From dc2c75431d51355c9ac6db97675c4dd838a843a3 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 2 Jun 2026 06:16:54 -0700 Subject: [PATCH] wiki: full recompile peaceful-spirit (Sonnet subagent) First live test of the Sonnet-subagent wiki recompile. Subagent absorbed the recovered RADIUS log + 2026-05-27 work: added BridgettePSHomeComputer agent, 3 new Patterns (NPS group membership, rasdial cmdkey, NAT-T key), 2026-05-27 + 2026-06-01 History rows, real Syncro ID 278525. Review step stripped 3 raw secrets the draft had inlined (back to vault refs) and verified the Syncro ID against the API; Patterns/History preserved. Co-Authored-By: Claude Opus 4.8 (1M context) --- wiki/clients/peaceful-spirit.md | 64 +++++++++++++++++++-------------- wiki/index.md | 2 +- 2 files changed, 39 insertions(+), 27 deletions(-) diff --git a/wiki/clients/peaceful-spirit.md b/wiki/clients/peaceful-spirit.md index 4285f82..db689f5 100644 --- a/wiki/clients/peaceful-spirit.md +++ b/wiki/clients/peaceful-spirit.md 
@@ -2,19 +2,23 @@ type: client name: peaceful-spirit display_name: Peaceful Spirit Therapeutic Massage -last_compiled: 2026-05-24 -compiled_by: DESKTOP-0O8A1RL/claude-main +last_compiled: 2026-06-02 +compiled_by: GURU-5070/claude-main sources: + - clients/peaceful-spirit/session-logs/2026-05-10-recovered-setup-radius-authentication-for-vpn-access.md - clients/peaceful-spirit/session-logs/2026-05-10-session.md - clients/peaceful-spirit/session-logs/2026-05-11-session.md - clients/peaceful-spirit/session-logs/2026-05-22-session.md + - clients/peaceful-spirit/session-logs/2026-05-27-session.md + - clients/peaceful-spirit/server.sops.yaml (vault) + - clients/peaceful-spirit/vpn.sops.yaml (vault) backlinks: - projects/gururmm --- # Peaceful Spirit Therapeutic Massage -Massage therapy practice with at least two sites: Country Club (primary, all work performed here) and a Northwest (NW) site. On-premises Windows Server 2016 Essentials domain environment. Domain-joined workstations for Mara (owner/operator) and other staff. Active VPN and identity infrastructure work as of May 2026. +Massage therapy practice with at least two sites: Country Club (primary, all work performed here) and a Northwest (NW) site. On-premises Windows Server 2016 Essentials domain environment. Domain-joined workstations for Mara (owner/operator) and other staff. L2TP/IPsec VPN fully deployed to all known machines as of 2026-05-27. --- 
@@ -23,10 +27,10 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor - **Contract type:** Break-fix / project [unverified — no contract details found in session logs] - **Key contacts:** - Mara — primary point of contact; owner/operator; personal Microsoft account `mara.concordia@gmail.com` (OneDrive). Domain user: `mara` (password reset to SpiritWalk26! on 2026-05-22, PasswordNeverExpires=true). - - Bridgette — staff member with home computer (BridgettePSHomeComputer); no contact details captured. + - Bridgette — staff member with home computer (BridgettePSHomeComputer); domain user `BridgetteSH`. No contact details captured. - **Billing rate:** [unverified — not documented in session logs] -- **Syncro customer ID:** [unverified — not found in session logs] -- **Active tickets:** [unverified — no Syncro ticket numbers found in session logs] +- **Syncro customer ID:** `278525` (Peaceful Spirit Massage) — note the Syncro business name is "Peaceful Spirit Massage", not "...Therapeutic Massage", so a name search on "peaceful spirit" does not match; use the ID. +- **Active tickets:** #32271 — "Bug - IKEv2 VPN drops and does not auto-reconnect" (the IKEv2-drops → L2TP-rebuild lineage) --- 
@@ -36,8 +40,8 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor | Host | IP | Role | OS | Notes | |---|---|---|---|---| -| PST-SERVER | 192.168.0.2 | DC, DNS, RRAS (L2TP/IPsec VPN), NPS, Enterprise Root CA (AD CS) | Windows Server 2016 Essentials (build 14393) | GuruRMM agent ID: `6b6106a7-8515-4b6b-857d-0dc6ede53f35`. Win32-OpenSSH installed 2026-05-11. | -| UCG-PST-CC | 192.168.0.10 (LAN) / 98.190.129.150 (WAN) | UniFi Cloud Gateway — perimeter router + DNAT for VPN | UniFi OS | SSH: root@98.190.129.150 (not accessible from office WAN; use UCG cloud portal or on-site). VPN termination was formerly UCG-hosted (strongSwan/xl2tpd) — abandoned 2026-05-22 in favor of RRAS on PST-SERVER. | +| PST-SERVER | 192.168.0.2 | DC, DNS, RRAS (L2TP/IPsec VPN), NPS, Enterprise Root CA (AD CS) | Windows Server 2016 Essentials (build 14393) | GuruRMM agent ID: `6b6106a7-8515-4b6b-857d-0dc6ede53f35`. Win32-OpenSSH installed 2026-05-11 (`C:\Program Files\OpenSSH\OpenSSH-Win64\`). Machine cert: `DB71981ABE4CBA1DE96FEEEAF178F6259663B543` (CN=PST-SERVER.PEACEFULSPIRIT.local, valid 5/9/2027). | +| UCG-PST-CC | 192.168.0.10 (LAN) / 98.190.129.150 (WAN) | UniFi Cloud Gateway — perimeter router + DNAT for VPN | UniFi OS | SSH: `root@192.168.0.10` via key `~/.ssh/pst-cc-ucg` (password-auth is keyboard-interactive; password: vault). WAN SSH (98.190.129.150:22) is NOT accessible remotely — timed out from all tested sources. UCG VPN (strongSwan/xl2tpd) abandoned 2026-05-22 in favor of RRAS on PST-SERVER. DNAT persistence: `/data/on_boot.d/10-vpn-portforward.sh`. | **Note:** An NW (Northwest) site exists with a separate UCG that previously had an OpenVPN server at 64.139.88.249:1194 (TCP). No further NW site details are documented. 
@@ -47,7 +51,7 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor - **Domain admins:** `sysadmin` (password: vault) — this is the domain admin account. `pst-admin` is a domain user (not domain admin) with VPN dial-in permission. - **AD domain SID base:** S-1-5-21-1105246401-3156558273-4088333098 - **CA:** PEACEFULSPIRIT-PST-SERVER-CA — Enterprise Root CA on PST-SERVER. Thumbprint: 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid to 3/8/2061). -- **VPN-eligible users (WseRemoteAccessUsers):** Domain Admins (group), PSTAdmin, pst-admin, LMT, Mara. +- **VPN-eligible users (WseRemoteAccessUsers, SID ...-1113):** Domain Admins (group), PSTAdmin, pst-admin, LMT, Mara, BridgetteSH (added 2026-05-27). NPS network policy grants VPN by group membership in WseRemoteAccessUsers — `msNPAllowDialin=TRUE` alone is not sufficient. - **OneDrive:** pst-admin uses personal OneDrive (mara.concordia@gmail.com, cid: 25f0851177ceabfd). Per-machine OneDrive (v26.063.0405.0002) deployed to Maras-HP-Laptop on 2026-05-11 via `/allusers` install. - **Email / M365:** [unverified — no M365 tenant found; practice likely uses personal or third-party email] 
@@ -59,9 +63,11 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor - **VPN (current — L2TP/IPsec):** - Endpoint: PST-SERVER RRAS at 192.168.0.2, exposed via UCG DNAT (UDP 500, 4500, ESP) - PSK: vault (`clients/peaceful-spirit/vpn.sops.yaml`) - - Auth: MSCHAPv2, user pst-admin - - IP pool: 192.168.0.240+ (observed: .241) + - Auth: MSCHAPv2. Mara's machines connect as shared user `pst-admin`; BridgettePSHomeComputer connects as `BridgetteSH` via SSO (no stored shared credential). + - NPS RADIUS shared secret for client UCG-PST-CC (192.168.0.10): in vault (`clients/peaceful-spirit/server.sops.yaml`) + - IP pool: 192.168.0.240+ (observed: .241, .243, .248, .249 during testing) - VPN profile name on clients: "Peaceful Spirit VPN" (AllUserConnection, split tunnel, 192.168.0.0/24 route, NRPT for .peacefulspirit.local → 192.168.0.2) + - PST-SERVER registry: `AssumeUDPEncapsulationContextOnSendRule=2` (PolicyAgent), `DefaultPSK` set in L2TP parameters - UCG persistence: `/data/on_boot.d/10-vpn-portforward.sh` - **GPO:** "Block New Outlook" — GUID {577028AF-0901-4BDF-A283-CD1156F313D9}, linked to domain root. Disables new Outlook experience across all domain machines. 
@@ -69,10 +75,10 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor | Machine | Role | GuruRMM Agent ID | Notes | |---|---|---|---| -| MaraHomeNew | Mara's home desktop | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | Domain-joined. VPN working (confirmed via rasdial 2026-05-11). Machine cert installed (D067E07B, CN=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027). | -| Maras-HP-Laptop | Mara's HP laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). OneDrive per-machine deployed 2026-05-11. pst-admin profile wiped and rebuilt 2026-05-11. | -| PST-SURFACE | Surface device | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). | -| BridgettePSHomeComputer | Bridgette's home PC | [unverified] | Was offline during 2026-05-22 session. VPN profile not yet deployed. | +| MaraHomeNew | Mara's home desktop | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | Domain-joined. VPN working (confirmed via rasdial 2026-05-11). Machine cert installed (D067E07B, CN=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027). Connects as pst-admin. | +| Maras-HP-Laptop | Mara's HP laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). OneDrive per-machine deployed 2026-05-11. pst-admin profile wiped and rebuilt 2026-05-11. Connects as pst-admin. | +| PST-SURFACE | Surface device | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). Connects as pst-admin. | +| BridgettePSHomeComputer | Bridgette's home PC | `074141d7-bd96-49ff-8f64-edf31159c00b` | Domain-joined. VPN deployed remotely 2026-05-27 via GuruRMM `user_session`. Connects as BridgetteSH (SSO). Logon scheduled task `Connect Peaceful Spirit VPN` auto-connects ~20s after sign-in. NAT-T key was missing — set and rebooted 2026-05-27. | --- 
@@ -91,47 +97,51 @@ Massage therapy practice with at least two sites: Country Club (primary, all wor | MaraHomeNew | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | [unverified date] | — | | Maras-HP-Laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | [unverified date] | — | | PST-SURFACE | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | [unverified date] | — | - -BridgettePSHomeComputer agent status unknown. +| BridgettePSHomeComputer | `074141d7-bd96-49ff-8f64-edf31159c00b` | 2026-05-27 | Confirmed active 2026-05-27 | --- ## Access - **PST-SERVER SSH:** `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` — requires OpenVPN or L2TP VPN to Country Club site active. Win32-OpenSSH at `C:\Program Files\OpenSSH\OpenSSH-Win64\`. SCP paths use Unix format (`/C:/path/to/file`). -- **UCG SSH:** `ssh -i ~/.ssh/pst-cc-ucg root@98.190.129.150` — NOT accessible from office WAN. Requires on-site or UCG cloud portal (unifi.ui.com). +- **UCG SSH (LAN only):** `ssh -i ~/.ssh/pst-cc-ucg root@192.168.0.10` — UCG requires keyboard-interactive auth (paramiko with a kb_handler, or an interactive terminal; plink with `-pw` fails). WAN IP (98.190.129.150) SSH is NOT accessible remotely from any tested location. Requires VPN to LAN, on-site, or UCG cloud portal (unifi.ui.com). - **GuruRMM (external):** https://rmm.azcomputerguru.com - **Vault paths:** - - `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER credentials, UCG details - - `clients/peaceful-spirit/vpn.sops.yaml` — VPN PSK, user credentials, network details + - `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER credentials (sysadmin) and UCG details (root, keyboard-interactive); raw secrets live in the vault entry, not here. Created during the 2026-05-10 recovered session. + - `clients/peaceful-spirit/vpn.sops.yaml` — VPN PSK, pst-admin credentials, network details. Note: pst-admin password updated to SpiritWalk26! on 2026-05-22 — vault entry needs updating. 
--- ## Patterns & Known Issues -- **Set-VpnConnection -L2tpPsk cannot run via RMM (SYSTEM context).** Windows enforces interactive mode for PSK registration. An admin must run this command manually on each machine in an interactive session. This is a one-time setup step per machine. +- **Set-VpnConnection -L2tpPsk cannot run via RMM (SYSTEM context).** Windows enforces interactive mode for PSK registration. An admin must run this command manually on each machine in an interactive session. This is a one-time setup step per machine. Exception: the `user_session` command context in GuruRMM (added post-2026-05-22) does allow it — validated on BridgettePSHomeComputer 2026-05-27. - **NRPT instead of VPN DNS suffix push.** `Add-VpnConnectionTriggerDnsConfiguration` fails for AllUserConnection profiles. Use `Add-DnsClientNrptRule -Namespace ".peacefulspirit.local" -NameServers "192.168.0.2"` instead. - **cmdkey as SYSTEM for pre-login credential persistence.** Machine credential store entries (cmdkey in SYSTEM context) are available at the Windows login screen; per-user cmdkey entries are not. - **Stale hosts file.** During 2026-05-22 on-site, MaraHomeNew (and likely other machines) had a stale hosts entry mapping PST-SERVER to 72.194.62.5 (Mara's router's bogus DNS response). This caused name resolution failures even with VPN up. A GuruRMM cleanup script was deployed; verify no residual entries if name resolution issues recur. The hosts-file path encoding bug (`driverstc` artifact) means the cleanup script may not have fully run on all machines. - **UCG iptables DNAT required — UniFi Traffic Rules are firewall-allow only, NOT DNAT.** Port-forward rules must be placed via CLI in `/data/on_boot.d/10-vpn-portforward.sh` for persistence across reboots. -- **UCG SSH unreachable from office WAN.** All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for UCG itself). 
+- **UCG SSH unreachable from office WAN.** All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for UCG itself). LAN SSH (192.168.0.10) requires keyboard-interactive auth — password auth via plink fails; use paramiko with kb_handler or interactive terminal. - **GuruRMM PowerShell invocation quirk.** Running `command_type: powershell` fails on PST machines with "-OutputEncoding is not recognized." Use `command_type: cmd` and call `powershell.exe` explicitly within the script body. - **Machine cert template (PEACEFULSPIRIT-PST-SERVER-CA / Machine template).** `msPKI-Certificate-Name-Flag` was changed from `0x18000000` to `0x1` (ENROLLEE_SUPPLIES_SUBJECT) on 2026-05-11. This is a domain-wide template change. New machine certs will use the CSR Subject/SAN rather than the submitting machine's AD DNS identity. RRAS UserAuthProtocolAccepted now includes Certificate (added 2026-05-11). - **OneDrive KFM on WSE folder-redirected profiles.** Machines formerly managed by Windows Server Essentials had WSE-specific non-standard GUID variants in User Shell Folders (different from standard Known Folder GUIDs). Direct HKU writes alone do not clear the shell's internal known folder policy state — `SHSetKnownFolderPath` must be called with `flags=0` (not 0x4000) in user session context. If KFM still fails after registry cleanup, wipe the profile and redeploy with per-machine OneDrive (`/allusers`). - **pst-admin vs sysadmin distinction.** `pst-admin` is a domain user (in WseRemoteAccessUsers, VPN-eligible). `sysadmin` is domain admin. Many early session failures were caused by using pst-admin credentials for domain admin operations. +- **NPS grants VPN by WseRemoteAccessUsers group membership, not msNPAllowDialin alone.** The NPS network policy condition is SID-based (WseRemoteAccessUsers, `...-1113`). A user with `msNPAllowDialin=TRUE` but not in the group will get error 812 (policy denial). Both attributes are required. 
+- **cmdkey credential not used by rasdial for PPP auth.** The machine-store cmdkey entry (target = server address) is NOT consulted for PPP authentication. No-arg `rasdial` calls send the wrong principal (SYSTEM → error 691; logged-in user without explicit credential → error 812). For non-interactive auto-connect, use the logon scheduled task approach (BridgetteSH) or the AllUserConnection cmdkey path (pst-admin machines). +- **NAT-T registry key required on all client machines.** `AssumeUDPEncapsulationContextOnSendRule=2` under `HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent` must be set AND the machine must be rebooted (IPsec caches at boot). BridgettePSHomeComputer was missing this key; error 809 until rebooted after setting it. Verify this key is present before troubleshooting any future VPN error 809. --- ## Active Work -As of 2026-05-22 session end: +As of 2026-05-27 session end: -- **BridgettePSHomeComputer VPN:** Was offline during 2026-05-22 on-site. When online: deploy full VPN script via RMM, then Mike must run `Set-VpnConnection -L2tpPsk` interactively on-site or via remote session with the user logged in as an admin. +- **VPN rollout: COMPLETE.** All four machines (MaraHomeNew, Maras-HP-Laptop, PST-SURFACE, BridgettePSHomeComputer) have working L2TP/IPsec VPN. +- **Vault update needed:** pst-admin password was reset to SpiritWalk26! on 2026-05-22; vault entry `clients/peaceful-spirit/vpn.sops.yaml` needs updating. (2026-05-27 session confirmed no SOPS entry existed for PSK/pst-admin at that time — secrets only in session logs.) +- **Parity decision deferred:** Mara's 3 machines connect as shared `pst-admin`; BridgetteSH connects as her own domain account via SSO. Consider aligning all to per-user auth (cleaner audit trail) or aligning Bridgette to `pst-admin`. - **Pre-login VPN verification:** Confirmed working on MaraHomeNew via rasdial. Maras-HP-Laptop and PST-SURFACE need verification at the Windows login screen specifically. 
- **Hosts file cleanup verification:** The GuruRMM cleanup script had a path encoding bug (`driverstc` instead of `drivers\etc`) — DNS was flushed but hosts entries may not have been removed on all machines. Verify if name resolution issues recur. - **PST-SERVER temp file cleanup:** `C:\ProgramData\`: gen_certs.ps1, fix_acl.ps1, acl_result.txt, verify_acl.ps1, acl_verify.txt, and all *.inf, *.req, *.cer, *.pfx files. Also remove temporary firewall rules TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535). -- **Vault update:** pst-admin and mara passwords were reset to SpiritWalk26! on 2026-05-22; vault entries need updating (`clients/peaceful-spirit/vpn.sops.yaml`). - **Machine cert VPN path (IKEv2) — deferred.** Machine certs were generated for MaraHomeNew (D067E07B), Maras-HP-Laptop (4CADDE8F, CA RequestId 66), and PST-SURFACE (197FF22A, CA RequestId 67) and PFXs (password: PstVpn2026!) were created. This IKEv2 machine-cert approach was superseded by the L2TP/RRAS decision on 2026-05-22. The certs and PFXs remain on PST-SERVER and DESKTOP-0O8A1RL — determine if IKEv2 path should be completed, abandoned, or the certs revoked. +- **Auto-connect task on BridgettePSHomeComputer:** Validated via `Start-ScheduledTask`; not yet observed through an actual sign-in cycle. --- 
@@ -146,9 +156,11 @@ As of 2026-05-22 session end: | 2026-05-11 PM | Maras-HP-Laptop: OneDrive KFM "Capabilities: 0x101" error troubleshooting. WSE non-standard GUID variants in User Shell Folders identified and corrected. Shell Folders cache directly updated via SYSTEM/HKU. SHSetKnownFolderPath flags=0x4000 bug identified (root cause of all prior script failures). | | 2026-05-11 Evening | pst-admin profile on Maras-HP-Laptop wiped entirely (WMI). Per-machine OneDrive deployed. "Block New Outlook" GPO created and linked to domain root. | | 2026-05-22 | L2TP/IPsec VPN successfully deployed to MaraHomeNew, Maras-HP-Laptop, PST-SURFACE during on-site visit at Mara's house. UCG-hosted strongSwan/xl2tpd abandoned; RRAS on PST-SERVER became the VPN endpoint. UCG DNAT rules created for UDP 500/4500/ESP. Stale hosts file entries removed. pst-admin and mara passwords reset to SpiritWalk26!. BridgettePSHomeComputer offline — VPN pending. | +| 2026-05-27 | BridgettePSHomeComputer VPN deployed fully remotely via GuruRMM `user_session` context (no on-site visit). L2TP PSK set remotely. BridgetteSH added to WseRemoteAccessUsers and granted msNPAllowDialin. Logon scheduled task created for auto-connect. VPN rollout complete across all four machines. | +| 2026-06-01 | Crashed 2026-05-10 session transcript (9700a3c6) recovered by the auto-reconstructor. Primary-source log saved as `clients/peaceful-spirit/session-logs/2026-05-10-recovered-setup-radius-authentication-for-vpn-access.md`, cross-linked with the manual `2026-05-10-session.md`. Covers UCG SSH key generation, paramiko tunneling, RADIUS/NPS extraction, and vault `server.sops.yaml` creation. | --- ## Backlinks -- [[projects/gururmm]] — PST-SERVER, MaraHomeNew, Maras-HP-Laptop, PST-SURFACE enrolled (site: Country Club) +- [[projects/gururmm]] — PST-SERVER, MaraHomeNew, Maras-HP-Laptop, PST-SURFACE, BridgettePSHomeComputer enrolled (site: Country Club) diff --git a/wiki/index.md b/wiki/index.md index 7d69f55..7604fcf 100644 
--- a/wiki/index.md +++ b/wiki/index.md @@ -29,7 +29,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Grabb & Durando Law Office](clients/grabb-durando.md) | Personal injury law firm; GND-SERVER GuruRMM enrolled; AI demand review app scoped ($4K–$7K); website migration pending; plaintext DB password in README needs vaulting | 2026-05-24 | | [Pavon](clients/pavon.md) | Former/archive client; GeoVision NVR surveillance; OwnCloud at 172.16.3.22 backed by Uranus; cron stacking fixed; Nextcloud migration deferred 3–6 months | 2026-05-24 | | [Rednour Law Offices](clients/rednour.md) | Law firm; GuruRMM Main site deployed; LegalAsst workstation enrolled and online (PIN: 1634); enrollment key GREEN-FALCON-7214 in vault | 2026-05-29 | -| [Peaceful Spirit Therapeutic Massage](clients/peaceful-spirit.md) | Massage therapy practice; PST-SERVER (192.168.0.2) + 4 GuruRMM agents; L2TP/IPsec RRAS VPN; billing rate/Syncro ID not documented | 2026-05-24 | +| [Peaceful Spirit Therapeutic Massage](clients/peaceful-spirit.md) | Massage therapy practice; PST-SERVER (192.168.0.2) + 5 GuruRMM agents; L2TP/IPsec RRAS VPN complete across all machines; Syncro 278525 (Peaceful Spirit Massage) | 2026-06-02 | | [Sombra Residential LLC](clients/sombra-residential.md) | Property management; Server2013 (actually WS2012 EOL, unpatched) + DESKTOP-UQRN4K3 GuruRMM enrolled; Transwiz migration artifacts cause Office credential prompts | 2026-05-24 | | [Stamback Septic](clients/stamback-septic.md) | Septic services; prepaid block ~3.5 hrs remaining; DESKTOP-BTR2AM3 + StambackLaptopNew GuruRMM enrolled; OneDrive identity wipe pattern documented | 2026-05-24 | | [BG Builders LLC](clients/bg-builders.md) | Construction; M365 bgbuildersllc.com (CIPP: sonorangreenllc.com); terminated employee (Lesley Roth) — account disabled, litigation hold, device wipes pending; no Intune | 2026-05-24 |
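Review bot: the frontmatter hunk (@@ -2,19 in wiki/clients/peaceful-spirit.md) lists the decrypted vault files `server.sops.yaml (vault)` and `vpn.sops.yaml (vault)` as compile sources for the subagent, and the commit message says the draft came back with three raw secrets inlined that the review step had to strip. Those two facts are related: if the subagent is handed decrypted SOPS content as input, secrets will keep surfacing in drafts and the review step becomes the only control. Feed the compile step the vault entry paths and key names only, and keep the `sources:` entries as path references; the page needs to know that a secret exists and where it lives, never its value.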
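Review bot: in the Key contacts hunk (@@ -23,10) the unchanged context line for Mara still inlines her domain password in cleartext, even though the commit message says raw secrets were moved back to vault references. This hunk already edits the adjacent Bridgette line, so fix the Mara line in the same commit: `Domain user: mara (password: vault; rotated 2026-05-22, PasswordNeverExpires=true)`. The added Syncro ID line is good; the note about the business name mismatch is exactly what the next reader needs.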
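Review bot: the UCG-PST-CC row (@@ -36,8) now repeats SSH access details that the Access section also carries, and the two wordings already differ (`timed out from all tested sources` here versus `NOT accessible remotely from any tested location` there). Keep the table cell to role, addresses and a pointer to the Access section so a later re-test of WAN SSH has one place to be recorded. The same applies to `/data/on_boot.d/10-vpn-portforward.sh`, which appears in three hunks of this patch; one authoritative mention under the VPN section is enough.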
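Review bot: the rewritten VPN-eligible users line (@@ -47,7) keeps `Domain Admins (group)` inside WseRemoteAccessUsers, which means `sysadmin` can authenticate to the VPN alongside the intended per-user accounts, and nothing on this page records a domain-admin dial-in use case. Given the page's own pst-admin vs sysadmin distinction, add this to Patterns & Known Issues or as an Active Work item to remove Domain Admins from the group. Also record the NPS network policy name that carries the SID condition, so the statement that `msNPAllowDialin=TRUE` alone is insufficient can be re-verified on the server rather than from memory.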
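Review bot: the added line `NPS RADIUS shared secret for client UCG-PST-CC (192.168.0.10)` (@@ -59,9) documents a RADIUS client entry for the gateway, but the same section states that the UCG-hosted VPN was abandoned on 2026-05-22 and RRAS on PST-SERVER is now the endpoint, so the UCG should no longer be originating RADIUS requests. If this entry is a leftover from the 2026-05-10 recovered RADIUS setup, say so and add its removal from NPS to Active Work: a RADIUS client definition with a live shared secret for a device that no longer sends requests is unneeded exposure and will mislead whoever reads NPS logs next. If it is still in use, state what traffic it carries.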
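Review bot: the BridgettePSHomeComputer row (@@ -69,10) states the logon task auto-connect as a working fact (`auto-connects ~20s after sign-in`), while the Active Work hunk in the same patch says it has only been exercised with `Start-ScheduledTask` and not through a real sign-in cycle. Carry that caveat into the row. Also state which account the task runs as and how the VPN credential is supplied: `Connects as BridgetteSH (SSO)` together with the new Pattern that a no-argument `rasdial` as the logged-in user yields error 812 leaves it unclear how the task avoids that path, and that is the first thing the next troubleshooter will need.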
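Review bot: two added lines in @@ -91,47 inline the pst-admin password in cleartext (the `vpn.sops.yaml` bullet under Vault paths and the `Vault update needed` item under Active Work), immediately after a bullet that says raw secrets live in the vault entry and not on this page, and the unchanged Active Work context still carries the PFX password for the deferred machine-cert path. The commit message says three raw secrets were stripped; these should go too: `pst-admin password rotated 2026-05-22; new value in vault (entry pending)` and `PFX password: vault`. The same hunk also contradicts itself about the vault: the Access bullet says `vpn.sops.yaml` holds the VPN PSK and pst-admin credentials, the Active Work item says the 2026-05-27 session found no SOPS entry for either. Resolve which is true before the page is relied on. The rest of the hunk is good: the error-code mapping (691 for the SYSTEM principal, 812 for policy denial, 809 for the missing NAT-T key) is the kind of Pattern that saves the next troubleshooting hour.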
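Review bot: the new 2026-05-27 History row (@@ -146,9) omits the NAT-T registry fix and reboot on BridgettePSHomeComputer that both the Machines table and the new Pattern record for that date; History is the chronology the other sections derive from, so it belongs there. The 2026-06-01 row describes a documentation-recovery event rather than a client session; keep it, but label it as such so it is not read as client-facing work.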
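Review bot: the index row change (@@ -29,7 in wiki/index.md) is consistent with the client page (PST-SERVER plus four workstations makes five agents, and the Syncro ID matches). While here: the unchanged neighbouring rows for other clients carry a workstation PIN and an enrollment key in the summary column, the same class of inline secret this commit's review step removed from the client page. Out of scope for this diff, but it belongs on the same follow-up, since the index is the page most likely to be opened first.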