wiki: compile cascades-tucson (full) — shared mailboxes, Edge UNC bug, cascadesDS lock pattern; live billing 55.75h

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 10:03:14 -07:00
parent f76be2e6e3
commit db3edfdb82
2 changed files with 51 additions and 20 deletions


@@ -2,7 +2,7 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-05
last_compiled: 2026-06-13
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
@@ -38,6 +38,9 @@ sources:
- clients/cascades-tucson/session-logs/2026-06-04-session.md
- clients/cascades-tucson/session-logs/2026-06-05-session.md
- clients/cascades-tucson/session-logs/2026-06-05-howard-cascades-entra-ticket-billing.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-08-howard-edge-unc-download-bug-diagnosis.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-10-howard-meredith-locked-word-doc.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-12-howard-shared-mailboxes-grievances-surveys.md
- clients/cascades-tucson/docs/overview.md
- clients/cascades-tucson/docs/network/topology.md
- clients/cascades-tucson/docs/network/vlans.md
@@ -112,17 +115,21 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
- Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- Chris Knight — Accounting / Business Office (same access tier as Lauren Hasselman); chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04). **Workstation setup 2026-06-08:** machine **DESKTOP-N5G1ROO** (Win 11 Pro for Workstations) domain-joined + GuruRMM-enrolled (agent `205025ee-2676-4498-8a27-e88562a6f69a`, site CascadesTucson), Office (O365) installed. AD account `chris.knight` (OU=Administrative) finished to match Lauren: home folder created, added to `SG-FolderRedirect`, `mail` set, AD password `Cascades2026!` (change-at-logon cleared). Mailbox remains cloud-only/unsynced (same split state as Lauren — see Entra sync note).
- JD Martin — Syncro-confirmed contact (jd.martin@cascadestucson.com); role not yet documented.
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** **57.75 hrs (live Syncro pull 2026-06-09).** This is ~50h HIGHER than the 7.75 the 2026-06-08 session log/prior wiki recorded — the block was almost certainly topped up (prepaid renewal) between 06-08 and 06-09. The old 7.75→8.75→15.75 chain in History/Compilation Notes reflects pre-top-up readings; **trust the live value, not the chain.** 1.0h onsite WAS billed 2026-06-08 on #32330/111216087 "New computer for Chris Knight" (invoice #67790, $0.00 prepaid; ticket status corrected Resolved→Invoiced 2026-06-09). **PENDING:** 1.0h onsite for the ASSISTNURSE-PC Win11 reinstall to be billed on #32303 (will draw 57.75→56.75). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Hours remaining:** **55.75 hrs (live Syncro pull 2026-06-13).** Most recent draws: 1.0h onsite for ASSISTNURSE-PC Win11 reinstall on #32303 (implied by balance chain 57.75→56.75; no dedicated session log captured); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, invoice $0.00 prepaid, 56.75→56.25); 0.5h remote 2026-06-12 shared mailboxes Grievances+Surveys (ticket #32417, invoice $0.00 prepaid, 56.25→55.75). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Syncro customer ID:** 20149445
- **Active tickets:**
- **Managed devices (Syncro):** 29 (live pull 2026-06-13)
- **Active tickets:** Syncro full pull 2026-06-13 shows **one real open ticket**#32370 [New] (eFax/scanner onsite). #32414 [New] is an automated "payment on the way" notification stub, not work.
- #110680053 / #32303 — Entra / domain migration project ("Domain setup-entra sync"). Status: **Invoiced** as of 2026-06-05. Latest billing: 7.0h onsite 2026-06-05, invoice #67782 ($0.00 prepaid). Monday caregiver cutover will generate further work on this ticket. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
- #109035475 — John Trozzi desktop WiFi upgrade (billed)
- #32370 — eFax setup on Karen's and Christin's machines + portable scanner setup on both (Howard onsite; no appointment scheduled yet; ticket open/pending 2026-06-02)
- #32370 **[New] / open (confirmed live 2026-06-13)** — eFax setup on Karen's and Christin's machines + portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- #32381 — Tamra scanner onsite (0.5h onsite, billed 2026-06-04, prepaid block)
- #32382 — Megan file access onsite (1.5h onsite, billed 2026-06-04, prepaid block)
- #32383 — Chris Knight bill.com / BOK email delivery (1.5h remote, billed 2026-06-04, prepaid block; Syncro id 112201209)
- #32383 **Resolved (confirmed live 2026-06-13)** Chris Knight bill.com / BOK email delivery (1.5h remote, billed 2026-06-04, prepaid block; Syncro id 112201209). Fix was sender-side (bill.com support call + SendGrid suppression clear; BOK portal correction); ticket since closed.
- #32403 — Meredith locked Word doc / stale owner files (0.5h remote, billed 2026-06-10, prepaid block; Invoiced)
- #32417 — Shared mailboxes Grievances+Surveys (0.5h remote, billed 2026-06-12, prepaid block; Invoiced)
---
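Review bot: the Chris Knight contact entry (the `chris.knight` AD account line) records the user's AD password in plaintext in a git-tracked wiki article; every other secret on this page is a pointer to a `*.sops.yaml` vault entry, so move this one to `clients/cascades-tucson/` in the vault the same way and, since it has already been committed, treat it as exposed and rotate it (note the change-at-logon flag was cleared, so nothing forces the user to replace it). Two smaller points in the same hunk: the new "Active tickets" summary line is missing a space in `open ticket**#32370`, and the 1.0h ASSISTNURSE-PC draw on #32303 is stated as "implied by balance chain 57.75→56.75; no dedicated session log captured" while the ticket list presents it as billed; mark it as inferred in the ticket list too, or cite the invoice/line item once it has been live-checked.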
@@ -168,6 +175,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
- **Inky:** No Inky deployment exists in this tenant. No connector, no transport rule, no OAuth app, no add-in. Confirmed 2026-06-04.
- **EXO MSP app auth note (2026-06-04):** When the MSP app cert is not in the Windows cert store on a given machine, use client_credentials flow to obtain an EXO-scoped access token and connect via `Connect-ExchangeOnline -AccessToken`. This bypasses both the cert requirement and interactive MFA. App: ComputerGuru Exchange Operator (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`). Vault: `msp-tools/computerguru-exchange-operator.sops.yaml`.
- **Shared mailboxes (created 2026-06-12):** `grievances@cascadestucson.com` (DisplayName "Grievances") and `Surveys@cascadestucson.com` (DisplayName "Surveys") — both SharedMailbox type, cloud-only, no license consumed (under 50 GB). Delegated to Meredith Kuhn (`meredith.kuhn@`) and Ashley Jensen (`ashley.jensen@`) with FullAccess (auto-mapping enabled) + SendAs on each (Send As chosen over Send on Behalf so outbound mail appears strictly from the shared address). Created via ComputerGuru Exchange Operator MSP app (`b43e7342`), cert-based EXO access token auth, `get-token.sh` tier `exchange-op`. `ExchangeOnlineManagement` module v3.10.0 was installed on Howard-Home (PSGallery, CurrentUser scope) for this session — it was not previously present on that machine. All 8 permission grants verified with `Get-MailboxPermission` / `Get-RecipientPermission` post-creation. Ticket #32417, 0.5h remote, invoice $0.00 prepaid.
### Network
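Review bot: the shared-mailbox entry chooses SendAs so outbound mail "appears strictly from the shared address", which also means recipients cannot tell which delegate sent it; add a line confirming that mailbox audit logging is enabled for `grievances@` and `Surveys@` so SendAs actions remain attributable to Meredith or Ashley. The auth description is also inconsistent with the entry two lines above it: that note says the access-token flow is what you use when the cert is *not* in the store, while this entry says the mailboxes were created with "cert-based EXO access token auth"; state which path `get-token.sh` tier `exchange-op` actually took on Howard-Home.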
@@ -200,6 +208,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **svc-scan (scan-to-folder service account):** vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). AD account on CS-SERVER for the Accounting Brother's SMB scans — see Patterns -> File Shares & Scan-to-Folder.
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- **GuruRMM — ASSISTMAN-PC (Meredith Kuhn):** agent ID `cf86fa5e-96a2-494d-9cb1-8be22a518ad0`
- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
- **ComputerGuru Exchange Operator MSP app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. Use access token auth when cert not in store (see Email & Identity section).
- **Vault root:** `clients/cascades-tucson/` in vault repo
@@ -252,6 +261,19 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **[NETWORK] CS-SERVER cannot reach the VLAN-20 printers** — main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Verified: CS-SERVER -> `10.0.20.220`:80/443/445 all fail. So you **cannot configure a 10.0.20.x printer's web UI from CS-SERVER** — use a VLAN-20 PC's browser (e.g. ACCT2-PC `10.0.20.209`) or go onsite. The reverse (printer -> CS-SERVER:445) **is** open, which is all scan-to-folder needs (svc-scan SMB write verified from ACCT2-PC).
- **Persistent drive maps to `\\cs-server\AcctDept`** (per-user, via RMM `user_session`): Chris (DESKTOP-N5G1ROO) **Y:**, Zachary (ACCT2-PC) **Y:**, Lauren (DESKTOP-H6QHRR7) **X:** (Y: was already in use on hers).
### Synology NAS (cascadesDS) / Shared File Access
- **Stale Word owner (lock) files on cascadesDS shares:** Word creates a hidden `~$<truncated filename>` owner file when a document is opened; if the user's session ends without cleanly closing Word (crash, logoff with file open), the `~$` file is orphaned. Any later open of the same document displays "locked for editing by [name]" even with no live session. Confirmed 2026-06-10: five `~$` files dated 2024 on `\\cascadesds\Public\Company Web Docs\Staff Trainings\` caused false lock messages across several training docs. **Diagnosis:** list the folder for `~$` files; check the timestamp — if hours or days old with no matching active session, it is stale. **Fix:** delete the `~$` file(s). If the file is still locked after deleting orphaned owner files, check Synology DSM -> File Services -> Resource Monitor for a live SMB handle and clear it there.
- **Accessing cascadesDS from RMM — always use a user session, not CS-SERVER SYSTEM.** The domain-joined CS-SERVER machine account cannot authenticate to the Synology `Public` share because cascadesDS uses workgroup "CASCADES" (same short name as the AD domain), causing Kerberos auth failures. CS-SERVER SYSTEM → `\\cascadesds\*` returns access denied. Workaround: run the command in the `user_session` context of a machine where the target user is actively logged in (e.g. ASSISTMAN-PC agent `cf86fa5e` for Meredith-accessible shares). When constructing UNC paths in PowerShell over the RMM transport, use char-code path construction to avoid backslash loss across bash → jq → agent → PowerShell (`[char]92` for `\`).
### Browser / Edge
- **[BUG - FLEET] Edge 149 cannot open Office files via download-list when Downloads is a UNC-redirected folder (Chromium issue 519243472).** A regression introduced in Chromium 149 (feature `LaunchShellExecuteViaExplorer`) prepends `\\?\` to UNC paths without converting to the correct `\\?\UNC\` form, producing a malformed path (`\\?\\\cs-server\...`). **Symptom:** clicking an `.xlsx` or `.docx` in the Edge download panel shows "Windows cannot find '\\?\\\cs-server\homes\<user>\Downloads\<file>'." Text files and PDFs open fine from the same panel (PDF uses Edge's built-in viewer and does not invoke ShellExecute; Office routes through the broken external-launch path). The same Office file double-clicked from File Explorer opens normally. **Trigger:** Downloads folder redirected via GPO Folder Redirection to a UNC path with **no mapped drive letter** (`\\cs-server\homes\<user>\Downloads`) — exactly Cascades' Homes-share redirect configuration. **Affected build:** Edge stable 149.0.4022.52 (Chromium 149 base); last known-good: Chromium 148 (148.0.7778.217). **Cascades exposure as of 2026-06-08:** Ashley Jensen (DESKTOP-U2DHAP0) and Lois Lane (DESKTOP-KQSL232) confirmed on 149.0.4022.52; fleet-wide for any Cascades user whose Downloads is redirected to `\\cs-server\homes` and who is running Edge 149. **Fix options (none applied as of 2026-06-08 session; decision left to Howard):**
1. Update Edge forward past the fix (Chromium fix crrev 7900033 "Correctly handle UNC paths in InvokeShellExecute," merged M149/M150, verified Chromium 151.0.7875.0 — preferred when a patched stable ships).
2. Interim feature flag: add `--disable-features=LaunchShellExecuteViaExplorer` to the Edge shortcut target (quit Edge fully first; applies only to launches from that shortcut).
3. Zero-config workaround: use "Show in folder" in the Edge download panel, then double-click from File Explorer.
4. Supported 149→148 rollback (one major back is in-bounds): download 148 stable MSI from https://www.microsoft.com/en-us/edge/business/download; set `HKLM\SOFTWARE\Policies\Microsoft\Edge\RollbackToTargetVersion` (DWORD) = 1 **before** install; pin via `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate\TargetVersionPrefix{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}` = `148.` and `Update{56EB18F8-...}` = 2; unwind the pin once a fixed 149.x/150 ships. Edge stable app GUID: `{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}`. Note: pinning to 148 forfeits 149 security fixes; prefer option 1 or 3 for HIPAA machines.
### Conditional Access / Caregiver Policies
- **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
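Review bot: in fix option 4 of the Edge entry, the second EdgeUpdate policy key is written as `Update{56EB18F8-...}` with the GUID elided, so the runbook is not copy-pasteable; write the full `{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}` in that key name as is done for `TargetVersionPrefix`. The option already says pinning to 148 forfeits 149 security fixes; make the unwind step explicit (remove `TargetVersionPrefix{…}`, `Update{…}` and `RollbackToTargetVersion` once a fixed build ships) and add it to the Active Work pending list so the pin cannot outlive the bug. In the cascadesDS entry, the instruction to delete `~$` owner files should keep its precondition in the same sentence: confirm the timestamp is stale and no live SMB handle exists in DSM Resource Monitor before deleting, since a `~$` file from a live session is the only thing preventing a concurrent-edit clobber.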
@@ -321,7 +343,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
## Active Work
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053). Syncro full pull 2026-06-13: one real open ticket — #32370 (eFax/scanner onsite); #32414 [New] is an automated payment-notification stub.
**Migration phase status (as of 2026-05-26):**
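Review bot: the rewritten Active Work line keeps "Primary active project as of 2026-05-24" while appending a 2026-06-13 Syncro pull to the same sentence, so the as-of date no longer covers the statement; either bump the date to 2026-06-13 or split the ticket-pull finding onto its own line.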
@@ -344,13 +366,14 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: reboot required to activate `CSC - Caregiver Device Lockdown` GPO (deployed 2026-06-05, linked to `OU=Caregiver Devices`; startup script runs at boot — verify lock@3min, 90s warning, sign-out@15min, never-sleep)
- #32370 (open): Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- #32383 (open — pending customer action): bill.com email delivery for Chris Knight. Cascades must CALL bill.com support to update account email to `chris.knight@cascadestucson.com` AND clear it from the SendGrid suppression list (cannot be done via web UI). BOK side near-resolved (address corrected; Chris to complete registration). Ticket logged 2026-06-04; investigation billed 1.5h remote.
- Caregiver device allow-list: 4 laptops need Entra-join + Intune-enroll + `extensionAttribute1` tagging before cutover (see Patterns section)
- #32370 [New / open — confirmed live 2026-06-13]: Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- Caregiver device allow-list: ASSISTNURSE-PC needs re-join + re-tag after Win11 reinstall; LAPTOP-8P7HDSEI Win11 upgrade + join/tag still pending; then cutover (enable allow-list policy, disable compliance-block)
- ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally (separate workstream)
- Fix stale `SG-Caregivers-Pilot` exclude-group on `Require MFA for all users` policy (known bug, see Known Issues)
- LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use
- Chris Knight bill.com/BOK Financial addresses: confirm updated in bill.com backend and at BOK Financial (resolved externally 2026-06-04 but no confirmation of actual address update on vendor side)
- Edge UNC download bug (Chromium 149): decide fix path for Ashley Jensen + Lois Lane and fleet (see Patterns -> Browser / Edge); no fix applied as of 2026-06-08
- ALIS app session timeout: lower from 20 to 15 min (Howard, ALIS admin) — PENDING
---
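Review bot: this hunk drops the #32383 "pending customer action" item, consistent with the ticket being marked Resolved above, but the unchanged line "Chris Knight bill.com/BOK Financial addresses: confirm updated in bill.com backend and at BOK Financial (resolved externally 2026-06-04 but no confirmation ...)" still sits in the pending list and contradicts the new Active tickets entry, which says the bill.com fix (support call + SendGrid suppression clear) was completed; either remove that line or reword it to state exactly what remains unconfirmed on the vendor side.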
@@ -381,36 +404,44 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-09 | **Accounting scan-to-folder built + billing reconciliation.** Created `D:\Shares\Accounting` + `\Scans` on CS-SERVER (NTFS locked to `lauren.hasselman`/`chris.knight`/`zachary.nelson` = Modify, no Everyone; `svc-scan` = Modify on `\Scans` only), shared as `\\CS-SERVER\AcctDept` (named AcctDept because a Canon MF455DW *printer* share already owns "Accounting" — restored that share after a grant collision). New vaulted AD service account `svc-scan` for the Brother's SMB auth. Brother MFC-L8900CDW (10.0.20.220) Scan-to-Network profile → `\\192.168.2.254\AcctDept\Scans` (NTLMv2, `cascades\svc-scan`); **test scan confirmed**. Found pfSense blocks main-LAN→VLAN-20 (can't reach VLAN-20 printer WBM from CS-SERVER; printer→server:445 open). Persistent drive maps to the share: Chris (Y:), Zachary on ACCT2-PC (Y:), Lauren (X:). Also reconciled crashed-session billing: #32330 (Chris Knight computer) was already invoiced (#67790) — fixed status Resolved→Invoiced; live prepay confirmed **57.75h** (prior 7.75 was pre-top-up). Updated machine inventory (ASSISTNURSE-PC reinstall, caregiver device table) in this wiki. |
| 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. **MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). |
| 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: **pending on #32303** as of 2026-06-09. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. 
GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
| 2026-06-08 | **Chris Knight workstation setup (onsite).** Discovered his AD account `chris.knight` already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — `New-HomeFolder`, added to `SG-FolderRedirect`, set `mail`, reset AD password to `Cascades2026!` (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine **DESKTOP-N5G1ROO** domain-joined + GuruRMM-enrolled (agent `205025ee...`), Office installed, Chris logged in. **MAJOR: root-caused why folder redirection has failed on every machine** — the FR GPO's targets were in a misnamed `fdeploy1.ini`; Windows reads `fdeploy.ini` (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct `fdeploy.ini` to GPO `{512B43A4}` + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at `C:\Windows\Temp\frfix-20260608-161144`. LE GPO found completely empty too. CS-SERVER live RMM agent is now `c39f1de7-...` (was `6766e973`). Billed 1.0h onsite (computer setup, ticket #111216087). |
| 2026-06-08 | **ASSISTNURSE-PC reinstalled (Win10→Win11).** Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent `88891eb8` (Win10, offline) — HTTP 204; kept the new agent `62d108d6` (`Assistnurse-pc`, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as `.url` files to `C:\Users\Public\Desktop` (machine-wide) matching the team's GPP definitions: ALIS `https://cascadestucson.alisonline.com/Login`, LinkRx `https://pharmcare.linkrxnow.com/Login.aspx`, Helpany `https://app.safe-living.com/login`. Heads-up: reinstall = new Entra device object → needs re-join + re-tag `CSCCaregiverDevice` (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: billed on #32303 (drew 57.75→56.75; implied by subsequent balance chain). |
| 2026-06-08 | **Edge UNC download bug diagnosed (no fix applied).** Ashley Jensen (DESKTOP-U2DHAP0) and Lois Lane (DESKTOP-KQSL232) both on Edge 149.0.4022.52 could not open Office files (.xlsx, .docx) from the Edge download panel when Downloads is redirected via folder redirection to `\\cs-server\homes\<user>\Downloads`. Root cause: Chromium 149 regression (issue 519243472) in `LaunchShellExecuteViaExplorer` — prepends `\\?\` to UNC paths without converting to `\\?\UNC\`, producing malformed paths. PDF and text files unaffected (different launch path). Fix options documented in Patterns section; fix path decision left to Howard. Fleet-wide exposure for any Cascades user with Downloads folder-redirected to the Homes share on Edge 149. |
| 2026-06-09 | **Accounting scan-to-folder built + billing reconciliation.** Created `D:\Shares\Accounting` + `\Scans` on CS-SERVER (NTFS locked to `lauren.hasselman`/`chris.knight`/`zachary.nelson` = Modify, no Everyone; `svc-scan` = Modify on `\Scans` only), shared as `\\CS-SERVER\AcctDept` (named AcctDept because a Canon MF455DW *printer* share already owns "Accounting" — restored that share after a grant collision). New vaulted AD service account `svc-scan` for the Brother's SMB auth. Brother MFC-L8900CDW (10.0.20.220) Scan-to-Network profile → `\\192.168.2.254\AcctDept\Scans` (NTLMv2, `cascades\svc-scan`); **test scan confirmed**. Found pfSense blocks main-LAN→VLAN-20 (can't reach VLAN-20 printer WBM from CS-SERVER; printer→server:445 open). Persistent drive maps to the share: Chris (Y:), Zachary on ACCT2-PC (Y:), Lauren (X:). Also reconciled crashed-session billing: #32330 (Chris Knight computer) was already invoiced (#67790) — fixed status Resolved→Invoiced; live prepay confirmed **57.75h** (prior 7.75 was pre-top-up). Updated machine inventory (ASSISTNURSE-PC reinstall, caregiver device table) in this wiki. |
| 2026-06-10 | **Meredith Kuhn locked Word doc — stale owner files on cascadesDS.** Five orphaned Word `~$` owner files dated 2024 in `\\cascadesds\Public\Company Web Docs\Staff Trainings\` caused false "locked for editing" messages on training documents with no active session. Diagnosed and deleted all 5 via RMM in Meredith's `user_session` on ASSISTMAN-PC (agent `cf86fa5e`) — CS-SERVER SYSTEM cannot authenticate to cascadesDS (workgroup/Kerberos mismatch). Howard's post-reboot check on the Synology confirmed no live handles. Ticket #32403 (id 112502876), 0.5h remote, invoice $0.00 prepaid, block 56.75→56.25. |
| 2026-06-12 | **Created shared mailboxes grievances@ + Surveys@ and delegated to Meredith & Ashley.** `grievances@cascadestucson.com` and `Surveys@cascadestucson.com` created as SharedMailbox (cloud-only, no license consumed), each delegated to Meredith Kuhn and Ashley Jensen with FullAccess (auto-mapping) + SendAs. Work done via ComputerGuru Exchange Operator MSP app cert auth (EXO module v3.10.0 installed on Howard-Home for this session). All 8 permission grants verified post-creation. Ticket #32417 (id 112597225), 0.5h remote, invoice #1650665832 $0.00 prepaid, block 56.25→55.75; ticket Invoiced. |
---
## Compilation Notes
**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` (through 2026-06-05-howard-cascades-entra-ticket-billing.md) + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.
**Session logs read:** 28 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` (through 2026-06-12 shared-mailbox session) + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-12.
**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).
**Open items flagged as unverified:**
- Hour balance — always live-check; treat cached counts as approximate (8.75 hrs derived from billing session log 2026-06-05; not a live Syncro pull)
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
- Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope)
- #32381 / #32382 ticket details (Tamra scanner, Megan file access) — referenced in 2026-06-04 session log reference table only; full ticket details not documented in session logs
- Chris Knight bill.com/BOK Financial vendor-side address updates — resolved externally but no confirmation of actual update on vendor side
- #32370 — confirmed [New]/open in Syncro 2026-06-13 (eFax/scanner onsite, not yet scheduled)
- Edge UNC download bug fix path — no fix applied as of 2026-06-08; decision pending Howard
- ALIS BAA with Medtelligent — not yet verified; confirm with Meredith
- JD Martin (jd.martin@cascadestucson.com) — confirmed Syncro contact; role not yet documented
**Resolved since last compile:**
**Resolved since last compile (2026-06-05 → 2026-06-13):**
- New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
- DMARC — confirmed upgraded to p=quarantine;pct=100
- ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
- BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call); no tenant config changes needed
- Chris Knight bill.com / BOK email delivery (#32383) — Resolved (confirmed live 2026-06-13); BOK corrected in portal 2026-06-04, bill.com fixed sender-side (support + SendGrid suppression clear)
- `CSC - Caregiver Device Lockdown` GPO — deployed 2026-06-05 (was blocked/pending in prior compile)
- Hybrid Entra Join on NURSESTATION-PC — proven 2026-06-05; Intune-to-GPO pivot complete; full caregiver desktop access model validated end-to-end
- Ticket #32303 billing — 7.0h billed 2026-06-05, invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status Invoiced
- Ticket #32303 billing — 7.0h billed 2026-06-05, invoice #67782 ($0.00 prepaid); ASSISTNURSE-PC reinstall 1.0h billed on same ticket (implied by balance chain 57.75→56.75); ticket Invoiced
- Folder redirection root cause found and fixed (2026-06-08): `fdeploy.ini` written to GPO `{512B43A4}`; native FR now works for new users
- Stale Word owner files on cascadesDS cleared (2026-06-10): 5 orphaned `~$` files deleted via RMM ASSISTMAN-PC session; ticket #32403 Invoiced
- Shared mailboxes grievances@ + Surveys@ created and delegated (2026-06-12): ticket #32417 Invoiced; prepay block now 55.75h (confirmed live pull 2026-06-13)
## Backlinks

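Review bot: the prepaid balance moves from 8.75 hrs (the removed open item "Hour balance ... 8.75 hrs derived from billing session log 2026-06-05; not a live Syncro pull") to 55.75 hrs, and the new "Resolved" entries never reconcile the two figures: the #32303 line cites a chain 57.75→56.75 for the 1.0h ASSISTNURSE-PC reinstall, the #32417 line states 55.75h after a live pull on 2026-06-13, but nothing records where the roughly 47 extra hours came from (a new prepay purchase, or a correction of the cached 8.75) or how many hours #32403 and #32417 each consumed. Add one line giving the starting block and the per-ticket deductions, and keep the standing "always live-check; treat cached counts as approximate" caveat instead of deleting it, since the page still carries cached figures. Two smaller points in the same hunk: the unchanged open item "Chris Knight bill.com/BOK Financial vendor-side address updates ... no confirmation of actual update on vendor side" now contradicts the new entry "#32383 ... Resolved (confirmed live 2026-06-13)", so drop or amend the open item; and the header is now scoped "2026-06-05 → 2026-06-13" but still lists the app suite (2026-04-21), DMARC, and ALIS AADSTS65001 (2026-06-03) items, which belong to an earlier window.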
View File

@@ -1,6 +1,6 @@
# Wiki Index
Last updated: 2026-06-10
Last updated: 2026-06-13
Compiled by: GURU-BEAST-ROG/discord-bot
This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update.
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **8.75 hrs remaining**; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); ticket #32303 Invoiced (7.0h onsite 2026-06-05, invoice #67782); Monday cutover to real caregivers pending; open ticket #32370 (eFax + scanner); bill.com support call still pending for chris.knight | 2026-06-05 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **55.75 hrs remaining** (live 2026-06-13); senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); folder-redirection root cause fixed 2026-06-08 (fdeploy.ini); shared mailboxes grievances@/Surveys@ created + delegated 2026-06-12 (#32417); Monday cutover to real caregivers pending; open ticket #32370 (eFax + scanner); #32383 (bill.com/BOK chris.knight) Resolved | 2026-06-13 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-04 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |
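Review bot: "Monday cutover to real caregivers pending" is carried over unchanged from the 2026-06-05 row into a row now stamped Last Compiled 2026-06-13; the Monday after 06-05 has passed, so the summary should state whether the cutover happened or why it slipped. The row correctly swaps "bill.com support call still pending for chris.knight" for "#32383 ... Resolved", matching the client page, but it omits the open Edge UNC download bug decision and the unverified ALIS BAA that the client page lists as open items; since this table is what `/wiki-lint` and readers scan first, either add those two or note that the row tracks ticketed work only. The 8.75 → 55.75 hrs change here should also point at whatever line on the client page explains the new block, once that line exists.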