azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: azcomputerguru:814310c9e1af3e0300499e4720b4e88ff1d249dd
Branches Tags
azcomputerguru:main azcomputerguru:feature/real-time-tunnel azcomputerguru:ad2
...
compare: azcomputerguru:main
Branches Tags
azcomputerguru:main azcomputerguru:feature/real-time-tunnel azcomputerguru:ad2

18 Commits
814310c9e1 ... main

Author SHA1 Message Date
Mike Swanson
098e1d4156 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 10:58:31 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 10:58:31
 2026-05-20 10:58:35 -07:00
Mike Swanson
1f8a9dbc8d Session log: EOP access fix + Alma Montt mailbox investigation (Cascades Tucson) 
- Fixed Exchange.ManageAsApp missing from Security Investigator app registration
- Granted role directly in Cascades tenant via Graph API
- Investigated Alma Montt mailbox: no delivery blocks found, specific sender TBD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 10:39:15 -07:00
Mike Swanson
020ae0cc1c feat: Discord bot — per-session rules, user identity, and DISCORD_CLAUDE.md 
- Add DISCORD_CLAUDE.md as the Discord bot's dedicated system prompt,
  replacing the main CLAUDE.md for bot sessions. Covers: no-interactive
  rules, Discord user authorization, vault/remediation guidance, /save
  after every task, and formatting rules for Discord.

- config.py: add discord_system_prompt field (default: projects/discord-bot/
  DISCORD_CLAUDE.md, overridable via env var).

- client.py: _load_system_prompt() now loads discord_system_prompt path
  with fallback to CLAUDE.md if file is missing.

- message_handler.py: inject [DISCORD_CONTEXT] header into every agent
  message containing Discord username, display name, user ID, channel,
  and guild so the agent always knows who is asking.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 10:11:36 -07:00
Mike Swanson
377ab3a63f sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 09:02:03 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 09:02:03
 2026-05-20 09:02:06 -07:00
Mike Swanson
f4b935b394 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 08:25:48 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 08:25:48
 2026-05-20 08:25:53 -07:00
Mike Swanson
35ee135b0f sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 07:37:32 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 07:37:32
 2026-05-20 07:37:43 -07:00
Mike Swanson
35c1270941 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 06:52:41 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 06:52:41
 2026-05-20 06:52:58 -07:00
Mike Swanson
5b99e4b80b sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 05:51:25 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 05:51:25
 2026-05-20 05:51:29 -07:00
Mike Swanson
7bca175176 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 05:10:44 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 05:10:44
 2026-05-20 05:13:16 -07:00
Mike Swanson
d246992d09 Session log: Coordination hook auto-initialization fix 
Comprehensive session log documenting the fix for broken coordination hooks
across all machines. The UserPromptSubmit hook now auto-creates the required
.claude/current-mode file with "general" as default if missing.

Session highlights:
- Root cause analysis of missing machine-local mode file
- Implementation of auto-creation logic in check-messages.sh
- Documentation updates in CLAUDE.md and ONBOARDING.md
- Successful deployment and sync with 15 remote commits
- Zero manual setup required for future machines

Impact: Fixes coordination hooks permanently, prevents fresh-clone failures

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-05-20 05:10:24 -07:00
Howard Enos
b62ea2d4e7 sync: auto-sync from HOWARD-HOME at 2026-05-19 22:36:25 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-19 22:36:25
 2026-05-19 22:36:27 -07:00
Howard Enos
7da6a81aa4 fix: add C:/claudetools to sync.sh candidate path list 
HOWARD-HOME installs to C: not D:, causing sync.sh to fail with
"Not in a git working tree" on that machine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 22:33:04 -07:00
Howard Enos
468f4287bf client/cascades: session log + AD doc update 2026-05-20 
Phase 2.5 complete. Folder redirection GPO decision documented — deferred
to Phase 3 (blocked on domain joins). Pending items carried forward.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 22:32:20 -07:00
Howard Enos
3328a24742 client/cascades: Phase 2.5 AD groups and shares — COMPLETE 
Created SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW in OU=Groups.
Created SMB shares Management, Sales, Activities, Server on D:\Shares
with ABE enabled and correct NTFS ACLs per group.
Scripts run on CS-SERVER via GuruRMM 2026-05-20. AD doc updated to live state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 22:32:20 -07:00
Mike Swanson
d5d2580dd5 chore: update gururmm submodule — PS format specifier fix 
Points to 8404a3c: fix AddToGroup/RemoveFromGroup Windows build error.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 19:09:21 -07:00
Mike Swanson
4b5bf0e7a9 chore: update gururmm submodule — agent compile fix 
Points to e1ea40a: fix agent compile errors from audit remediation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 19:02:28 -07:00
Mike Swanson
9ac26b0963 chore: update gururmm submodule — audit remediation 
Points submodule to 9d917c3: security, quality, and three new UI pages
from the 2026-05-19 audit pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 18:55:27 -07:00
Mike Swanson
7a23101a59 audit: GuruRMM end-to-end audit 2026-05-19 — 1 CRITICAL, 11 HIGH, 18 MEDIUM, 8 LOW 
Updates guru-rmm submodule pointer to include the audit report
(reports/2026-05-19-rmm-audit.md) and updated UI_GAPS.md living doc
from the /rmm-audit skill run.

Note: .claude/CLAUDE.md (/rmm-audit command row) and
.claude/skills/rmm-audit/SKILL.md were committed in the prior
sync at 5ead5d4.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-19 18:20:29 -07:00
15 changed files with 1631 additions and 247 deletions
Expand all files Collapse all files

2
.claude/scheduled_tasks.lock
View File

@@ -1 +1 @@
{"sessionId":"541d4004-8c45-4290-89f5-0ba9ee4e64a9","pid":23068,"acquiredAt":1778772467880}
{"sessionId":"d91f202e-ddd5-46d7-b674-f848eb78aa8e","pid":17204,"acquiredAt":1779243065349}

13
.claude/scripts/sync.sh
View File

@@ -22,13 +22,20 @@ TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
echo -e "${GREEN}[OK]${NC} Starting ClaudeTools sync from $MACHINE at $TIMESTAMP"
# Navigate to ClaudeTools directory (check common locations)
for candidate in "$HOME/ClaudeTools" "/d/ClaudeTools" "D:/ClaudeTools" "/d/claudetools" "D:/claudetools"; do
if [ -d "$candidate" ]; then
# Navigate to ClaudeTools directory
# First check: are we already in the repo (or a subdirectory of it)?
REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || true)
if [ -n "$REPO_ROOT" ]; then
cd "$REPO_ROOT"
else
# Fall back to known candidate paths
for candidate in "$HOME/ClaudeTools" "/d/ClaudeTools" "D:/ClaudeTools" "/d/claudetools" "D:/claudetools" "C:/claudetools" "/c/claudetools"; do
if [ -d "$candidate/.git" ]; then
cd "$candidate"
break
fi
done
fi
if [ ! -d ".git" ]; then
echo -e "${RED}[ERROR]${NC} Not in a git working tree"

97
clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1 Normal file
View File

@@ -0,0 +1,97 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5a: Create new AD security groups for staged share rollout.
.DESCRIPTION
Creates three new global security groups for the new share structure.
Groups are created EMPTY — members are added per-department when each
department is ready to cut over to the new shares.
Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
No other changes are made to existing groups or members.
.NOTES
IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
Run on CS-SERVER via GuruRMM remote execution.
Verify $GroupOU before running:
Get-ADGroup SG-Management-RW | Select DistinguishedName
The OU in $GroupOU must match the OU where existing SG- groups live.
#>
Import-Module ActiveDirectory -ErrorAction Stop
# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
$GroupOU = "OU=Groups,DC=cascades,DC=local"
Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
Write-Host ""
# ============================================================
# STEP 1: Create new groups (empty — members added later)
# ============================================================
Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow
$newGroups = @(
@{ Name = "SG-Mgmt-RW"; Description = "Management share - Read/Write" }
@{ Name = "SG-Sales-RO"; Description = "Sales share - Read Only" }
@{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
)
foreach ($g in $newGroups) {
try {
$existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
if (-not $existing) {
New-ADGroup `
-Name $g.Name `
-GroupScope Global `
-GroupCategory Security `
-Path $GroupOU `
-Description $g.Description `
-ErrorAction Stop
Write-Host " [OK] Created: $($g.Name)" -ForegroundColor Green
} else {
Write-Host " [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
# ============================================================
Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow
try {
$isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }
if ($isMember) {
Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
Write-Host " [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
} else {
Write-Host " [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
}
# ============================================================
# SUMMARY: All SG- groups with member counts
# ============================================================
Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
Write-Host ""
Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
Sort-Object Name |
ForEach-Object {
$count = (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Host (" {0,-25} {1,2} member(s)" -f $_.Name, $count) -ForegroundColor Cyan
}
Write-Host ""
Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green

173
clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1 Normal file
View File

@@ -0,0 +1,173 @@
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Phase 2.5b: Create new share folders, NTFS permissions, and SMB shares on CS-SERVER.
.DESCRIPTION
Builds the folder structure for the staged share rollout. Folders are created
empty — data sync runs separately after this script. Sets NTFS permissions with
broken inheritance and creates SMB shares with Access-Based Enumeration enabled.
Shares created: Management, Sales, Activities, Server.
Does NOT touch: D:\Shares\homes, D:\Shares\Culinary, D:\Shares\Receptionist,
D:\Shares\directoryshare, D:\Shares\IT, D:\Shares\chat, D:\Shares\Public,
or any other existing shares.
.NOTES
IDEMPOTENT — safe to re-run. NTFS permissions are always reapplied (not skipped).
Existing SMB shares have their description updated; share-level permissions are
left alone on re-run.
Requires the ActiveDirectory module and must be run as Administrator on CS-SERVER.
Run AFTER phase2-ad-groups-new.ps1.
#>
Import-Module ActiveDirectory -ErrorAction Stop
$DestRoot = "D:\Shares"
Write-Host "=== Phase 2.5b: New Share Folders & Permissions ===" -ForegroundColor Cyan
Write-Host ""
# --- Share definitions ---
# RWGroup and ROGroup may be $null. $null means that ACE is omitted.
$shares = @(
@{
Name = "Management"
Path = "$DestRoot\Management"
RWGroup = "CASCADES\SG-Mgmt-RW"
ROGroup = $null
Desc = "Management share (Directors only)"
},
@{
Name = "Sales"
Path = "$DestRoot\Sales"
RWGroup = "CASCADES\SG-Sales-RW"
ROGroup = "CASCADES\SG-Sales-RO"
Desc = "Sales share"
},
@{
Name = "Activities"
Path = "$DestRoot\Activities"
RWGroup = "CASCADES\SG-Activities-RW"
ROGroup = $null
Desc = "Activities share (Life Enrichment)"
},
@{
Name = "Server"
Path = "$DestRoot\Server"
RWGroup = "CASCADES\SG-IT-RW"
ROGroup = "CASCADES\Domain Users"
Desc = "Server share (IT tools and scripts)"
}
)
foreach ($s in $shares) {
Write-Host "`n--- $($s.Name) ---" -ForegroundColor Yellow
# Create folder if it doesn't exist
try {
if (-not (Test-Path $s.Path)) {
New-Item -Path $s.Path -ItemType Directory -Force | Out-Null
Write-Host " [OK] Created folder: $($s.Path)" -ForegroundColor Green
} else {
Write-Host " [SKIP] Folder already exists: $($s.Path)" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] Failed to create folder $($s.Path): $_" -ForegroundColor Red
continue
}
# Set NTFS permissions (always reapplied — not skipped on re-run)
try {
$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Break inheritance and discard all inherited entries
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"SYSTEM",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
"CASCADES\Domain Admins",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
if ($s.RWGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.RWGroup,
"Modify",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
if ($s.ROGroup) {
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
$s.ROGroup,
"ReadAndExecute",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)))
}
Set-Acl -Path $s.Path -AclObject $acl -ErrorAction Stop
Write-Host " [OK] NTFS permissions set" -ForegroundColor Green
}
catch {
Write-Host " [ERROR] NTFS permissions failed on $($s.Path): $_" -ForegroundColor Red
continue
}
# Create or update SMB share
try {
$existingShare = Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue
if (-not $existingShare) {
New-SmbShare `
-Name $s.Name `
-Path $s.Path `
-Description $s.Desc `
-FullAccess "Authenticated Users" `
-FolderEnumerationMode AccessBased `
-ErrorAction Stop
Write-Host " [OK] Created SMB share: \\CS-SERVER\$($s.Name) (ABE enabled)" -ForegroundColor Green
} else {
# Update description only; share-level permissions are left alone
Set-SmbShare -Name $s.Name -Description $s.Desc -Force -ErrorAction Stop
Write-Host " [SKIP] SMB share already exists — description updated" -ForegroundColor DarkGray
}
}
catch {
Write-Host " [ERROR] SMB share failed for $($s.Name): $_" -ForegroundColor Red
}
}
# ============================================================
# SUMMARY
# ============================================================
Write-Host "`n=== New Shares Summary ===" -ForegroundColor Cyan
Write-Host "`nAll SMB shares on D:\:" -ForegroundColor Yellow
Get-SmbShare | Where-Object { $_.Path -like "D:\*" } |
Select-Object Name, Path, Description, FolderEnumerationMode |
Format-Table -AutoSize -Wrap
Write-Host "NTFS permissions on new folders:" -ForegroundColor Yellow
foreach ($s in $shares) {
if (Test-Path $s.Path) {
Write-Host "`n $($s.Path):" -ForegroundColor Cyan
& icacls $s.Path
}
}
Write-Host "`n=== New Share Setup Complete ===" -ForegroundColor Cyan
Write-Host "Folders are empty — sync data separately before activating each department." -ForegroundColor Green

499
clients/cascades-tucson/docs/servers/active-directory.md
View File

@@ -8,67 +8,132 @@
- Sites: Default-First-Site-Name
- No trusts configured
## AD Users (42 total — 40 enabled, 2 disabled) — cleaned 2026-04-13
## AD Users (updated 2026-05-19)
**New since last doc update:** Allison Reibschied (2026-03-13), Lauren Hasselman (2026-02-26)
**Changes since 2026-04-13:**
- Alma.Montt added to OU=Administrative (provisioned 2026-05-19) — cloud-only M365 account also created same day; needs reconciliation (see Pending Issues)
- Kyla.QuickTiffany confirmed in OU=Resident Services (was listed as "needs account" in prior doc)
- Zachary.Nelson confirmed: Accounting Assistant (replacing Allison.Reibschied)
- Allison.Reibschied: no longer employed — account disabled in DC 2026-05-19
- 38 caregiver accounts active in OU=Caregivers (new dedicated OU, all syncing to Entra)
- s.nunn confirmed as the correct Shontiel Nunn account (Caregivers/MedTech). Shontiel.Nunn (old format, OU=Resident Services) to be disabled.
### Enabled Accounts — HR Roster (updated 2026-04-13)
| Name | SamAccountName | Position | Department | Shared Email | Notes |
|------|---------------|----------|------------|-------------|-------|
| Administrator | Administrator | — | — | — | Built-in |
| localadmin | localadmin | — | — | — | Local admin |
| Sysadmin | sysadmin | — | — | — | System admin |
| Howard Dax | howard | Home Office | Administrative | first.last@ | MSP technician |
| Meredith Kuhn | Meredith.Kuhn | Executive Director | Administrative | first.last@ | |
| John Trozzi | John.Trozzi | Maintenance Director | Maintenance | first.last@ | PC: MAINTENANCE-PC |
| Lupe Sanchez | Lupe.Sanchez | Housekeeping Director | Housekeeping | first.last@ | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
| Megan Hiatt | Megan.Hiatt | Sales Director | Marketing | first.last@, Sales@ | |
| Crystal Rodriguez | Crystal.Rodriguez | Sales Associate | Marketing | first.last@, Sales@ | PC: CRYSTAL-PC |
| Tamra Matthews | Tamra.Matthews | Move-In Coordinator | Marketing | first.last@ | Renamed from Tamra.Johnson (2026-04-13) |
| Lois Lane | Lois.Lane | Health Services Director | Care, Assisted Living | first.last@, Nurses@ | |
| Christina DuPras | Christina.DuPras | Resident Services Director | Resident Services | first.last@ | |
| Christine Nyanzunda | Christine.Nyanzunda | Memory Care Admin Assistant | Care, Memory Care | first.last@ | |
| Susan Hicks | Susan.Hicks | Life Enrichment Director | Life Enrichment | first.last@ | PC: DESKTOP-ROK7VNM |
| Ashley Jensen | Ashley.Jensen | Assistant Executive Director | Administrative | first.last@, Accounting@ | |
| Veronica Feller | Veronica.Feller | Care, Assisted Living Aide | Care, Assisted Living | first.last@ | |
| Sebastian Leon | Sebastian.Leon | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| JD Martin | JD.Martin | Culinary Director | Culinary | first.last@ | |
| Alyssa Brooks | Alyssa.Brooks | Dining Manager | Culinary | first.last@ | Renamed from Alyssa.Shestko, duplicate deleted (2026-04-13) |
| Matt Brooks | Matt.Brooks | Memory Care Receptionist | Maintenance | first.last@ | Dept says Maintenance (HR data) |
| Ramon Castaneda | Ramon.Castaneda | Kitchen Manager | Culinary | first.last@ | |
| Michelle Shestko | Michelle.Shestko | Resident Services Receptionist | Resident Services | MC Front Desk | |
| Sharon Edwards | Sharon.Edwards | Life Enrichment Assistant | Life Enrichment | first.last@ | PC: DESKTOP-DLTAGOI |
| Britney Thompson | britney.thompson | Memory Care Nurse | Care, Assisted Living | first.last@, Nurses@ | **DEPARTED 2026-04-22 per John — disable account + harvest license** |
| Shelby Trozzi | Shelby.Trozzi | Memory Care Director | Care, Memory Care | first.last@ | Renamed from strozzi (2026-04-13) |
| Karen Rossini | karen.rossini | Health Services Manager | Care, Assisted Living | first.last@, Nurses@ | lowercase SamAccountName |
| Sheldon Gardfrey | Sheldon.Gardfrey | RS Courtesy Patrol | Resident Services | Frontdesk@, Courtesypatrol@ | |
| Cathy Kingston | Cathy.Kingston | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Shontiel Nunn | Shontiel.Nunn | Resident Services Receptionist | Resident Services | Frontdesk@ | |
| Ray Rai | Ray.Rai | RS Courtesy Patrol | Resident Services | Frontdesk@ | |
| Richard Adams | Richard.Adams | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Julian Crim | Julian.Crim | Driver | Transportation | Transportation@ | **2026-04-22: disable — drivers no longer get IT access** |
| Christopher Holick | Christopher.Holick | Driver | Transportation | Transportation@ | Fixed from Holik (2026-04-13). **2026-04-22: disable — drivers no longer get IT access** |
| Lauren Hasselman | lauren.hasselman | Business Office Director | Administrative | first.last@, Accounting@ | Replaced Jeff Bristol. lowercase SamAccountName |
| Allison Reibschied | Allison.Reibschied | Accounting Assistant | Administrative | first.last@ | Added 2026-03-13. PC: ACCT2-PC |
| QBDataServiceUser34 | QBDataServiceUser34 | — | — | — | QuickBooks service account |
| Culinary | Culinary | — | — | — | Generic department account — replace Phase 5 |
| RECEPTIONIST | Receptionist | — | — | — | Generic role account — replace Phase 5 |
| saleshare | saleshare | — | — | — | Shared sales resource — replace Phase 5 |
| directoryshare | directoryshare | — | — | — | Shared directory resource — replace Phase 5 |
### Enabled Accounts — Staff (updated 2026-05-19)
### Not in AD — Needs Account Created
| Name | Position | Department | Shared Email | Notes |
|------|----------|------------|-------------|-------|
| Kyla Quick Tiffany | Resident Services Receptionist | Resident Services | Frontdesk@ | New — needs AD + M365 account |
**OU=Administrative**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Meredith.Kuhn | Meredith Kuhn | Executive Director | |
| Ashley.Jensen | Ashley Jensen | Assistant Executive Director | M365: Accounting@ |
| lauren.hasselman | Lauren Hasselman | Business Office Director | lowercase SAM. Replaced Jeff Bristol. M365: Accounting@ |
| Alma.Montt | Alma Montt | Life Enrichment | Provisioned 2026-05-19. **Cloud-only M365 account also created same day — reconcile before next Entra sync** (see Pending Issues) |
| Zachary.Nelson | Zachary Nelson | Accounting Assistant | Confirmed 2026-05-19. Replacing Allison.Reibschied. |
| ~~Allison.Reibschied~~ | ~~Allison Reibschied~~ | ~~Accounting Assistant~~ | **Disabled 2026-05-19 — no longer employed.** |
**OU=Care-Assisted Living**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lois.Lane | Lois Lane | Health Services Director | M365: Nurses@ |
| karen.rossini | Karen Rossini | Health Services Manager | lowercase SAM. M365: Nurses@ |
| Veronica.Feller | Veronica Feller | Care Assisted Living Aide | |
| britney.thompson | Britney Thompson | Memory Care Nurse | **DEPARTED 2026-04-22 — still enabled. Disable + harvest license.** |
**OU=Care-Memorycare**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christine.Nyanzunda | Christine Nyanzunda | Memory Care Admin Assistant | |
| Shelby.Trozzi | Shelby Trozzi | Memory Care Director | Renamed from strozzi (2026-04-13) |
**OU=Caregivers** — 38 accounts, all shift caregivers/medtechs, all in SG-Caregivers, all syncing to Entra. See Caregiver Accounts section below.
**OU=Culinary**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| JD.Martin | JD Martin | Culinary Director | |
| Alyssa.Brooks | Alyssa Brooks | Dining Manager | Renamed from Alyssa.Shestko (2026-04-13) |
| Ramon.Castaneda | Ramon Castaneda | Kitchen Manager | |
**OU=Housekeeping**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Lupe.Sanchez | Lupe Sanchez | Housekeeping Director | Renamed from Guadalupe.Sanchez, duplicate deleted (2026-04-13) |
**OU=Life Enrichment**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Sharon.Edwards | Sharon Edwards | Life Enrichment Assistant | PC: DESKTOP-DLTAGOI |
| Susan.Hicks | Susan Hicks | Life Enrichment Director | PC: DESKTOP-ROK7VNM |
**OU=Maintenance**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| John.Trozzi | John Trozzi | Maintenance Director | PC: MAINTENANCE-PC |
| Matt.Brooks | Matt Brooks | Memory Care Receptionist | Dept listed as Maintenance in HR data |
**OU=Marketing**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Megan.Hiatt | Megan Hiatt | Sales Director | M365: Sales@ |
| Crystal.Rodriguez | Crystal Rodriguez | Sales Associate | PC: CRYSTAL-PC. M365: Sales@ |
| Tamra.Matthews | Tamra Matthews | Move-In Coordinator | Renamed from Tamra.Johnson (2026-04-13) |
**OU=Resident Services**
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christina.DuPras | Christina DuPras | Resident Services Director | |
| Cathy.Kingston | Cathy Kingston | RS Receptionist | M365: Frontdesk@ |
| Kyla.QuickTiffany | Kyla Quick Tiffany | RS Receptionist | M365: Frontdesk@. Previously listed as "needs account" — now confirmed in AD |
| Michelle.Shestko | Michelle Shestko | RS Receptionist | M365: MC Front Desk |
| Ray.Rai | Ray Rai | RS Courtesy Patrol | M365: Frontdesk@ |
| Sebastian.Leon | Sebastian Leon | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Sheldon.Gardfrey | Sheldon Gardfrey | RS Courtesy Patrol | M365: Frontdesk@, Courtesypatrol@ |
| Shontiel.Nunn | Shontiel Nunn | RS Receptionist | M365: Frontdesk@. **Disable — s.nunn (Caregivers) is the correct current account (confirmed 2026-05-19)** |
**OU=Transportation** — accounts still enabled but flagged for disable
| SamAccountName | Name | Position | Notes |
|---------------|------|----------|-------|
| Christopher.Holick | Christopher Holick | Driver | Fixed from Holik (2026-04-13). **Disable — drivers no longer get IT access** |
| Julian.Crim | Julian Crim | Driver | **Disable — drivers no longer get IT access** |
| Richard.Adams | Richard Adams | Driver | **Disable — drivers no longer get IT access** |
**CN=Users — Service Accounts**
| SamAccountName | Notes |
|---------------|-------|
| Administrator | Built-in |
| localadmin | Local admin |
| sysadmin | System admin (IT) |
| MSOL_12be42ce1269 | Entra Connect service account |
| QBDataServiceUser34 | QuickBooks service account |
**OU=Excluded-From-Sync — Shared/Generic Accounts** (intentionally not syncing to Entra)
| SamAccountName | Notes |
|---------------|-------|
| Culinary | Generic dept account — replace Phase 5 |
| directoryshare | Shared resource — replace Phase 5 |
| RECEPTIONIST | Generic role account — replace Phase 5 |
| saleshare | Shared resource — replace Phase 5 |
**OU=ServiceAccounts**
| SamAccountName | Notes |
|---------------|-------|
| svc-audit-upload | GuruRMM audit upload service account |
### Disabled Accounts
| SamAccountName | Notes |
|---------------|-------|
| Guest | Built-in — correct to leave disabled |
| krbtgt | Built-in Kerberos — **password 569+ days old as of 2026-03-20, needs rotation** |
### Accounts Deleted (2026-04-13 cleanup)
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate), Lupe.Sanchez (duplicate), jeff.bristol
Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate), Lupe.Sanchez (duplicate), jeff.bristol
### Disabled Accounts (2) — cleaned 2026-04-13
| Name | SamAccountName | Notes |
|------|---------------|-------|
| Guest | Guest | Built-in — correct to leave disabled |
| krbtgt | krbtgt | Built-in Kerberos — correct to leave disabled. **Password 569+ days old — needs rotation** |
## Caregiver Accounts (OU=Caregivers)
38 accounts, all shift caregivers/medtechs, first-initial-last format (e.g., a.mcferren). All members of SG-Caregivers. All syncing to Entra ID (full-domain sync scope includes this OU).
a.atwood, a.mcferren, b.johnson, b.mendoza, b.sika, c.johnson, c.lassey, c.tate, d.fierros, e.esperance, e.huerta, e.sanchez, e.yuzon, g.williams, g.williford, j.andrade, j.clarke, j.dittbenner, j.higdon, k.aziakpo, k.flores, k.wyzykowski, l.fuster, l.hogan, m.baker, m.kariuki, m.kastner, m.lopez, p.doran, p.sandoval-beck, r.cooper, r.flores, r.morales, s.carroll, s.nunn, s.padilla, s.ramirez, t.abainza, t.lassey-assiakoley, w.reed
s.nunn confirmed as the correct account (2026-05-19). Shontiel.Nunn (OU=Resident Services) is the old-format account — disable it.
## Domain-Joined Computers (8)
@@ -82,7 +147,7 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
|----------|------|
| CS-QB | Hyper-V VM — VoIP server |
### OU=Staff PCs,OU=Workstations (moved 2026-04-13)
### OU=Staff PCs,OU=Workstations
| Computer | User | Role |
|----------|------|------|
| ACCT2-PC | Allison Reibschied | Accounting |
@@ -92,103 +157,77 @@ Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Haris.Durut, Nuri
| DESKTOP-DLTAGOI | Sharon Edwards | Life Enrichment Assistant |
| DESKTOP-ROK7VNM | Susan Hicks | Life Enrichment Director |
### Missing from AD (listed in overview but NOT domain-joined)
- **SALES4-PC** — Sales workstation (10.0.20.203) — NOT in AD
- **CHEF-PC** — Kitchen workstation (10.0.20.232) — NOT in AD
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20) — NOT in AD
- **DESKTOP-KQSL232** — Unknown (10.0.20.227) — NOT in AD
### OU=Shared PCs,OU=Workstations
Empty — created for future shared/rotation workstations (GPO: CSC - Shared Workstation).
These 4 machines are on the network but not domain-joined. They may be workgroup machines or were never joined to the domain.
### Not Domain-Joined (on network but workgroup/unjoined)
- **SALES4-PC** — Sales workstation (10.0.20.203)
- **CHEF-PC** — Kitchen workstation (10.0.20.232)
- **MDIRECTOR-PC** — MemCare Director (192.168.3.20)
- **DESKTOP-KQSL232** — Unknown (10.0.20.227)
## Organizational Units
Domain join for these machines planned in Phase 3 (OU=Staff PCs,OU=Workstations).
## Organizational Units (current state — 2026-05-19)
OU cleanup is **complete**. All root-level duplicate OUs have been deleted. The structure below reflects live state.
### Current State (pre-cleanup)
```
cascades.local
├── Builtin (system)
├── Computers (default container) ← 5 PCs here: ACCT2-PC, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081, DESKTOP-H6QHRR7
├── Users (default container) ← 20 accounts dumped here (system + stale + needs placement)
├── Computers (default) — CS-QB (VoIP VM)
├── Users (default) — service accounts: Administrator, localadmin, MSOL_12be42ce1269, QBDataServiceUser34, sysadmin
├── Domain Controllers
│ └── CS-SERVER
├── Managment ← MISSPELLED, empty — DELETE
├── Sales ← empty — DELETE
├── MemCare ← empty — DELETE
├── Administrative ← ROOT DUPLICATE of Departments\Administrative — DELETE
├── Care-Assisted Living ← ROOT DUPLICATE — DELETE
├── Care-Memorycare ← ROOT DUPLICATE — DELETE
├── Culinary ← ROOT DUPLICATE — DELETE
├── Housekeeping ← ROOT DUPLICATE — DELETE
├── Life Enrichment ← ROOT DUPLICATE — DELETE
├── Maintenance ← ROOT DUPLICATE — DELETE
├── Marketing ← ROOT DUPLICATE — DELETE
├── Resident Services ← ROOT DUPLICATE — DELETE
── Transportation ← ROOT DUPLICATE — DELETE
── Departments
├── Administrative (6 users)
├── Care-Assisted Living (4 users)
│ └── Nurses (sub-OU, empty)
├── Care-Memorycare (2 users)
── Culinary (4 users)
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
├── Departments
│ ├── Administrative — Alma.Montt, Ashley.Jensen, lauren.hasselman, Meredith.Kuhn, Zachary.Nelson
├── Care-Assisted Living — britney.thompson, karen.rossini, Lois.Lane, Veronica.Feller
└── Nurses (empty sub-OU)
├── Caregivers — 38 accounts (shift caregivers/medtechs, first.last format)
├── Care-Memorycare — Christine.Nyanzunda, Shelby.Trozzi
├── Culinary — Alyssa.Brooks, JD.Martin, Ramon.Castaneda
├── Housekeeping — Lupe.Sanchez
├── Life Enrichment — Sharon.Edwards, Susan.Hicks
├── Maintenance — John.Trozzi, Matt.Brooks
├── Marketing — Crystal.Rodriguez, Megan.Hiatt, Tamra.Matthews
├── Resident Services — Cathy.Kingston, Christina.DuPras, Kyla.QuickTiffany, Michelle.Shestko, Ray.Rai, Sebastian.Leon, Sheldon.Gardfrey, Shontiel.Nunn
│ └── Transportation — Christopher.Holick, Julian.Crim, Richard.Adams
── Excluded-From-Sync — Culinary, directoryshare, RECEPTIONIST, saleshare
├── Groups — SG-* groups + AuditUploaders (see Security Groups section)
├── ServiceAccounts — svc-audit-upload
└── Workstations
├── Shared PCs (empty)
── Staff PCs — domain-joined workstations
```
### Target State (after cleanup — Phase 2.1 + 2.2)
```
cascades.local
├── Builtin (system)
├── Computers (default container) ← CS-QB stays here (VM, not staff PC)
├── Users (default container) ← system/service accounts only
├── Domain Controllers
│ └── CS-SERVER
├── Workstations ← NEW
│ ├── Staff PCs ← NEW — CRYSTAL-PC, ACCT2-PC, DESKTOP-H6QHRR7, DESKTOP-1ISF081, DESKTOP-DLTAGOI, DESKTOP-ROK7VNM
│ └── Shared PCs ← NEW — shared/rotation workstations (GPO: CSC - Shared Workstation)
└── Departments
├── Administrative (6 users)
├── Care-Assisted Living (4 users)
│ └── Nurses (sub-OU)
├── Care-Memorycare (2 users)
├── Culinary (4 users)
├── Housekeeping (1 user)
├── Life Enrichment (2 users)
├── Maintenance (2 users)
├── Marketing (4 users)
├── Resident Services (7 users)
└── Transportation (3 users)
```
**Historical note:** Prior to 2026-04-13, 13 root-level OUs existed (10 duplicate department OUs + Managment misspelled + MemCare + Sales, all empty). All deleted as part of Phase 2.1 cleanup.
### Cleanup Scripts
- `migration/scripts/phase2-ou-cleanup.ps1` — Audit + delete 13 root-level OUs, handle CN=Users accounts
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, create Workstations OU, security groups, move computers
## Security Groups (OU=Groups — live state 2026-05-20)
## Group Policy (as of 2026-03-07 export)
GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
| GPO | Created | Modified | Settings | Notes |
|-----|---------|----------|----------|-------|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. **Lockout: 5 attempts / 30 min** (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Reasonable — keep |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
**GPO Review (2026-03-07):** All 3 Dec 2025 GPOs are completely empty shells — no computer or user settings, not linked to any OU. Safe to delete with zero impact. The Default Domain Policy has account lockout disabled (threshold = 0), allowing unlimited password brute-force attempts — this needs to be fixed in the security baseline GPO.
## RDS Licensing
- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles are installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- **Compliance risk:** Windows Server allows a 120-day grace period for RDS without licensing. After that, connections may be refused. Since the server was installed 8/4/2024 (~19 months ago), the grace period has long expired. RDS may be running in non-compliant mode.
## Existing AD Groups (Custom)
| Group | Members | Notes |
|-------|---------|-------|
| SG-Activities-RW | 0 | Activities share — Read/Write (Life Enrichment). Created 2026-05-20. |
| SG-CA-BreakGlass | 0 | Conditional Access break-glass group |
| SG-Caregivers | 38 | All shift caregivers/medtechs — syncing to Entra |
| SG-Chat-RW | 0 | Chat share access — legacy |
| SG-CourtesyPatrol | 0 | Courtesy patrol dept |
| SG-Culinary-RW | 0 | Culinary share access |
| SG-Directory-RW | 0 | Directory share access |
| SG-Drivers | 0 | Transportation drivers |
| SG-External-Signin-Allowed | 0 | CA policy — allowed external sign-in |
| SG-FrontDesk | 0 | Front desk dept |
| SG-IT-RW | 0 | IT share access |
| SG-Management-RW | 0 | Management share — OLD group, superseded by SG-Mgmt-RW. Do not use for new share. |
| SG-Mgmt-RW | 0 | Management share — Read/Write. Replaces SG-Management-RW. Created 2026-05-20. |
| SG-Office-PHI-External | 0 | PHI-authorized external access |
| SG-Office-PHI-Internal | 0 | PHI-authorized internal access |
| SG-Receptionist-RW | 0 | Receptionist share access |
| SG-Sales-RO | 0 | Sales share — Read Only. Created 2026-05-20. |
| SG-Sales-RW | 0 | Sales share — Read/Write |
| SG-Server-RW | 0 | Server share — OLD group, do not use for new Server share |
| AuditUploaders | 0 | GuruRMM audit upload service |
**Legacy groups (CN=Users, not in OU=Groups):**
| Group | Members | Notes |
|-------|---------|-------|
| QuickBooks Access | Meredith.Kuhn, Megan.Hiatt, Ashley.Jensen, lauren.hasselman | Renamed from "Quickboosk acccess" on 2026-03-09 |
@@ -196,110 +235,111 @@ GPOs exist but effectiveness is limited since most PCs aren't domain-joined.
| MemoryCareDepartment | (empty) | Never populated |
| KitchenAdmin | (empty) | Never populated |
## Migration Plan — AD Changes (Phase 2.2 + 2.6 + 3)
## Entra Connect (live state 2026-05-19)
See `migration/phase2-server-prep.md` and `migration/scripts/phase2-ad-setup.ps1`.
Entra Connect is installed and running on CS-SERVER in production mode.
### Security Fixes (immediate)
- Remove disabled Monica.Ramirez from **Domain Admins** (security risk)
- Disable Haris.Durut (still enabled, not employed)
- Fix "Quickboosk acccess" → "QuickBooks Access"
- Add lauren.hasselman to QuickBooks Access (replaced Jeff Bristol)
| Setting | Value |
|---------|-------|
| Installed on | CS-SERVER |
| Staging mode | FALSE (live production sync) |
| Scheduler | Enabled — next run: Delta |
| AD connector | cascades.local |
| Entra connector | NETORGFT4257522.onmicrosoft.com |
| OU sync scope | Full domain (dnList empty — unfiltered) |
| Service account | MSOL_12be42ce1269 (CN=Users) |
### OU Changes
- **DELETE 10 root-level duplicate OUs** (Administrative, Care-Assisted Living, Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Marketing, Resident Services, Transportation) — duplicates of Departments sub-OUs
- **DELETE 3 empty root-level OUs** (Managment, MemCare, Sales) — unused
- Create: `OU=Workstations,DC=cascades,DC=local`
- Create: `OU=Staff PCs,OU=Workstations,DC=cascades,DC=local`
**OU=Excluded-From-Sync** is explicitly excluded from sync. The shared accounts (Culinary, directoryshare, RECEPTIONIST, saleshare) placed there do not appear in Entra ID.
### Security Groups (created with members from Synology permission mapping)
All other OUs — including OU=Caregivers — are within scope and sync to Entra.
| Group | Members |
|-------|---------|
| SG-Management-RW | Meredith.Kuhn, Ashley.Jensen, Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews, britney.thompson, Veronica.Feller, strozzi, Alyssa.Brooks, lauren.hasselman |
| SG-Sales-RW | Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews |
| SG-Server-RW | Ashley.Jensen, britney.thompson, Christina.DuPras, Veronica.Feller, Meredith.Kuhn |
| SG-Chat-RW | Ashley.Jensen, britney.thompson, Veronica.Feller |
| SG-Culinary-RW | JD.Martin, Ramon.Castaneda, Alyssa.Brooks |
| SG-IT-RW | howard, sysadmin |
| SG-Receptionist-RW | Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko |
| SG-Directory-RW | Cathy.Kingston, Shontiel.Nunn, Christina.DuPras |
| SG-AllShares-RO | (populated as needed) |
**Historical note:** As of the 2026-04-13 doc, Entra Connect was planned as Phase 2.7 (blocked on AD cleanup). Cleanup is now complete and Entra Connect is deployed.
### Account Removals (client confirmed)
## SMB Shares (live — D:\ on CS-SERVER)
**Already disabled — delete:** Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, jeff.bristol
Full share details, permissions, and drive letter mappings are in `docs/servers/cs-server.md`.
**Enabled but not in HR — disable + delete:** Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, alyssa.brooks, Isabella.Islas, ann.dery
| Share | Path | Notes |
|-------|------|-------|
| AuditDrop$ | D:\Shares\AuditDrop | GuruRMM audit drop — hidden share, write-only |
| Culinary | D:\Shares\Culinary | |
| directoryshare | D:\Shares\directoryshare | |
| homes | D:\Homes | NOTE: D:\Homes, not D:\Shares\Homes |
| IT | D:\Shares\IT | |
| Activities | D:\Shares\Activities | ABE enabled. NTFS: SG-Activities-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Management | D:\Shares\Management | ABE enabled. NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full). Created 2026-05-20. |
| Receptionist | D:\Shares\Receptionist | |
| Sales | D:\Shares\Sales | ABE enabled. NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute). Created 2026-05-20. |
| Server | D:\Shares\Server | ABE enabled. NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute). Created 2026-05-20. |
| Shares | D:\Shares | Root share |
**Keep:** lauren.hasselman (replaced Bristol as Business Office Director)
**Printers shared from CS-SERVER:**
| Share | Device |
|-------|--------|
| RecRoom-Canon | 1F-132-RecRoom-Canon |
| MemCare Director Printer | MF451CDW |
| MemCare MedTech Printer | Brother MFC-L8900CDW |
### CN=Users — HR Verified (2026-03-10)
## Group Policy (as of 2026-05-20)
HR (Meredith) responded. All accounts resolved:
GPOs exist but effectiveness is limited since most PCs are not domain-joined.
| Account | Enabled | Last Logon | Action |
|---------|---------|-----------|--------|
| Lupe.Sanchez | Yes | Never | **Keep** — confirmed same person as Guadalupe.Sanchez (M365: lupe.sanchez@). Merge or delete duplicate |
| Receptionist | Yes | 2/22/2026 | Shared account — keep until Phase 5 replacement |
| directoryshare | Yes | 2/26/2026 | Shared/service account — keep until Phase 5 replacement |
| GPO | Created | Modified | Settings | Notes |
|-----|---------|----------|----------|-------|
| Default Domain Policy | Aug 2024 | Mar 2026 | Password: 7-char min, 42-day max, complexity on, 24 history. Lockout: 5 attempts / 30 min (fixed 2026-03-09). Kerberos defaults. | OK |
| Default Domain Controllers Policy | Aug 2024 | Oct 2024 | IIS app pool audit rights, print operator driver loading. Standard. | OK |
| Power Options | Jul 2025 | Jul 2025 | "Cascades Default" power plan: never sleep/hibernate, display off 15 min (plugged in) / 10 min (battery), password on wake. | Keep |
| CSC - Folder Redirection (LE) | Apr 2026 | Apr 2026 | Documents + Downloads → `\\CS-SERVER\homes\%USERNAME%\`. GrantExclusive=false, MoveContents=true. Linked to OU=Life Enrichment. | LIVE — Sharon Edwards + Susan Hicks |
| ~~CopyRoomPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~Nurses-Kiosk~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
| ~~MemCareMedTechPrinter~~ | Dec 2025 | Dec 2025 | EMPTY | **DELETED 2026-03-09** |
**Confirmed DELETE by HR:**
- Anna.Pitzlin (disabled) — was forwarded to Meredith, OK to delete now
- Nela.Durut-Azizi (disabled) — was forwarded to Meredith, OK to delete now
- Jodi.Ramstack (disabled)
- Monica.Ramirez (disabled, already removed from Domain Admins)
- Kristiana.Dowse — M365 only, not in AD. Delete M365 account + remove license
**Already confirmed for removal (not current employees, never logged in):**
Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (lowercase duplicate)
**System/service accounts staying in CN=Users:**
Administrator, Guest, krbtgt, localadmin, sysadmin, QBDataServiceUser34
### Domain Join (Phase 3)
Join these PCs to cascades.local in OU=Staff PCs,OU=Workstations:
- DESKTOP-KQSL232 (first)
- CHEF-PC
- SALES4-PC
- MDIRECTOR-PC (last)
### GPOs to Create (Phase 2.6)
**GPOs to Create (Phase 2.6 — not yet run):**
1. **CSC - Drive Mappings** — S:, M:, T:, K:, I:, R:, P: with item-level targeting
2. **CSC - Printer Deployment** — Deploy printers by OU/group targeting (Life Enrichment first: 1F-132-RecRoom-Canon + CopyRoom)
3. **CSC - Security Baseline** — 12-char passwords, complexity, lockout 5/30, screen lock 15 min
4. **CSC - Windows Update** — Auto download, Sundays 3 AM, no auto-restart
5. **CSC - Folder Redirection**Desktop, Documents, Downloads → `\\CS-SERVER\homes\%username%\`
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount. Blocked on: M365 tenant details, onsite PC identification.
5. **CSC - Folder Redirection**Single GPO linked at `OU=Departments`, covering all staff OUs. Same settings as the LE GPO: Documents + Downloads + Desktop `\\CS-SERVER\homes\%USERNAME%\<Folder>`, GrantExclusive=false, MoveContents=true. **Blocked on Phase 3 domain joins** — most dept machines not joined yet. Life Enrichment already covered by existing LE GPO. CRITICAL: check for OneDrive KFM on each machine before applying; use GPMC close-and-reopen workaround between folder adds (see 2026-04-17 session log for full procedure).
6. **CSC - Shared Workstation** — Linked to Shared PCs OU; ILT by computer name for reception drive (R:), front desk printer, Outlook online mode, shared mailbox auto-mount
### Entra Connect (Phase 2.7 — NEW)
- Install Entra Connect on CS-SERVER for AD → M365 sync + SSO
- **BLOCKED ON:** AD cleanup (renames, deletions, duplicate resolution) must complete first
- See `cloud/m365.md` → "Entra Connect — SSO Setup Plan" for full prerequisites and steps
- Enables: single sign-on, one password, auto Office/Edge activation per user, roaming experience without roaming profiles
## RDS Licensing
### Shared Account Replacement (Phase 5)
Replace Culinary, Receptionist, saleshare, directoryshare with security group access.
- **Mode: NotConfigured**
- **License Servers: None**
- RDS roles installed on CS-SERVER (Connection Broker, Session Host, Web Access) but licensing is NOT configured.
- Compliance risk: grace period is 120 days. Server installed 2024-08-04 (~21 months ago as of 2026-05-19). Grace period expired. RDS is running non-compliant.
- Decision deferred to Phase 5.
## Domain Admins (from 2026-03-07 export)
## Domain Admins
| Account | Status | Action Needed |
|---------|--------|---------------|
| Account | Status | Notes |
|---------|--------|-------|
| Administrator | Enabled | OK (built-in) |
| Meredith.Kuhn | Enabled | **REMOVE** — administrative staff, not IT |
| John.Trozzi | Enabled | **REMOVE** — maintenance, not IT |
| ~~Monica.Ramirez~~ | **Disabled** | **REMOVED 2026-03-09** |
| Meredith.Kuhn | Enabled | Should be removed — administrative staff, not IT |
| John.Trozzi | Enabled | Should be removed — maintenance, not IT |
| ~~Monica.Ramirez~~ | Removed | Removed 2026-03-09 (account was disabled) |
| sysadmin | Enabled | OK (IT account) |
## Login Activity (audit 2026-03-20)
## Pending Issues (discovered 2026-05-19 audit)
Only 12 of 49 enabled accounts have ever logged in. Most staff have never used their AD accounts because their PCs aren't domain-joined.
| Issue | Account | Action Needed |
|-------|---------|---------------|
| Still enabled — departed | britney.thompson | Disable — departed 2026-04-22. Harvest M365 license. |
| Still enabled — flagged for disable | Richard.Adams, Julian.Crim, Christopher.Holick | Disable — drivers no longer get IT access (flagged 2026-04-22, not yet done) |
| Old-format account — superseded | Shontiel.Nunn (OU=Resident Services) | **Disable** — s.nunn (OU=Caregivers) confirmed as the correct account 2026-05-19 |
| AD + cloud-only M365 conflict | Alma.Montt | AD account exists in OU=Administrative (will sync via Entra Connect). Cloud-only M365 account also created 2026-05-19. **Delete the cloud-only M365 account and let AD sync create it properly** — otherwise Entra Connect will create a duplicate and both will break. |
| krbtgt password age | krbtgt | 569+ days old as of 2026-03-20. Needs rotation. |
| Meredith.Kuhn + John.Trozzi in Domain Admins | Both | Non-IT staff — remove from Domain Admins |
## Login Activity (audit 2026-03-20 — historical/stale)
Data below is from the 2026-03-20 audit. Only 12 of 49 enabled accounts had ever logged in at that time. Most staff had never used AD accounts because their PCs were not domain-joined.
| Account | Last Logon | Notes |
|---------|-----------|-------|
| sysadmin | 2026-03-16 | |
| QBDataServiceUser34 | 2026-03-14 | QuickBooks service |
| Allison.Reibschied | 2026-03-13 | **NEW** Administrative |
| Allison.Reibschied | 2026-03-13 | Administrative |
| lauren.hasselman | 2026-03-12 | Business Office Director |
| Administrator | 2026-03-11 | |
| Receptionist | 2026-03-11 | Shared account |
@@ -307,23 +347,20 @@ Only 12 of 49 enabled accounts have ever logged in. Most staff have never used t
| localadmin | 2026-03-09 | |
| Crystal.Rodriguez | 2026-03-09 | CRYSTAL-PC |
| Culinary | 2026-02-20 | Shared account |
| saleshare | 2025-12-08 | Shared account |
| Christina.DuPras | 2026-01-06 | |
| Monica.Ramirez | 2024-11-04 | **Disabled** |
| saleshare | 2025-12-08 | Shared account |
| Monica.Ramirez | 2024-11-04 | Disabled — now deleted |
**37 enabled accounts have NEVER logged in** — most have never set a password either.
37 accounts had never logged in as of 2026-03-20. Login activity will improve as more PCs are domain-joined (Phase 3).
## Issues Found
1. **Only 6 computers domain-joined** — At least 4 known staff PCs are NOT in AD. (Migration Phase 3 will fix)
2. **3 GPOs from Dec 2025 undocumented** — CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter. Need to review settings and linkage. Previous MSP or sysadmin created these.
3. **RDS licensing not configured** — Compliance risk, grace period expired ~17 months ago. (Phase 5 decision)
4. **12 accounts to remove** — 5 disabled + 7 former employees still enabled. (Phase 2.1/2.2)
5. **4 shared/generic accounts** (Culinary, Receptionist, saleshare, directoryshare) — To be replaced. (Phase 5)
6. **Monica.Ramirez (disabled) still in Domain Admins** — Security risk, fix immediately. (Phase 2.2)
7. **Meredith.Kuhn and John.Trozzi in Domain Admins** — Non-IT staff should not be DAs. (Phase 2.2)
8. **"Managment" OU misspelled** — To be deleted (empty). (Phase 2.1)
9. **"Quickboosk acccess" group typo** — To be fixed. (Phase 2.2)
10. **13 junk root-level OUs** — 10 duplicate department OUs + Managment + MemCare + Sales, all empty. Delete in Phase 2.1.
11. **20 accounts in CN=Users** — Mix of system, stale, and misplaced. Clean up in Phase 2.1.
12. **5 computers in CN=Computers** — Move 4 staff PCs to Workstations OU. CS-QB stays. (Phase 2.2)
13. **Lupe.Sanchez** — In CN=Users, possible duplicate of Guadalupe.Sanchez (Housekeeping). Flag for onsite review.
## Migration Plan Reference
See `migration/phase2-server-prep.md` for full phase details. Scripts referenced throughout this doc:
- `migration/scripts/phase2-ou-cleanup.ps1` — OU audit + delete (COMPLETE)
- `migration/scripts/phase2-ad-setup.ps1` — Security fixes, Workstations OU, security groups, move computers (COMPLETE)
- `migration/scripts/phase2-ad-groups-new.ps1` — New SG- groups (SG-Mgmt-RW, SG-Sales-RO, SG-Activities-RW) — COMPLETE 2026-05-20
- `migration/scripts/phase2-new-shares.ps1` — New SMB shares (Management, Sales, Activities, Server) — COMPLETE 2026-05-20
**Phase 3 domain joins** (pending): DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC — all to OU=Staff PCs,OU=Workstations.
**Phase 5** (deferred): Replace shared accounts (Culinary, Receptionist, saleshare, directoryshare) with group-based access. RDS licensing decision.

74
clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md Normal file
View File

@@ -0,0 +1,74 @@
# Email Delivery Investigation: Canva Emails Not Arriving — Alma Montt
**Date:** 2026-05-20
**Tenant:** cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
**Reported by:** Alma Montt (alma.montt@cascadestucson.com)
**Issue:** Not receiving emails from Canva (team invite + future notifications)
---
## Root Cause
**New mailbox provisioning race condition.** Alma's mailbox is brand-new (first email received 2026-05-19 21:11 UTC). The Canva team invite was sent before or shortly after provisioning, during a window when the mailbox was not yet fully available to external senders. The email was rejected/dropped at the SMTP layer — it never entered EOP processing.
Confirmed: No quarantined messages found for Alma.Montt@cascadestucson.com.
**Contributing factor (hardened anti-spam config):**
The tenant has the Standard Preset Security Policy active since 2026-04-17 with:
- `BulkThreshold: 6` (aggressive — BCL ≥ 6 treated as bulk spam)
- `HighConfidenceSpamAction: Quarantine` (high-confidence spam goes to org quarantine, not junk)
Canva invite emails route via Amazon SES (`mail.canva.com`) and would be at risk of hitting BCL 6 threshold under this policy for future invites.
---
## Findings
| Check | Result |
|---|---|
| Mailbox exists | Yes — `Alma.Montt@cascadestucson.com`, UserMailbox |
| Inbox rules | None |
| Junk email | Empty |
| Quarantine (org-level) | 0 messages for Alma |
| Blocked senders | None |
| Other users receiving Canva | Yes — crystal.rodriguez receives `marketing@engage.canva.com` |
| MX record | Correct (cascadestucson-com.mail.protection.outlook.com) |
| Canva SPF | Valid (`_spf1-9.canva.com` include chain) |
| Active anti-spam preset | Standard Preset Security Policy (since 2026-04-17) |
---
## Remediation Applied
1. **`Set-HostedContentFilterPolicy` — Default policy**
Added `AllowedSenderDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`
[CONFIRMED] Verified via `Get-HostedContentFilterPolicy`
2. **`Set-HostedContentFilterPolicy` — Standard Preset Security Policy**
Added same three domains to `AllowedSenderDomains`
[CONFIRMED] Verified — note: Microsoft warned "All recommended properties will be controlled by Microsoft" (preset policy managed by MS; override may be reset if Microsoft changes the preset)
3. **`Set-MailboxJunkEmailConfiguration` — Alma's mailbox**
Added `TrustedSendersAndDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`
[CONFIRMED] Verified via `Get-MailboxJunkEmailConfiguration`
4. **Historical search submitted**
Job ID: `21325332-a2a1-49c0-abb8-d0c6b88c7b0f`
Scope: All mail to `Alma.Montt@cascadestucson.com` from Canva senders, May 1820
Results will be emailed to `admin@cascadestucson.com`
---
## Action Required
**Crystal Rodriguez needs to resend the Canva team invite to alma.montt@cascadestucson.com.**
The original invite was lost to a new-mailbox provisioning race. The direct join link Crystal already provided in email (RE: canva info, 2026-05-19) still works and Alma can use it immediately.
For future invites and Canva email notifications: the org allow list changes will ensure delivery.
---
## Vault Paths Accessed
- `clients/cascades-tucson/m365-admin.sops.yaml` — tenant ID, admin credentials
- `msp-tools/computerguru-security-investigator.sops.yaml` — Graph read token
- `msp-tools/computerguru-exchange-operator.sops.yaml` — EXO write token

94
clients/cascades-tucson/session-logs/2026-05-20-howard-phase2-ad-groups-and-shares.md Normal file
View File

@@ -0,0 +1,94 @@
# Cascades of Tucson — Phase 2.5 AD Groups and Shares
**Date:** 2026-05-20
**Syncro tickets:** none opened this session
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
---
## Session Summary
Resumed from a crash mid-session on 2026-05-19. Context was recovered from the prior session log and `active-directory.md`. A live verification against CS-SERVER via GuruRMM confirmed the Phase 2.5 scripts had not run before the crash.
Ran both Phase 2.5 scripts on CS-SERVER via GuruRMM remote PowerShell:
**phase2-ad-groups-new.ps1** — Created three new security groups in `OU=Groups,DC=cascades,DC=local`:
- `SG-Mgmt-RW` — Management share Read/Write (replaces old SG-Management-RW)
- `SG-Sales-RO` — Sales share Read Only
- `SG-Activities-RW` — Activities share Read/Write
Tamra.Matthews was not in SG-Sales-RW so no removal was needed (SKIP result — expected).
**phase2-new-shares.ps1** — Created four new SMB shares on `D:\Shares`, all with ABE enabled and broken inheritance:
- `Management` — NTFS: SG-Mgmt-RW (Modify), Domain Admins (Full)
- `Sales` — NTFS: SG-Sales-RW (Modify), SG-Sales-RO (ReadAndExecute)
- `Activities` — NTFS: SG-Activities-RW (Modify), Domain Admins (Full)
- `Server` — NTFS: SG-IT-RW (Modify), Domain Users (ReadAndExecute)
All folders are empty — data sync and group membership population are separate steps per department when each is ready to cut over.
Discussed folder redirection for the new shares. Decision: create a single `CSC - Folder Redirection` GPO linked at `OU=Departments` rather than per-OU GPOs. Blocked on Phase 3 domain joins — most affected machines are not domain-joined yet. Life Enrichment is already covered by the existing `CSC - Folder Redirection (LE)` GPO. Will return to this after Phase 3.
---
## Key Decisions
- **Single domain-wide folder redirection GPO** — Link at `OU=Departments` rather than duplicating the LE GPO per department. As machines get domain-joined in Phase 3 they pick it up automatically. Blocked until Phase 3 domain joins are further along.
- **phase2-new-shares.ps1 sent as base64 EncodedCommand** — Direct JSON serialization of the script caused a `Missing closing '}'` parser error. Workaround: encode as UTF-16LE base64 and launch via `powershell.exe -EncodedCommand`. This pattern should be used for any multi-line PS scripts sent via the GuruRMM command API.
---
## Problems Encountered
- **phase2-new-shares.ps1 parser error via GuruRMM API** — Sending the script as a raw JSON string caused PowerShell to fail with `Missing closing '}'`. Root cause: JSON serialization mangled backtick line continuations. Fixed by encoding the script as UTF-16LE base64 and using `-EncodedCommand`.
---
## Configuration Changes
| File | Change |
|------|--------|
| `clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1` | New — committed |
| `clients/cascades-tucson/docs/migration/scripts/phase2-new-shares.ps1` | New — committed |
| `clients/cascades-tucson/docs/servers/active-directory.md` | Updated: SG- groups table, SMB shares table, GPO section, script status |
---
## Infrastructure Changes on CS-SERVER
| Object | Type | Action |
|--------|------|--------|
| SG-Mgmt-RW | AD Security Group | Created in OU=Groups |
| SG-Sales-RO | AD Security Group | Created in OU=Groups |
| SG-Activities-RW | AD Security Group | Created in OU=Groups |
| D:\Shares\Management | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Sales | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Activities | Folder + SMB share | Created, ABE enabled, NTFS set |
| D:\Shares\Server | Folder + SMB share | Created, ABE enabled, NTFS set |
---
## Pending / Incomplete Tasks
| Item | Status | Notes |
|------|--------|-------|
| Populate new SG- groups with members | Pending | Per-dept when each cuts over to new shares |
| CSC - Folder Redirection GPO (all depts) | Pending | Blocked on Phase 3 domain joins. Check OneDrive KFM on each machine before applying. Use GPMC close-and-reopen workaround (see 2026-04-17 session log). |
| `n.castro` — block M365 sign-in | Pending (from 2026-05-18) | `Update-MgUser -UserId n.castro@cascadestucson.com -AccountEnabled:$false` |
| `Shontiel.Nunn` old account — disable | Pending (from 2026-05-18) | s.nunn is the correct account |
| `britney.thompson` — disable + harvest M365 license | Pending | Departed 2026-04-22 |
| `Alma.Montt` — AD + cloud-only M365 conflict | Pending | Delete cloud-only account, let Entra Connect sync the AD account |
| `k.flores`, `g.williford`, `m.kariuki` — employment status | On hold | Unconfirmed |
| Phase 3 domain joins | Pending | DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC → OU=Staff PCs |
---
## Reference
- Prior session log: `clients/cascades-tucson/session-logs/2026-05-19-howard-alma-montt-account-completion.md`
- Folder redirection procedure: `clients/cascades-tucson/session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md`
- AD structure: `clients/cascades-tucson/docs/servers/active-directory.md`

152
clients/cascades-tucson/session-logs/2026-05-20-mike-eop-access-test-alma-montt-mailbox.md Normal file
View File

@@ -0,0 +1,152 @@
# Session Log — Cascades Tucson: EOP Access Test & Alma Montt Mailbox Investigation
**Date:** 2026-05-20
**Channel:** #alma.montt-at-cascades-reports-not-receiving-email
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG (Discord bot session)
- **Role:** admin
---
## Session Summary
The session began with testing the EOP access remediation skill for Cascades Tucson at the request of Mike Swanson via Discord. The vault was confirmed accessible at `C:/Users/guru/vault`, and credentials were retrieved for both the Cascades Tucson M365 tenant and the ComputerGuru Security Investigator MSP app. An investigator-exo token was successfully acquired for the Cascades tenant. Graph API access was verified as working, and the EXO `adminapi/beta/InvokeCommand` endpoint was tested, returning 401 Unauthorized.
The root cause was identified: the Security Investigator app had `full_access_as_app` (EWS, role ID `dc890d15`) granted on Exchange Online, but the InvokeCommand REST endpoint requires `Exchange.ManageAsApp` (role ID `dc50a0fb`). Mike granted admin consent via URL, but consent only covered the existing permission set since `Exchange.ManageAsApp` had not yet been added to the app registration. The app registration was updated via PATCH using a tenant-admin Graph token in the MSP tenant, and the role was directly granted in the Cascades tenant via POST. After clearing the token cache, the new token contained both roles and InvokeCommand returned 200 OK.
The investigation then pivoted to Alma Montt's mailbox, as she had reported not receiving email. The mailbox was confirmed active (she had logged in and interacted today at ~17:00 UTC). No forwarding, suspicious inbox rules, blocked senders, or transport rule blocks were found. MX records correctly point to EOP. Message trace returned zero results (likely a permissions gap with the reporting role rather than actual zero mail flow — her inbox had 29 items). Quarantine check returned Invalid Operation due to the same permissions gap. The most notable finding was `EmailAddressPolicyEnabled: False` and only one SMTP address on the mailbox — no onmicrosoft.com alias — suggesting manual provisioning that may have missed standard alias setup.
---
## Key Decisions
- **Added Exchange.ManageAsApp via Graph API rather than waiting for re-consent**: Mike had consented, but the permission wasn't in the app registration yet, so consent had no effect. PATCH to the app registration in the MSP tenant + POST grant in Cascades was cleaner and immediate.
- **Used tenant-admin tier for both the PATCH and the role grant**: Security Investigator app (investigator tier) doesn't have `AppRoleAssignment.ReadWrite.All`, so tenant-admin was required for the Cascades grant. MSP tenant-admin was required for the app registration PATCH.
- **Did not attempt to fix Alma's mailbox without a confirmed root cause**: Message trace and quarantine access failed due to permissions, leaving the specific missing email unidentified. Reported findings and left detailed EAC follow-up steps rather than guessing.
- **This fix needs to be applied to all other client tenants**: The app registration change is done (MSP tenant), but the `Exchange.ManageAsApp` app role grant must be done per-tenant. Other clients still only have `full_access_as_app`.
---
## Problems Encountered
- **EXO InvokeCommand returned 401**: App had `full_access_as_app` (EWS) but not `Exchange.ManageAsApp` (REST cmdlet API). Resolved by patching app registration and granting role directly via Graph.
- **Admin consent did not include Exchange.ManageAsApp**: Consent was granted before the permission was added to the app registration, so it had no effect. Resolved by programmatic grant using tenant-admin.
- **Get-MessageTraceV2 returned 0 results for all queries (including no-filter tenant-wide)**: Likely the SP lacks the `Compliance Management` or `View-Only Recipients` role needed for trace data access. Not resolved this session — flagged for follow-up.
- **Get-QuarantineMessage returned Invalid Operation**: Same permissions gap. Not resolved this session.
---
## Infrastructure & Credentials
### Cascades Tucson Tenant
- **Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **Domain:** `cascadestucson.com`
- **MX:** `cascadestucson-com.mail.protection.outlook.com` (EOP, correct)
- **Vault:** `clients/cascades-tucson/m365-admin.sops.yaml`
- **Admin UPN:** `admin@cascadestucson.com`
### MSP App — Security Investigator (updated this session)
- **App ID:** `bfbc12a4-f0dd-4e12-b06d-997e7271e10c`
- **App Object ID (MSP tenant):** `2ca484d4-5b38-4fa5-b8f7-08a70304a54d`
- **SP Object ID in Cascades:** `c64ee5c1-a607-46cb-81b8-42de3de98d48`
- **Vault:** `msp-tools/computerguru-security-investigator.sops.yaml`
- **Auth method used:** client_secret (cert also available)
### Exchange Online SP in Cascades
- **SP Object ID:** `072df88c-1f1f-4910-a9b2-b27144fde653`
- **Display Name:** Office 365 Exchange Online
### App Role IDs (Exchange Online resource `00000002-0000-0ff1-ce00-000000000000`)
| Role | ID |
|---|---|
| `full_access_as_app` (EWS) | `dc890d15-9560-4a4c-9b7f-a736ec74ec40` |
| `Exchange.ManageAsApp` (REST cmdlets) | `dc50a0fb-09a3-484d-be87-e023b12c6440` |
| `Exchange.ManageAsAppV2` | `ea3d980d-ebc7-4be4-8298-a167e5b8797c` |
---
## Commands Run
### Token acquisition
```bash
bash "$SKILL_DIR/scripts/get-token.sh" "207fa277-e9d8-4eb7-ada1-1064d2221498" "investigator-exo"
# Result: success, token TTL 55 min, cached at /tmp/remediation-tool/{tenant-id}/investigator-exo.jwt
```
### Patch app registration (MSP tenant)
```
PATCH https://graph.microsoft.com/v1.0/applications/2ca484d4-5b38-4fa5-b8f7-08a70304a54d
Authorization: Bearer <tenant-admin token for MSP tenant ce61461e-81a0-4c84-bb4a-7b354a9a356d>
Body: requiredResourceAccess with Exchange.ManageAsApp (dc50a0fb) added alongside existing full_access_as_app
Result: 204 No Content
```
### Grant role in Cascades
```
POST https://graph.microsoft.com/v1.0/servicePrincipals/072df88c-1f1f-4910-a9b2-b27144fde653/appRoleAssignedTo
Authorization: Bearer <tenant-admin token for Cascades>
Body: { principalId: c64ee5c1, resourceId: 072df88c, appRoleId: dc50a0fb }
Result: 201 Created — ComputerGuru - Security Investigator / Office 365 Exchange Online
```
### Confirmed working
```
POST https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/InvokeCommand
Body: { CmdletInput: { CmdletName: "Get-AcceptedDomain" } }
Result: 200 OK — cascadestucson.com returned
```
---
## Alma Montt Mailbox Findings
| Property | Value |
|---|---|
| PrimarySmtpAddress | `Alma.Montt@cascadestucson.com` |
| RecipientType | UserMailbox |
| EmailAddressPolicyEnabled | **False** (manually provisioned) |
| Email addresses | Only `Alma.Montt@cascadestucson.com` — no onmicrosoft alias |
| DeliverToMailboxAndForward | False |
| ForwardingAddress | None |
| LitigationHoldEnabled | False |
| HiddenFromAddressLists | False |
| LastLogonTime | 2026-05-20 17:01 UTC (today) |
| LastInteractionTime | 2026-05-20 17:17 UTC (today) |
| ItemCount | 128 |
| TotalSize | ~5MB |
| Inbox items | 29 |
| Junk Email items | 0 |
| Inbox rules | 1 (built-in Junk E-mail Rule only, no custom rules) |
| Hidden inbox rules | None |
| Blocked senders | None |
| TrustedListsOnly | False |
| Transport rules blocking | None (only rule: Fax Forward BCC) |
| Quarantine | Not checked — Get-QuarantineMessage returned Invalid Operation |
| Message trace (7d) | 0 results — SP likely needs Compliance Management role for trace data |
### What's known
Mail is reaching the mailbox — she logged in today and has 29 inbox items. No obvious delivery block found at EOP level.
### Likely next step
The missing email is probably specific (a particular sender or domain). Check via Exchange Admin Center:
- `https://admin.exchange.microsoft.com/#/messagetrace` → filter by recipient `Alma.Montt@cascadestucson.com` and the expected sender
- Check quarantine at `https://security.microsoft.com/quarantine` for her address
- Consider adding onmicrosoft alias via `Set-Mailbox -EmailAddresses @{Add="SMTP:alma.montt@cascadestucson.onmicrosoft.com"}` if senders may be using the old routing address
---
## Pending / Follow-Up
- [ ] **Apply Exchange.ManageAsApp grant to all other client tenants** — app registration updated, but each tenant needs the role granted individually. Can be done via `onboard-tenant.sh` or direct Graph POST per tenant.
- [ ] **Investigate Alma's specific missing email** — need to know which sender/domain she's not receiving from. Run targeted message trace in EAC or give SP the Compliance Management role for trace access.
- [ ] **Add Compliance Management or View-Only Recipients role to Security Investigator SP** in client tenants so message trace works via InvokeCommand.
- [ ] **Add onmicrosoft alias to Alma's mailbox** if confirmed she should have it (`EmailAddressPolicyEnabled: False` is unusual).
- [ ] **Update vault permissions list** for Security Investigator — vault entry currently lists `full_access_as_app (EXO)` but app now also has `Exchange.ManageAsApp`.
---
## Vault Paths Accessed
- `clients/cascades-tucson/m365-admin.sops.yaml`
- `msp-tools/computerguru-security-investigator.sops.yaml`
- `msp-tools/computerguru-tenant-admin.sops.yaml`

170
projects/discord-bot/DISCORD_CLAUDE.md Normal file
View File

@@ -0,0 +1,170 @@
# ClaudeTools Discord Bot — Operating Instructions
## What You Are
You are the ClaudeTools Discord Bot, running as a Windows service on BEAST (GURU-BEAST-ROG).
Working directory: `C:/Users/guru/ClaudeTools`
You are a fully capable Claude Code agent invoked by Discord messages. You complete tasks
autonomously and return results in a single turn. You are NOT the interactive coordinator
Claude — you have no back-and-forth loop.
---
## CRITICAL: No Interactive Interaction
**You are running inside a Discord bot. There is no mechanism for mid-task clarification.**
NEVER:
- Use AskUserQuestion or any interactive prompt
- Pause mid-task to ask "should I proceed?" or "which option?"
- Request confirmation before taking action
- Ask the user to supply information that is in the vault or derivable from context
ALWAYS:
- State any assumption you made at the top of your response, then proceed
- Complete the full task in one turn
- If a task is genuinely impossible (e.g., requires info that doesn't exist anywhere),
state why clearly and stop — do not ask what to do next
- Prefer doing something reasonable over asking what to do
---
## Who Is Asking: Discord User Identity
Every message is prefixed with a `[DISCORD_CONTEXT]` block containing the sender's Discord
username, display name, and user ID. Always read this block to determine who is asking.
### Known Team Members — Full Access
| Person | Discord Username | Notes |
|--------|-----------------|-------|
| Mike Swanson | (note on first interaction) | Owner, admin |
| Howard Enos | (note on first interaction) | Technician, full trust |
When a team member identifies themselves, note their Discord username in your session log
so future sessions can recognize them without re-introduction.
**Full access:** all tools, file operations, shell commands, git, M365 actions, vault reads,
service restarts, and all skills.
### Unknown Users — Restricted
Read-only and informational responses only. No file writes, no git operations, no system
changes, no M365 actions, no vault access. State clearly: "I can only provide informational
responses for unrecognized users."
---
## Vault Access
All credentials are in the SOPS vault. Use the vault wrapper — never hardcode paths:
```bash
VAULT="C:/Users/guru/ClaudeTools/.claude/scripts/vault.sh"
bash "$VAULT" search "keyword" # search without decrypting
bash "$VAULT" get-field <path> <field> # get one field
bash "$VAULT" get <path> # decrypt full entry
bash "$VAULT" list # list all entries
```
Vault structure:
- `msp-tools/` — MSP app credentials (remediation tool, CIPP, Syncro, etc.)
- `clients/` — Per-client M365, server, and device creds
- `infrastructure/` — Server, firewall, hosting creds
- `services/` — SaaS API keys
- `projects/` — Per-project credentials
**You can and should retrieve credentials from the vault directly.** Do not ask the user
for credentials that exist in the vault.
---
## Remediation Tool (/remediation-tool)
The remediation skill handles M365 investigation and gated remediation. It auto-triggers
for: "check X's mailbox", "breach check", "tenant sweep", "inbox rules", "credential
stuffing", "foreign sign-in", "risky user", "oauth consent".
### How to Use It Effectively From Discord
1. **Identify the client** from the request (e.g., "check Cascades Tucson" → client slug
`cascades-tucson`).
2. **Pull credentials from vault** before invoking the skill — do not wait for the skill
to ask:
- M365 tenant admin: `clients/<slug>/m365-admin.sops.yaml` or `m365.sops.yaml`
- MSP app certs (5 apps):
- `msp-tools/computerguru-security-investigator.sops.yaml`
- `msp-tools/computerguru-exchange-operator.sops.yaml`
- `msp-tools/computerguru-user-manager.sops.yaml`
- `msp-tools/computerguru-tenant-admin.sops.yaml`
- `msp-tools/computerguru-defender-addon.sops.yaml`
3. **Invoke the skill** with the tenant info and credential context already in hand.
4. **Report findings concisely** in Discord — use plain text, bullet points for findings,
code blocks for raw data. Keep it under 1800 chars per message when possible.
---
## Available Skills
| Skill | Trigger / Use |
|-------|--------------|
| `/remediation-tool` | M365 breach checks, tenant sweeps, mailbox audits |
| `/save` | Write session log + sync repo — run after EVERY completed task |
| `/sync` | Sync repo only, no log |
| `/context` | Search session logs for prior context |
| `/checkpoint` | Git commit + database checkpoint |
| `/syncro` | Syncro PSA ticket management |
---
## After Every Completed Task
Run `/save` at the end of every completed task. The session log should include:
- Who asked (Discord username + display name)
- What was requested
- What was done and the outcome
- Vault paths accessed (paths only, never credential values)
This creates an audit trail and keeps the repo in sync.
---
## Response Formatting for Discord
- Plain text, not heavy markdown — headers (`#`) do not render in Discord
- Use `**bold**` sparingly for key findings
- Use code blocks for commands, raw output, or structured data
- Keep individual messages under 1800 characters (the bot handles splitting, but shorter
is better)
- No emojis unless the user uses them first
- No filler phrases ("Great question!", "Certainly!", "I'd be happy to")
- State what you did, what you found, or what went wrong — nothing else
---
## Local Machine Rules (BEAST)
- Working directory: `C:/Users/guru/ClaudeTools`
- Full read access across the repo
- Write access for session logs, task files, and project work
- SSH uses `C:\Windows\System32\OpenSSH\ssh.exe` (never Git for Windows SSH)
- Python: use `py` not `python` or `python3`
- Do not modify `.claude/identity.json` or vault files
- Service management (NSSM, Windows services) requires explicit team-member request
---
## Updating These Instructions
This file lives at `projects/discord-bot/DISCORD_CLAUDE.md` in the ClaudeTools repo.
It can be updated by:
- Any Claude Code session with repo access (main session, this bot session, any machine)
- Direct Discord message from a team member: "update your instructions to..."
Changes take effect on the bot's next restart. To restart the bot service on BEAST:
```
nssm restart ClaudeToolsDiscordBot
```
After editing this file, commit and push via `/sync` or `/save`.

10
projects/discord-bot/bot/claude/client.py
View File

@@ -20,8 +20,14 @@ logger = logging.getLogger(__name__)
def _load_system_prompt() -> str:
claude_md = settings.claudetools_root / ".claude" / "CLAUDE.md"
return claude_md.read_text(encoding="utf-8")
prompt_path = settings.claudetools_root / settings.discord_system_prompt
if prompt_path.exists():
return prompt_path.read_text(encoding="utf-8")
logger.warning(
"[WARNING] Discord system prompt not found at %s — falling back to CLAUDE.md",
prompt_path,
)
return (settings.claudetools_root / ".claude" / "CLAUDE.md").read_text(encoding="utf-8")
class ThreadAgent:

8
projects/discord-bot/bot/config.py
View File

@@ -22,6 +22,14 @@ class Settings(BaseSettings):
description="Path to ClaudeTools repository (agent cwd)",
)
# Path to Discord-specific system prompt, relative to claudetools_root.
# Edit projects/discord-bot/DISCORD_CLAUDE.md to change bot behavior without
# touching the main CLAUDE.md. Changes take effect on next bot restart.
discord_system_prompt: Path = Field(
default=Path("projects/discord-bot/DISCORD_CLAUDE.md"),
description="System prompt for Discord bot sessions (relative to claudetools_root)",
)
log_level: str = Field(default="INFO", description="Logging level")
log_file: Optional[Path] = Field(default=Path("logs/bot.log"), description="Log file")

24
projects/discord-bot/bot/handlers/message_handler.py
View File

@@ -29,21 +29,37 @@ class MessageHandler:
if message.author == self.bot.user:
return
content = message.content
# Strip the bot mention to get the raw user text.
user_text = message.content
for mention in message.mentions:
if mention == self.bot.user:
content = content.replace(f"<@{mention.id}>", "").replace(
user_text = user_text.replace(f"<@{mention.id}>", "").replace(
f"<@!{mention.id}>", ""
).strip()
if not content and not message.attachments:
if not user_text and not message.attachments:
await message.reply("Hey! How can I help?")
return
# Build caller-identity header so the agent always knows who is asking.
author = message.author
display = getattr(author, "display_name", author.name)
guild_name = message.guild.name if message.guild else "DM"
channel_name = getattr(message.channel, "name", "unknown")
discord_ctx = (
"[DISCORD_CONTEXT]\n"
f"User: @{author.name}"
+ (f" (display: {display})" if display != author.name else "")
+ f" | ID: {author.id}\n"
f"Channel: #{channel_name} | Guild: {guild_name}\n"
"[/DISCORD_CONTEXT]\n\n"
)
content = (discord_ctx + user_text).strip()
if isinstance(message.channel, discord.Thread):
thread = message.channel
else:
name = self._thread_name(content) if content else "Attachment"
name = self._thread_name(user_text) if user_text else "Attachment"
thread = await message.create_thread(
name=name,
auto_archive_duration=1440,

2
projects/msp-tools/guru-rmm

Submodule projects/msp-tools/guru-rmm updated: 182d61e406...8404a3ce6b

550
session-logs/2026-05-20-session.md Normal file
View File

@@ -0,0 +1,550 @@
# Session Log -- 2026-05-20
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** 2026-05-20, afternoon
---
## Session Summary
This session focused entirely on the CryoWeave client website (cryoweave.com), a WordPress site hosted on the IX cPanel server (72.194.62.5). Work fell into three phases: site audit and immediate fixes, competitive/SEO research, and report delivery.
The session opened with a full browser-based audit of cryoweave.com across all pages: Home, About Us, Greg Schickling, Consulting, Designing & Manufacturing, Services, and Contact. Page text was extracted via browser automation and SEO meta tags were inspected via JavaScript. The most critical finding was a sitewide noindex/nofollow meta robots tag on every page -- a WordPress "Discourage search engines" setting that had been left enabled, making the entire site invisible to Google. Six typos were also identified across three pages.
Typo fixes were applied using WP-CLI via SSH (authenticated through PuTTY plink with the vault-stored root password and hostkey pinning). All six replacements were targeted to wp_posts using wp search-replace --precise scoped to specific surrounding strings to avoid false matches. The noindex issue was resolved with a single WP-CLI option update (blog_public 0 to 1). Both changes were verified live in the browser.
Competitive research was conducted via parallel web searches covering global cryogenic cable manufacturers, NASA/ESA-certified suppliers, handwoven ribbon cable specialists, and the emerging quantum computing cryogenic market. Key finding: fewer than 10 companies worldwide do what CryoWeave does, most are UK/European, and none combine handwoven construction + NASA dual-certification + small-batch willingness in the US. The quantum computing "wiring crisis" was identified as a significant untapped market -- scaling quantum computers require thousands of custom cryogenic connections per system, representing a $2.1B+ market in 2026 that CryoWeave's site makes zero reference to.
A detailed SEO and site strategy report was produced covering: competitive landscape, keyword strategy (primary/secondary/long-tail/emerging), site architecture recommendations, page-by-page title/meta/content changes, five new page outlines with full content structures, a technical SEO checklist, off-page/authority building recommendations, and a phased priority roadmap. The report was delivered as plain text opened in Notepad (%TEMP%\CryoWeave_SEO_Report.txt). Outlook COM automation was attempted but failed (process not running); M365 connector setup deferred to user.
---
## Key Decisions
- Targeted search-replace strings over bare word replacement -- Used specific surrounding context (e.g., "start our consolations with") rather than bare word to prevent unintended hits in serialized data. Scoped to wp_posts only.
- PuTTY plink over OpenSSH -- Standard OpenSSH password auth failed due to too many loaded keys in SSH agent. Switched to plink with explicit -hostkey fingerprint.
- WP-CLI over cPanel UI -- The cryoweave cPanel session was stuck on a forced password change screen. WP-CLI via SSH bypassed the UI entirely.
- WHM session token for cPanel access -- Used WHM create_user_session API to generate a one-time cPanel login URL. Redirected to forced-password-change page; led to WP-CLI fallback.
- Deferred "unnecessarily overpriced" phrasing -- Content judgment call, not a clear typo. Left for content refresh phase.
- Quantum computing identified as primary new market -- Based on $2.1B market size (2026), active demand from IBM/Google scaling, and total absence of competing content on CryoWeave's site.
- Notepad fallback for report delivery -- Outlook COM threw CO_E_SERVER_EXEC_FAILURE; Outlook was not running. M365 connector setup delegated to user.
---
## Problems Encountered
- OpenSSH auth failed -- "Too many authentication failures" on ssh root@172.16.3.10. Resolved via PuTTY plink with -hostkey SHA256:GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8.
- cPanel forced password change -- WHM session token worked but account had a forced password change flag; every cPanel URL redirected to /passwd/index.html?msg=forced. Resolved by bypassing cPanel and using WP-CLI directly.
- WP-CLI reported 16 replacements per fix -- Expected: WordPress stores post revisions in wp_posts. Each fix hit live post plus all historical revisions. Live pages verified correct.
- /designing URL is blank -- cryoweave.com/designing returns a blank page. Correct URL is /manufacturing/. Added to technical SEO checklist as pending 301 redirect.
- site:cryoweave.com returned no CryoWeave pages -- Confirmed noindex had been active long enough for Google to have zero pages indexed.
- Outlook COM automation failed -- New-Object -ComObject Outlook.Application threw CO_E_SERVER_EXEC_FAILURE (0x80080005). Outlook was not running. Report delivered via Notepad instead.
---
## Configuration Changes
- WordPress blog_public option on cryoweave.com -- Changed 0 to 1. Removes sitewide noindex/nofollow.
- WordPress wp_posts content -- Six search-replace operations:
- "start our consolations with" -> "start our consultations with" (About Us, page ID 46)
- "packaged it so arrives safe" -> "packaged it so it arrives safe" (About Us, page ID 46)
- "Our consolation and design" -> "Our consultation and design" (About Us, page ID 46)
- "and/or manufactures by hand" -> "and/or manufacture by hand" (About Us, page ID 46)
- "Consolations longer than" -> "Consultations longer than" (Consulting, page ID 80)
- "electro-mechanical devises" -> "electro-mechanical devices" (Greg Schickling, page ID 63)
- Session log created: session-logs/2026-05-20-session.md
---
## Credentials & Secrets
No new credentials created this session.
Used from vault:
- infrastructure/ix-server.sops.yaml -- root SSH credentials for 172.16.3.10
- SSH hostkey fingerprint (ed25519): SHA256:GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8
cPanel account details discovered:
- Domain: cryoweave.com
- cPanel username: cryoweave
- WordPress path: /home/cryoweave/public_html
- WordPress version: 6.1.10 (outdated -- current is 6.7+)
- PHP version: 8.1.34 (via ea-php81)
- cPanel account email: greg@cryoweave.com
- Account has forced password change flag active (blocks cPanel UI via session tokens)
---
## Infrastructure & Servers
IX cPanel server (LAN): 172.16.3.10
IX cPanel server (WAN): 72.194.62.5
WHM URL: https://ix.azcomputerguru.com:2087 / http://72.194.62.5:2086
cPanel version: 134.0.28
OS: CloudLinux v9.7.0
SSH hostkey (ed25519): SHA256:GZYP/o5XUoRtFRCv1iGjxmqGfQoEsMuiNQBJucoJUh8
CryoWeave WP path: /home/cryoweave/public_html
CryoWeave site: https://cryoweave.com
CryoWeave contact: greg@cryoweave.com / (520) 347-8440
CryoWeave address: 7437 E 22nd Tucson AZ 85710
---
## Commands & Outputs
Find cryoweave cPanel username:
plink -ssh -l root -pw "<vault>" -hostkey "SHA256:GZYP/..." 172.16.3.10 "grep -i cryoweave /etc/userdatadomains"
-> cryoweave.com: cryoweave==root==main==cryoweave.com==/home/cryoweave/public_html==...
List WordPress pages:
wp --allow-root --path=/home/cryoweave/public_html post list --post_type=page --fields=ID,post_title,post_status --format=table
-> About Us=46, Consulting=80, Greg Schickling=63, Services=70, Designing & Manufacturing=82, Contact=87
Verify and fix noindex:
wp --allow-root --path=/home/cryoweave/public_html option get blog_public -> 0
wp --allow-root --path=/home/cryoweave/public_html option update blog_public 1
-> Success: Updated 'blog_public' option.
Typo fix pattern (all 6 used same approach):
wp --allow-root --path=/home/cryoweave/public_html search-replace 'start our consolations with' 'start our consultations with' wp_posts --precise --report-changed-only
-> 16 replacements (live post + revisions, expected)
WHM API: generate cPanel session:
GET /cpsess<token>/json-api/create_user_session?api.version=1&user=cryoweave&service=cpaneld
-> Returned session URL; redirected to forced password change page
Post-fix robots meta verification (JS in browser):
document.querySelector('meta[name=robots]')?.content
Before: "noindex, nofollow"
After: "max-image-preview:large" (WP default, indexing now allowed)
---
## Pending / Incomplete Tasks
Phase 1 -- Foundation (highest ROI, do first):
[ ] Install Yoast SEO or RankMath plugin on cryoweave.com
[ ] Set unique title + meta description on every existing page (templates in report)
[ ] Submit sitemap to Google Search Console (create GSC account first)
[ ] Create and verify Google Business Profile for CryoWeave
[ ] Fix broken contact form (currently "undergoing maintenance")
Immediate technical:
[ ] Add 301 redirect: /designing -> /manufacturing/
[ ] Fix cryoweave cPanel forced password change flag
Phase 2 -- Content:
[ ] Build /cryogenic-cable-assembly/ landing page (outline in report)
[ ] Expand /manufacturing/ page (needs wire materials, temp range, ordering info)
Phase 3 -- New market pages:
[ ] /applications/quantum-computing-cables/
[ ] /nasa-certified/
[ ] /applications/space-cryogenic-cables/
[ ] /applications/scientific-instruments/
Phase 4 -- Authority:
[ ] Claim/correct ZoomInfo, Manta, BuzzFile, HigherGov listings
[ ] Add SAM.gov registration mention to site
[ ] University physics department supplier directory outreach
Phase 5 -- Maintenance:
[ ] WordPress update 6.1.10 -> 6.7+ (test staging first)
[ ] Image alt text audit
[ ] Google PageSpeed Insights review
Deferred:
[ ] Outlook email delivery of report -- requires M365 connector setup by user
[ ] "Unnecessarily overpriced" phrasing on Greg Schickling page
---
## Reference Information
CryoWeave WordPress page IDs:
About Us: 46 | Greg Schickling: 63 | Services: 70
Consulting: 80 | Designing & Manufacturing: 82 | Contact: 87
Competitors researched:
https://www.tekdatainterconnections.co.uk -- Tekdata/Cryoconnect (UK, closest competitor)
https://www.alpha3manufacturing.com -- Alpha3 Manufacturing (Tekdata parent)
http://www.cmr-direct.com -- CMR-Direct Cryoloom (raw loom supplier)
https://www.iceoxford.com -- ICE Oxford (UK, cryostat equipment)
https://www.meritec.com -- Meritec (Ohio, US)
https://starcryo.com -- STAR Cryoelectronics (New Mexico)
https://cryocoax.com -- CryoCoax/Intelliconnect (UK, RF coax only)
Market data:
Cryogenic cables market 2026: $2.148B -> $3.241B by 2035 (4.5% CAGR)
Quantum cryogenic system market 2024: $1.332B -> $1.715B by 2031 (7.4% CAGR)
Source: https://www.globenewswire.com/news-release/2026/02/23/3242363/
CryoWeave government contracting:
SAM.gov: UEI KWLXSZCJSQ17, CAGE 9LGQ4
Federal award on file: September 5, 2024
https://www.highergov.com/awardee/cryoweave-llc-476051844/
https://opengovus.com/sam-entity/081228946
M365 connector setup:
https://support.claude.com/en/articles/12542951-enable-and-use-the-microsoft-365-connector
Report delivered to:
C:\Users\guru\AppData\Local\Temp\CryoWeave_SEO_Report.txt (Notepad, local only)
---
## Update: Afternoon — Rob Activity Audit & Server Security
### Session Summary
This session was a two-track investigation into Rob's (employee) server activity and productivity validation on IX (172.16.3.10) and websvr (websvr.acghosting.com). The driving question: how much work is Rob actually doing, and can it be validated against server-side evidence rather than his Syncro ticket claims.
WHM access_log was analyzed for external root sessions not attributable to Mike. Three non-Mike root access vectors confirmed: 97.181.171.114 (Verizon Wireless AZ, March 2, 2026 — DNS Zone Editor, mass_edit_dns_zone), 74.244.177.66 (Starlink Phoenix, April 21, 2026 — DNS Zone Editor + graceful_reboot_landing/server reboot), and 174.234.68.59 (Verizon Wireless NV, December 2025 — two SSH root terminal sessions 2+ hours each). All three attributed to Rob. The arizonawebsitedesign.pro account was cleaned of a Duplicator installer (installer.php, Sep 2022), ALFA web shell framework remnant under .well-known/pki-validation/ALFA_DATA/, and two zero-byte PHP files.
WordPress session_tokens were queried across all Rob-associated admin accounts. Rob's `rob@azcomputerguru.com` guruadmin accounts remain active on 25+ client sites; last confirmed Rob-IP sessions from Cox 69.136.118.50 through May 2025. Recent sessions showing Mike's Comcast IP 76.18.103.222 were initially flagged as anomalous but Mike confirmed Rob has legitimate Tailscale access — his traffic exits through Mike's LAN. Rob also has a `magus/info@maguspressworks.com` identity (maguspressworks.com, registered April 2024) with admin on hightechmortgage_maindb, nwpool_db, nwpool_maindb, packetdial_2022 — all added October 20, 2025.
Productivity validation cross-referenced login timestamps against actual server-side evidence. WordPress post revisions confirmed real content work on hightechmortgage only (April 6, 2026: User Registration page edited/published, htm_user_class entries by magus). All other recent sessions (acepickupparts May 6, nwpool May 12, packetdial May 18-19, thrive May 2025) showed no post revisions or only an auto-draft. Rob's automation scripts in /root were inventoried — six scripts written and run once on January 13, 2026, plus scan_smart_slider.sh added April 11, 2026 in response to Smart Slider 3 Pro CVE. None are cron-scheduled.
SSH authorized_keys audited on both servers. A GoDaddy infrastructure key (root@224.235.109.208.host.secureserver.net) was found in IX root authorized_keys with no justification and was removed. websvr has a `rob` cPanel account with an empty crontab. Session ended with a discussion of non-root access architecture (WHM reseller + sudo-restricted SSH) for Rob. Mike has a meeting with Rob on 2026-05-21 to discuss productivity; outcome will be either implementing the reseller scheme or full lockout.
### Key Decisions
- **Tailscale exit node explains 76.18.103.222 sessions** — initially treated as anomalous. Mike confirmed Rob has Tailscale network access. Traffic egresses through Mike's LAN. No security incident.
- **GoDaddy key removed immediately** — no documented justification for external root SSH trust from GoDaddy infrastructure. Removed same session; backup retained on server.
- **Post revisions as primary work evidence** — reliable because they are created by the editing user with a timestamp. Filesystem mtimes not used due to noise from automated processes.
- **Automation scripts assessed as one-time work** — all report outputs dated January 13, 2026 only. Not scheduled, not maintained.
- **Discord IP pull ruled out** — Discord does not expose member IPs to server admins. Not viable without legal process.
### Problems Encountered
- **Collation mismatch on UNION query** — UNION ALL across multiple WordPress databases failed: `ERROR 1271 (HY000): Illegal mix of collations`. Resolved by running per-database queries instead.
- **plink batch mode rejected hostkeys** — Both IX and websvr failed with `FATAL ERROR: Cannot confirm a host key in batch mode`. Resolved by adding `-hostkey <fingerprint>` to all commands.
### Configuration Changes
- **Removed** GoDaddy SSH key from `/root/.ssh/authorized_keys` on 172.16.3.10
- Key: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2RXPvnQjdn/hvLtzqiFibKEfcYZviwZIgr26VyVdMT root@224.235.109.208.host.secureserver.net`
- Backup: `/root/.ssh/authorized_keys.bak.20260520` on IX
- **Removed** from `/home/azwebdesign/public_html/` on IX:
- `installer.php` (75KB Duplicator installer, Sep 2022)
- `dup-installer-bootlog__970a9a6-14174455.txt`
- `.well-known/pki-validation/ALFA_DATA/` directory
- `.well-known/pki-validation/marijuan.php` (0 bytes)
- `.well-known/pki-validation/0r.php` (0 bytes)
### Infrastructure
- **websvr.acghosting.com** — 162.248.93.81, CentOS 7, WHM/cPanel, SSH hostkey: `SHA256:qcaW8BWq5UyM0l0g6DS9JfYbMZN/LTXLs3BIEZV8BE0`
- **websvr root password:** `[3H+_f.Yh4c0>@egH[6L!?u]S3s[9C82` — vault: `infrastructure/websvr-legacy-hosting.sops.yaml`
### Rob's Identity and Access Profile
- **Primary:** `rob@azcomputerguru.com` — guruadmin on 25+ WP client sites (batch-created 2020-03-17)
- **Secondary:** `magus / info@maguspressworks.com` — admin on hightechmortgage, nwpool (x2), packetdial_2022 (added 2025-10-20)
- **Business:** maguspressworks.com — Namecheap, registered 2024-04-12, updated 2026-03-14, privacy protected
- **Cox IP:** 69.136.118.50 — last Rob session May 20, 2025
- **Verizon mobile:** 97.181.171.114 (WHM Mar 2026), 174.234.68.59 (SSH Dec 2025)
- **Starlink Phoenix:** 74.244.177.66 (WHM Apr 2026)
- **Via Tailscale/Mike's LAN:** 76.18.103.222 — multiple WP sessions 2025-2026
### Rob's Automation Scripts (IX /root/)
All scripts run once only. Not cron-scheduled.
| Script | Purpose | Last Modified |
|---|---|---|
| `/root/scan_sites.sh` | Error logs, PHP memory errors, WP DB list | 2026-01-13 11:31 |
| `/root/check_dbs.sh` | DB bloat per site | 2026-01-13 11:32 |
| `/root/cleanup_error_logs.sh` | Truncate error logs for ~11 domains | 2026-01-13 20:01 |
| `/root/cleanup_wordfence.sh` | TRUNCATE Wordfence tables across all DBs | 2026-01-13 20:09 |
| `/root/generate_security_performance_report.sh` | Full IX security/perf audit | 2026-01-13 20:12 |
| `/root/scan_smart_slider.sh` | Smart Slider 3 Pro CVE scanner | 2026-04-11 05:09 |
| `/root/URGENT_SITE_ISSUES.txt` | Jan 13 scan findings (3.4KB) — not yet read | 2026-01-13 11:33 |
| `/root/IX_SECURITY_PERFORMANCE_REPORT_2026-01-13.txt` | Full report (37KB) — not yet read | 2026-01-13 20:16 |
### WordPress Last Login Summary (Rob Accounts)
| Database | Account | Last Login (UTC) | IP |
|---|---|---|---|
| cryoweave_maindb | guruadmin | 2023-03-17 16:06 | 70.162.90.195 |
| thrive_maindb | guruadmin | 2025-05-20 21:02 | 69.136.118.50 (Rob's Cox) |
| drsticken_maindb | guruadmin | 2024-05-31 19:42 | 69.136.118.50 |
| compoundfitness_maindb | guruadmin | 2024-05-22 20:30 | 69.136.118.50 |
| bruceext_maindb | guru | 2024-06-06 16:59 | 69.136.118.50 |
| blackswanarchery_maindb | guruadmin | 2025-07-24 17:27 | 76.18.103.222 (Tailscale) |
| acepickupparts_maindb | guruadmin | 2026-05-06 17:15 | 76.18.103.222 (Tailscale) |
| peacefulspirit_wp24 | guruadmin | 2026-05-09 04:24 | 76.18.103.222 (Tailscale) |
| hightechmortgage_maindb | magus | 2026-04-06 19:46 | 76.18.103.222 (Tailscale) |
| nwpool_maindb | magus | 2025-12-08 15:27 | 127.0.0.1 (server-side) |
| nwpool_db | magus | 2026-05-12 03:45 | 76.18.103.222 (Tailscale) |
| packetdial_2022 | magus | 2026-05-18 14:18 | 76.18.103.222 (Tailscale) |
| packetdial_2022 | magus | 2026-05-19 21:39 | 76.18.103.222 (Tailscale) |
### WordPress Content Confirmed vs. Login Events
| Site | Session Date | Work Found | User | Detail |
|---|---|---|---|---|
| hightechmortgage | 2026-04-06 | Yes | magus | Published "User Registration" page, htm_user_class (Client/Investor) entries |
| packetdial | 2026-05-18 | Minimal | magus | Auto-draft only + automated URL metrics update |
| peacefulspirit | 2026-05-09 | Other user | mara | "Meet The Staff" revised by `mara`, not Rob |
| acepickupparts | 2026-05-06 | None | — | Login, no post revisions |
| nwpool | 2026-05-12 | None | — | Login, no post revisions |
| thrive | 2025-05-20 | None | — | Login, no post revisions |
### IX SSH Authorized Keys (Post-Cleanup, 10 keys)
Rotating cPanel keys (4), azcomputerguru@local, claude-code, claude-code@localadmin, root@websvr.acghosting.com, guru@wsl, root@Jupiter.
Removed: `root@224.235.109.208.host.secureserver.net` (GoDaddy).
### Pending — 2026-05-21 Rob Meeting
Two outcomes:
**Option A — Continue employment / implement tracked access:**
1. Create WHM reseller account for Rob on IX (and websvr)
2. Grant ACL-based WHM privileges (DNS editor, WP Toolkit, assigned client accounts)
3. Create system user `rob` + `/etc/sudoers.d/rob` restricting SSH commands
4. Remove Rob's root-level WHM/SSH access
5. Assign specific client cPanel accounts to his reseller ownership
**Option B — Termination / lockout:**
1. Change root WHM password on IX and websvr
2. Remove Rob's Tailscale node
3. Disable guruadmin (rob@azcomputerguru.com) on all 25+ client WP sites
4. Disable magus (maguspressworks.com) on hightechmortgage, nwpool (x2), packetdial
5. Revoke any remaining API tokens or remote access tools
### Still Not Investigated
- `/root/URGENT_SITE_ISSUES.txt` — Rob's Jan 13, 2026 findings (3.4KB)
- `/root/IX_SECURITY_PERFORMANCE_REPORT_2026-01-13.txt` — full server report (37KB)
- DNS records Rob modified in March 2 and April 21 WHM sessions — what zones/records changed
- Reason for April 21 server reboot (graceful_reboot_landing) — authorized?
---
## Update: Evening — arizonahatters Wordfence Fix
### Summary
Rob's January 13, 2026 `URGENT_SITE_ISSUES.txt` identified arizonahatters as a critical issue: 468MB error_log, 429 PHP memory errors, and Wordfence table bloat. Rob had been partially credited for flagging this but the fix was never confirmed complete. Audited and fully resolved this session.
**Wordfence config before fix:** `scheduledScansEnabled=1`, `scansEnabled_malware=1`, `scansEnabled_fileScanner` not set (defaulting on). Full background scans running on a resource-constrained shared hosting account, accumulating bloat indefinitely.
**Actions taken:**
1. Disabled all Wordfence scanning in `arizonahatters_maindb.wp_wfconfig`:
- `scheduledScansEnabled` → 0
- `scansEnabled_malware` → 0
- Inserted `scansEnabled_fileScanner` → 0 (was absent, defaulting on)
2. Truncated large scan-data tables:
- `wp_wffilemods`: 11.52MB → 0.02MB
- `wp_wfknownfilelist`: 5.52MB → 0.02MB
3. Deleted stale log entries:
- `wp_wflogins`: deleted rows older than 90 days
- `wp_wfhits`: deleted rows older than 30 days
- `wp_wfblocks7`: deleted expired blocks
4. Ran `OPTIMIZE TABLE` on all five Wordfence tables
5. Cleared `/home/arizonahatters/public_html/error_log` (was 76K, 340 PHP memory errors)
**Result:** Total DB reduced from 32.24MB → 13.45MB. Wordfence real-time firewall and login protection remain active — only scheduled background scanning disabled.
**peacefulspirit confirmed fixed:** Rob's cleanup_wordfence.sh (Jan 13) had truncated WPML mails and Gravity Forms tables. Verified: wp_wpml_mails 156MB → 1.6MB, total DB ~310MB → ~100MB. That one Rob did follow through on.
### Configuration Changes
- `arizonahatters_maindb.wp_wfconfig``scheduledScansEnabled` = 0, `scansEnabled_malware` = 0, `scansEnabled_fileScanner` = 0 (inserted)
- `arizonahatters_maindb.wp_wffilemods` — TRUNCATED (11.52MB → 0.02MB)
- `arizonahatters_maindb.wp_wfknownfilelist` — TRUNCATED (5.52MB → 0.02MB)
- `arizonahatters_maindb.wp_wflogins` — deleted entries older than 90 days
- `arizonahatters_maindb.wp_wfhits` — deleted entries older than 30 days
- `arizonahatters_maindb.wp_wfblocks7` — deleted expired blocks
- All five tables: OPTIMIZE TABLE applied
- `/home/arizonahatters/public_html/error_log` — cleared (340 PHP memory exhaustion errors)
### Infrastructure
- arizonahatters cPanel account: `arizonahatters` on IX (172.16.3.10)
- WP DB: `arizonahatters_maindb`
- WP path: `/home/arizonahatters/public_html`
---
## Update: Late Evening — azcomputerguru.com Full SEO Audit & Fixes
### Session Summary
Performed a comprehensive SEO audit and implemented all automatable fixes on azcomputerguru.com (WordPress 6.9.4, IX server 172.16.3.10, Cloudflare Pro zone `1beb9917c22b54be32e5215df2c227ce`). Work divided into: server-side file edits, WordPress option/meta updates, and Cloudflare edge rule creation.
**Audit findings (abridged):** Homepage title was "Home Arizona Computer Guru" (generic); no meta description; logo link pointed to dev.computerguru.me; 5 images in footer referenced dev.computerguru.me URLs with no alt text; LocalBusiness schema absent; footer widget titles used H2 inflating heading hierarchy; duplicate CSS enqueue block; 4 canonical URLs returning 404 or redirecting via Apache only (blocked by Cloudflare WAF before reaching Apache); media library images missing alt text on 10 attachments.
**Server-side fixes (via SSH plink):**
- `header.php` — Fixed logo href from dev.computerguru.me to https://azcomputerguru.com/, added alt text to logo img
- `footer.php` — Replaced all 5 dev.computerguru.me image paths with production URLs, added descriptive alt text to all social/footer icons
- `functions.php` — Removed duplicate CSS enqueue block (lines 255-263), changed footer sidebar widget titles from H2 to H3, added `remove_action('wp_head','wp_generator')`, appended full `acg_localbusiness_schema()` function with LocalBusiness+ProfessionalService JSON-LD
- `.htaccess` — Added Apache-level 301 redirects for /services/, /about/, /blog/, /website-services/ (backup: .htaccess.bak-seo-20260520)
**WordPress DB updates (via WP-CLI):**
- `autodescription-site-settings` option — homepage_title: "Arizona Computer Guru | Managed IT Services Tucson AZ", homepage_description set (159 chars), homepage_tagline disabled
- Page ID 297 (`/tucson-seo/`) — `_genesis_description` meta set
- Media alt text — `_wp_attachment_image_alt` set on 10 attachment IDs: 1162, 20, 23, 24, 37, 1167, 1163, 1166, 1164, 1165
- Post 17 content — added alt text to gurucube and divider inline images
**Cloudflare edge redirects (Page Rules API):**
4 Page Rules created to redirect at the Cloudflare edge (before WAF bot checks reach Apache):
- `azcomputerguru.com/services*` → https://azcomputerguru.com/business-it-services-tucson/ [301]
- `azcomputerguru.com/about*` → https://azcomputerguru.com/history-of-arizona-computer-guru/ [301]
- `azcomputerguru.com/blog*` → https://azcomputerguru.com/category/blog/ [301]
- `azcomputerguru.com/website-services*` → https://azcomputerguru.com/tucson/web-services-for-tucson-businesses/ [301]
All 4 verified live returning HTTP 301 with browser user agent.
### Key Decisions
- **Cloudflare Page Rules over Transform Rules** — `http_request_dynamic_redirect` phase writes failed on all 3 stored tokens (none have Transform Rules Edit permission). Page Rules API worked with `api_token_full_dns`. Functionally equivalent for forwarding rules.
- **LocalBusiness schema via functions.php hook** — The SEO Framework (autodescription) v5.1.4 doesn't generate LocalBusiness schema. Added custom PHP at `wp_head` priority 5 to emit JSON-LD without a plugin.
- **Footer H2 → H3 only for footer sidebar** — Multiple sidebars registered in functions.php all used H2 for widget titles. Only changed the `footer` sidebar (last registration, `id='footer'`). Content-area sidebars left at H2 to avoid regressions on page sidebars.
- **TSF stores homepage SEO in option, not post meta** — `_genesis_title` / `_genesis_description` on post ID (homepage) are ignored by TSF v5+. Updated via `update_option('autodescription-site-settings', ...)`.
### Problems Encountered
- **Cloudflare Transform Rules permission denied** — Three tokens tried: `api_token_full_account`, `api_token_full_dns`, `api_token_legacy`. All failed on `PUT .../phases/http_request_dynamic_redirect/entrypoint`. Resolved by using Page Rules API instead.
- **Bot Fight Mode blocking curl test** — 301 redirects looked like 403s until a browser User-Agent was added to curl. Not an actual error — Cloudflare correctly redirects real browsers.
- **TSF homepage SEO not stored as post meta** — First attempted `wp post meta update 2 _genesis_title ...` per page SEO pattern. No effect on homepage title. Resolved by reading TSF source and updating the `autodescription-site-settings` option directly.
- **Apostrophe in WP-CLI shell arg** — `Tucson's` in description broke bash single-quote heredoc. Rewrote description without apostrophe.
### Configuration Changes
**IX server — azcomputerguru WP theme files (backups: *.bak-seo-20260520):**
- `/home/azcomputerguru/public_html/wp-content/themes/arizonacomputerguru/header.php` — logo link + alt
- `/home/azcomputerguru/public_html/wp-content/themes/arizonacomputerguru/footer.php` — all image URLs + alt text
- `/home/azcomputerguru/public_html/wp-content/themes/arizonacomputerguru/functions.php` — dedup CSS, H3 widgets, schema function
- `/home/azcomputerguru/public_html/.htaccess` — 4 Apache 301 redirects
**WordPress DB (azcomputerguru_maindb):**
- `wp_options.autodescription-site-settings` — homepage title + description
- `wp_postmeta``_genesis_description` on page 297, `_wp_attachment_image_alt` on 10 attachments, alt text on post 17 inline images
**Cloudflare (zone 1beb9917c22b54be32e5215df2c227ce):**
- Page Rule `7060e99901a3e4a09b3fc9c2e5156d05` — /services* → /business-it-services-tucson/ [301]
- Page Rule `84ea14b8d3fe2983b75267337602924a` — /about* → /history-of-arizona-computer-guru/ [301]
- Page Rule `fb1a7c5189bf9c1c2a356c438f4eccdc` — /blog* → /category/blog/ [301]
- Page Rule `a9c1964c60bb2b53d65f3955c7427691` — /website-services* → /tucson/web-services-for-tucson-businesses/ [301]
### Pending / Incomplete Tasks
- **Slider Revolution duplicate H1** — Two H1 tags in homepage slider layers; one has concatenation bug "ServicesDesign" (no space). Must be fixed via WP Admin → Slider Revolution. Cannot be automated.
- **Social icon hrefs** — Footer social icons still use `href="#"` placeholder. Need actual ACG social profile URLs.
- **Street address in LocalBusiness schema** — Only city/state currently; full postal address improves Knowledge Panel accuracy.
- **Generator tag suppression** — Slider Revolution, Site Kit, performance-lab plugins still outputting `<meta name="generator">`. Would require per-plugin suppression hooks.
- **Google Search Console** — No GSC property confirmed; sitemap submission pending.
### Infrastructure
- azcomputerguru.com WP path: `/home/azcomputerguru/public_html`
- Theme path: `/home/azcomputerguru/public_html/wp-content/themes/arizonacomputerguru/`
- SEO Plugin: The SEO Framework (autodescription) v5.1.4
- Cloudflare zone ID: `1beb9917c22b54be32e5215df2c227ce`
- Cloudflare account ID: `44594c346617d918bd3302a00b07e122`
---
## Update: 09:01 PT — LocalBusiness Schema Street Address
Added `streetAddress` and `postalCode` to the LocalBusiness JSON-LD schema in `functions.php`. The PostalAddress block previously had only city/state/country.
**Change:** `sed -i` insert on IX via plink — added two lines after existing PostalAddress fields:
- `'streetAddress' => '7437 E 22nd St'`
- `'postalCode' => '85710'`
Verified live: `curl https://azcomputerguru.com/` → ld+json block 1 (`@type: LocalBusiness`) shows full address object with all 5 fields correct.
**Pending after this session:**
- Slider Revolution duplicate H1 (WP Admin GUI only — two H1 layers in homepage slider, one has "ServicesDesign" concatenation bug)
- Footer social icon hrefs (still `href="#"` — need ACG social profile URLs from Mike)
- Google Search Console property + sitemap submission
---
## Update: 10:50 PT — Discord Bot Enhancements + Cascades Tucson Canva Remediation
### Session Summary
This update covers two distinct tasks: (1) Discord bot architecture improvements, and (2) a client email delivery investigation and remediation for Cascades Tucson.
**Discord Bot Enhancements:** Three files were modified to give the Discord bot its own behavioral ruleset, user identity awareness, and vault-guided remediation access. A new DISCORD_CLAUDE.md system prompt was created at projects/discord-bot/DISCORD_CLAUDE.md and wired into bot/config.py via a new discord_system_prompt setting. The prompt enforces no-interactive rules, defines known team members with full access vs. unknown users read-only, provides vault path guidance for all five MSP app certs, and instructs the bot to run /save after every completed task. In bot/claude/client.py, _load_system_prompt() was updated to load DISCORD_CLAUDE.md with a fallback to CLAUDE.md. In bot/handlers/message_handler.py, a [DISCORD_CONTEXT] block was injected before every message so the agent always knows who is asking.
**Cascades Tucson - Canva Email Delivery Investigation:** Alma Montt (alma.montt@cascadestucson.com) reported not receiving emails from Canva (team invite sent by Crystal Rodriguez). Investigation used Graph API (investigator tier) and EXO REST API (exchange-op tier). Alma's mailbox is brand-new (first email May 19, 2026). No quarantined messages found. No inbox rules. Junk folder empty. MX record correct. Root cause: new mailbox provisioning race -- the Canva invite was sent before/immediately after provisioning, dropped at SMTP layer before EOP. Contributing factor: Standard Preset Security Policy active since April 17 with HighConfidenceSpamAction: Quarantine and BulkThreshold: 6, which would catch Canva invite emails via Amazon SES on any future invite.
Three remediations applied: (1) Default anti-spam policy AllowedSenderDomains -- canva.com, mail.canva.com, engage.canva.com added; (2) Standard Preset Security Policy -- same domains added (MS warning: preset may be overridden by Microsoft); (3) Alma mailbox TrustedSendersAndDomains -- all three Canva domains added. Historical search job (21325332-a2a1-49c0-abb8-d0c6b88c7b0f) submitted, results to admin@cascadestucson.com. Action required: Crystal Rodriguez must resend the Canva team invite to alma.montt@cascadestucson.com.
### Key Decisions
- Separate DISCORD_CLAUDE.md from CLAUDE.md -- Discord needs no-interactivity and restricted user model rules that would conflict with interactive session posture
- Inject [DISCORD_CONTEXT] at message handler layer -- ensures every message carries identity regardless of system prompt evolution
- Track user_text separately before prepending context block -- prevents context block from affecting thread naming or empty-content detection
- AllowedSenderDomains added to both Default and Standard Preset policies -- preset is active but Default is fallback; both needed
- Historical search submitted for audit trail -- covers edge case where message was dropped pre-EOP
- Used InvokeCommand endpoint for EXO cmdlets -- direct resource endpoints (HostedContentFilterPolicy, TransportRule, QuarantineMessage) not available in /adminapi/beta/
### Problems Encountered
- EXO REST API direct resource endpoints missing for key objects (HostedContentFilterPolicy, TransportRule, QuarantineMessage) -- resolved via InvokeCommand endpoint that wraps EXO PowerShell cmdlets
- Get-QuarantineMessage required RecipientAddress as #Collection(String) not plain string -- fixed with @odata.type annotation
- HostedContentFilterPolicyPresentation is read-only (PATCH failed) -- InvokeCommand + Set-HostedContentFilterPolicy was the correct path
- message_handler.py empty content check was broken (evaluated against full content after discord_ctx prepend) -- fixed by tracking user_text before context injection
### Configuration Changes
Created:
- projects/discord-bot/DISCORD_CLAUDE.md (Discord-specific system prompt)
- clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md (investigation report)
Modified:
- projects/discord-bot/bot/config.py (added discord_system_prompt Path field)
- projects/discord-bot/bot/claude/client.py (updated _load_system_prompt() to load DISCORD_CLAUDE.md)
- projects/discord-bot/bot/handlers/message_handler.py (added [DISCORD_CONTEXT] injection, fixed empty-content check)
### Credentials & Secrets
Vault paths accessed (no new credentials):
- clients/cascades-tucson/m365-admin.sops.yaml -- admin@cascadestucson.com, tenant 207fa277-e9d8-4eb7-ada1-1064d2221498
- msp-tools/computerguru-security-investigator.sops.yaml
- msp-tools/computerguru-exchange-operator.sops.yaml (InvokeCommand write ops)
- msp-tools/computerguru-defender-addon.sops.yaml (TABL write not available)
- msp-tools/computerguru-tenant-admin.sops.yaml
### Infrastructure & Servers
- Cascades Tucson tenant: cascadestucson.com | 207fa277-e9d8-4eb7-ada1-1064d2221498
- EXO REST API: https://outlook.office365.com/adminapi/beta/207fa277-e9d8-4eb7-ada1-1064d2221498/
- Token cache: /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/{tier}.jwt
### Commands & Outputs
InvokeCommand: Get-HostedContentFilterPolicy "Default"
Result: AllowedSenderDomains: ["canva.com", "mail.canva.com", "engage.canva.com"]
InvokeCommand: Get-MailboxJunkEmailConfiguration "Alma.Montt@cascadestucson.com"
Result: TrustedSendersAndDomains: ["canva.com", "mail.canva.com", "engage.canva.com"], Enabled: true
InvokeCommand: Get-QuarantineMessage (RecipientAddress array)
Result: 0 messages
Historical search: 21325332-a2a1-49c0-abb8-d0c6b88c7b0f (results to admin@cascadestucson.com)
### Pending / Incomplete Tasks
- Crystal to resend Canva invite to alma.montt@cascadestucson.com (cannot automate)
- Discord bot NSSM restart on BEAST: nssm restart ClaudeToolsDiscordBot
- Note Mike and Howard Discord usernames in DISCORD_CLAUDE.md after first bot interaction
- Standard Preset AllowedSenderDomains may revert (MS-managed preset) -- if Canva breaks again, add to TABL via ThreatSubmission.ReadWrite.All scope (not currently in any app)
- CryoWeave: Slider Revolution H1 fix, footer social icons, GSC property + sitemap
### Reference Information
- Report: clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md
- Discord prompt: projects/discord-bot/DISCORD_CLAUDE.md
- EXO InvokeCommand: POST /adminapi/beta/{tenant}/InvokeCommand
- Historical search job: GET /adminapi/beta/{tenant}/HistoricalSearch('21325332-a2a1-49c0-abb8-d0c6b88c7b0f')