhost` on each) before telling a user to try again.
### Network ### Network
@@ -97,14 +194,24 @@ https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_i
### Dwayne Ortega ### Dwayne Ortega
| Field | Value | **Has BOTH accounts as of 2026-07-09.** They are unrelated and have independent passwords.
|---|---|
| UPN | Dortega.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 014c1df6-444b-4502-9239-15c3ff935887 |
| License | O365 Business (assigned 2026-06-03) |
| Initial password | Temp1234! — must change at next sign-in |
New user created 2026-06-03. Usage location set to US before license assignment (Graph API requirement). License assignment triggered auto-expansion from 10 to 11 seats. | Field | M365 cloud | On-prem AD |
|---|---|---|
| Identifier | Dortega.sod@sifoidak.onmicrosoft.com | `dortega` / dortega@SifOidak.local |
| Object ID / DN | 014c1df6-444b-4502-9239-15c3ff935887 | CN=Dwayne Ortega,OU=Domain Users,DC=SifOidak,DC=local |
| Created | 2026-06-03 | 2026-07-09 |
| License | O365 Business | n/a |
| Groups | — | Domain Users only |
| Password | reset 2026-07-09T20:33:05Z (by someone other than this session) | temp, **must change at next logon** (`pwdLastSet=0`) |
| Credential location | not vaulted | `clients/sif-oidak/ad-users.sops.yaml` |
M365 user created 2026-06-03: usage location set to US before license assignment (Graph API
requirement); license assignment triggered seat auto-expansion from 10 to 11.
**AD account created 2026-07-09** to resolve "cannot log in to his machine" — he had a cloud
identity only, and the workstations are domain-joined with no Entra join, so no M365 credential
could ever have signed him in. See History.
## On-Premises Active Directory ## On-Premises Active Directory
@@ -121,6 +228,50 @@ New user created 2026-06-03. Usage location set to US before license assignment
- `Set-ADUser -ChangePasswordAtLogon $true` may fail even after clearing `PasswordNeverExpires` in the same command string (possible replication delay). Use `net user <user> /logonpasswordchg:yes /domain` instead — more reliable. - `Set-ADUser -ChangePasswordAtLogon $true` may fail even after clearing `PasswordNeverExpires` in the same command string (possible replication delay). Use `net user <user> /logonpasswordchg:yes /domain` instead — more reliable.
- ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use `DirectorySearcher` with double-quoted ADSI path for AD verification. - ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use `DirectorySearcher` with double-quoted ADSI path for AD verification.
## Printing
Print queues are shared off the **domain controllers** (not a dedicated print server). All ports
point at `192.168.0.99`.
| Share | Host | Driver |
|---|---|---|
| `\\SIF-SERVER\SHARP UD3 PCL6` | SIF-SERVER | SHARP UD3 PCL6 |
| `\\SIF-SERVER\SHARP MX-6070V PCL6` | SIF-SERVER | SHARP MX-6070V PCL6 |
| `\\SIF-SERVER2\SHARP MX-6240N PCL6` | SIF-SERVER2 | SHARP MX-6240N PCL6 |
### Adding a shared printer requires local admin (error 740)
**Symptom:** a standard user adds `\\SIF-SERVER\SHARP UD3 PCL6` and gets **error 740**
(`ERROR_ELEVATION_REQUIRED`). `Microsoft-Windows-PrintService/Admin` event **600** logs
`Error code= 800702e4` (`0x2E4` = 740) — "failed to import the printer driver ... from
`\\sif-server\print$\x64\PCC\sv0emenu.inf_amd64_...cab`". The event text blames the digital
signature; **that is a red herring** — 0x800702e4 is purely an elevation failure.
**Cause:** post-KB5005652 (PrintNightmare hardening), `RestrictDriverInstallationToAdministrators`
defaults to **1** — only administrators may install a print driver via Point and Print. The value is
**absent** from the registry on Sif endpoints, so the restrictive default applies. Standard users
(e.g. jalbert) are not local admins; local admins are `Administrator`, `Localadmin`, and
`SIFOIDAK\Domain Admins`.
**In practice the UAC prompt for the driver install does not surface to the user**, so it reads as a
bare error rather than a permission request (confirmed by Howard 2026-07-09).
**Fix:** install the printer with admin rights — supply `Localadmin` credentials at the UAC prompt,
or install it for the user. Once the driver is in the local driver store, subsequent connections work.
**Do NOT "fix" this by setting `RestrictDriverInstallationToAdministrators=0`.** That re-opens the
PrintNightmare (CVE-2021-34527) remote-code-execution class of bug for every user on the machine.
Preferred non-interactive alternative: add a **per-machine** connection as SYSTEM via GuruRMM
(`rundll32 printui.dll,PrintUIEntry /ga /n"\\SIF-SERVER\<share>"` + spooler restart), which installs
the driver under an admin context without weakening the policy.
### Known defect — GPO pushes a printer from the wrong server
Sif-Laptop554 logs event **513**: `Group Policy was unable to add per computer connection
\\SIF-SERVER\SHARP MX-6240N PCL6. Error code 0x709.` The MX-6240N is shared on **SIF-SERVER2**, not
SIF-SERVER, so the GPO path is wrong. Correct the GPO to `\\SIF-SERVER2\SHARP MX-6240N PCL6`
(or re-share the queue on SIF-SERVER). Unresolved as of 2026-07-09.
## Syncro ## Syncro
| Field | Value | | Field | Value |
@@ -147,19 +298,32 @@ New user created 2026-06-03. Usage location set to US before license assignment
## Patterns / Notes ## Patterns / Notes
- **"Cannot log in" is ambiguous at this client — disambiguate FIRST.** Because AD and M365 are
unsynced, the same complaint has two unrelated root causes. Ask (or check) whether the failure is
at the Windows sign-in screen (AD) or in an Office app (M365) before touching a password. On
2026-07-09 Dwayne Ortega's *cloud* password had already been reset the same day, which did nothing
for his machine login because he had no AD account at all.
- **Creating an M365 user does NOT create a workstation login.** New-hire onboarding here needs two
account creations. This is the single easiest mistake to make at Sif-oidak.
- **Tenant identification was non-obvious:** Initial attempt used `toua.net` (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is `sifoidak.onmicrosoft.com`. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant. - **Tenant identification was non-obvious:** Initial attempt used `toua.net` (Tohono O'odham Nation parent org) before Mike confirmed the correct tenant is `sifoidak.onmicrosoft.com`. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant.
- **ACG MSP app onboarding order matters:** Tenant Admin must be consented first. `onboard-tenant.sh` then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator. - **ACG MSP app onboarding order matters:** Tenant Admin must be consented first. `onboard-tenant.sh` then handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator.
- **Seat auto-expansion accepted without manual purchase:** Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract. - **Seat auto-expansion accepted without manual purchase:** Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract.
- **Graph permission replication timing:** Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for user management operations. - **Graph permission replication timing:** Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill. Non-blocking for user management operations.
- **SIF-SERVER2 role unknown:** Not investigated. Do not assume it is just a member server — it may be a secondary DC. Verify role before any domain-level operations that assume a single DC. - **Two DCs, not one:** SIF-SERVER (PDC) and SIF-SERVER2 (backup DC). Any assumption of a single DC is wrong; confirm AD writes replicated to both before declaring a fix done.
- **PasswordNeverExpires cleared on jalbert:** Pre-2026-05-28 state was `PasswordNeverExpires = $true`. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact. - **PasswordNeverExpires cleared on jalbert:** Pre-2026-05-28 state was `PasswordNeverExpires = $true`. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact.
- **Client not yet in CIPP:** Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed. - **Client not yet in CIPP:** Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed.
## Open Items ## Open Items
- [ ] Re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`) - [ ] **Still outstanding (re-confirmed 2026-07-09):** re-run `onboard-tenant.sh sifoidak.onmicrosoft.com` to backfill 2 missing Security Investigator Graph permissions (`User.Read.All`, `AuditLog.Read.All`). A `signInActivity` query on 2026-07-09 still 403s with "does not have required Microsoft Graph permission(s): AuditLog.Read.All" — so sign-in history is currently unreadable for this tenant.
- [ ] Confirm which laptop is actually Dwayne Ortega's (Sif-Laptop555 assumed, was offline 2026-07-09) and verify he can sign in + complete the forced password change
- [ ] **Obtain GoDaddy/registrar access for `sifoidak.com`** — prerequisite for removing `onmicrosoft.com` from M365 usernames (needs a DNS TXT verification record). Vault it once obtained.
- [ ] Add `sifoidak.com` as a verified Entra domain (**no Exchange service**, to protect GoDaddy mail flow), then rename UPNs; notify users, sign-ins will break
- [ ] Settle one UPN convention (`m.allen@` and `marcella.enos@` deviate from `<initial><surname>.sod@`)
- [ ] Fix GPO printer path: it pushes `\\SIF-SERVER\SHARP MX-6240N PCL6`, but that queue is shared on **SIF-SERVER2** (event 513, error 0x709)
- [ ] Consider whether AD password policy should be hardened (currently min length 6, complexity OFF)
- [ ] Decide whether Dwayne needs `AssistancePrograms Group` membership (jalbert has it; Dwayne created with `Domain Users` only)
- [ ] Add `clients/sif-oidak/m365-admin.sops.yaml` if client shares admin credentials with ACG - [ ] Add `clients/sif-oidak/m365-admin.sops.yaml` if client shares admin credentials with ACG
- [ ] Clarify SIF-SERVER2 role (secondary DC or member server?)
- [ ] Determine if jalbert's `PasswordNeverExpires` should be restored (was cleared 2026-05-28) - [ ] Determine if jalbert's `PasswordNeverExpires` should be restored (was cleared 2026-05-28)
- [ ] Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP - [ ] Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP
@@ -173,6 +337,39 @@ Howard requested a remote password reset for domain user `jalbert` (Joshua Alber
Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant `sifoidak.onmicrosoft.com` was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after `toua.net` was tried first (wrong). Onboarded via admin consent + `onboard-tenant.sh`: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value `Albert#2015`. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard. Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant `sifoidak.onmicrosoft.com` was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after `toua.net` was tried first (wrong). Onboarded via admin consent + `onboard-tenant.sh`: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value `Albert#2015`. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard.
### 2026-07-09 — Dwayne Ortega could not log in to his machine; root cause = no AD account
Howard reported Dwayne Ortega could not log in to his machine. Investigation via GuruRMM found
**no on-prem AD account matching `ortega`/`dwayne`** among the 71 domain users — he existed only as
an M365 cloud user (created 2026-06-03). `dsregcmd` on Sif-Laptop554 confirmed the workstations are
`DomainJoined: YES / AzureAdJoined: NO`, so an M365 credential can never authenticate a Windows
sign-in here. Neither SIF-SERVER nor SIF-SERVER2 has any Entra Connect / ADSync component, and no AD
object carries an `msDS-ConsistencyGuid` — the directories are fully disjoint, correcting this
article's prior "hybrid" description. His cloud password had been reset earlier the same day
(`lastPasswordChangeDateTime: 2026-07-09T20:33:05Z`), which could not have fixed a machine login.
**Fix:** created AD user `dortega` (CN=Dwayne Ortega, OU=Domain Users) on SIF-SERVER via GuruRMM
`-EncodedCommand` dispatch, enabled, `Domain Users` only, matching the client's
first-initial+surname convention. Set a temp password with `ChangePasswordAtLogon`; verified
`pwdLastSet=0`. Temp credential vaulted to `clients/sif-oidak/ad-users.sops.yaml` (never posted to
chat/ticket). Laptop agent UUIDs found stale in this article and corrected.
### 2026-07-09 — jalbert could not add the SHARP UD3 printer (error 740)
Joshua Albert hit **error 740** (`ERROR_ELEVATION_REQUIRED`) adding `\\SIF-SERVER\SHARP UD3 PCL6`.
PrintService/Admin event 600 confirmed `Error code= 800702e4` on three attempts. Root cause: the
post-KB5005652 default `RestrictDriverInstallationToAdministrators=1` blocks non-admin print-driver
installs, and **the UAC prompt for the driver install never surfaced to the user**, so it presented
as a bare error. Howard installed the printer himself with admin rights; no remote change was made.
Investigation also surfaced a GPO pushing the MX-6240N queue from the wrong server (event 513).
Also established this session: the tenant has **no Exchange mailboxes** (`O365_BUSINESS` =
Apps-for-business, `EXCHANGE_S_FOUNDATION` stub; all users `mail: null`, no proxyAddresses), and
email for `sifoidak.com` is hosted at GoDaddy. Mike set a standing rule that new Sif-oidak users get
**both** an AD account and an M365 account, and that usernames should drop `onmicrosoft.com` — the
latter is blocked on adding+verifying `sifoidak.com` as a custom Entra domain (registrar access
required). See the Onboarding Runbook.
## Backlinks ## Backlinks
- *(none yet)* - *(none yet)*