---
type: client
name: rednour
display_name: Rednour Law Offices
last_compiled: 2026-06-02
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
  - clients/rednour/reports/2026-06-01-carla-password-set.md
  - clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
  - clients/rednour/session-logs/2026-06-02-session.md
  - session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md
  - clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md
  - clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md
  - clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
---

# Rednour Law Offices

## Profile

- **Business type:** Law firm (Arizona)
- **Syncro Customer ID:** 1224246
- **Billing model:** Time and materials [billing rate unverified — not stated in session logs]
- **Contract status:** Active MSP client
- **Primary ticket:** Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Resolved.
  URL: https://computerguru.syncromsp.com/tickets/111409967

## Contacts

| Name | Role | UPN / Email | Object ID | Notes |
|---|---|---|---|---|
| Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly |
| Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) |
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; shared-drive access still pending |
| receptionist | Shared mailbox | receptionist@rednourlaw.com | — | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep |

System recipient: DiscoverySearchMailbox (Exchange system object — not a user).

## Infrastructure

### Network

- **Topology:** Workgroup (no on-prem AD, no domain join). All three enrolled machines report `PartOfDomain=False`.
- **LAN subnet:** 192.168.10.0/24, default gateway 192.168.10.1.
- **ZeroTier:** Present on REDNOURCARRIEVI (IP: 10.147.17.253 / fcfb:1c63:8659:2d21:d189::1). Not documented on other workstations.

### Workstations (GuruRMM enrolled)

All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items).


| Hostname | Model | CPU | RAM | OS | IP | Agent ID | Grade |
|---|---|---|---|---|---|---|---|
| FRONTDESKRECEPT | Dell OptiPlex 3080 | i5-10505 6c/12t | 15.8 GB | Win 11 Pro build 26200 | 192.168.10.115 | 04765560-3e8a-46e5-a507-c5f5f4ead6eb | RED |
| LEGALASST | Generic OEM | AMD Ryzen 3 3200G 4c/4t | 5.9 GB | Win 10 Pro build 19045 | 192.168.10.213 | 18825ea7-df58-47bb-b492-822cb16fb5ec | RED |
| REDNOURCARRIEVI | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 10 Pro build 19045 | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED |

**Common issues across all three at onboarding:**

- ScreenConnect (ConnectWise Control) running — prior MSP remote-access agent, not yet removed
- Splashtop Streamer running — prior MSP remote-access agent, not yet removed
- Syncro agent running — prior MSP agent, not yet removed
- No backup agent detected on any workstation

**LEGALASST additional:**

- Win 10 22H2 (build 19045) — EOL since 2025-10-14; no longer receives security patches
- 43 days uptime, reboot pending
- Local admins include stale accounts `Ale` and `Emma` (pre-rename artifact)

**REDNOURCARRIEVI additional:**

- Win 10 22H2 (build 19045) — EOL since 2025-10-14
- Defender real-time protection OFF + antimalware service not running at baseline (critical)
- Datto RMM running — prior MSP agent, not yet removed
- C: drive at 11.7% free (54.4 GB of 465.1 GB)
- Last hotfix: 2025-12-20 (severely behind on patches as of 2026-05-29)
- 151 installed programs, 19 non-MS scheduled tasks — elevated attack surface

**FRONTDESKRECEPT additional:**

- BitLocker off on OS volume
- 2 pending Windows updates
- Local admin account `guru` present (ACG account, expected)

### GuruRMM Site

- **Site name:** Main Office
- **Enrollment key vault path:** `clients/rednour/` (enrollment key GREEN-FALCON-7214 in vault per index entry)

## Cloud / M365

- **Tenant domain:** rednourlaw.com
- **Tenant ID:** `4a4ca18a-f516-478b-99da-2e0722c5dc18`
- **Onboarded to ComputerGuru MSP suite:** 2026-05-31
  (bootstrapped by Mike during Emma→Carla rename session)

### MSP Service Principals

All five ComputerGuru SPs are fully consented as of 2026-05-31:

| SP Name | App ID | SP Object ID | Role(s) Assigned |
|---|---|---|---|
| Tenant Admin | 709e6eed-0711-4875-9c44-2d3518c47063 | 671a2ace-be9e-440c-a7d6-5ff982e4500c | Conditional Access Administrator |
| Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c | 704da463-7f4e-484c-b1da-40e447615d52 | Exchange Administrator |
| Exchange Operator | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 | 59a68ba9-5e1e-4a56-92ae-507a9a669a79 | Exchange Administrator |
| User Manager | 64fac46b-8b44-41ad-93ee-7da03927576c | dc3b79a2-638b-42fe-8ecb-51592db7d40f | User Administrator + Authentication Administrator |
| Defender Add-on | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b | 052da8aa-1ca5-4f60-b9c5-7aafcb74264b | None |

[WARNING] No MDE license in this tenant. Defender Add-on is consented but calling Defender ATP endpoints returns AADSTS650052. Skip the `defender` tier for all remediation work against this tenant.

### Mailboxes

| Display Name | UPN | Object ID | Notes |
|---|---|---|---|
| Carla Skinner | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; aliases: emma@, dgarcia@, alee@, dgarcia@rednourlaw.onmicrosoft.com |
| Carrie Rednour | crednour@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | Global Admin; sysadmin@ is also hers |
| Nick Pafford | npafford@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ alias added 2026-05-31 |
| receptionist | receptionist@rednourlaw.com | — | 34 contacts in mailbox |
| DiscoverySearchMailbox | (system) | — | Exchange system object |

**Carla's retained aliases:** The mailbox mailNickname was historically `dgarcia` (prior employee Garcia → passed to Emma → now Carla). Both `dgarcia@` and `alee@` were kept by operator's explicit choice on 2026-05-31. The `emma@` alias was kept so mail to emma@ continues to reach Carla.
Revisit only if the firm requests decommissioning of these addresses.

## Syncro

- **Customer:** Rednour Law Offices, id `1224246`
- **Primary ticket:** #32343 (id 111409967), Status: Resolved
- 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — not yet invoiced as of 2026-05-31; pending final close-out after Nick's shared-drive piece
- Comments: 415513323 (hidden/internal), 415514647 (customer-visible), 416427937 (internal — 2026-06-02 follow-up contact fix)

## History

### 2026-05-29 — GuruRMM enrollment + onboarding baselines

Three workstations enrolled in GuruRMM site "Main Office": FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI. Onboarding diagnostic baselines captured (all graded RED). Prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM on Carrie's machine) still present — not yet removed.

### 2026-05-31 — M365 onboarding + Emma → Carla rename

**Syncro ticket #32343.** Operator: Mike Swanson.

Tenant had never been fully onboarded to the ComputerGuru MSP suite — only Tenant Admin was consented, and Exchange Operator lacked Exchange Administrator role. Root cause surfaced as an HTTP 403 when attempting `Get-Mailbox` during the rename.

Resolution: Mike clicked the Tenant Admin admin-consent URL as Global Admin (Carrie's account), then ran `onboard-tenant.sh rednourlaw.com` to consent the remaining four SPs and assign directory roles. After Exchange role propagation (~60s), the rename was executed in three calls:

1. `Set-Mailbox` via Exchange REST — updated EmailAddresses (carla@ as primary, emma@/dgarcia@/alee@ as aliases)
2. Graph `PATCH /users/{id}` — updated UPN, displayName, mailNickname, givenName, surname
3. `POST /users/{id}/revokeSignInSessions` — invalidated active tokens

Nick Pafford already existed as `npafford@`; `smtp:nick@rednourlaw.com` was added as an alias on his existing mailbox (no UPN change, no session revoke). Ticket set to Resolved; shared-drive access for Nick deferred.

### 2026-06-01 — Carla password set (client-directed)

Carla's account password set administratively via Graph User Manager app at client direction (`forceChangePasswordNextSignIn: false`, no session revocation). Password quality flagged to operator as weak (dictionary word + sequential digits) but applied as directed.

### 2026-06-02 — Stale pinned contact fix (Carrie's mailbox)

Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (`IPF.Contact.MOC.QuickContacts`) in Carrie's own mailbox mapping `emma@rednourlaw.com` → display name "Emma - Rednour Law". Because `emma@` is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin.

Fix: deleted the pin via EWS (`ExchangeImpersonation` of crednour@rednourlaw.com using Exchange Operator SP `full_access_as_app`; `DeleteItem` with `MoveToDeletedItems` — recoverable). Graph contacts call (403) confirmed no `Contacts.Read` scope in any suite app; EWS was the correct path.

All four real-user mailboxes swept — only Carrie was affected:

| Mailbox | Contacts scanned | Stale entries found |
|---|---|---|
| Carrie Rednour | 237 (across 10 folders) | 1 — deleted |
| Nick Pafford | 0 (empty) | none |
| receptionist | 34 (across 10 folders) | none |
| Carla Skinner | 40 (across 9 folders) | none |

No time billed on this follow-up per Mike's standing rule (never log time without explicit minutes + labor type).

## Patterns & Known Issues

- **EWS required for personal contact work.** No app in the ComputerGuru suite holds `Contacts.Read` or `Contacts.ReadWrite` on Graph. Personal contact folder reads and modifications must go through EWS (`full_access_as_app` on the Exchange Operator SP with `ExchangeImpersonation`).
- **Security Investigator EXO token unreliable on this tenant.** The `investigator` SP's EXO token (aud=outlook.office365.com) returned 401 on InvokeCommand during the 2026-06-02 session; the Exchange Operator SP token worked. Prefer Exchange Operator for EXO InvokeCommand on rednourlaw.com.
- **Stale-pin shadowing pattern:** `IPF.Contact.MOC.QuickContacts` folder entries override the GAL for display-name resolution in Outlook/Teams. If any user reports a renamed sender still showing the old name, run the EWS contact-folder sweep against that user's mailbox.
- **emma@ alias is live by design.** Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it.
- **No MDE license — skip Defender tier.** Defender Add-on is consented but ATP endpoints return AADSTS650052. Do not attempt Defender-tier calls for this tenant.
- **Prior MSP agents still installed.** ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-02.
- **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan an OS upgrade to Win 11 or a newer Win 10 build.
- **REDNOURCARRIEVI: Defender was off at onboarding.** Confirm it has been re-enabled; it is a critical finding.

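
The matching step behind the stale-pin sweep described above, as an added example (not the suite's own sweep code): it runs over constructed contact records instead of calling EWS, and the record layout, item ids and function names are assumptions. Hits are candidates for review, since a deliberately nicknamed contact is flagged the same way.

```python
# Added example: stale-pin sweep logic over constructed data (no EWS or Graph calls).
QUICK_CONTACTS = "IPF.Contact.MOC.QuickContacts"  # folder class named on this page

# Directory side: current display name plus Exchange-style proxy addresses.
RECIPIENTS = [
    {"display_name": "Carla Skinner", "proxy_addresses": [
        "SMTP:carla@rednourlaw.com", "smtp:emma@rednourlaw.com",
        "smtp:dgarcia@rednourlaw.com", "smtp:alee@rednourlaw.com"]},
    {"display_name": "Nick Pafford", "proxy_addresses": [
        "SMTP:npafford@rednourlaw.com", "smtp:nick@rednourlaw.com"]},
]

# Mailbox side: constructed items; only c-3 mirrors the pin described on this page.
CONTACTS = [
    {"item_id": "c-1", "folder_class": "IPF.Contact", "display_name": "Nick Pafford",
     "emails": ["nick@rednourlaw.com"]},
    {"item_id": "c-2", "folder_class": "IPF.Contact", "display_name": "Emma",
     "emails": ["EMMA@rednourlaw.com"]},
    {"item_id": "c-3", "folder_class": QUICK_CONTACTS,
     "display_name": "Emma - Rednour Law", "emails": ["emma@rednourlaw.com"]},
    {"item_id": "c-4", "folder_class": "IPF.Contact", "display_name": "Court Clerk",
     "emails": ["clerk@example.org"]},
]


def proxy_index(recipients):
    """Map each SMTP proxy address (lower-cased) to its owner's current display name."""
    index = {}
    for rcpt in recipients:
        for proxy in rcpt["proxy_addresses"]:
            scheme, _, addr = proxy.partition(":")
            if scheme.lower() == "smtp" and addr:
                index[addr.lower()] = rcpt["display_name"]
    return index


def find_stale_contacts(contacts, recipients):
    """Contacts that point at a live proxy alias but carry a different display name."""
    index, stale = proxy_index(recipients), []
    for item in contacts:
        for addr in item["emails"]:
            current = index.get(addr.strip().lower())
            if current and item["display_name"].strip().casefold() != current.casefold():
                stale.append({"item_id": item["item_id"], "email": addr.strip().lower(),
                              "shown_as": item["display_name"], "current_name": current,
                              "shadows_gal": item["folder_class"] == QUICK_CONTACTS})
                break  # one finding per contact item
    # Pinned entries first: per the page, those override the GAL in Outlook/Teams.
    return sorted(stale, key=lambda s: not s["shadows_gal"])
```

Calling `find_stale_contacts(CONTACTS, RECIPIENTS)` returns the pinned `emma@` entry first, followed by the ordinary contact that still uses the old name.
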
## Active Work / Open Items

| Priority | Action | Owner | Notes |
|---|---|---|---|
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
| P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) |
| P2 | Shared-drive access for Nick Pafford | Mike | Deferred from #32343; ticket Resolved without it |
| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Resolved ticket |
| P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding |
| P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment |
| P3 | emma@ alias — revisit if firm wants it decommissioned | Mike | Retained by design; currently serves as Carla's legacy address |

## Backlinks

- [[projects/gururmm]] — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office)