sync: auto-sync from HOWARD-HOME at 2026-05-27 00:31:32

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-27 00:31:32
2026-05-27 00:31:45 -07:00
parent bad034cd15
commit dad9a68a0a
4 changed files with 205 additions and 29 deletions


@@ -2,8 +2,8 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
last_compiled: 2026-05-27
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
- session-logs/2026-03-31-session.md
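Review bot: the `compiled_by` line now records a different workstation (`HOWARD-HOME/claude-main` instead of `DESKTOP-0O8A1RL/claude-main`) without any other provenance change; if compiles from more than one machine are expected, it would help to say so in the profile header, otherwise a profile that silently alternates between hosts makes it hard to tell which compile is authoritative.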
@@ -30,6 +30,7 @@ sources:
- session-logs/2026-05-23-session.md
- session-logs/2026-05-24-GURU-KALI-session.md
- clients/cascades-tucson/session-logs/2026-05-22-session.md
- session-logs/2026-05-26-howard-session.md
- clients/cascades-tucson/docs/overview.md
- clients/cascades-tucson/docs/network/topology.md
- clients/cascades-tucson/docs/network/vlans.md
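Review bot: the added source `session-logs/2026-05-26-howard-session.md` uses the repo-root `session-logs/` path while the entry just above it uses `clients/cascades-tucson/session-logs/...`; pick one convention for this client's logs so the sources list can be resolved mechanically.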
@@ -56,21 +57,21 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **Contract type:** Prepaid hour block
- **Key contacts:**
- Winter — front desk / billing; handles invoice processing and prepaid block purchases
- Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. **NEVER set her as ticket contact in Syncro** — she is the wrong default that keeps being selected.
- John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
- Lauren Hasselman — Accounting
- Zachary Nelson — Accounting Assistant
- Lois Lane — CareTakers department head (DESKTOP-KQSL232); resistant to domain migration; John Trozzi is liaison
- Crystal Rodriguez — staff
- Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
- Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
- Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** ~37.5 hrs as of 2026-05-20. Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions. [verify]
- **Hours remaining:** ~28.0 hrs as of 2026-05-26. Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Syncro customer ID:** 20149445
- **Active tickets:**
- #110680053 — Dept-by-dept domain migration (primary active project; plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`)
- #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
- #109225085 — Yealink phone inventory
- #109035475 — John Trozzi desktop WiFi upgrade (billed)
---
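Review bot: the updated hours line drops the `[verify]` marker while keeping "balance is unreliable across sessions", and the ticket list still carries "verify status" on #109412123 from 2026-05-18; since the block was live-checked on 2026-05-26 (28.0 hrs), the ticket's invoice status should be confirmed or its note updated in the same pass so the two "verify" items do not drift apart.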
@@ -83,7 +84,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `6766e973-e703-47c1-be56-76950290f87c` |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | Phones go down if R610 dies |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |
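Review bot: the replacement CS-QB row loses the dependency fact "Phones go down if R610 dies" in favour of a `[REVIEW ...]` placeholder; since the CS-SERVER row still says "Single DC — CRITICAL risk. No backup." and CS-QB is a Hyper-V VM on that host, keep the single-point-of-failure note alongside the review tag until the wireless-phone transition is actually complete.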
@@ -94,24 +95,24 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### Email & Identity
- **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **M365 license:** Business Standard (34 seats). Business Premium upgrade proposed (net -$56.50/mo savings after shared mailbox cleanup). 31 SPB seats reportedly free as of 2026-05-22 — relicensing time-sensitive.
- **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
- **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=none` (monitoring only) — **action needed: upgrade to `p=quarantine`**. DMARC reports to `info@cascadestucson.com` (unmonitored).
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored).
- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass pilot in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
- **Entra Connect:** Installed on CS-SERVER in staging mode as of 2026-04-25. **Not yet exited staging.** Exit from staging is a pending task.
- **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). FIDO2 YubiKeys ordered. Vault entries not yet created. [unverified — check if YubiKeys arrived and accounts created]
- **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
- **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
- **Admin accounts:**
- `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design)
- `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design)
- **ALIS (clinical SaaS):** https://www.go-alis.com/ — Entra SSO configured but **BLOCKED on Medtelligent enabling it** on Cascades tenant. App registration values ready in vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`.
- **Yealink SDM:** 16 SIP-T54W phones via YMCS portal. SDM token success 2026-05-08. ~30 phones still to roll as of 2026-05-10. [unverified — check current count]
- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)`. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device, 8h sign-in frequency.
- **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
### Network
- **ISP / WAN:** Dual-WAN Cox Fiber (primary, static `184.191.143.62/30`, gateway `184.191.143.61`) + Cox Coax (secondary, DHCP `72.211.21.217`). Both WAN IPs added as Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`).
- **Firewall:** pfSense 24.0 at 192.168.0.1. All DHCP. Inter-VLAN routing. 236 resident room VLANs (per-room /28, `10.[floor].[room].0/28`). Staff/infra VLAN 20 (`10.0.20.0/24`, gateway `10.0.20.1`). Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked).
- **Switching:** Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Floors 2/3/4 switches pending hardware replacement.
- **Switching:** Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Switch hardware replacement on floors 2/3/4 complete.
- **WiFi SSIDs:**
- CSCNet — staff, VLAN 20
- CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
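Review bot: the new ALIS line records the install key `d796539d-356b-4190-9c17-35f0f1129376` in cleartext even though the same line says it is held in `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`; keep the key only in the sops vault and reference it from here. Two related points in the same hunk: the DMARC line now reads `p=quarantine;pct=100` but reports still go to an unmonitored `info@` mailbox, so quarantined legitimate mail would go unnoticed; and with Entra Connect now out of staging and block-mode CA policies live, the break-glass accounts being "confirmed not yet created" is a lockout risk worth raising above an unverified-items note.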
@@ -132,8 +133,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- **Yealink YMCS portal:** https://us.ymcs.yealink.com/manager/login — vault: `infrastructure/voip-phones.sops.yaml`
- **Remediation tool:** Still on old app `fabb3421` (ComputerGuru - AI Remediation) as of 2026-04-20. New tiered app suite not yet consented. [unverified — check if consented since then]
- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
- **Vault root:** `clients/cascades-tucson/` in vault repo
---
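Review bot: the updated remediation-tool line says the old app `fabb3421` is "still present but superseded"; a consented app registration that is no longer used keeps its granted permissions, so add a follow-up item to revoke consent and remove it rather than leaving it noted as superseded.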
@@ -163,7 +163,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### Conditional Access / Caregiver Pilot
- **Phased rollout — never tenant-wide.** CA policies for caregivers target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- **Caregiver CA policy set:**
- PATCH legacy MFA-all-users: add `SG-Caregivers-Pilot` to excludeGroups
- CREATE `CSC - Block caregivers off Cascades network` (BLOCK if location not Cascades)
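Review bot: the rollout line now says the caregiver CA policies target `SG-Caregivers` and that `SG-Caregivers-Pilot` is superseded, but the "Caregiver CA policy set" steps directly below still say to add `SG-Caregivers-Pilot` to the legacy MFA-all-users `excludeGroups`; update that step to `SG-Caregivers`, and state whether the pilot group's exclusion was removed, otherwise the profile describes two different exclusion states for the same policy.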
@@ -193,24 +193,27 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).
**Migration phase status (approx. as of 2026-05-22):**
**Migration phase status (as of 2026-05-26):**
| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect incomplete (manually fixed) |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed |
| Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Passwords didn't work 2026-05-21, machine not accessible — pending |
| DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | Pending — GuruRMM agent not yet confirmed online |
| DESKTOP-KQSL232 (Lois Lane — CareTakers) | Blocked — Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
**Blocking issues / pending:**
- Entra Connect: exit staging (requires OU=Administrative UPN changes + cascadestucson.com UPN suffix for that OU)
- M365 relicensing: 31 Business Standard → Business Premium (time-sensitive, 31 SPB seats reportedly free)
- ALIS SSO: blocked on Medtelligent
- Break-glass accounts: not created
- M365 relicensing: 31 Business Standard → Business Premium (SUSPENDED — time-critical, 31 SPB seats free)
- Break-glass accounts: not created (confirmed 2026-05-27)
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied
---
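Review bot: the NURSESTATION-PC auto-lock GPO (HIPAA, ~10 min idle) appears only in the blocking list while the table row for that machine reads "Domain-joined, folder redirect complete", which reads as finished; note the pending GPO in the row as well. Also, the intro line above the table still says "as of 2026-05-24" while the table heading was updated to 2026-05-26.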
@@ -233,9 +236,12 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work. Comment posted to migration ticket. |
| 2026-05-21 | Crystal Rodriguez folder redirect confirmed working. Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work initially. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-14 | Entra Connect exited staging mode — actively syncing. CA pilot re-pointed to SG-Caregivers. |
| 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
---
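Review bot: the new `2026-05-14` row (Entra Connect exited staging) is inserted after the `2026-05-22` row, breaking the table's chronological order; move it up next to the existing `2026-05-14-16` row. Two smaller points: ticket `#32324` uses a different numbering scheme from the Syncro tickets elsewhere in the profile, so say which system it belongs to; and the finding that remote UniFi controller diagnosis is impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked) is an operational gap that belongs in the blocking-issues list, not only in the timeline.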
@@ -246,13 +252,15 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).
**Open items flagged as unverified:**
- Hour balance — always live-check; 2026-05-01 invoice debit may not have fired correctly
- New tiered remediation app suite — Cascades still on old `fabb3421` as of 2026-04-20; unknown if consented since
- DMARC p=none — action item from 2026-04-20, no evidence of resolution
- Break-glass accounts + YubiKeys — decision 2026-04-29, no evidence of execution
- Hour balance — always live-check; treat cached counts as approximate
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
**Resolved since last compile:**
- New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
- DMARC — confirmed upgraded to p=quarantine;pct=100
## Backlinks
- [[projects/gururmm]] — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled
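Review bot: the rewritten hour-balance item drops the specific concern "2026-05-01 invoice debit may not have fired correctly" without recording whether it was resolved; either keep it in the open items or move it to "Resolved since last compile" with the date it was confirmed, so the concern is not lost in the generic "treat cached counts as approximate" wording.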