sync: auto-sync from HOWARD-HOME at 2026-06-05 10:26:08
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-05 10:26:08
@@ -0,0 +1,99 @@
# Cascades — Restricted vs Non-Restricted buckets + credentials

**Generated:** 2026-06-04

**Important on passwords:** Microsoft/Entra NEVER lets you read an existing password. The only known passwords are (a) the documented caregiver bulk-creation password and (b) vaulted individual accounts. Unknowns can only be made known by RESETTING them (User Manager app) — say the word and I'll reset to a known temp.

Login-password note: the caregiver bulk password was set with `ChangePasswordAtLogon = $false` + `PasswordNeverExpires = $true`, so it is a **working password, NOT a reset-at-login temp.** It is the actual sign-in password (PHS pushes it to M365/Entra, so it works for Windows login, ALIS SSO, and M365).

---

## A. RESTRICTED bucket (caregivers + medtechs) — SG-Caregivers, inside-network only, devices only
**All 38 bulk-created caregivers share the same working password** (not reset-at-login). The value is not reproduced here. UPN = sign-in name = required ALIS Email.

| Name | UPN / sign-in |
|---|---|
| Agnes McFerren | a.mcferren@cascadestucson.com |
| Ashli Atwood | a.atwood@cascadestucson.com |
| Barb Johnson | b.johnson@cascadestucson.com |
| Bella Mendoza | b.mendoza@cascadestucson.com |
| Charity/Bariffa Sika | b.sika@cascadestucson.com |
| Cole Johnson | c.johnson@cascadestucson.com |
| Corey Tate | c.tate@cascadestucson.com |
| Diana Fierros | d.fierros@cascadestucson.com |
| Ederick Yuzon | e.yuzon@cascadestucson.com |
| Erica Sanchez | e.sanchez@cascadestucson.com |
| Espe/Niyonsaba Esperance | e.esperance@cascadestucson.com |
| Gina Williams | g.williams@cascadestucson.com |
| Gloria Williford | g.williford@cascadestucson.com |
| Jahmeka Clarke | j.clarke@cascadestucson.com |
| Jen/Jennifer Higdon | j.higdon@cascadestucson.com |
| Jinnelle Dittbenner | j.dittbenner@cascadestucson.com |
| Juan Andrade | j.andrade@cascadestucson.com |
| Karina Aziakpo | k.aziakpo@cascadestucson.com |
| Kasey Flores | k.flores@cascadestucson.com |
| Katrina Wyzykowski | k.wyzykowski@cascadestucson.com |
| Luke Hogan | l.hogan@cascadestucson.com |
| Luriz Fuster | l.fuster@cascadestucson.com |
| Maia Baker | m.baker@cascadestucson.com |
| Marie Kastner | m.kastner@cascadestucson.com |
| Mary Kariuki | m.kariuki@cascadestucson.com |
| Monique Lopez | m.lopez@cascadestucson.com |
| Patricia Camarena Doran | p.doran@cascadestucson.com |
| Richard Flores | r.flores@cascadestucson.com |
| Rosa Morales | r.morales@cascadestucson.com |
| Roseline Cooper | r.cooper@cascadestucson.com |
| Samuel Ramirez | s.ramirez@cascadestucson.com |
| Sandra Padilla | s.padilla@cascadestucson.com |
| Sarah Carroll | s.carroll@cascadestucson.com |
| Shontiel Nunn | s.nunn@cascadestucson.com |
| Tele Lassey-Assiakoley | t.lassey-assiakoley@cascadestucson.com |
| Thelma Abainza | t.abainza@cascadestucson.com |
| Whisper Reed | w.reed@cascadestucson.com |
| Zeke Huerta | e.huerta@cascadestucson.com |

**New adds to restricted (existing accounts — password NOT known, RESET needed):**

| Name | UPN | Password |
|---|---|---|
| Veronica Feller | veronica.feller@cascadestucson.com | UNKNOWN — reset needed (confirm on-site first; inventory shows PA) |
| Christine Nyanzunda | christine.nyanzunda@cascadestucson.com | UNKNOWN — reset needed; also fix directory surname typo "Nyanzuda" |

> Caveat: any of the 38 who voluntarily changed their password (unlikely for shared-phone caregivers) would differ from the bulk value. If a login fails, reset that one.

---

## B. NON-RESTRICTED bucket (privileged — outside access to ALIS + M365, 2FA offsite)

NOT in SG-Caregivers. Microsoft offsite access already works (all-users-MFA, trusted-location excluded). For outside ALIS they need ALIS Email = UPN + native 2FA off.

| Name | Role | UPN | Password |
|---|---|---|---|
| Lois Lane | Health Services Dir (RN) | Lois.Lane@cascadestucson.com | KNOWN — not reproduced here (retrieve from vault) |
| Megan Hiatt | Sales/Marketing Dir | megan.hiatt@cascadestucson.com | KNOWN — not reproduced here (retrieve from vault) |
| Ashley Jensen | Asst Exec Dir / CFO | Ashley.Jensen@cascadestucson.com | KNOWN — not reproduced here (retrieve from vault); a separate local pre-domain password also exists |
| Front Desk (shared) | Reception | frontdesk@cascadestucson.com | KNOWN — not reproduced here (retrieve from vault) |
| Karen Rossini | Health Services Mgr (LPN) | karen.rossini@cascadestucson.com | UNKNOWN — reset if needed (ALIS SSO already working for her) |
| Christina DuPras | Resident Svcs / Admin Asst | christina.dupras@cascadestucson.com | UNKNOWN — reset needed |
| Meredith Kuhn | Executive Director | meredith.kuhn@cascadestucson.com | UNKNOWN |
| Lauren Hasselman | Business Office Mgr | lauren.hasselman@cascadestucson.com | UNKNOWN |
| Crystal Rodriguez | Sales | crystal.rodriguez@cascadestucson.com | UNKNOWN (ALIS SSO already working) |
| Shelby Trozzi | MemCare Director | (verify UPN) | UNKNOWN |
| Susan Hicks | Life Enrichment Dir | Susan.Hicks@cascadestucson.com | UNKNOWN |
| Chris Knight | CFO | chris.knight@cascadestucson.com | UNKNOWN |
| Lupe Sanchez | Housekeeping Dir | (verify UPN) | UNKNOWN |
| Alyssa Shestko | Dining Room Mgr | (verify UPN) | UNKNOWN |

Admin/break-glass (cloud-only, excluded from CA): admin@cascadestucson.com, sysadmin@cascadestucson.com (vaulted).

---

## C. Phased testing — LIVE mechanism

- Group `SG-Caregivers-DeviceTest` (`db5849ec-242d-4b05-9d1b-940a830e7a60`) — members are governed by the **allow-list** (phones + tagged devices) instead of the compliance block.
- Allow-list policy `CSC - Caregivers: allow-listed devices only (TEST GROUP)` (`1b7fd025-...`) = ENABLED, scoped to that group.
- Compliance-block (`ede985e2-...`) now EXCLUDES that group.

**To test one caregiver:** (1) match their ALIS Email = UPN; (2) add them to `SG-Caregivers-DeviceTest`; (3) on a tagged laptop, log into Windows/Edge with their UPN + the bulk password, open ALIS -> verify silent SSO; (4) verify they still work on a phone. Expand one at a time.

**Full cutover (when confident):** point the allow-list policy back to `SG-Caregivers` (all), disable the compliance block, empty/delete the test group.

Tagged devices so far: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. Pending (Win11 25H2): LAPTOP-8P7HDSEI, ASSISTNURSE-PC. Hybrid pending: NURSESTATION-PC.
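Review bot: Section A puts 38 caregiver accounts on one never-expiring shared password (`ChangePasswordAtLogon = $false` + `PasswordNeverExpires = $true`), and the caveat after the table admits there is no way to tell which accounts still carry it. That is one credential protecting 38 identities with no per-user attribution; any phone or shared device that leaks it exposes the whole SG-Caregivers bucket, leaving the inside-network/device allow-list as the only control. At minimum document a per-user reset plan (or force a change at first sign-in) and keep the credential values themselves out of this markdown: store them only in the sops vault and reference the entry path, as the sysadmin@ line already does. Two smaller points: Zeke Huerta's UPN `e.huerta@` breaks the first-initial pattern every other row follows, so confirm it before the ALIS Email = UPN match in Section C; and in the cutover steps, keep the stated order (widen the allow-list policy to `SG-Caregivers` first, then disable the compliance block) and verify sign-ins between the two, otherwise there is a window with neither device control applied.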
clients/cascades-tucson/session-logs/2026-06-05-session.md (new file, 77 lines)
@@ -0,0 +1,77 @@
# Cascades of Tucson — Session Log 2026-06-05

## User

- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

## Session Summary

Two Cascades tasks handled via the GuruRMM agent fleet and the M365 remediation tool suite.

First, a request to "enable the localadmin account as a local administrator" on NURSESTATION-PC because it was not appearing on the login screen. Recon via RMM showed the account was already enabled and already a member of the local Administrators group (it had even logged in earlier the same day). The actual cause was a `SpecialAccounts\UserList` registry suppression entry (`localadmin = 0`) under the Winlogon key, which deliberately hides the account from the sign-in screen. Removed that entry; the account will now appear in the user picker after the next sign-out/reboot. The enable/admin steps in the fix script were idempotent no-ops since both conditions were already true.

Second, vault hygiene plus an MFA change on the MSP break-glass Global Admin `sysadmin@cascadestucson.com`. Confirmed the vault entry (`clients/cascades-tucson/m365-sysadmin.sops.yaml`) had not been updated since 2026-04-24 and that the live account's `lastPasswordChangeDateTime` was 2026-06-04 — i.e. Mike rotated the password on 2026-06-04 and never vaulted it. Howard supplied Mike's current password; updated the vault entry's password field and rotation-history notes in place via `sops set` (no plaintext on disk), committed, and pushed (required a rebase — remote had advanced).

As the MFA part of that second task, added a code-delivery path for Howard on the same GA account. Reading the account's phone methods showed `mobile` (SMS, Mike's) and `alternateMobile` (voice-only) slots both occupied, and the tenant Authentication Methods policy had **Voice call disabled** — which is why sign-in only ever offered text or authenticator (both Mike's). To avoid a tenant-wide change, created a security group containing only `sysadmin@`, enabled the Voice method scoped to that group, and set the account's `alternateMobile` to Howard's number. A voice-call MFA option now appears at sign-in for that account only. All writes against the GA succeeded (no Privileged Auth Admin 403 materialized).

## Key Decisions

- Diagnosed the NURSESTATION-PC login-screen issue as a registry hide (`SpecialAccounts\UserList`) rather than an account-state problem, because recon proved the account was already enabled + admin. Fixed the actual cause instead of the stated symptom.
- Did NOT reset the live `sysadmin@` password. Earlier in the session a reset to the vaulted value was prepared, but Howard clarified Mike's 2026-06-04 change was intentional; the correct action was to vault Mike's current password, not revert the account.
- Scoped the Voice MFA method to a dedicated single-member security group rather than enabling it for `all_users`, keeping blast radius to the one account (Howard asked specifically whether it could be limited to that account).
- Left `alternateMobile` set to Howard's number (520-585-xxxx) after Howard confirmed sign-in worked, rather than reverting to the prior 520-331-xxxx.
- Used `sops set` for the vault field edits (password + notes) to avoid ever writing the decrypted file to disk.

## Problems Encountered

- RMM registry-recon command returned `interrupted` ("Agent restarted during execution") once on NURSESTATION-PC; re-ran and it completed.
- First fix-script dispatch returned an empty `command_id` (transient, around the agent restart). Re-dispatched and it succeeded.
- Group member-add returned 404 immediately after group creation (Entra replication lag); succeeded on retry after a short delay.
- Phone-method update first attempted with `PUT` (405 — "PUT is not supported in v1.0, use PATCH"); reissued as `PATCH` and it succeeded (204).
- Vault `git push` was rejected (remote ahead); resolved with `git pull --rebase` then push.
- `bash` readonly-variable error using `UID` for the user object id; renamed to `OID`.

## Configuration Changes

- **NURSESTATION-PC (Cascades, RMM agent):** removed registry value `localadmin` (was `0`) under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`. localadmin remains enabled and in Administrators (unchanged).
- **Vault `clients/cascades-tucson/m365-sysadmin.sops.yaml`:** updated `credentials.password` to Mike's current value; rewrote `notes` with a rotation-history block. Committed + pushed to the vault repo.
- **M365 tenant cascadestucson.com:**
  - Created security group "MFA - Voice Call Scoped (sysadmin)" (`mfa-voicecall-scoped`), id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`.
  - Authentication Methods policy: Voice method `state` set `disabled` → `enabled`, `includeTargets` scoped to group `304f941e-…` (was `all_users`).
  - `sysadmin@` `alternateMobile` phone method (`b6332ec1-7057-4abe-9331-3d72feddfe41`) changed from +1 520-331-xxxx to +1 520-585-xxxx.

## Credentials & Secrets

- `sysadmin@cascadestucson.com` (Global Admin "Computer Guru Support", object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`): password rotated by Mike 2026-06-04, now vaulted at `clients/cascades-tucson/m365-sysadmin.sops.yaml` (`credentials.password`). Value not reproduced here; retrieve via `vault.sh get-field`.
- No new credentials created. Vault key auto-discovered by sops at `%APPDATA%\sops\age\keys.txt`.

## Infrastructure & Servers

- GuruRMM API: `http://172.16.3.30:3001`. NURSESTATION-PC agent id `f5a89784-834f-47b1-82e2-7e3e9dd337ff` (Windows, online), client "Cascades of Tucson".
- M365 tenant `cascadestucson.com` = tenant id `207fa277-e9d8-4eb7-ada1-1064d2221498`.
- Remediation app tiers used: `user-manager` (`64fac46b-8b44-41ad-93ee-7da03927576c`) for user/group/phone-method writes; `tenant-admin` (`709e6eed-0711-4875-9c44-2d3518c47063`) for the auth-methods policy PATCH.
- Account phone methods after change — mobile/SMS: +1 520-289-xxxx (ready); alternateMobile/voice: +1 520-585-xxxx.

## Commands & Outputs

- RMM hidden-account discovery: `Get-Item HKLM:\...\Winlogon\SpecialAccounts\UserList` → `localadmin = 0` (the hide flag).
- RMM fix output: "Removed UserList hide entry for localadmin (was 0)" / "UserList hide entry now: ABSENT (will show on login screen)".
- Graph read of GA roles: `GET /users/{id}/memberOf/microsoft.graph.directoryRole` → "Global Administrator [62e90394-69f5-4237-9190-012177145e10]".
- Voice policy before: `{state: disabled, includeTargets:[all_users]}`; after PATCH: `{state: enabled, includeTargets:[group 304f941e-…]}`.
- Vault edit: `sops set <file> '["credentials"]["password"]' '"<value>"'` then verified round-trip and `grep -c 'ENC[' = 4` (still encrypted).

## Pending / Incomplete Tasks

- NURSESTATION-PC: localadmin will appear in the login picker only after the next sign-out/reboot. If a user is currently signed in, have them sign out to confirm.
- The previous `alternateMobile` number +1 520-331-xxxx was overwritten — confirm with Mike that number did not need to remain on the account.
- Consider whether `sysadmin@` (shared break-glass GA) should move to per-admin Authenticator/FIDO2 rather than shared SMS/voice long-term (raised but not actioned).
- Voice MFA is now an available method for the single-member scoped group; if more admins should get voice MFA, add them to group `304f941e-…`.

## Reference Information

- Vault entry: `clients/cascades-tucson/m365-sysadmin.sops.yaml`.
- GA account object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`; alternateMobile method id `b6332ec1-7057-4abe-9331-3d72feddfe41`.
- Scoped Voice group: `304f941e-3594-4705-b8e6-ee676297df11` ("MFA - Voice Call Scoped (sysadmin)").
- Graph: `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Voice`.
- Remediation skill: `.claude/skills/remediation-tool/`; RMM skill: `.claude/commands/rmm` / `/rmm`.
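Review bot: the vault edit in Commands & Outputs passes the Global Admin password as a command-line argument (`sops set <file> '["credentials"]["password"]' '"<value>"'`), so it lands in the shell history file and is visible in the process list while sops runs; that undercuts the "no plaintext on disk" claim in the summary. Read it into a variable with `read -s` and pass the variable (history then records the variable name, not the value), or clear the history entry afterwards, and record which was done. Also worth recording: the password reached this session by Howard relaying it, so the log should state the channel it travelled over and whether a follow-up rotation is planned. On the MFA change, SMS and voice on a shared break-glass GA that is excluded from Conditional Access are phishable and SIM-swappable factors; Pending already raises per-admin Authenticator/FIDO2, so give it an owner and a date rather than leaving it as "raised but not actioned". Finally, the `SpecialAccounts\UserList` hide on `localadmin` was deliberate configuration by someone; note who asked for it to be reversed so the next tech does not re-hide it.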