wiki: compile cascades-tucson (full) — Alma offboarding + PAA item, CARF plan, CSC-ENT consolidation, Syncro refresh (47.75h, 5 open)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 14:22:00 -07:00
parent befd2650c8
commit df75a86518
2 changed files with 24 additions and 10 deletions


@@ -2,7 +2,7 @@
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-24
last_compiled: 2026-06-25
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
@@ -90,6 +90,11 @@ sources:
- clients/cascades-tucson/session-logs/2026-06/2026-06-23-howard-cascades-planned-outage-shutdown-verify.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-ticket-review-and-cascades-consolidation.md
- clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-carf-technology-plan.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-csc-ent-voice-helpany-consolidation-plan.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-synology-skill-verify-fixes.md
- clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-alma-offboarding-recovery-verify.md
- clients/cascades-tucson/docs/security/offboarding-2026-06-25-alma-montt.md
backlinks:
- projects/gururmm
- wiki/systems/uos-server
@@ -157,10 +162,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Lupe Sanchez -- staff (DESKTOP-TRCIEJA). EOL workstation (Gateway ZX6971 AIO, i3-2120, 8 GB RAM, Win11 unsupported). **Decision 2026-06-18: replace machine** (dual-AV + EOL hardware causing slow Excel; no remediation on current box). GuruRMM agent `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll).
- **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com.
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** **48.25 hrs as of 2026-06-24 (live Syncro).** Most recent draw: 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Hours remaining:** **47.75 hrs as of 2026-06-25 (live Syncro).** Prior: 48.25 hrs as of 2026-06-24; 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing.
- **Syncro customer ID:** 20149445
- **Managed devices (Syncro):** 29 (live 2026-06-23)
- **Active tickets:** 6 open Syncro tickets as of 2026-06-24 (#32194 spare machine, #32230 Karen->ALDOCS, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) -- all folded into `docs/REMAINING-WORK-PLAN.md`. See Active Work for open non-ticketed projects.
- **Managed devices (Syncro):** 29 (live 2026-06-25)
- **Active tickets:** 5 open work tickets as of 2026-06-25 (#32194 spare machine, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) -- all folded into `docs/REMAINING-WORK-PLAN.md`. **#32230 (Karen->ALDOCS) RESOLVED.** Separately, 4 hardware items are Invoiced (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC. See Active Work for open non-ticketed projects.
- #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 -- Entra setup project (verify status)
- #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced)
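Review bot: the new Hours remaining line (47.75 hrs as of 2026-06-25) omits the draw itself. Every other step in that line is tied to a date, a ticket and a reason (e.g. `0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25)`), but the 48.25->47.75 step only appears as "Prior: 48.25 hrs as of 2026-06-24". Record the 0.5h draw with its date, ticket and purpose so the chain from 56.75 down to 47.75 stays reconcilable against `GET /customers/20149445`. Minor: the Active tickets line now carries two counts (5 open work tickets, 4 invoiced hardware); use the same "open work tickets" wording in the index row so the 6-vs-5 discrepancy this commit fixes does not come back.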
@@ -209,7 +214,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
### Email & Identity
- **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **M365 license:** Business Premium (SPB) -- 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) -- **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard -> Business Premium is pending and time-sensitive.
- **M365 license:** Business Premium (SPB) -- 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) -- **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard -> Business Premium is pending and time-sensitive. (Alma Montt's SPB seat was freed on offboarding 2026-06-25.)
- **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- **MX / mail flow:** Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` -- upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX).
- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress -- caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. Voice-call MFA is **disabled tenant-wide** (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has Voice method enabled.
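Review bot: the added parenthetical says Alma Montt's SPB seat was freed on 2026-06-25, but the seat counts in the same line (34 enabled, 3 consumed, 31 free) are carried over unchanged from the previous version. If a seat was released, at least one of those numbers must move, and the "31 users still assigned" on the suspended Business Standard SKU may also change if she was among them. Pull the live subscribedSkus figures and update the counts in the same edit, or date-stamp them as pre-offboarding; the pending relicensing of 31 users Business Standard -> Business Premium should not be planned against a stale seat count.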
@@ -305,6 +310,8 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **GuruRMM -- ASSISTMAN-PC (Meredith Kuhn):** agent ID `cf86fa5e-96a2-494d-9cb1-8be22a518ad0`
- **GuruRMM -- DESKTOP-TRCIEJA (Lupe Sanchez):** agent ID `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll)
- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager.
- **[SECURITY -- OPEN 2026-06-25] Tenant Admin SP holds a STANDING Privileged Authentication Administrator (PAA) role.** During Alma Montt's offboarding the `ComputerGuru - Tenant Admin` SP was JIT-elevated to PAA to reset her password; Graph then blocked the automatic teardown ("removing self from built-in role is not allowed"), leaving the role assigned. Needs a Global Admin to remove in Entra (Roles & admins -> Privileged Authentication Administrator -> remove the SP); **leave its standing Conditional Access Administrator role (intentional)**. Pending Mike's decision (coord message sent 2026-06-25). Recommended posture: keep JIT, fix the teardown so resets stop stranding PAA.
- **Alma Montt -- OFFBOARDED 2026-06-25** (terminated; MC Life Enrichment; no PHI/ALIS access). M365 sign-in blocked, 0 licenses, mailbox -> SharedMailbox (Shelby Trozzi FullAccess+AutoMap), hidden from GAL, groups removed; on-prem AD disabled + moved to `OU=Excluded-From-Sync`. No litigation hold (no PHI). Verified live end-to-end and reconciled out of all active plans/rosters. Emergency password: vault `clients/cascades-tucson/alma-montt` (do NOT re-enable without authorization). Record: `docs/security/offboarding-2026-06-25-alma-montt.md`.
- **ComputerGuru Exchange Operator MSP app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` -- vault: `msp-tools/computerguru-exchange-operator.sops.yaml`.
- **Vault root:** `clients/cascades-tucson/` in vault repo
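Review bot: the PAA item's recommended posture ("keep JIT, fix the teardown") should name the mechanism, because the quoted Graph error (`removing self from built-in role is not allowed`) means the `ComputerGuru - Tenant Admin` SP can never remove its own assignment: elevation and removal have to be done by different principals, or the elevation has to be time-bound so it expires without a self-removal. The runbook should also end with a read of the SP's directory role memberships so a stranded assignment is caught in the same session rather than discovered during a later offboarding. Until a Global Admin removes it, this is a live finding (a standing password-reset role on an automation identity), so record the discovery date, who owns the removal, and a re-check date on this line rather than only "pending Mike's decision".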
@@ -466,9 +473,10 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing
> **Canonical remaining-work plan: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live
> AD+RMM domain-join diff). 7 sequenced workstreams + every open ticket mapped to one. Work from it.
Syncro live pull 2026-06-24: **6 open tickets** -- #32194 (spare machine for new hire), #32230
(Karen Rossini -> ALDOCS, recheck when she's in), #32254 (Chef-PC reinstall), #32319 (WiFi Room 343),
#32342 (Copy Room switch), #32370 (eFax + scanner). #32193 (Executive restricted share) closed/billed 2026-06-24.
Syncro live pull 2026-06-25: **5 open work tickets** -- #32194 (spare machine for new hire),
#32254 (Chef-PC reinstall), #32319 (WiFi Room 343), #32342 (Copy Room switch), #32370 (eFax + scanner).
**#32230 (Karen Rossini -> ALDOCS) now RESOLVED.** #32193 (Executive restricted share) closed/billed 2026-06-24.
Invoiced hardware (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC.
**Device-readiness for domain migration (2026-06-24 live audit, 15 un-joined online machines):**
- **READY to join** (Pro/Enterprise, internal): DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce), LAPTOP-E0STJJE8; after a reboot: ASSISTMAN-PC (Meredith), ANN-PC, Laptop2; CHEF-PC after #32254.
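Review bot: the refreshed ticket list records #32230 (Karen -> ALDOCS) as RESOLVED, but the quoted canonical plan just above ("every open ticket mapped to one [workstream]") lives in `docs/REMAINING-WORK-PLAN.md`, and this commit changes only two files, so the plan still carries #32230 as open. Update the plan in the same change, or add a note here that the plan lags the live pull, so the two sources do not disagree on the open-ticket set.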
@@ -477,7 +485,10 @@ Syncro live pull 2026-06-24: **6 open tickets** -- #32194 (spare machine for new
- **LAPTOP-DRQ5L558** is off the Cascades LAN (public DNS, no DC reach) -- get on-site before join.
- **Decision 2026-06-24:** caregivers stay TEST-scoped -- do NOT flip the lockdown to go-live until all devices are domain-ready first.
**Non-Syncro follow-ups open as of 2026-06-23:**
**Non-Syncro follow-ups open as of 2026-06-25:**
- **[SECURITY -- needs Global Admin] Remove the standing Privileged Authentication Administrator role from the `ComputerGuru - Tenant Admin` SP** (left over from Alma's offboarding password reset; Graph blocked the auto-teardown). Entra -> Roles & admins -> Privileged Authentication Administrator -> remove the SP; leave its Conditional Access Administrator role. Pending Mike's decision (coord message sent 2026-06-25). See Access section.
- **[PLANNED -- CARF accreditation] Technology and System Plan deliverable** (requested by Ashley Jensen 2026-06-24). One of the five required CARF Section-1 plans (Aging Services); must be an action document covering 8 canonical areas (hardware, software, security, confidentiality, backup, assistive technology, disaster recovery, virus protection) with per-area current tech + projected need + timeline + vendor + cost + responsible person + target/completion date, annual dated leadership sign-off. Done: gap analysis, project memory `project_cascades_carf_tech_plan`, an on-brand PDF first pass (via `impeccable`), and a pre-filled CARF intake worksheet with a costed open-items table. **Next: gather Cascades' inputs, then build the final plan branded as Cascades' (ACG as preparer); confirm the exact standard citation + review cadence against their Aging Services manual year.** NOTE standing rule: all client/vendor-facing deliverables run through the `impeccable` skill before delivery.
- **[TODAY 2026-06-23 ~09:00] Planned-outage bring-up + monitoring.** Power returns ~09:00 MST; John Trozzi powers on CS-SERVER + Synology. Howard monitors bottom-up: pfSense (verify SINGLE dhcpd `pgrep -f "dhcpd -user" | wc -l`==1, WAN up -- **reboot Cox modem if WAN doesn't establish**, the missed 6/17 step) -> switches/APs re-adopt (watch UOS controller for 12/12 switches + 77/77 APs) -> CS-SERVER (AD/DNS, DHCP, Hyper-V CS-QB, shares) -> Synology -> straggler sweep (known: kitchen thermal printer). **Watch-list (6/17 casualties):** Switch 2nd Floor #2 (USL24PB 192.168.2.193, one-way L2 break -- reset+re-adopt if floors 2/3/4 don't return); duplicate dhcpd. Clean shutdown verified at 05:31 (CS-SERVER offline via RMM cloud). Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`.
- **[OPEN -- from runbook pre-flight] Confirm pfSense + core/PoE switches are on the BATTERY side of the UPS.** pfSense was on surge-only on 6/17 until Mike moved it; the other gear's battery-vs-surge placement was still "TODO -- John/onsite" at the 2026-06-22 pre-flight. Verify onsite.
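Review bot: bumping the header to "open as of 2026-06-25" leaves the `[TODAY 2026-06-23 ~09:00] Planned-outage bring-up + monitoring` item in a list that now claims to be current two days after the event. Either mark it done with the bring-up outcome (the history table still has it as "pending") or move it to the history table, and keep only the still-open battery-vs-surge UPS placement check as a live follow-up. The new PAA follow-up also repeats the Access-section item nearly word for word; a one-line pointer is enough here and avoids two copies drifting apart.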
@@ -583,6 +594,9 @@ Syncro live pull 2026-06-24: **6 open tickets** -- #32194 (spare machine for new
| 2026-06-23 | **Planned power outage (05:30-09:00 MST) -- clean shutdown executed + verified.** Building electrical work; to avoid the 6/17 dirty-shutdown damage (and given CS-SERVER's degraded OS mirror), all three core devices were armed 6/22 ~19:06 to self-shut-down on local schedules (CS-SERVER task 05:28, Synology 05:28, pfSense 05:30) -- firing independent of any remote session/tunnel, UPS carrying them through the cut. Verified clean at 05:31: CS-SERVER offline via RMM cloud (last_seen 05:29:49 MST); pfSense/Synology unreachable as expected (pfSense = VPN endpoint). Pre-flight confirmed cloud backup last full SUCCESS (0 errors), iDRAC AC-recovery + Synology auto-restart backstops ON. Bring-up (~09:00, John onsite) pending. Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`. |
| 2026-06-24 | **Syncro ticket review + #32193 Executive share + device-readiness audit + consolidated plan.** Reviewed/closed a batch of tickets; built restricted share `\\cs-server\Executive` for Ashley.Jensen + Meredith.Kuhn (NTFS+share scoped, E: mapped both machines RW-verified, billed 0.5h block, invoice #1650785728, block 48.75->48.25). Diagnosed two real RMM gotchas (UNC `\\` eaten in dispatch -> build from [char]92; mapped drive not shown until SHChangeNotify DRIVEADD). Fixed malformed priority on #32193/#32194 (Winter flag -> memory). Live AD+RMM domain-join diff: 12 staff PCs joined, ~17 to migrate; **5 on Windows Home blocked until Home->Pro** (Howard handling). Built `docs/REMAINING-WORK-PLAN.md` (7 workstreams). Decision: caregivers stay TEST-scoped until all devices domain-ready. |
| 2026-06-24 | **CS-SERVER RAID live-verified -- the "degraded/failing" flag was STALE; mirror is healthy.** Howard onsite ready to hot-swap a failing drive; live Dell OMSA (`omreport` via RMM) showed both virtual disks Ok, all 5 physical disks Online/Ok, Failure Predicted No, all LEDs green. The 6/15 "degraded" (PD 0:0:3 WD) self-recovered after a power cycle (ESM log shows repeated drive remove/install across the outages). The "5th unused drive" (1:0:4) is the **GLOBAL HOT SPARE** for the D: mirror -- NOT removable. Also surfaced: **PSU redundancy lost** (one PSU not delivering). Backup verified running (last run Success, 0 failed, 575 GB baseline; confirm BMR/system-state). **Outcome:** no drive pulled; the 2x enterprise SSD already purchased become a *planned* upgrade, not an emergency. Lesson logged: always pull live OMSA/iDRAC before acting on a stale hardware flag. Service Tag 9MQFTK1. |
| 2026-06-24 | **CARF Technology and System Plan deliverable started (Ashley Jensen request).** Built a first-pass technology-plan packet mapped to the 8 areas, then -- after the user clarified it is for **CARF accreditation** (Aging Services) -- verified the actual CARF standard via web research, produced a conformance gap analysis, an on-brand client PDF (via the `impeccable` skill, ACG design tokens), and a pre-filled CARF intake worksheet with a costed open-items table. Established a standing rule: all outbound client/vendor deliverables run through `impeccable` (memory `feedback_impeccable_on_outbound`). Project memory `project_cascades_carf_tech_plan`. Status: gathering inputs before building the final plan. |
| 2026-06-24 | **CSC ENT device-island consolidation plan (voice + Helpany).** Merged the Poly 5 GHz fix with the Helpany "Paul" sensor rollout: repurpose the existing CSC ENT SSID as a permanent 5 GHz-only WPA2 PPSK "device island" carrying both the Poly voice handsets (PPSK -> VLAN 30) and the Helpany radar sensors (PPSK -> new VLAN 40), separated at the VLAN layer; both vendors transition their devices remotely. Onsite gate: verify per-room 5 GHz coverage before the band flip. CSC ENT is NOT deleted -- it becomes the WPA2 island that later unblocks moving CSCNet to WPA3/WiFi7/6 GHz. Plan: `docs/network/csc-ent-device-island-plan.md`. |
| 2026-06-25 | **Alma Montt OFFBOARDED (terminated; MC Life Enrichment; no PHI/ALIS).** M365: sessions revoked, sign-in blocked, password reset+vaulted, mailbox -> SharedMailbox (Shelby Trozzi FullAccess+AutoMap), SPB license removed (seat freed), hidden from GAL, removed from groups. On-prem AD: disabled, groups stripped, moved to `OU=Excluded-From-Sync`. No litigation hold (no PHI). **Verified live end-to-end** (Graph + EXO + AD via RMM) and reconciled out of all active plans/rosters. Left a tenant-security item for Mike: the Tenant Admin SP still holds a standing Privileged Authentication Administrator role (Graph blocked the JIT teardown) -- needs GA removal. Record: `docs/security/offboarding-2026-06-25-alma-montt.md`. |
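Review bot: the table jumps from the 2026-06-23 row ("Bring-up (~09:00, John onsite) pending") straight to the 06-24 entries without a row recording whether the bring-up completed (single dhcpd, WAN up, 12/12 switches + 77/77 APs re-adopted, Switch 2nd Floor #2 status); add that row so the outage runbook has a recorded outcome. In the new 2026-06-25 row, note how the stranded PAA role was confirmed (the role assignment listing showing the SP still in the role) and the date of the coord message to Mike, so it matches the Access-section line.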
---


@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **48.25 hrs remaining** (live 2026-06-24); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 6 open tickets, device-readiness audit done (5 PCs on Win Home need Home->Pro before join); remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-24 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **47.75 hrs remaining** (live 2026-06-25); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 5 open work tickets, device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-25 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
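Review bot: the refreshed Cascades row updates hours and ticket count and adds the offboarding and CARF items, but still reads "Planned power outage 2026-06-23 clean self-shutdown executed + verified (bring-up ~09:00, John onsite)" as if the bring-up were upcoming; as of a 06-25 compile it should state the bring-up result, or say the outcome is not yet logged. Consider trimming the cell as well: it is now several hundred words in a one-line-summary index, and the one security-critical open item in it (Tenant Admin SP holding a standing PAA role, removal pending) is easy to miss in the middle of the cell.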