---
type: client
name: sombra-residential
display_name: Sombra Residential LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/sombra-residential/CONTEXT.md
  - clients/sombra-residential/session-logs/2026-05-06-howard-bryan-sombrahomes-ghost-account-cleanup.md
backlinks:
  - projects/gururmm
---

# Sombra Residential LLC

## Profile

- **Company type:** Residential property management company (Arizona). Formerly operated under the brand/domain `sombrahomes.com`; rebranded to `sombraresidential.com` at some point post-2022.
- **Contract type:** [unverified — managed MSP implied by ACG handling M365 and new-PC setup; no explicit contract type documented]
- **Key contacts:**
  - Amy — caller/office contact (last name not documented)
  - Bryan Menie — employee; accounts `bryan@sombraresidential.com` (current), formerly `bryan@sombrahomes.com`
- **Billing rate:** [unverified]
- **Syncro customer ID:** 32971820

## Infrastructure

### Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| Server2013 | `Server2013` (hostname only) | File / application server | Windows Server **2012** (build 9200) — [WARNING] EOL 2023-10-10, running unpatched | Name "Server2013" is a label only; actual product is WS2012. Remote access via ScreenConnect. |
| DESKTOP-UQRN4K3 | [unverified] | Bryan Menie's workstation | Windows (version unverified) | New PC set up by ACG prior to 2026-05-06; data transferred via Transwiz |

### Email & Identity

- **M365 tenant:** sombraresidential.com (primary current domain); former domain sombrahomes.com still exists in legacy identity caches on endpoints
- **MFA status:** [unverified]
- **Office version:** OneNote Free + O365 Business Retail, Click-to-Run, version 16.0.19929.20106 (confirmed on Bryan's PC 2026-05-06)
- **Identity note:** Company rebranded from sombrahomes.com to sombraresidential.com after 2022. Classic Office MAPI profiles and token stores on pre-rebrand machines (or Transwiz-migrated machines) still reference the old domain. New Outlook app uses WAM (unaffected); classic Word/Excel prompt against dead LiveId tokens.

### Network

- **ISP / WAN:** [unverified]
- **Firewall:** [unverified]
- **VPN:** [unverified]

## GuruRMM

- **Client name:** Sombra Residential LLC
- **Client ID:** `4143369f-de59-42e6-b1a0-e9939aa42a2d`
- **Site name:** main office
- **Site ID:** `787d497a-eb1d-4468-a8ac-51d3c23954cb`

### Enrolled Agents

| Agent | Host | OS | Agent ID | Notes |
|---|---|---|---|---|
| Server2013 | Server2013 | Windows Server 2012 | `5383e9c1-56e1-4389-9c89-1991a77bbc3a` (device id `win-e59d7c6c-9bd6-4b49-a892-71788039bf14`) | Enrolled 2026-04-30 |
| DESKTOP-UQRN4K3 | Bryan's workstation | Windows | `6dc0fb03-d6c4-4e3e-a58c-d9d015ff588a` | Used as remote command channel for ghost-account cleanup 2026-05-06 |

## Access

- **ScreenConnect:** Installed on Server2013 and Bryan's PC (ACG SC instance)
- **Server2013 local accounts:**
  - `Administrator` — password at `clients/sombra-residential/server2013.sops.yaml`
  - `sysadmin` — password [WARNING] TBD; not yet vaulted as of CONTEXT.md (2026-04-30). Confirm with Howard or pull from server before next session.
- **Vault path:** `clients/sombra-residential/server2013.sops.yaml`

## Patterns & Known Issues

- **[WARNING] Server2013 is Windows Server 2012 (EOL 2023-10-10):** Running unpatched. EOL risk has not been formally presented to client per available session logs. Mike needs to confirm a refresh/migration recommendation with the client.
- **Transwiz ghost account pattern:** Transwiz migrates M365 identity stores wholesale from the source machine, including DPAPI-bound tokens and Office MAPI profiles. On a domain-rebranded shop (sombrahomes.com → sombraresidential.com), the migrated machine carries dead LiveId entries from the old domain. Symptoms: Word and Excel prompt for `@olddomain.com` credentials on every open; ErrorState=6 (stuck token, cannot refresh). New Outlook app (WAM-based) is unaffected — only classic Win32 Office apps hit this.
  - **Detection:** Check `HKU\<SID>\Software\Microsoft\Office\16.0\Common\Identity\Identities` and `ServicesManagerCache\Identities` for LiveId entries with the old domain. Also check classic MAPI Outlook profiles under `15.0` and `16.0` trees.
  - **Fix:** Three-pass cleanup (Identity keys → ServicesManagerCache + OneAuth blobs → classic MAPI profiles). Run with snapshot-first backup + auto-generated revert.ps1. All Office processes must be closed before each pass.
  - **Recommended:** Add a "post-Transwiz Office identity sweep" step to the ACG new-PC checklist for any customer with M365 domain rebrand history.
- **GuruRMM SYSTEM context:** HKCU probes from GuruRMM commands hit the SYSTEM hive, not the logged-in user's. For per-user registry work, resolve the target user's SID from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` and read `HKU:\<SID>\` directly.
- **Syncro warranty billing:** Use product `1049360` Labor - Warranty work for work that is a direct side effect of a prior ACG ticket. Do NOT use `1190473` Labor - Remote Business with `billable: false` or a patched price. The warranty product is the correct path.
- **Syncro `billable: false` on timer_entry is silently ignored** — does not prevent a charged line item from being generated. Always pick the correct product.

## Active Work

- **Open items from CONTEXT.md (2026-04-30):**
  - Capture `sysadmin` password for Server2013 into vault
  - Confirm Server 2012 EOL risk with Mike and recommend refresh / migration path
  - Discover and document: workstations, network, primary contact, full business purpose

## History Highlights

| Date | Event |
|---|---|
| Post-2022 | Company rebranded from sombrahomes.com to sombraresidential.com |
| 2026-04-30 | Server2013 enrolled in GuruRMM (agent `5383e9c1`). CONTEXT.md stub created by Howard. New PCs set up for staff (referenced as "the week prior" in 2026-05-06 log). |
| 2026-05-06 | Howard: Bryan's PC (DESKTOP-UQRN4K3) — Word/Excel ghost credential prompt for old domain `bryan@sombrahomes.com`. Root cause: Transwiz-migrated classic MAPI + LiveId entries from pre-rebrand machine. Three-pass registry cleanup via GuruRMM. Billed as warranty ($0) against ticket #32225 (invoice #67572). Revert scripts at `C:\ProgramData\ACG\sombrahomes-cleanup-*` on Bryan's PC. |

## Backlinks

- [[projects/gururmm]] — Server2013 and DESKTOP-UQRN4K3 enrolled (site: main office)
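
Added example for the **Detection** and **GuruRMM SYSTEM context** notes under Patterns & Known Issues (not the cleanup script used on 2026-05-06, and not ACG's own code): a read-only sweep that resolves user SIDs from `ProfileList` and searches each loaded hive's Office identity trees for the old domain. The function name `Find-StaleOfficeIdentity` is hypothetical, `ServicesManagerCache` is assumed to sit under `Common`, and the sweep matches on any value's content rather than on specific value names.

```powershell
# Added example: read-only sweep for stale Office identities left by a profile migration.
# Find-StaleOfficeIdentity is a hypothetical name; nothing here modifies the registry.
function Find-StaleOfficeIdentity {
    param(
        [Parameter(Mandatory)][string]$OldDomain,          # e.g. 'sombrahomes.com'
        [string[]]$OfficeVersions = @('15.0', '16.0')
    )
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $needle = [regex]::Escape($OldDomain)

    # Real user profiles only (S-1-5-21-*); skips SYSTEM, LocalService and similar.
    $profiles = Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }
    foreach ($p in $profiles) {
        $sid  = $p.PSChildName
        $hive = "Registry::HKEY_USERS\$sid"
        # A user hive is only present under HKU while that user is logged on.
        if (-not (Test-Path $hive)) { Write-Warning "Hive not loaded for $sid; skipped"; continue }

        # Assumption: ServicesManagerCache lives under Common, next to Identity.
        $roots = foreach ($v in $OfficeVersions) {
            "$hive\Software\Microsoft\Office\$v\Common\Identity\Identities"
            "$hive\Software\Microsoft\Office\$v\Common\ServicesManagerCache\Identities"
            "$hive\Software\Microsoft\Office\$v\Outlook\Profiles"
        }
        foreach ($root in $roots | Where-Object { Test-Path $_ }) {
            # The root key itself plus every subkey beneath it.
            $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    $value = $key.GetValue($name)
                    # MAPI profile data is often REG_BINARY holding UTF-16 text; decode before matching.
                    $text = if ($value -is [byte[]]) { [Text.Encoding]::Unicode.GetString($value) } else { $value -join ' ' }
                    if ($text -match $needle) {
                        [pscustomobject]@{
                            ProfilePath = $p.GetValue('ProfileImagePath')
                            Sid         = $sid
                            Key         = $key.Name
                            Value       = $name
                        }
                    }
                }
            }
        }
    }
}

Find-StaleOfficeIdentity -OldDomain 'sombrahomes.com' | Format-Table -AutoSize -Wrap
```

Because it enumerates `HKEY_USERS` by SID instead of reading `HKCU`, the output is the same whether it runs as SYSTEM through an RMM agent or in an elevated admin session.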