claudetools/wiki/clients/sombra-residential.md
Mike Swanson 32f64a9561 wiki: seed 9 client articles (internal-infra, peaceful-spirit, cryoweave, glaztech, pavon, grabb-durando, stamback-septic, sombra-residential, birth-biologic)
Notable findings per article:
- internal-infrastructure: Neptune cert expires 2026-05-31, DkimSigner
  disabled (unsigned outbound mail), Cloudflare tunnel on Jupiter
- peaceful-spirit: L2TP/IPsec RRAS VPN; billing/Syncro ID undocumented
- cryoweave: website redesign pending client assets
- glaztech: phishing bypassed MailProtector via secondary MX (fixed);
  no MFA enforcement yet; do not enable Security Defaults yet
- pavon: OwnCloud cron stacking fixed; Nextcloud migration deferred
- grabb-durando: plaintext DB password in README needs vaulting; AI
  demand review app scoped
- stamback-septic: WS2012 EOL server on network
- sombra-residential: Server2013 is actually WS2012 EOL unpatched
- birth-biologic: Datto→SharePoint migration unconfirmed complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:38:50 -07:00

6.4 KiB

| Field | Value |
|---|---|
| type | client |
| name | sombra-residential |
| display_name | Sombra Residential LLC |
| last_compiled | 2026-05-24 |
| compiled_by | DESKTOP-0O8A1RL/claude-main |
| sources | clients/sombra-residential/CONTEXT.md; clients/sombra-residential/session-logs/2026-05-06-howard-bryan-sombrahomes-ghost-account-cleanup.md |
| backlinks | projects/gururmm |

Sombra Residential LLC

Profile

  • Company type: Residential property management company (Arizona). Formerly operated under the brand/domain sombrahomes.com; rebranded to sombraresidential.com at some point post-2022.
  • Contract type: [unverified — managed MSP implied by ACG handling M365 and new-PC setup; no explicit contract type documented]
  • Key contacts:
    • Amy — caller/office contact (last name not documented)
    • Bryan Menie — employee; accounts bryan@sombraresidential.com (current), formerly bryan@sombrahomes.com
  • Billing rate: [unverified]
  • Syncro customer ID: 32971820

Infrastructure

Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| Server2013 | Server2013 (hostname only) | File / application server | Windows Server 2012 (build 9200) — [WARNING] EOL 2023-10-10, running unpatched | Name "Server2013" is a label only; actual product is WS2012. Remote access via ScreenConnect. |
| DESKTOP-UQRN4K3 | [unverified] | Bryan Menie's workstation | Windows (version unverified) | New PC set up by ACG prior to 2026-05-06; data transferred via Transwiz |

Email & Identity

  • M365 tenant: sombraresidential.com (primary current domain); former domain sombrahomes.com still exists in legacy identity caches on endpoints
  • MFA status: [unverified]
  • Office version: OneNote Free + O365 Business Retail, Click-to-Run, version 16.0.19929.20106 (confirmed on Bryan's PC 2026-05-06)
  • Identity note: Company rebranded from sombrahomes.com to sombraresidential.com after 2022. Classic Office MAPI profiles and token stores on pre-rebrand machines (or Transwiz-migrated machines) still reference the old domain. New Outlook app uses WAM (unaffected); classic Word/Excel prompt against dead LiveId tokens.

Network

  • ISP / WAN: [unverified]
  • Firewall: [unverified]
  • VPN: [unverified]

GuruRMM

  • Client name: Sombra Residential LLC
  • Client ID: 4143369f-de59-42e6-b1a0-e9939aa42a2d
  • Site name: main office
  • Site ID: 787d497a-eb1d-4468-a8ac-51d3c23954cb

Enrolled Agents

| Agent | Host | OS | Agent ID | Notes |
|---|---|---|---|---|
| Server2013 | Server2013 | Windows Server 2012 | 5383e9c1-56e1-4389-9c89-1991a77bbc3a (device id win-e59d7c6c-9bd6-4b49-a892-71788039bf14) | Enrolled 2026-04-30 |
| DESKTOP-UQRN4K3 | Bryan's workstation | Windows | 6dc0fb03-d6c4-4e3e-a58c-d9d015ff588a | Used as remote command channel for ghost-account cleanup 2026-05-06 |

Access

  • ScreenConnect: Installed on Server2013 and Bryan's PC (ACG SC instance)
  • Server2013 local accounts:
    • Administrator — password at clients/sombra-residential/server2013.sops.yaml
    • sysadmin — password [WARNING] TBD; not yet vaulted as of CONTEXT.md (2026-04-30). Confirm with Howard or pull from server before next session.
  • Vault path: clients/sombra-residential/server2013.sops.yaml

Patterns & Known Issues

  • [WARNING] Server2013 is Windows Server 2012 (EOL 2023-10-10): Running unpatched. EOL risk has not been formally presented to client per available session logs. Mike needs to confirm a refresh/migration recommendation with the client.
  • Transwiz ghost account pattern: Transwiz migrates M365 identity stores wholesale from the source machine, including DPAPI-bound tokens and Office MAPI profiles. On a domain-rebranded shop (sombrahomes.com → sombraresidential.com), the migrated machine carries dead LiveId entries from the old domain. Symptoms: Word and Excel prompt for <user>@olddomain.com credentials on every open; ErrorState=6 (stuck token, cannot refresh). New Outlook app (WAM-based) is unaffected — only classic Win32 Office apps hit this.
    • Detection: Check HKU\<user-SID>\Software\Microsoft\Office\16.0\Common\Identity\Identities and ServicesManagerCache\Identities for LiveId entries with the old domain. Also check classic MAPI Outlook profiles under 15.0 and 16.0 trees.
    • Fix: Three-pass cleanup (Identity keys → ServicesManagerCache + OneAuth blobs → classic MAPI profiles). Run with snapshot-first backup + auto-generated revert.ps1. All Office processes must be closed before each pass.
    • Recommended: Add a "post-Transwiz Office identity sweep" step to the ACG new-PC checklist for any customer with M365 domain rebrand history.
  • GuruRMM SYSTEM context: HKCU probes from GuruRMM commands hit the SYSTEM hive, not the logged-in user's. For per-user registry work, resolve the target user's SID from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and read HKU:\<SID>\ directly.
  • Syncro warranty billing: Use product 1049360 Labor - Warranty work for work that is a direct side effect of a prior ACG ticket. Do NOT use 1190473 Labor - Remote Business with billable: false or a patched price. The warranty product is the correct path.
  • Syncro billable: false on timer_entry is silently ignored — does not prevent a charged line item from being generated. Always pick the correct product.
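
The detection check and the GuruRMM SYSTEM-context note above, combined as an added PowerShell example (not part of the ACG cleanup scripts or the original article): it resolves profile SIDs from ProfileList and scans the two identity trees in each loaded user hive for string values that contain the old domain, without writing anything. The function names, the $OldDomain parameter, and the placement of ServicesManagerCache under Office\16.0\Common are assumptions.

```powershell
# Added example: read-only sweep for stale Office identities after a Transwiz migration.
# Run elevated or as SYSTEM (RMM agent). $OldDomain is the pre-rebrand domain to look for.
param([string]$OldDomain = 'sombrahomes.com')

function Get-UserProfileSid {
    # ProfileList lives in HKLM, so it resolves correctly even when HKCU is the SYSTEM hive.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $list | Where-Object PSChildName -like 'S-1-5-21-*' | ForEach-Object {
        [pscustomobject]@{
            Sid     = $_.PSChildName
            Profile = $_.GetValue('ProfileImagePath')
        }
    }
}

function Find-StaleOfficeIdentity {
    param([string]$Sid, [string]$Domain)
    # Registry:: path avoids needing an HKU: PSDrive, which PowerShell does not define by default.
    $hive = "Registry::HKEY_USERS\$Sid"
    if (-not (Test-Path $hive)) {
        Write-Warning "$Sid hive not loaded (user not signed in); skipped."
        return
    }
    # Assumption: both trees sit under Office\16.0\Common, as the detection note implies.
    $common = "$hive\Software\Microsoft\Office\16.0\Common"
    foreach ($root in "$common\Identity\Identities", "$common\ServicesManagerCache\Identities") {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                # Match any string value that carries an address in the old domain.
                if ($data -is [string] -and $data -like "*@$Domain*") {
                    [pscustomobject]@{
                        Sid = $Sid; Key = $key.Name; Value = $name; Data = $data
                    }
                }
            }
        }
    }
}

$hits = foreach ($p in Get-UserProfileSid) { Find-StaleOfficeIdentity $p.Sid $OldDomain }
if ($hits) { $hits | Format-List } else { "No identities referencing @$OldDomain found." }
```

A profile whose hive is not loaded is reported as skipped rather than clean, so a sweep run while the user is signed out does not prove the machine is free of old-domain entries.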

Active Work

  • Open items from CONTEXT.md (2026-04-30):
    • Capture sysadmin password for Server2013 into vault
    • Confirm Server 2012 EOL risk with Mike and recommend refresh / migration path
    • Discover and document: workstations, network, primary contact, full business purpose

History Highlights

| Date | Event |
|---|---|
| Post-2022 | Company rebranded from sombrahomes.com to sombraresidential.com |
| 2026-04-30 | Server2013 enrolled in GuruRMM (agent 5383e9c1). CONTEXT.md stub created by Howard. New PCs set up for staff (referenced as "the week prior" in 2026-05-06 log). |
| 2026-05-06 | Howard: Bryan's PC (DESKTOP-UQRN4K3) — Word/Excel ghost credential prompt for old domain bryan@sombrahomes.com. Root cause: Transwiz-migrated classic MAPI + LiveId entries from pre-rebrand machine. Three-pass registry cleanup via GuruRMM. Billed as warranty ($0) against ticket #32225 (invoice #67572). Revert scripts at C:\ProgramData\ACG\sombrahomes-cleanup-* on Bryan's PC. |
  • projects/gururmm — Server2013 and DESKTOP-UQRN4K3 enrolled (site: main office)