claudetools/wiki/clients/lonestar-electrical.md
Howard Enos 7955e5e8b9 sync: auto-sync from HOWARD-HOME at 2026-06-02 15:12:52
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-02 15:12:52
2026-06-02 15:13:02 -07:00


type: client
name: lonestar-electrical
display_name: Lone Star Electrical Systems LLC
last_compiled: 2026-06-02
compiled_by: HOWARD-HOME/claude-main
sources:
clients/lonestar-electrical/session-logs/2026-06-02-session.md
clients/lonestar-electrical/session-logs/2026-06-01-session.md
clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md
clients/lonestar-electrical/docs/apple-mdm-setup-reference.md
session-logs/2026-03-23-session.md
session-logs/2026-03-24-session.md
credentials.md
clients/lonestar-electrical/google-workspace.sops.yaml (vault)
temp/lonestar-russ-setup.py
temp/lonestar-kyla-reset.py
temp/lonestar-kyla-2fa-fix.py

Lone Star Electrical Systems LLC

Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the fleet for being a Google Workspace shop (not Microsoft 365) with mobile devices managed by ManageEngine MDM (Zoho), not Intune. Field-heavy: techs use phones/tablets on job sites.


Profile

  • Company type: Electrical contractor (field service)
  • Contract type: Prepaid hour block
  • Hours remaining: 17.0 hrs as of 2026-06-01 (Syncro live). Always live-check GET /customers/33809612 before billing.
  • Billing rate: (verify — check recent Syncro invoices; not captured in available sources)
  • Syncro customer ID: 33809612 (Lone Star Electrical Systems LLC)
  • Address: 3774 North Warren Avenue, Tucson, AZ
  • Managed assets (Syncro): 1 asset on record
  • Sites: Norris site (location of the LS-1 / LS-2 Win11 workstations)
  • Key contacts:
    • Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact)
    • Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue
    • sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed)
    • James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role]
    • Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles]
    • Main phone on file (Syncro): 520-730-3642
  • Active ticket: None open in Syncro as of 2026-06-01 (see Active Work)

Infrastructure

Email & Identity

  • Platform: Google Workspace (domain lonestarelectrical.net). NOT Microsoft 365 — the M365 remediation tool does not apply here.
  • GWS admin: sysadmin@lonestarelectrical.net
  • GWS mobile management: set to Basic (no Google-native MDM push) — device management is delegated to ManageEngine.
  • ACG management plane: Google Workspace API access via the ACG-MSP-Access (Google Workspace) service account (vault: MSP Tools). lonestarelectrical.net is an onboarded tenant. Service-account key: temp/acg-msp-access-8f72339997e5.json.

Mobile Device Management (MDM)

  • Platform: ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
  • MDM admin: mike@azcomputerguru.com (Zoho account, Super Admin)
  • Enrolled devices: 2 company tablets (named Zach and JOSE), enrolled 2025-12-04 via QR code, fully managed. These are direct enrollments and are unaffected by the Google third-party-EMM integration.

Workstations

  • LS-1, LS-2 — Windows workstations at the Norris site; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the previous MSP with Sophos Endpoint Protection (managed via the previous MSP's Sophos Central — no ACG access). Sophos removal is in progress (see Patterns and Active Work). Both enrolled in GuruRMM during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (SafeBoot\Network).

Unraid Server

  • Status: Running Unraid 7.1.4 as of 2026-06-02 (migrated to new USB flash drive).
  • Hostname: [verify]
  • LAN IP: [verify]
  • License type: [verify — Basic / Plus / Pro]
  • Boot device: New USB flash drive (written via Unraid USB Creator, 7.1.4). Original failed stick: label UNRAID, /dev/sda1, Generic Flash Disk 8GB — retired but kept as temporary backup until new stick confirmed stable.
  • Config: Old config/ folder (array assignments super.dat, shares, network settings, license .key) copied from the failing stick onto the new one. Disk layout and array configuration preserved; only the OS files are fresh.
  • License: Re-registered to the new USB GUID via Unraid webGUI Tools > Registration > Replace Key on 2026-06-02.
  • Root credentials: Carried over from the old config/shadow; root password is NOT yet vaulted for this client. Only ACG's own Unraid boxes are vaulted (infrastructure/jupiter-unraid-primary.sops.yaml, infrastructure/uranus-unraid.sops.yaml). [verify and vault]
  • Array/disk layout: [verify — confirm all disks landed in correct slots from copied super.dat]
  • Health check: Mike's Claude session was running a check on 2026-06-02 post-migration — results pending.

Access

  • Google Workspace admin: sysadmin@lonestarelectrical.net — vault: clients/lonestar-electrical/google-workspace.sops.yaml
  • ManageEngine MDM: mike@azcomputerguru.com (Zoho Super Admin) — https://mdm.manageengine.com/webclient
  • GWS service account (programmatic): ACG-MSP-Access (Google Workspace) (vault: MSP Tools); key file temp/acg-msp-access-8f72339997e5.json
  • Vault root: clients/lonestar-electrical/ in vault repo
  • Unraid server: root credentials not yet vaulted [verify and vault]

Patterns & Known Issues

  • Inherited Sophos with no Central access — kernel-driver tamper-protection removal (execution started 2026-06-02). LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account; ACG has no Central access, so there is no remote uninstall and no way to disable tamper protection (TP) from the management plane. TP is enforced by the SophosED.sys kernel boot driver (Start=0, loads before smss.exe), which defeats every user-mode removal route: SophosZap (blocked by TP), SophosUninstall.exe (removes only the user-mode components), PendingFileRenameOperations delete (driver loads too early), sc config (kernel callback), and ACL reset (kernel-level). Resolution path is offline via WinRE/PE: delete D:\Windows\System32\drivers\SophosED.sys, load the offline SYSTEM hive and set the Sophos Endpoint Defense service to Start=4, reboot, then run SophosZap.exe --confirm (the TP check now passes). Full step list in the 2026-05-29 session log. Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible. (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
  • Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2). Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity /pop startup entry during logon. Removing the Datto startup registry entry addressed the logon contention.
  • ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24). A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. Root cause was two independent triggers: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a third-party EMM provider inside Google Workspace (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. Fix required both: disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change.
  • Google Workspace, not M365. Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client.
  • Field/mobile-first. Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm.
  • Recurring bzfirmware checksum boot error = failing USB flash drive. Replace the stick (Unraid USB Creator + copy old config/ + re-register license to new GUID). Do NOT just replace the file — if the error recurs after a file-level fix, the stick itself is failing. Reusable for any Unraid box.
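For the inherited-Sophos pattern above, an added read-only check (not code from the session logs, GuruRMM or Sophos) covering the two decision points: BitLocker state and SafeBoot\Network registration before booting PE, and driver file / Start-value state after the reboot. It assumes the SafeBoot\Network subkeys for the ScreenConnect and GuruRMM agents begin with those names.

```powershell
# Added example; not code from the Lonestar session logs, GuruRMM or Sophos.
# Read-only checks for the two decision points in the inherited-Sophos pattern:
# (a) before booting PE: can the offline SYSTEM hive be edited, and are the Safe Mode agents registered;
# (b) after the reboot: is the kernel driver actually gone. Nothing here changes system state.
# Run from an elevated PowerShell in normal Windows.
function Get-SophosRemovalState {
    [CmdletBinding()]
    param(
        # Driver file and service key named on this page (the offline hive edit sets Start=4 on the key).
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\SophosED.sys",
        [string]$ServiceKey = 'Sophos Endpoint Defense',
        # Assumption: the SafeBoot\Network subkeys for the Safe Mode agents start with these names.
        [string[]]$SafeBootAgents = @('ScreenConnect', 'GuruRMM')
    )
    $cs = 'HKLM:\SYSTEM\CurrentControlSet'

    # (a) BitLocker must be OFF on the OS volume, or PE cannot open the hive without the recovery key.
    # Unknown state (module missing, query failed) counts as "not verified", never as "off".
    $bitLockerOff = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $bitLockerOff = ($null -ne $osVol) -and ($osVol.ProtectionStatus -eq 'Off')
    }
    # Safe Mode with Networking only starts services whose name appears under SafeBoot\Network.
    $safeBootKeys = Get-ChildItem "$cs\Control\SafeBoot\Network" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
    $agentsRegistered = @(foreach ($a in $SafeBootAgents) { if ($safeBootKeys -like "$a*") { $a } })

    # (b) Driver on disk, Start value of its service key (0 = boot start, 4 = disabled, $null = key gone),
    # and any Sophos services still installed.
    $driverPresent = Test-Path -LiteralPath $DriverPath
    $start = (Get-ItemProperty -Path "$cs\Services\$ServiceKey" -Name Start -ErrorAction SilentlyContinue).Start
    $sophosSvcs = @(Get-Service -Name 'Sophos*' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        BitLockerOff      = $bitLockerOff
        SafeBootAgents    = $agentsRegistered
        DriverPresent     = $driverPresent
        DriverStart       = $start
        RemainingServices = $sophosSvcs
        ReadyForOfflinePE = $bitLockerOff -and ($agentsRegistered.Count -eq $SafeBootAgents.Count)
        RemovalComplete   = (-not $driverPresent) -and ($start -ne 0) -and ($sophosSvcs.Count -eq 0)
    }
}

Get-SophosRemovalState | Format-List
```

Run it once from normal Windows before booting PE (ReadyForOfflinePE should be True) and again after the post-reboot SophosZap pass (RemovalComplete should be True); a remaining boot-start driver shows up as DriverPresent True with DriverStart 0.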

Active Work

No open Syncro tickets as of 2026-06-01.

  • Sophos removal on LS-1 / LS-2 (ACTIVELY EXECUTING — LS-1 in progress, LS-2 not yet started). Offline PE removal procedure is underway on LS-1: BitLocker confirmed OFF (verified from normal Windows before booting PE), SophosZap.exe staged in Downloads for post-reboot cleanup. LS-1 is awaiting a drive-letter check from PE (dir C:\Windows & dir D:\Windows & dir E:\Windows) before executing the del /f <drive>\Windows\System32\drivers\SophosED.sys + offline-hive Start=4 disable sequence. LS-2 not yet started. Full offline command set in clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md. Coord handoff: msg 689cfb7c (2026-06-01).
    • Pending: Verify or create Syncro ticket "Sophos Endpoint Removal - LS-1 and LS-2" before logging time (prepaid block, live-check GET /customers/33809612).
  • Unraid server USB replacement done (2026-06-02); PENDING:
    • Create Syncro ticket documenting the USB failure, replacement (Unraid 7.1.4 via USB Creator), config copy, and license re-registration.
    • Capture and fold in the results of Mike's server health check (array start state, disk assignments, parity validity, registration status).
    • Verify array integrity: confirm all disks landed in correct slots from the copied super.dat; ensure no unwanted parity rebuild was triggered.
    • Vault the Lonestar Unraid root password and document the server in the wiki (hostname, IP, Unraid 7.1.4, license type).

History Highlights

Date Event
2025-12-04 Two company tablets (Zach, JOSE) enrolled in ManageEngine MDM via QR code, fully managed
2026-03-10 Emergency: James's account hacked (Syncro #32010, resolved)
2026-03-11 Tablet unable to edit PDFs (#32015)
2026-03-23 Lonestar MDM issue investigated — identified ManageEngine self-enrollment as the cause of joser's personal-phone prompt; fix initially blocked by a broken Zoho portal page
2026-03-24 MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. joser's phone stopped prompting immediately
2026-05-04 Win11 upgrades on LS-1 and LS-2 (#32244)
2026-05-05 iPhone field setup (#32251)
2026-05-28/29 Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by SophosED.sys kernel driver — WinRE offline removal staged (Ventoy USB), completion pending
2026-06-01 Recovered the (previously unlogged) Sophos removal context, reconstructed it into a session log, and handed the WinRE completion procedure to Howard via coordinator (msg 689cfb7c)
2026-06-02 Unraid server USB flash drive failed (recurring bzfirmware checksum error); migrated to new stick (Unraid 7.1.4 via USB Creator), copied old config/, re-registered license to new GUID
2026-06-02 Began offline (PE) execution of Sophos removal on LS-1 — BitLocker confirmed off, SophosZap staged; SophosED.sys delete + offline-hive disable pending drive-letter check

Compilation Notes

  • Refreshed 2026-06-02 22:10 PT (recompile by HOWARD-HOME/claude-main) to absorb the 22:10 PT update section of the 2026-06-02 session log: updated Active Work Sophos bullet to reflect execution-in-progress on LS-1 (BitLocker confirmed off, SophosZap staged, awaiting drive-letter check before PE delete); updated Patterns wording from "in progress 2026-05-28/29" to "execution started 2026-06-02"; added History Highlights row for the LS-1 PE execution start.
  • Refreshed 2026-06-02 (recompile by HOWARD-HOME/claude-main) to absorb the 2026-06-02 session log: added Unraid server infrastructure subsection, new bzfirmware checksum pattern, history row, and pending Active Work items.
  • Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (.claude/tmp/ollama_prompt.txt) and coord message 8a5cb25c. A proper session log was reconstructed at clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md before this compile.
  • Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612).
  • Vault slug is lonestar-electrical (matches clients/lonestar-electrical/ in the vault), though session logs and temp scripts use the un-hyphenated lonestar.
  • Lonestar work now lives in both clients/lonestar-electrical/ (docs + session-logs) and root session logs / temp/ scripts.
  • Flagged [verify]: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory; Unraid server hostname/IP/license type/root credentials.

backlinks: (none yet)