sync: auto-sync from HOWARD-HOME at 2026-05-27 00:31:32

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-27 00:31:32
2026-05-27 00:31:45 -07:00
parent bad034cd15
commit dad9a68a0a
4 changed files with 205 additions and 29 deletions


@@ -0,0 +1,116 @@
# Cascades of Tucson — Wiki Review
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
---
## Session Summary
This session was a full review of the `wiki/clients/cascades-tucson.md` article at Mike's request. Howard went through the wiki section by section, flagging corrections based on onsite knowledge and recent work. Live M365 tenant checks via the remediation tool were used to answer questions that could be resolved without asking Howard.
The Profile section had several issues: Winter (ACG billing staff, not a Cascades employee) was removed from contacts; Zachary Nelson (Accounting Assistant, already domain-joined and folder-redirect confirmed) was added; Lois Lane (CareTakers department head, DESKTOP-KQSL232, resistant to domain migration) was added with context that John Trozzi is the liaison working with her; ticket #109225085 was removed (Valleywide's Yealink phone inventory, not Cascades); hours remaining corrected from ~37.5h (stale, 2026-05-20) to ~28.0h (as of 2026-05-26 post-billing).
The Email & Identity section had the most changes. The Yealink SDM entry was removed entirely — Cascades uses Samsung Galaxy A15s enrolled via Intune Shared Device Mode, not Yealink phones; the Yealink SIP-T54W entry had been incorrectly compiled from a Valleywide ticket handled in the same session. ALIS SSO was corrected from "blocked on Medtelligent" to live and working, proven end-to-end with pilot.test on the Galaxy A15 caregiver phones. Entra Connect was updated from "not yet exited staging" to actively syncing (exited staging 2026-05-14, last sync confirmed live as 2026-05-27). DMARC was corrected from p=none to p=quarantine;pct=100 (confirmed via DNS). M365 licensing was clarified: Business Standard is SUSPENDED with 31 users still assigned; 31 SPB (Business Premium) seats are free — relicensing is pending and time-critical. Break-glass accounts were confirmed not created via live tenant check. The remediation tool entry was corrected from "old app fabb3421, tiered suite not consented" to all six ComputerGuru apps confirmed consented in the tenant as of 2026-04-21.
The Network section was updated to mark the floors 2/3/4 switch hardware replacement as complete. The Patterns & Known Issues section was updated to reflect the CA pilot moving from SG-Caregivers-Pilot to SG-Caregivers after Entra Connect exited staging. The Active Work table was expanded with Crystal Rodriguez (folder redirect confirmed 2026-05-21), Lauren Hasselman (complete 2026-05-23), Megan Hiatt (pending), and the Lois Lane / DESKTOP-KQSL232 blocker. The history table received three missing entries covering 2026-05-14 (Entra Connect staging exit), 2026-05-23 (Lauren folder redirect), and 2026-05-26 (access control vendor meeting, remote diagnosis impossible). The CS-QB VoIP server entry in the infrastructure table was flagged for review — Cascades is moving away from traditional landlines; phones section deferred to a future session.
---
## Key Decisions
- **Yealink SDM removed from Cascades wiki** — confirmed misattributed. The Yealink SIP-T54W phones and YMCS portal entry came from a Valleywide ticket (#109225085) processed in the same session as Cascades work. Cascades caregiver phones are Samsung Galaxy A15s via Intune SDM.
- **Live tenant checks used to resolve unverified items** — rather than asking Howard about DMARC, break-glass accounts, licensing, Entra Connect state, and remediation app consent, the Security Investigator app was used to pull live data. Reduced interruptions significantly.
- **CS-QB / VoIP entry flagged but not removed** — Cascades is transitioning away from traditional landlines. Entry marked for review rather than deleted; phones section will be revisited in a future session once Howard has more detail.
- **Winter removed from Cascades contacts** — she is ACG staff (handles our invoicing, sends bills to Cascades), not a Cascades employee or point of contact.
---
## Problems Encountered
- **ALIS service principal not found via Graph search** — queried Graph for service principals with "ALIS" in display name; returned null. ALIS SSO is working per Howard's confirmation; the app may be registered under a different display name or as a web app type not surfaced by that filter. Not a blocker — Howard confirmed SSO is live.
---
## Configuration Changes
- `wiki/clients/cascades-tucson.md` — comprehensive update across all sections (last_compiled updated to 2026-05-27, compiled_by updated to HOWARD-HOME/claude-main)
---
## Credentials & Secrets
None created or discovered this session. Existing vault paths confirmed:
- `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` — Entra app reg + ALIS Inbound Connections Basic Auth + install key
- `clients/cascades-tucson/m365-admin.sops.yaml`
- `clients/cascades-tucson/m365-sysadmin.sops.yaml`
- `clients/cascades-tucson/pfsense-firewall.sops.yaml`
- `msp-tools/computerguru-security-investigator.sops.yaml` — used for live tenant checks
---
## Infrastructure & Servers
- **M365 tenant:** cascadestucson.com / `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Entra Connect:** active, last sync 2026-05-27T06:07:20Z
- **ComputerGuru apps consented in Cascades tenant:** Security Investigator (`bfbc12a4`), Exchange Operator (`b43e7342`), User Manager (`64fac46b`), Tenant Admin (`709e6eed`), Defender Add-on (`dbf8ad1a`), Intune Manager (`46986910`) — all consented 2026-04-21
- **Old AI Remediation app** (`fabb3421`) — still present in tenant, superseded
- **Caregiver phones:** 22 Samsung Galaxy A15s, Intune SDM, dynamic group `ea96f4b7-3000-45da-ab1f-ddb28f509526`
- **Cascades prepaid block:** ~28.0h as of 2026-05-26
- **Syncro customer ID:** 20149445
---
## Commands & Outputs
```bash
# License check — key findings
SPB (Business Premium): enabled=34, consumed=331 seats free
O365_BUSINESS_PREMIUM (Business Standard): SUSPENDED, consumed=31 → relicensing urgent
# Break-glass accounts
GET /users?filter=startswith(userPrincipalName,'breakglass')[] (none exist)
# Entra Connect sync status
onPremisesSyncEnabled: true
onPremisesLastSyncDateTime: 2026-05-27T06:07:20Z
# DMARC
_dmarc.cascadestucson.com → v=DMARC1;p=quarantine;pct=100;...
# ComputerGuru apps in tenant
6 apps consented — Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager
```
---
## Pending / Incomplete Tasks
- **M365 relicensing** — 31 users on SUSPENDED Business Standard; 31 SPB seats available. Time-critical.
- **Break-glass accounts** — `breakglass1-csc@` and `breakglass2-csc@` not created. YubiKey arrival unconfirmed.
- **Audit retention infra** — approved 2026-04-29, not yet built (Azure LAW 90d + Storage 6yr)
- **NURSESTATION-PC auto-lock GPO** — HIPAA requirement (~10 min idle), not yet applied
- **Entra Connect: OU=Administrative** — not yet in sync scope; UPN suffix updates for that OU pending
- **Megan Hiatt (Marketing)** — domain join pending; GuruRMM agent not yet confirmed online
- **DESKTOP-KQSL232 (Lois Lane / CareTakers)** — blocked on user cooperation; John Trozzi working with her
- **CHEF-PC, SALES4-PC, MDIRECTOR-PC** — Phase 3 domain joins not yet started
- **CS-QB / VoIP section** — deferred; Cascades transitioning away from traditional landlines, phones section needs revisit
- **dunedolly21@gmail.com** — external guest invited 2026-04-14 by Lauren Hasselman; status unconfirmed
- **ALIS per-caregiver email match** — each caregiver's ALIS staff-record Email must match Entra UPN exactly
- **ALIS BAA with Medtelligent** — not yet verified; confirm with Meredith
---
## Reference Information
- **Cascades wiki:** `wiki/clients/cascades-tucson.md`
- **Migration plan:** `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- **Workstation audit:** `clients/cascades-tucson/docs/workstations.md` (last audited 2026-03-20)
- **Migration ticket:** Syncro #110680053
- **Entra setup ticket:** Syncro #109412123
- **Access control vendor meeting ticket:** Syncro #32324
- **ALIS install key:** `d796539d-356b-4190-9c17-35f0f1129376`
- **Cascades ALIS tenant:** https://cascadestucson.alisonline.com
- **Caregiver dynamic group:** `ea96f4b7-3000-45da-ab1f-ddb28f509526` (Cascades - Shared Phones)
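Review bot: the ALIS install key under Reference Information is written out in plaintext in a session log that is committed to the repo, while the Credentials & Secrets section of the same file already records it as living in `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`; keep the key only in the SOPS vault and reference the path here, otherwise encrypting the vault buys nothing. Two smaller things in Commands & Outputs: `enabled=34, consumed=331 seats free` on the SPB line reads as `consumed=3` and `31 seats free` run together (the wiki hunk in this same commit records 34 enabled, 3 consumed, 31 free), and the break-glass check is written as `GET /users?filter=startswith(userPrincipalName,'breakglass')[]` where Graph takes `$filter` and the trailing `[]` is the empty result, not part of the request; record the request and the result on separate lines so the check can be replayed.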


@@ -0,0 +1,50 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Post-reboot scanner cleanup. Registered as a SYSTEM logon task by
Register-ScannerCleanupTask; removes scanner installation paths, writes
logs-ready.json for GuruRMM to pull, then unregisters itself.
Run directly to trigger cleanup immediately without waiting for the task:
.\Invoke-ScannerCleanup.ps1
#>
$Base = 'C:\GuruScan'
$stateFile = "$Base\cleanup-state.json"
$state = @{ scan_id = ''; log_root = '' }
if (Test-Path $stateFile) {
try { $state = Get-Content $stateFile -Raw | ConvertFrom-Json } catch {}
}
$scannerPaths = @(
'C:\EmsisoftCmd',
'C:\AdwCleaner',
'C:\ProgramData\HitmanPro',
'C:\ProgramData\HitmanPro.Alert'
)
foreach ($p in $scannerPaths) {
if (Test-Path $p) {
Remove-Item -Path $p -Recurse -Force -ErrorAction SilentlyContinue
}
}
# Remove scanner download EXEs (leave C:\GuruScan\ itself intact)
$downloadsPath = "$Base\downloads"
if (Test-Path $downloadsPath) {
Remove-Item -Path $downloadsPath -Recurse -Force -ErrorAction SilentlyContinue
}
# Flag logs as ready for GuruRMM to pull
$zipPath = "$Base\reports\$($state.scan_id).zip"
@{
scan_id = $state.scan_id
log_root = $state.log_root
zip_path = $zipPath
cleaned_at = (Get-Date).ToUniversalTime().ToString('o')
} | ConvertTo-Json | Set-Content "$Base\logs-ready.json" -Encoding UTF8
Remove-Item -Path $stateFile -Force -ErrorAction SilentlyContinue
Unregister-ScheduledTask -TaskName 'GuruRMM-ScannerCleanup' -Confirm:$false -ErrorAction SilentlyContinue
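Review bot: logs-ready.json is written even when the state file was missing or failed to parse; in that case `scan_id` is empty, `zip_path` becomes `C:\GuruScan\reports\.zip`, and GuruRMM is told logs are ready for a zip that does not exist. Guard the write with something like `if (-not $state.scan_id -or -not (Test-Path $zipPath))` and emit an error marker (or skip the file) instead. The `catch {}` on the ConvertFrom-Json line swallows the parse error that would explain that case; at least `Write-Warning $_` there. Note also that ConvertFrom-Json returns a PSCustomObject, so the `@{ scan_id = ''; log_root = '' }` defaults are replaced rather than merged, and a state file without `log_root` yields `$null` in the output JSON. Finally, `C:\ProgramData\HitmanPro.Alert` is the data folder of a separately installed product, not something the `/noinstall` HitmanPro scan in this commit's config creates; deleting it on a machine that legitimately runs HitmanPro.Alert would break that install, so only remove paths the scanner run is known to have created.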


@@ -112,12 +112,14 @@
"scan_args": [
"/noinstall",
"/scan",
"/quiet",
"/log=\"{LOG_ROOT}\\HitmanPro_Scan_Log.txt\"",
"/excludelist=\"C:\\GuruScan\\whitelist.txt\""
],
"clean_args": [
"/noinstall",
"/clean",
"/quiet",
"/log=\"{LOG_ROOT}\\HitmanPro_Scan_Log.txt\"",
"/excludelist=\"C:\\GuruScan\\whitelist.txt\""
],
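Review bot: `scan_args` and `clean_args` both log to `{LOG_ROOT}\HitmanPro_Scan_Log.txt`, so a clean pass run after the scan reuses the file and the scan evidence that logs-ready.json is meant to hand back is either overwritten or interleaved with the clean output; give the clean pass its own file such as `HitmanPro_Clean_Log.txt`. Also, `/excludelist=C:\GuruScan\whitelist.txt` makes the exclusion list a plain file under `C:\GuruScan`, and whoever can write there can exclude arbitrary paths from the scan; confirm that directory's ACL allows writes only to Administrators and SYSTEM, since the cleanup script in this commit deliberately leaves `C:\GuruScan` in place. With the `+`/`-` markers missing from the rendered hunk it is not visible which two lines are new; from the `-12 +14` header they are presumably the two `/excludelist` lines.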


@@ -2,8 +2,8 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
last_compiled: 2026-05-27
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
- session-logs/2026-03-31-session.md
@@ -30,6 +30,7 @@ sources:
- session-logs/2026-05-23-session.md
- session-logs/2026-05-24-GURU-KALI-session.md
- clients/cascades-tucson/session-logs/2026-05-22-session.md
- session-logs/2026-05-26-howard-session.md
- clients/cascades-tucson/docs/overview.md
- clients/cascades-tucson/docs/network/topology.md
- clients/cascades-tucson/docs/network/vlans.md
@@ -56,21 +57,21 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **Contract type:** Prepaid hour block
- **Key contacts:**
- Winter — front desk / billing; handles invoice processing and prepaid block purchases
- Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. **NEVER set her as ticket contact in Syncro** — she is the wrong default that keeps being selected.
- John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
- Lauren Hasselman — Accounting
- Zachary Nelson — Accounting Assistant
- Lois Lane — CareTakers department head (DESKTOP-KQSL232); resistant to domain migration; John Trozzi is liaison
- Crystal Rodriguez — staff
- Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
- Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
- Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** ~37.5 hrs as of 2026-05-20. Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions. [verify]
- **Hours remaining:** ~28.0 hrs as of 2026-05-26. Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Syncro customer ID:** 20149445
- **Active tickets:**
- #110680053 — Dept-by-dept domain migration (primary active project; plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`)
- #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
- #109225085 — Yealink phone inventory
- #109035475 — John Trozzi desktop WiFi upgrade (billed)
---
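Review bot: the new Hours remaining line drops the `[verify]` tag while keeping the sentence that says the balance is unreliable across sessions; either keep the tag or reword, since the rest of the wiki uses `[verify]` / `[unverified]` to mark values that must be live-checked. The #109412123 entry still reads `may be invoiced as of 2026-05-18; verify status` although the history table records billing against the block again on 2026-05-26; if the Syncro check was done this session, record the result, otherwise it should stay flagged. The Winter line reads as the removed line and Zachary Nelson / Lois Lane as the added ones, but with the `+`/`-` markers stripped from the rendering that cannot be confirmed here.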
@@ -83,7 +84,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `6766e973-e703-47c1-be56-76950290f87c` |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | Phones go down if R610 dies |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |
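Review bot: the replacement CS-QB row loses `Phones go down if R610 dies`, which is the only place the wiki records that VoIP depends on the single, unbacked-up CS-SERVER host described two rows up. Until the landline transition is actually complete, keep that dependency in the notes column next to the `[REVIEW ...]` tag rather than replacing it.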
@@ -94,24 +95,24 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### Email & Identity
- **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **M365 license:** Business Standard (34 seats). Business Premium upgrade proposed (net -$56.50/mo savings after shared mailbox cleanup). 31 SPB seats reportedly free as of 2026-05-22 — relicensing time-sensitive.
- **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
- **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=none` (monitoring only) — **action needed: upgrade to `p=quarantine`**. DMARC reports to `info@cascadestucson.com` (unmonitored).
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored).
- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass pilot in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
- **Entra Connect:** Installed on CS-SERVER in staging mode as of 2026-04-25. **Not yet exited staging.** Exit from staging is a pending task.
- **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). FIDO2 YubiKeys ordered. Vault entries not yet created. [unverified — check if YubiKeys arrived and accounts created]
- **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
- **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
- **Admin accounts:**
- `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design)
- `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design)
- **ALIS (clinical SaaS):** https://www.go-alis.com/ — Entra SSO configured but **BLOCKED on Medtelligent enabling it** on Cascades tenant. App registration values ready in vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`.
- **Yealink SDM:** 16 SIP-T54W phones via YMCS portal. SDM token success 2026-05-08. ~30 phones still to roll as of 2026-05-10. [unverified — check current count]
- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)`. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device, 8h sign-in frequency.
- **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
### Network
- **ISP / WAN:** Dual-WAN Cox Fiber (primary, static `184.191.143.62/30`, gateway `184.191.143.61`) + Cox Coax (secondary, DHCP `72.211.21.217`). Both WAN IPs added as Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`).
- **Firewall:** pfSense 24.0 at 192.168.0.1. All DHCP. Inter-VLAN routing. 236 resident room VLANs (per-room /28, `10.[floor].[room].0/28`). Staff/infra VLAN 20 (`10.0.20.0/24`, gateway `10.0.20.1`). Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked).
- **Switching:** Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Floors 2/3/4 switches pending hardware replacement.
- **Switching:** Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Switch hardware replacement on floors 2/3/4 complete.
- **WiFi SSIDs:**
- CSCNet — staff, VLAN 20
- CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
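Review bot: the ALIS line copies the install key into the wiki in plaintext immediately after naming the SOPS vault file that is supposed to hold it (Entra app reg, Basic Auth creds and install key); an installation key for a clinical SaaS with Basic Auth inbound connections should live only in the vault, with the wiki pointing at the path. Two follow-ups on the same hunk: the DMARC record is now `p=quarantine;pct=100` but aggregate reports still go to `info@cascadestucson.com`, which the same line calls unmonitored, so legitimate mail that starts being quarantined will not be noticed; point `rua=` at a monitored mailbox or a report processor. And the break-glass line confirms neither account exists while `Require MFA for all users` and three caregiver BLOCK policies are active, so a CA misconfiguration currently has no recovery path; that belongs on the time-critical list alongside relicensing.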
@@ -132,8 +133,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- **Yealink YMCS portal:** https://us.ymcs.yealink.com/manager/login — vault: `infrastructure/voip-phones.sops.yaml`
- **Remediation tool:** Still on old app `fabb3421` (ComputerGuru - AI Remediation) as of 2026-04-20. New tiered app suite not yet consented. [unverified — check if consented since then]
- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
- **Vault root:** `clients/cascades-tucson/` in vault repo
---
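Review bot: the remediation-tool line records the old `fabb3421` (ComputerGuru - AI Remediation) app as `still present but superseded`. A superseded app whose admin consent is still in place is standing access to the tenant that nobody uses; either revoke its consent and remove the service principal (then note the removal here) or state why it is being kept.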
@@ -163,7 +163,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### Conditional Access / Caregiver Pilot
- **Phased rollout — never tenant-wide.** CA policies for caregivers target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- **Caregiver CA policy set:**
- PATCH legacy MFA-all-users: add `SG-Caregivers-Pilot` to excludeGroups
- CREATE `CSC - Block caregivers off Cascades network` (BLOCK if location not Cascades)
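Review bot: the rewritten Phased rollout bullet says caregiver CA policies now target `SG-Caregivers` and that `SG-Caregivers-Pilot` is superseded, but the policy-set list directly below still says `PATCH legacy MFA-all-users: add SG-Caregivers-Pilot to excludeGroups`. Update that step to `SG-Caregivers`, and confirm the pilot group was removed from the MFA policy's `excludeGroups` rather than left alongside the new group: any member of a group that remains in `excludeGroups` of `Require MFA for all users` is exempt from MFA, which is exactly the bypass the phased-rollout rule exists to contain.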
@@ -193,24 +193,27 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).
**Migration phase status (approx. as of 2026-05-22):**
**Migration phase status (as of 2026-05-26):**
| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect incomplete (manually fixed) |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed |
| Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Passwords didn't work 2026-05-21, machine not accessible — pending |
| DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | Pending — GuruRMM agent not yet confirmed online |
| DESKTOP-KQSL232 (Lois Lane — CareTakers) | Blocked — Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
**Blocking issues / pending:**
- Entra Connect: exit staging (requires OU=Administrative UPN changes + cascadestucson.com UPN suffix for that OU)
- M365 relicensing: 31 Business Standard → Business Premium (time-sensitive, 31 SPB seats reportedly free)
- ALIS SSO: blocked on Medtelligent
- Break-glass accounts: not created
- M365 relicensing: 31 Business Standard → Business Premium (SUSPENDED — time-critical, 31 SPB seats free)
- Break-glass accounts: not created (confirmed 2026-05-27)
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied
---
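Review bot: the table heading moved to 2026-05-26 but the sentence above it still says `Primary active project as of 2026-05-24`; update both together. NURSESTATION-PC is listed as `Domain-joined, folder redirect complete` while the blocking list below records its HIPAA auto-lock GPO as not yet applied; note that in the row so the table alone does not read as done. With the `+`/`-` markers gone from the rendering, the two Lauren Hasselman rows and the two Entra Connect bullets read as duplicates; the later one in each pair is presumably the new line.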
@@ -233,9 +236,12 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work. Comment posted to migration ticket. |
| 2026-05-21 | Crystal Rodriguez folder redirect confirmed working. Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work initially. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-14 | Entra Connect exited staging mode — actively syncing. CA pilot re-pointed to SG-Caregivers. |
| 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
---
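Review bot: the new `2026-05-14 | Entra Connect exited staging mode` row is inserted between 2026-05-22 and 2026-05-23, out of chronological order, and there is already a `2026-05-14-16` row covering that date; move the staging-exit text into the existing row or place the new row before it so the table stays sorted. The two 2026-05-21 rows read as duplicates because the `+`/`-` markers are missing; the second is presumably the replacement.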
@@ -246,13 +252,15 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).
**Open items flagged as unverified:**
- Hour balance — always live-check; 2026-05-01 invoice debit may not have fired correctly
- New tiered remediation app suite — Cascades still on old `fabb3421` as of 2026-04-20; unknown if consented since
- DMARC p=none — action item from 2026-04-20, no evidence of resolution
- Break-glass accounts + YubiKeys — decision 2026-04-29, no evidence of execution
- Hour balance — always live-check; treat cached counts as approximate
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
**Resolved since last compile:**
- New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
- DMARC — confirmed upgraded to p=quarantine;pct=100
## Backlinks
- [[projects/gururmm]] — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled
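Review bot: the new Hour balance line drops `2026-05-01 invoice debit may not have fired correctly` without recording whether that debit was ever confirmed; if the post-billing check on 2026-05-26 settled it, add it to `Resolved since last compile`, otherwise keep the note. That resolved list should also carry the two larger changes this compile made, ALIS SSO (now live) and Entra Connect (exited staging 2026-05-14), which currently appear only in the rewritten bullets above.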