azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6582f73f87d1dfdfd4da5ff9e8c6abd5eae9a630
claudetools/wiki/clients/bg-builders.md
Mike Swanson f4fb131529 wiki: seed remaining clients and projects (batch 3) 
Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00

129 lines
5.6 KiB
Markdown
Raw Blame History

---
type: client
name: bg-builders
display_name: BG Builders LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/bg-builders/session-logs/2026-03-09-session.md
---
# BG Builders LLC
## Overview
- **Business type:** Construction / building contractor [unverified beyond name]
- **M365 tenant:** bgbuildersllc.com
- **Billing model:** Unknown — no billing data in session log
- **Contract status:** Unknown
- **CIPP Name:** sonorangreenllc.com (alternate tenant name in CIPP)
## Contacts
| Name | UPN | Access | Notes |
|---|---|---|---|
| Barry | barry@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from original termination |
| Shelly | Shelly@bgbuildersllc.com | FullAccess + SendAs on Lesley's mailbox | Set from re-enable script 2026-02-27 |
| Lesley Roth | lesley@bgbuildersllc.com | Disabled | Terminated employee; account preserved per client request |
## Infrastructure
*(not documented — session was M365 account disable/wipe focused; no on-premises infrastructure captured)*
## Network
*(not documented)*
## Cloud / M365
| Property | Value |
|---|---|
| Tenant domain | bgbuildersllc.com |
| Tenant ID | ededa4fb-f6eb-4398-851d-5eb3e11fab27 |
| CIPP Name | sonorangreenllc.com |
| Admin UPN | sysadmin@bgbuildersllc.com |
| Admin credentials | Vault only — do NOT hardcode |
| Intune / Business Premium | No — no Intune-managed devices |
| Lesley account state | Disabled (AccountEnabled: False), Litigation Hold: True, licenses still assigned |
> [WARNING] Session log contained plaintext M365 admin credentials (sysadmin@bgbuildersllc.com). Use vault only: `vault.sh get-field clients/bg-builders/m365`.
### Lesley Roth — account state as of 2026-03-09
| Property | Value |
|---|---|
| AccountEnabled | False (was already False from 2026-02-27 prior termination) |
| Mailbox type | UserMailbox |
| Litigation Hold | True |
| Licenses | Still assigned (per client request — not removed) |
| Barry access | FullAccess + SendAs |
| Shelly access | FullAccess + SendAs |
| iPhone 16 Pro (iOS 26.3.1) | AccountOnlyDeviceWipePending (active device, last sync 2026-03-09) |
| iPhone 14 Pro (iOS 18.5) | AccountOnlyDeviceWipePending (stale — last sync 2025-06-27, may never acknowledge) |
| OneDrive | Not addressed |
### 72-hour mail activity report (Lesley, 2026-03-06 to 2026-03-09)
- No suspicious activity found — no suspicious sent/deleted mail, no inbox rules, no forwarding configured.
- Report saved to: `D:\ClaudeTools\scripts\bgb-lesley-mail-report-20260309.txt`
### M365 PowerShell technical notes
- `Get-MessageTrace` deprecated Sep 2025 — use `Get-MessageTraceV2` (no `-PageSize` parameter).
- `Search-MailboxAuditLog` deprecated Jan 2026 — use `Search-UnifiedAuditLog`.
- Exchange Online `-Device` auth switch requires PowerShell 7 (`pwsh`), NOT Windows PowerShell 5.1.
- WAM broker auth requires a visible PowerShell window — cannot run from bash or non-interactive shell.
### Scripts created (2026-03-09)
| Script | Purpose |
|---|---|
| `scripts/bgb-lesley-disable-wipe.ps1` | Disable account + device email wipe |
| `scripts/bgb-lesley-mail-report.ps1` | 72-hour mail activity report |
| `scripts/bgb-lesley-verify-wipe.ps1` | Verify device wipe status |
## GuruRMM
*(not documented)*
## Active Projects / Open Items
| Priority | Item | Owner |
|---|---|---|
| P1 | iPhone 16 Pro (active) — wipe should have completed; verify status | Howard / Mike |
| P1 | iPhone 14 Pro (stale since 2025-06-27) — wipe likely never acknowledged; verify or close | Howard / Mike |
| P2 | Lesley's OneDrive access not addressed in this session | Mike |
| P3 | sysadmin password reset — admin lacked privilege to reset Lesley's password via script (403); was done manually via M365 Admin Center. Verify sysadmin role assignments are sufficient for future terminations | Mike |
## Key Events / History
### 2026-02-27 — First termination (prior session, minimal detail)
- Lesley's account was previously disabled and sessions revoked.
- Litigation hold was enabled.
- Barry given FullAccess + SendAs.
### 2026-03-09 — Employee disable and device wipe
Lesley Roth (lesley@bgbuildersllc.com) terminated employee offboarding:
- Account already disabled (AccountEnabled was already False from 2026-02-27).
- Sessions re-revoked (belt-and-suspenders).
- Password manually reset via M365 Admin Center to `bgb-pass-reset-2026!!` (script failed 403 — sysadmin lacked privilege). Store in vault; rotate if account still exists.
- AccountOnly device wipe initiated on both iPhones (removes M365 email only; personal data preserved).
- Shelly given FullAccess + SendAs (added this session via re-enable script logic).
- 72-hour mail activity report: nothing suspicious.
- Account NOT converted to shared mailbox; licenses NOT removed — per client request.
## Anti-Patterns / Warnings
- [WARNING] Plaintext M365 admin credentials in session log — use vault only.
- [WARNING] sysadmin account has insufficient privileges to programmatically reset user passwords (403 on password reset). Plan for Global Admin or verify role assignments before future offboardings.
- BG Builders has NO Intune / Business Premium — device management is via EAS ActiveSync only. AccountOnly wipes (not full Intune wipes) are the only available device action.
- iPhone 14 Pro last synced 2025-06-27 — wipe will never complete if device stays offline. Do not wait on it.
- Do NOT delete Lesley's account or remove licenses without explicit client instruction — client requested account preservation.
- CIPP name for this tenant is `sonorangreenllc.com` — use this when looking up the tenant in CIPP.
## Backlinks
- *(no related wiki articles yet)*
Reference in New Issue View Git Blame Copy Permalink