diff --git a/clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md b/clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md new file mode 100644 index 0000000..08936c8 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md 
@@ -0,0 +1,99 @@ +# Cascades — Restricted vs Non-Restricted buckets + credentials + +**Generated:** 2026-06-04 +**Important on passwords:** Microsoft/Entra NEVER lets you read an existing password. The only known passwords are (a) the documented caregiver bulk-creation password and (b) vaulted individual accounts. Unknowns can only be made known by RESETTING them (User Manager app) — say the word and I'll reset to a known temp. + +Login-password note: the caregiver bulk password was set with `ChangePasswordAtLogon = $false` + `PasswordNeverExpires = $true`, so it is a **working password, NOT a reset-at-login temp.** It is the actual sign-in password (PHS pushes it to M365/Entra, so it works for Windows login, ALIS SSO, and M365). + +--- + +## A. RESTRICTED bucket (caregivers + medtechs) — SG-Caregivers, inside-network only, devices only + +**All 38 bulk-created caregivers share the working password `Cascades2026!`** (not reset-at-login). UPN = sign-in name = required ALIS Email. + +| Name | UPN / sign-in | Password | +|---|---|---| +| Agnes McFerren | a.mcferren@cascadestucson.com | Cascades2026! | +| Ashli Atwood | a.atwood@cascadestucson.com | Cascades2026! | +| Barb Johnson | b.johnson@cascadestucson.com | Cascades2026! | +| Bella Mendoza | b.mendoza@cascadestucson.com | Cascades2026! | +| Charity/Bariffa Sika | b.sika@cascadestucson.com | Cascades2026! | +| Cole Johnson | c.johnson@cascadestucson.com | Cascades2026! | +| Corey Tate | c.tate@cascadestucson.com | Cascades2026! | +| Diana Fierros | d.fierros@cascadestucson.com | Cascades2026! | +| Ederick Yuzon | e.yuzon@cascadestucson.com | Cascades2026! | +| Erica Sanchez | e.sanchez@cascadestucson.com | Cascades2026! | +| Espe/Niyonsaba Esperance | e.esperance@cascadestucson.com | Cascades2026! | +| Gina Williams | g.williams@cascadestucson.com | Cascades2026! | +| Gloria Williford | g.williford@cascadestucson.com | Cascades2026! | +| Jahmeka Clarke | j.clarke@cascadestucson.com | Cascades2026! 
| +| Jen/Jennifer Higdon | j.higdon@cascadestucson.com | Cascades2026! | +| Jinnelle Dittbenner | j.dittbenner@cascadestucson.com | Cascades2026! | +| Juan Andrade | j.andrade@cascadestucson.com | Cascades2026! | +| Karina Aziakpo | k.aziakpo@cascadestucson.com | Cascades2026! | +| Kasey Flores | k.flores@cascadestucson.com | Cascades2026! | +| Katrina Wyzykowski | k.wyzykowski@cascadestucson.com | Cascades2026! | +| Luke Hogan | l.hogan@cascadestucson.com | Cascades2026! | +| Luriz Fuster | l.fuster@cascadestucson.com | Cascades2026! | +| Maia Baker | m.baker@cascadestucson.com | Cascades2026! | +| Marie Kastner | m.kastner@cascadestucson.com | Cascades2026! | +| Mary Kariuki | m.kariuki@cascadestucson.com | Cascades2026! | +| Monique Lopez | m.lopez@cascadestucson.com | Cascades2026! | +| Patricia Camarena Doran | p.doran@cascadestucson.com | Cascades2026! | +| Richard Flores | r.flores@cascadestucson.com | Cascades2026! | +| Rosa Morales | r.morales@cascadestucson.com | Cascades2026! | +| Roseline Cooper | r.cooper@cascadestucson.com | Cascades2026! | +| Samuel Ramirez | s.ramirez@cascadestucson.com | Cascades2026! | +| Sandra Padilla | s.padilla@cascadestucson.com | Cascades2026! | +| Sarah Carroll | s.carroll@cascadestucson.com | Cascades2026! | +| Shontiel Nunn | s.nunn@cascadestucson.com | Cascades2026! | +| Tele Lassey-Assiakoley | t.lassey-assiakoley@cascadestucson.com | Cascades2026! | +| Thelma Abainza | t.abainza@cascadestucson.com | Cascades2026! | +| Whisper Reed | w.reed@cascadestucson.com | Cascades2026! | +| Zeke Huerta | e.huerta@cascadestucson.com | Cascades2026! 
| + +**New adds to restricted (existing accounts — password NOT known, RESET needed):** +| Name | UPN | Password | +|---|---|---| +| Veronica Feller | veronica.feller@cascadestucson.com | UNKNOWN — reset needed (confirm on-site first; inventory shows PA) | +| Christine Nyanzunda | christine.nyanzunda@cascadestucson.com | UNKNOWN — reset needed; also fix directory surname typo "Nyanzuda" | + +> Caveat: any of the 38 who voluntarily changed their password (unlikely for shared-phone caregivers) would differ from `Cascades2026!`. If a login fails, reset that one. + +--- + +## B. NON-RESTRICTED bucket (privileged — outside access to ALIS + M365, 2FA offsite) + +NOT in SG-Caregivers. Microsoft offsite access already works (all-users-MFA, trusted-location excluded). For outside ALIS they need ALIS Email = UPN + native 2FA off. + +| Name | Role | UPN | Password | +|---|---|---|---| +| Lois Lane | Health Services Dir (RN) | Lois.Lane@cascadestucson.com | Imbirowicz1$ | +| Megan Hiatt | Sales/Marketing Dir | megan.hiatt@cascadestucson.com | 4PazCas$07 | +| Ashley Jensen | Asst Exec Dir / CFO | Ashley.Jensen@cascadestucson.com | Fall2025! 
(local pre-domain: ScarlettSky18*) | +| Front Desk (shared) | Reception | frontdesk@cascadestucson.com | sccssccs#3 | +| Karen Rossini | Health Services Mgr (LPN) | karen.rossini@cascadestucson.com | UNKNOWN — reset if needed (ALIS SSO already working for her) | +| Christina DuPras | Resident Svcs / Admin Asst | christina.dupras@cascadestucson.com | UNKNOWN — reset needed | +| Meredith Kuhn | Executive Director | meredith.kuhn@cascadestucson.com | UNKNOWN | +| Lauren Hasselman | Business Office Mgr | lauren.hasselman@cascadestucson.com | UNKNOWN | +| Crystal Rodriguez | Sales | crystal.rodriguez@cascadestucson.com | UNKNOWN (ALIS SSO already working) | +| Shelby Trozzi | MemCare Director | (verify UPN) | UNKNOWN | +| Susan Hicks | Life Enrichment Dir | Susan.Hicks@cascadestucson.com | UNKNOWN | +| Chris Knight | CFO | chris.knight@cascadestucson.com | UNKNOWN | +| Lupe Sanchez | Housekeeping Dir | (verify UPN) | UNKNOWN | +| Alyssa Shestko | Dining Room Mgr | (verify UPN) | UNKNOWN | + +Admin/break-glass (cloud-only, excluded from CA): admin@cascadestucson.com, sysadmin@cascadestucson.com (vaulted). + +--- + +## C. Phased testing — LIVE mechanism +- Group `SG-Caregivers-DeviceTest` (`db5849ec-242d-4b05-9d1b-940a830e7a60`) — members are governed by the **allow-list** (phones + tagged devices) instead of the compliance block. +- Allow-list policy `CSC - Caregivers: allow-listed devices only (TEST GROUP)` (`1b7fd025-...`) = ENABLED, scoped to that group. +- Compliance-block (`ede985e2-...`) now EXCLUDES that group. + +**To test one caregiver:** (1) match their ALIS Email = UPN; (2) add them to `SG-Caregivers-DeviceTest`; (3) on a tagged laptop, log into Windows/Edge with their UPN + `Cascades2026!`, open ALIS -> verify silent SSO; (4) verify they still work on a phone. Expand one at a time. + +**Full cutover (when confident):** point the allow-list policy back to `SG-Caregivers` (all), disable the compliance block, empty/delete the test group. 
+ +Tagged devices so far: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. Pending (Win11 25H2): LAPTOP-8P7HDSEI, ASSISTNURSE-PC. Hybrid pending: NURSESTATION-PC. diff --git a/clients/cascades-tucson/session-logs/2026-06-05-session.md b/clients/cascades-tucson/session-logs/2026-06-05-session.md new file mode 100644 index 0000000..6b6a72c --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06-05-session.md 
@@ -0,0 +1,77 @@ +# Cascades of Tucson — Session Log 2026-06-05 + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Two Cascades tasks handled via the GuruRMM agent fleet and the M365 remediation tool suite. + +First, a request to "enable the localadmin account as a local administrator" on NURSESTATION-PC because it was not appearing on the login screen. Recon via RMM showed the account was already enabled and already a member of the local Administrators group (it had even logged in earlier the same day). The actual cause was a `SpecialAccounts\UserList` registry suppression entry (`localadmin = 0`) under the Winlogon key, which deliberately hides the account from the sign-in screen. Removed that entry; account will now appear in the user picker after the next sign-out/reboot. The enable/admin steps in the fix script were idempotent no-ops since both conditions were already true. + +Second, vault hygiene plus an MFA change on the MSP break-glass Global Admin `sysadmin@cascadestucson.com`. Confirmed the vault entry (`clients/cascades-tucson/m365-sysadmin.sops.yaml`) had not been updated since 2026-04-24 and that the live account's `lastPasswordChangeDateTime` was 2026-06-04 — i.e. Mike rotated the password on 2026-06-04 and never vaulted it. Howard supplied Mike's current password; updated the vault entry's password field and rotation-history notes in place via `sops set` (no plaintext on disk), committed, and pushed (required a rebase — remote had advanced). + +Third, added a code-delivery path for Howard on the same GA account. Reading the account's phone methods showed `mobile` (SMS, Mike's) and `alternateMobile` (voice-only) slots both occupied, and the tenant Authentication Methods policy had **Voice call disabled** — which is why sign-in only ever offered text or authenticator (both Mike's). 
To avoid a tenant-wide change, created a security group containing only `sysadmin@`, enabled the Voice method scoped to that group, and set the account's `alternateMobile` to Howard's number. A voice-call MFA option now appears at sign-in for that account only. All writes against the GA succeeded (no Privileged Auth Admin 403 materialized). + +## Key Decisions + +- Diagnosed the NURSESTATION-PC login-screen issue as a registry hide (`SpecialAccounts\UserList`) rather than an account-state problem, because recon proved the account was already enabled + admin. Fixed the actual cause instead of the stated symptom. +- Did NOT reset the live `sysadmin@` password. Earlier in the session a reset to the vaulted value was prepared, but Howard clarified Mike's 2026-06-04 change was intentional; the correct action was to vault Mike's current password, not revert the account. +- Scoped the Voice MFA method to a dedicated single-member security group rather than enabling it for `all_users`, keeping blast radius to the one account (Howard asked specifically whether it could be limited to that account). +- Left `alternateMobile` set to Howard's number (520-585-1310) after Howard confirmed sign-in worked, rather than reverting to the prior 520-331-5551. +- Used `sops set` for the vault field edits (password + notes) to avoid ever writing the decrypted file to disk. + +## Problems Encountered + +- RMM registry-recon command returned `interrupted` ("Agent restarted during execution") once on NURSESTATION-PC; re-ran and it completed. +- First fix-script dispatch returned an empty `command_id` (transient, around the agent restart). Re-dispatched and it succeeded. +- Group member-add returned 404 immediately after group creation (Entra replication lag); succeeded on retry after a short delay. +- Phone-method update first attempted with `PUT` (405 — "PUT is not supported in v1.0, use PATCH"); reissued as `PATCH` and it succeeded (204). 
+- Vault `git push` was rejected (remote ahead); resolved with `git pull --rebase` then push. +- `bash` readonly-variable error using `UID` for the user object id; renamed to `OID`. + +## Configuration Changes + +- **NURSESTATION-PC (Cascades, RMM agent):** removed registry value `localadmin` (was `0`) under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`. localadmin remains enabled and in Administrators (unchanged). +- **Vault `clients/cascades-tucson/m365-sysadmin.sops.yaml`:** updated `credentials.password` to Mike's current value; rewrote `notes` with a rotation-history block. Committed + pushed to the vault repo. +- **M365 tenant cascadestucson.com:** + - Created security group "MFA - Voice Call Scoped (sysadmin)" (`mfa-voicecall-scoped`), id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`. + - Authentication Methods policy: Voice method `state` set `disabled` → `enabled`, `includeTargets` scoped to group `304f941e-…` (was `all_users`). + - `sysadmin@` `alternateMobile` phone method (`b6332ec1-7057-4abe-9331-3d72feddfe41`) changed from +1 520-331-5551 to +1 520-585-1310. + +## Credentials & Secrets + +- `sysadmin@cascadestucson.com` (Global Admin "Computer Guru Support", object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`): password rotated by Mike 2026-06-04, now vaulted at `clients/cascades-tucson/m365-sysadmin.sops.yaml` (`credentials.password`). Value not reproduced here; retrieve via `vault.sh get-field`. +- No new credentials created. Vault key auto-discovered by sops at `%APPDATA%\sops\age\keys.txt`. + +## Infrastructure & Servers + +- GuruRMM API: `http://172.16.3.30:3001`. NURSESTATION-PC agent id `f5a89784-834f-47b1-82e2-7e3e9dd337ff` (Windows, online), client "Cascades of Tucson". +- M365 tenant `cascadestucson.com` = tenant id `207fa277-e9d8-4eb7-ada1-1064d2221498`. 
+- Remediation app tiers used: `user-manager` (`64fac46b-8b44-41ad-93ee-7da03927576c`) for user/group/phone-method writes; `tenant-admin` (`709e6eed-0711-4875-9c44-2d3518c47063`) for the auth-methods policy PATCH. +- Account phone methods after change — mobile/SMS: +1 520-289-1912 (ready); alternateMobile/voice: +1 520-585-1310. + +## Commands & Outputs + +- RMM hidden-account discovery: `Get-Item HKLM:\...\Winlogon\SpecialAccounts\UserList` → `localadmin = 0` (the hide flag). +- RMM fix output: "Removed UserList hide entry for localadmin (was 0)" / "UserList hide entry now: ABSENT (will show on login screen)". +- Graph read of GA roles: `GET /users/{id}/memberOf/microsoft.graph.directoryRole` → "Global Administrator [62e90394-69f5-4237-9190-012177145e10]". +- Voice policy before: `{state: disabled, includeTargets:[all_users]}`; after PATCH: `{state: enabled, includeTargets:[group 304f941e-…]}`. +- Vault edit: `sops set '["credentials"]["password"]' '""'` then verified round-trip and `grep -c 'ENC[' = 4` (still encrypted). + +## Pending / Incomplete Tasks + +- NURSESTATION-PC: localadmin will appear in the login picker only after the next sign-out/reboot. If a user is currently signed in, have them sign out to confirm. +- The previous `alternateMobile` number +1 520-331-5551 was overwritten — confirm with Mike that number did not need to remain on the account. +- Consider whether `sysadmin@` (shared break-glass GA) should move to per-admin Authenticator/FIDO2 rather than shared SMS/voice long-term (raised but not actioned). +- Voice MFA is now an available method for the single-member scoped group; if more admins should get voice MFA, add them to group `304f941e-…`. + +## Reference Information + +- Vault entry: `clients/cascades-tucson/m365-sysadmin.sops.yaml`. +- GA account object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`; alternateMobile method id `b6332ec1-7057-4abe-9331-3d72feddfe41`. 
+- Scoped Voice group: `304f941e-3594-4705-b8e6-ee676297df11` ("MFA - Voice Call Scoped (sysadmin)"). +- Graph: `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Voice`. +- Remediation skill: `.claude/skills/remediation-tool/`; RMM skill: `.claude/commands/rmm` / `/rmm`. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index c8bf1ef..7d618a0 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -2,7 +2,7 @@ type: client name: cascades-tucson display_name: Cascades of Tucson -last_compiled: 2026-06-04 +last_compiled: 2026-06-05 compiled_by: GURU-BEAST-ROG/claude-main sources: - session-logs/2026-03-24-session.md @@ -36,6 +36,7 @@ sources: - clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md - clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md - clients/cascades-tucson/session-logs/2026-06-04-session.md + - clients/cascades-tucson/session-logs/2026-06-05-session.md - clients/cascades-tucson/docs/overview.md - clients/cascades-tucson/docs/network/topology.md - clients/cascades-tucson/docs/network/vlans.md 
@@ -108,12 +109,12 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building - **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service. - **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness) - **MX / mail flow:** Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX). -- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. +- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. Voice-call MFA is **disabled tenant-wide** (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has Voice method enabled — created 2026-06-05 so Howard has a code-delivery path on the shared GA without a tenant-wide change. `sysadmin@` phone methods after 2026-06-05: mobile/SMS +1 520-289-1912 (Mike); alternateMobile/voice +1 520-585-1310 (Howard, was +1 520-331-5551). - **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). 
OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added. - **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created. - **Admin accounts:** - `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design) - - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design) + - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design). Object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`. Password rotated by Mike 2026-06-04; vaulted by Howard 2026-06-05 at `clients/cascades-tucson/m365-sysadmin.sops.yaml`. - **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith. - **Admin consent (2026-06-03):** Tenant-wide admin consent (`AllPrincipals` `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) via Graph API (`oauth2PermissionGrant` id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`). This resolved `AADSTS65001` sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. 
Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (`Principal`) consent grants existed, so all other users hit 65001. CA policies had `conditionalAccessStatus: success` on all failing sign-ins; both WAN IPs were trusted Named Locations. - **How to enable ALIS SSO for one user (procedure — confirmed 2026-06-03):** @@ -193,6 +194,8 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building - **fdeploy1.ini flags:** Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER. +- **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged). + ### Conditional Access / Caregiver Policies - **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`. 
@@ -319,12 +322,13 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro # | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). | | 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. | | 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. | +| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: diagnosed as `SpecialAccounts\UserList` hide (`localadmin=0`) — account was already enabled and in Administrators; removed the registry value via RMM (agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`); account will appear after sign-out/reboot. 
Vault hygiene: `sysadmin@` GA (object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`) password rotated by Mike 2026-06-04 and vaulted by Howard 2026-06-05 (`clients/cascades-tucson/m365-sysadmin.sops.yaml`). Voice MFA scoped group created: "MFA - Voice Call Scoped (sysadmin)" (`304f941e-3594-4705-b8e6-ee676297df11`), single member `sysadmin@`; Voice method enabled scoped to that group (tenant-wide voice still disabled); `alternateMobile` updated to +1 520-585-1310 (Howard; was +1 520-331-5551). | --- ## Compilation Notes -**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-04. +**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05. **Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist). diff --git a/wiki/index.md b/wiki/index.md index 78f3844..8e54c7f 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -1,6 +1,6 @@ # Wiki Index -Last updated: 2026-06-04 +Last updated: 2026-06-05 Compiled by: GURU-BEAST-ROG/claude-main This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update. 
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending) | 2026-06-04 | +| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending); 2026-06-05: NURSESTATION-PC SpecialAccounts\UserList hide fixed (localadmin=0 removed); sysadmin@ GA password vaulted; voice MFA scoped group created (304f941e) | 2026-06-05 | | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; 
Bitdefender phase-off in progress | 2026-06-04 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |
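Review bot: the new report file `clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md` (hunk `@@ -0,0 +1,99 @@`) commits plaintext passwords into the repo: the shared caregiver password `Cascades2026!` for all 38 accounts in section A, and the Password column of the section B table for privileged accounts (Health Services Dir, Sales/Marketing Dir, Asst Exec Dir / CFO including a "local pre-domain" password, and the shared Front Desk mailbox). This contradicts the handling the same commit records in the 2026-06-05 session log ("no plaintext on disk", "Value not reproduced here; retrieve via `vault.sh get-field`"). Suggest moving the Password column into a sops-encrypted vault entry and replacing the column in the report with "vaulted" or "UNKNOWN — reset needed", and, since the file is already in git history, planning rotation of the exposed values. The header also notes the shared password was created with `PasswordNeverExpires = $true`; the report should state that this shared, non-expiring password is tied to the phased allow-list cutover in section C and is to be replaced with per-user resets afterwards, otherwise nothing on the page forces it to ever change.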
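Review bot: in the session log `clients/cascades-tucson/session-logs/2026-06-05-session.md` (hunk `@@ -0,0 +1,77 @@`), the "Commands & Outputs" line `sops set '["credentials"]["password"]' '""'` reads as if the vault password field were set to an empty string; if the value was redacted for the log, mark it as such (e.g. `'"<redacted>"'`) so a later reader does not take it as the literal command. The verification `grep -c 'ENC[' = 4` only shows four encrypted fields remain; the log says "verified round-trip" but does not record how the password field was confirmed to decrypt to the intended value, which is the check that matters after a `sops set`. Separately, the "Pending" item about the overwritten `alternateMobile` +1 520-331-5551 acknowledges the number was replaced before Mike confirmed it could go; for a shared Global Admin, that confirmation belongs before the PATCH, and the log should record the channel by which "Howard supplied Mike's current password" so the credential-handling path is auditable.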
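Review bot: in `wiki/clients/cascades-tucson.md` hunk `@@ -108,12 +109,12 @@`, the `sysadmin@cascadestucson.com` sub-bullet still describes it as "Howard's working admin", while the session log in this same commit calls it the "MSP break-glass Global Admin" and the report calls it "Admin/break-glass"; the "Break-glass accounts" bullet directly above says the two planned break-glass accounts are not yet created. Pick one role for `sysadmin@` and state it, since whether it is a daily-use admin or a break-glass account changes the MFA expectation (the scoped Voice/SMS exception just added versus the FIDO2 keys the page says are on order). The MFA bullet has also grown into one long line mixing tenant policy with the `sysadmin@` phone numbers; the phone-method detail fits better under the `sysadmin@` sub-bullet in "Admin accounts".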
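Review bot: in `wiki/clients/cascades-tucson.md` hunk `@@ -193,6 +194,8 @@`, the new "Login-screen hide" pattern says "value `=0`" without naming the value; the DWORD is named after the account, as the same bullet's own example `localadmin=0` shows, so write "value `<username>=0` (DWORD)". The bullet also calls the entry a deliberate suppression but does not say that anyone checked who set it or why before removing it; add a line to the pattern that the origin of a `UserList` hide on an enabled local admin should be recorded before the value is deleted, and that an enabled administrator hidden from the sign-in picker is a condition worth flagging in RMM recon rather than only fixing when a user reports it.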