azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
claudetools/clients/sombra-residential/session-logs/2026-05-06-howard-bryan-sombrahomes-ghost-account-cleanup.md
Howard Enos d63dcde679 sync: auto-sync from HOWARD-HOME at 2026-05-06 15:10:59 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-06 15:10:59
2026-05-06 15:11:04 -07:00

7.7 KiB
Raw Permalink Blame History

Sombra Residential -- Bryan sombrahomes ghost account cleanup -- 2026-05-06

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home
  • Role: tech

Summary

Amy at Sombra Residential called reporting that Word would not close on Bryan's PC (DESKTOP-UQRN4K3, one of the two new computers we set up the week prior). The error stated "Word could not close because it had an open dialog box" but no dialog was visible. Howard force-closed Word via Task Manager, reopened it, and saw a credential prompt asking for bryan@sombrahomes.com -- the company's old email domain from before the rebrand to sombraresidential.com. Same prompt appeared on opening Excel. New Outlook app worked fine.

Investigation traced the prompts to stale Microsoft 365 identity references that Transwiz had carried over from Bryan's old machine during the new-PC setup, all bound to the pre-rebrand bryan@sombrahomes.com account. Removed the stale data in stages, with full backups + auto-generated revert scripts at each step. After the final cleanup pass (classic MAPI Outlook profiles, both 15.0 and 16.0 trees), the prompts stopped. Verified by Howard with all Office apps + reboot + retest.

Total time on the issue: ~30 min remote diagnostic + cleanup. Billed against ticket #32225 (the original new-PC setup ticket) as warranty / no-charge -- the issue is a direct side effect of the data transfer we performed during that ticket. New invoice #67572 generated at $0 against the warranty product.

Customer + machine context

  • Customer: Sombra Residential LLC (Syncro customer 32971820)
  • Caller: Amy
  • Affected user: Bryan Menie -- accounts now bryan@sombraresidential.com, formerly bryan@sombrahomes.com
  • Machine: DESKTOP-UQRN4K3
  • Bryan's SID: S-1-5-21-2758790109-566389284-3601084329-1002
  • GuruRMM agent ID: 6dc0fb03-d6c4-4e3e-a58c-d9d015ff588a (site 787d497a-eb1d-4468-a8ac-51d3c23954cb "main office")
  • Office product: OneNote Free + O365 Business Retail, Click-to-Run, version 16.0.19929.20106

Diagnostic findings

The ghost prompts came from data Transwiz had carried over wholesale from Bryan's old machine. Key root cause: company rebranded sombrahomes.com -> sombraresidential.com at some point post-2022, but Bryan's classic Office identity store still had the old bryan@sombrahomes.com LiveId entries persisted (ErrorState=6 -- stuck token, can't refresh). Office apps walk that store on startup and try to refresh the dead tokens, which is what surfaced as a credential prompt.

Notable diagnostic data points (from probe runs via GuruRMM):

Probe pass Key finding
v1 (HKCU as SYSTEM) Empty -- agent runs as nt authority\system, so HKCU was the SYSTEM hive, not Bryan's. Confirmed HKLM was clean (413 MB dump, 0 matches).
v3 (HKU<bryan-sid>) Found stale 8a2ca986c32435e4_LiveId in Office\15.0\Common\Identity\ with EmailAddress=bryan@sombrahomes.com. Plus AutoDiscover XMLs and PB4S config files.
v4b (HKU full grep) Word/Excel kept prompting after first cleanup; full hive grep found additional refs in Office\15.0\Common\ServicesManagerCache\Identities\8a2ca986c32435e4_LiveId\ (the splash-screen "connected accounts" cache) and in classic MAPI Outlook profiles Outlook + Outlook20221013 under both 15.0 and 16.0 trees, all bound to the old account.

The new Outlook app uses WAM tokens (separate from classic config) and was correctly authenticated with bryan@sombraresidential.com (19 valid .tbacct files). That's why only Word and Excel showed the ghost prompt and the new Outlook app did not.

Cleanup performed

Three cleanup passes, each with snapshot-first backup + auto-generated revert.ps1 + manifest.json under C:\ProgramData\ACG\sombrahomes-cleanup-<timestamp>\. Office processes confirmed closed before each pass (script refused to run otherwise).

Pass Backup folder Targets removed
v2 sombrahomes-cleanup-20260506-135723 3 reg keys (Office\15.0\Common\Identity\Identities\8a2ca986c32435e4_LiveId, Profiles\8a2ca986c32435e4_LiveId, DocToIdMapping\8a2ca986c32435e4_LiveId) + 2 files (AutoD.bryan@sombrahomes.com.xml, PB4S-Configuration-bryan@sombrahomes.com.xml)
v3 sombrahomes-cleanup-20260506-142613 ServicesManagerCache\Identities\8a2ca986c32435e4_LiveId + MSOIdentityCRL\UserExtendedProperties\microsoftonline.com::customerservice@sombrahomes.com + OneAuth Bryan@SombraHomes.com_identity_provider blob
v4 sombrahomes-cleanup-20260506-143518 4 classic MAPI Outlook profiles (Outlook + Outlook20221013 in both 15.0 and 16.0 trees, total ~245 KB of registry data)

After v3 the prompt persisted in Word/Excel only; v4 cleared it. Howard verified after v4: opened Word, Excel, all other Office apps, rebooted, retested -- no prompts. New Outlook app continues working with bryan@sombraresidential.com.

Each backup folder contains a self-contained revert.ps1 that re-imports all registry exports and copies files back. Reverting any single pass is one command.

Billing

Ticket Comment Time Product Invoice Total
#32225 Customer-visible follow-up describing issue + cleanup 0.5 hr 1049360 Labor- Warranty work #67572 $0.00 (warranty)

Initial billing attempt (now corrected) had used product 1190473 Labor - Remote Business with billable: false and patched the price to $0. Howard caught it -- warranty has its own dedicated product (1049360 Labor- Warranty work) and that's what should be selected. Patching price_retail to convert one labor product into another is wrong. Fixed: removed wrong line + timer, regenerated against the correct warranty product. Documented as feedback_syncro_warranty_product.md; updated .claude/commands/syncro.md rate table + workflow.

Files / state changes

  • C:\ProgramData\ACG\sombrahomes-cleanup-20260506-* -- 3 backup folders on Bryan's PC. All three include manifest.json + revert.ps1.
  • Local cleanup scripts staged at C:\claudetools\.claude\tmp\sombra-cleanup-v2.ps1 / v3.ps1 / v4.ps1 (and probes v1-v4b). Not committed -- one-off diagnostic.
  • New feedback memory: .claude/memory/feedback_syncro_warranty_product.md
  • Updated: .claude/commands/syncro.md (rate table + warranty workflow + never-patch-price rule)
  • Updated: .claude/memory/MEMORY.md (index entry)

Note for Mike + Winter

Couple of observations from this session that may be relevant elsewhere:

  1. Transwiz drag-along: Whenever we use Transwiz on a domain-rebranded shop, expect this exact ghost-account symptom on the destination machine. Quickest indicator: classic Office MAPI profile name, HKU\<sid>\Software\Microsoft\Office\16.0\Outlook\DefaultProfile, and the ServicesManagerCache LiveId entries. Worth adding a "post-Transwiz Office identity sweep" step to our new-PC checklist.

  2. GuruRMM SYSTEM context: The agent runs as nt authority\system. Probes that read HKCU or $env:USERPROFILE will hit SYSTEM's hive/profile, not the actual user's. For per-user investigations, resolve the target user's SID via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and read from HKU:\<sid>\ and C:\Users\<user>\ directly.

  3. Syncro billable: false on timer_entry is silently ignored. Setting billable: false does NOT prevent Syncro from generating a $-charged line item. The skill memory has been updated to reflect this -- always pick the correct product (warranty for warranty, etc.) rather than trying to neutralize a billable product with a flag or a patched price.

Tools used

  • GuruRMM: agent command POST + result polling. Read-only probes + targeted cleanup commands. SYSTEM context.
  • Syncro REST API: ticket comment, timer_entry, charge_timer_entry, invoice CRUD.
  • No write actions on any M365 tenant.
Reference in New Issue View Git Blame Copy Permalink