Comprehensive log of the Entra setup work spanning 4/24 evening through 4/25.
Includes a Resume Point at the top so the next session can pick up cleanly.
Highlights:
- Entra Connect Sync installed in staging mode on CS-SERVER, scope OU=Caregivers
- Pilot AD account howard.enos@cascadestucson.com created
- Master plan v2 with explicit drift log (FIDO2/YubiKey injection caught)
- HIPAA retention remediation: 7 mailboxes restored from soft-delete (4/22 deletes
violated 164.316(b)(2)); termination procedures policy + IR-2026-04-24-001 documented
- admin@cascadestucson.com re-promoted to Global Admin (Sandra Fish cleanup had
stripped role); residual profile data cleaned
- Existing Cascades CA architecture discovered (Named Location 72.211.21.217 + all-users
MFA policy from 2026-02-11) — adjusts plan, no duplicate policies needed
- Syncro ticket #32214 'Entra setup' with hidden private rollup (~40-45 billable hrs)
Released session lock; resume point flagged in PROJECT_STATE.md.
Replaced thin Ollama draft with complete show prep:
- Full common thread narrative
- 5-7 talking points per segment (was 2-3)
- Added second story per segment (dot-com playbook, Optimus robot, Adobe/NVIDIA small biz angle)
- Specific facts: NASDAQ -78%, Amazon $107->$5.51, pets.com $82.5M raised
- Tucson-specific angles added throughout
- HTML rewritten with full template CSS matching April 18 show format
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenants.md: updated status to PARTIAL with full detail note
- clients/sandteko-machinery/: new client directory with reports/ and session-logs/ scaffolding
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Appended update to 2026-04-24 session log covering the font change
investigation. Checked bash startup files, Windows Terminal settings,
registry console keys, raw PowerShell output bytes, and installed
fonts. No root cause found — user will report next real-time
occurrence for definitive diagnosis.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Index was dead since 2026-04-19 (watcher not running). Fixes:
- Watcher restarted; scheduled task registered for login persistence
- Removed .md 0.6x penalty — markdown is primary content in this repo
- Added session-logs/ 1.3x, .claude/ 1.2x, /clients/ 1.1x relevance bonuses
- CLAUDE.md: grepai_search is now the first step for any context lookup
- OLLAMA.md: documents config overrides + watcher setup for new machines
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Write operations (bill, comment, create) now send a prompt to Ollama
(qwen3:14b) for comment body and billing description drafting. Claude
reviews the output against the rate/prepaid/formatting checklist before
presenting the preview. If neither Ollama endpoint is reachable, Claude
drafts directly — same review and confirmation flow either way.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add local rate table (pulled 2026-04-24) for all 7 labor products; always
set price_retail explicitly — Syncro API does not auto-apply product rates
- Replace vault-based key fetch with inline case block on identity.json user;
both Mike and Howard keys included for correct per-user attribution
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenant-sweep.sh line 12: renamed tier `graph` to `investigator` to match
the valid tier name expected by get-token.sh
- tenants.md: updated Kittle Design & Construction consent status from NO
to PARTIAL with notes on what was consented and what remains pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the 3-call create pattern (ticket → Initial Issue comment →
appointment), adds problem type and appointment type dropdowns with IDs,
fixes priority format to number-prefixed strings ("2 Normal"), adds Howard
to tech user ID table, and adds asset/contact lookup steps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds JSON-RPC client, Pydantic schemas, and FastAPI router for
Bitdefender GravityZone. Endpoints: status, companies, endpoints,
quarantine, and security sweep across all 55 managed client companies.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds full GravityZone API integration to ClaudeTools. Key additions:
- api/services/gravityzone_service.py: JSON-RPC client with Basic auth,
methods for company/endpoint/quarantine/licensing data, and security_sweep
which paginates all endpoints, enriches with malware/agent status, and
sorts infected > outdated > clean
- api/schemas/gravityzone.py: Pydantic response models for all endpoints
- api/routers/gravityzone.py: 7 REST endpoints at /api/gravityzone/*,
JWT-protected, returns 502 on downstream GZ errors
- api/config.py: GRAVITYZONE_API_KEY + GRAVITYZONE_API_BASE_URL settings
- api/main.py: router registered under /api/gravityzone
Vault entry: msp-tools/gravityzone.sops.yaml (partner-level key, 14 modules)
Server .env updated, ticktick router synced, service restarted and verified.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Major work from 2026-04-23:
Folder redirection (OU=Life Enrichment):
- Added 5 folders (Desktop, Pictures, Music, Videos, Favorites) to CSC - Folder
Redirection (LE) alongside existing Documents + Downloads. All use Flags=1021
(Basic + create folder per user + move contents + policy-removal: redirect back).
- Created CSC - Always Wait For Network GPO, linked at OU=Workstations. Disables
FLO via correct Winlogon registry path (HKLM\Software\Policies\Microsoft\
Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy=1). First attempt used
wrong path (Windows\System) which Winlogon ignored.
- Proved GPO FR works for clean-hive users (test user LE.FRTest, now removed).
- Wrote susan-profile-fix.ps1 to repair ProfWiz-poisoned profiles: robocopies
local content to \CS-SERVER\homes\<user>, loads NTUSER.DAT, rewrites User
Shell Folders (legacy + modern GUIDs) to UNC, unloads. Applied to Susan Hicks,
verified via live SMB session + content access.
Share access review doc:
- share-access-matrix-2026-04-23.md drafted for John/Meredith review. One
short block per employee (department + position + folders they can access).
All settled decisions from today's calls captured (Sandra Fish = Meredith-
only, Culinary = kitchen + M/J/A, no chat share, caregivers zero on-prem,
Veronica = Meredith tier, CasAdmin201 retired, pacs empty).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KB5082142 (Windows Server 21H2 CU) + KB5084071 (.NET Framework CU) triggered
cascading Exchange 2016 failures on NEPTUNE today. External SMTP ingest was
restored after 4 fixes (registry ACL on AssistantsQuarantine, Routing Master
DN, disabled messageconcept ExSBR, hosts entries for dead MAIL server). But
internal pipeline (Submission -> categorizer -> mailbox delivery) remained
broken until 3 more fixes (DNS records on ACG-DC16 for n-hosting1/n-largeboxes
/mail, disabled hung DkimSigner agent, disabled IRM to silence RMS Encryption
Agent timeouts). Submission queue still pinned at ~427 messages pre-reboot;
full Neptune reboot queued to clear edgetransport.exe in-memory DNS cache and
pending KB5082142 reboot actions.
All registry/AD/config backups in C:\BackupBeforeFix\ on Neptune. Post-reboot
verification checklist documented in the log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Single-doc consolidation of every Cascades doc in the repo: where we are
(what's done, in-flight, ahead), all 48 open questions grouped by recipient
(Meredith, John, Ashley, internal) with T1/T2/T3 urgency, suggested 4-session
sequencing to unblock most work fastest, license/cost summary, and the
5 items Howard can execute right now without answers.
Replaces the piecemeal view across user-account-rollout-plan,
p2-staff-candidates, staff-working-list, hipaa-review, and risk-register docs.
Those remain the detail source; this is the navigation layer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deleted 7 former-employee / zombie accounts via Graph user-manager tier.
All verified in soft-delete bin (30-day recovery):
- ann.dery, anna.pitzlin, jeff.bristol, kristiana.dowse, nela.durut-azizi,
nick.pavloff (all were disabled already)
- jodi.ramstack (was a zombie: enabled in M365 with 1 Business Standard
license but deleted from AD 2026-04-13. Freed $12.50/mo seat.)
admin@NETORGFT... (Sandra Fish) confirmed already gone from tenant.
Role-based accounts (accounting@, frontdesk@, hr@, etc.) NOT touched —
pending delegation decisions before shared-mailbox conversion. Stephanie.Devin
left alone pending Meredith confirmation.
Report: reports/2026-04-22-m365-orphan-deletes.md
Docs updated: docs/cloud/m365.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Full cpmove transfer verified (62GB, mailboxes, public_html)
- Mailprotector configured on IX (exim.conf.local, DKIM via dsearch, skipsmtpcheckhosts)
- DNS zone updated: A record to IX (72.194.62.5), TTLs lowered to 300s, zone backed up
- .htaccess redirect to jackfurriers.com added to IX public_html
- Delivery server updated in Mailprotector admin, inbound confirmed live
- HTML setup guide created and sent to 23 real user accounts
- Syncro ticket #32199 created (no billing yet)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and
Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready
for Entra Connect install.
Synology cascadesDS permission inventory captured via DSM API (SSH
disabled by default on Synology). 35 users, 4 groups, 10 shares.
Analysis identifies 7 shared-account role logins (HIPAA violation),
8 departed-employee accounts to clean up, and 4 shares needing
Meredith-side confirmation before migration (pacs most sensitive).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Meredith/John returned the staff-editor questionnaire (70 people, 11
departments). CSV ingested to reports/; p2-staff-candidates.md updated
with real persona breakdown. Wrote full AD/M365 user rollout plan (8
personas, license mapping, OU/group layout, CA policies, 4-wave
sequence, 8 open decisions). Drafted follow-up email for remaining open
items — Howard will edit and send.
Britney Thompson and Polett Pinazavala confirmed still employed (were
absent from the CSV return). Christine Nyanzunda confirmed as one
person with two roles. Usernames locked for new accounts:
Alma.Montt, Kyla.QuickTiffany.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Added Teams deployment + HIPAA-appropriate configuration as a tracked
gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission
security + BAA requirements and outlines controls needed (retention,
DLP, external sharing lockdown, guest access, meeting consent).
Dependency on Microsoft BAA flagged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Intune Manager (46986910-...) registered as AzureADMyOrg instead of
AzureADMultipleOrgs, blocking consent in any external tenant. Includes
evidence, PATCH command, and portal steps. Blocks Cascades MDM Phase B.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- UNREGISTERED_MODELS set: 9 model numbers not in Hoffman API catalog; skipped
silently instead of generating errors
- batch-500 fallback: when a bulk batch returns HTTP 500, retry each record
individually so good records get stamped and only truly-bad records count
as errors
- FAIL-parameter filter: records with any FAIL on a parameter line are excluded
from the push before the batch is assembled
- notify.js integration: wired in existing notification module
Files added:
- projects/dataforth-dos/database/upload-to-api.js
- projects/dataforth-dos/database/notify.js
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
