claudetools/wiki/clients/cascades-tucson.md

Commit e4d3c1f4c2 by Mike Swanson, 2026-05-24 16:40:36 -07:00: wiki/memory: Syncro contact rule is global, not Cascades-specific

Update cascades-tucson.md Syncro billing pattern to note the blank-contact
rule applies to all customers. Update feedback_syncro_cascades_contact.md
to be incident-detail only (Meredith Kuhn default), pointing to the global
rule in feedback_syncro_blank_contact.md. Update MEMORY.md index entry.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources / backlinks:
session-logs/2026-03-24-session.md
session-logs/2026-03-31-session.md
session-logs/2026-04-01-session.md
session-logs/2026-04-16-session.md
session-logs/2026-04-16-howard-client-docs-import.md
session-logs/2026-04-17-session.md
session-logs/2026-04-17-howard-session.md
session-logs/2026-04-18-session.md
session-logs/2026-04-20-session.md
session-logs/2026-04-20-mac-session.md
session-logs/2026-04-21-mac-vault-setup.md
session-logs/2026-04-21-howard-remediation-vault-gap.md
session-logs/2026-04-28-session.md
session-logs/2026-04-29-session.md
session-logs/2026-04-30-session.md
session-logs/2026-05-01-session.md
session-logs/2026-05-01-howard-syncro-billing-batch-and-tmp-path-incident.md
session-logs/2026-05-10-session.md
session-logs/2026-05-18-session.md
session-logs/2026-05-18-howard-billing-review-and-ticket-updates.md
session-logs/2026-05-20-session.md
session-logs/2026-05-21-session.md
session-logs/2026-05-23-session.md
session-logs/2026-05-24-GURU-KALI-session.md
clients/cascades-tucson/session-logs/2026-05-22-session.md
clients/cascades-tucson/docs/overview.md
clients/cascades-tucson/docs/network/topology.md
clients/cascades-tucson/docs/network/vlans.md
clients/cascades-tucson/docs/servers/cs-server.md
clients/cascades-tucson/docs/billing-log.md
.claude/memory/project_cascades_admin_accounts.md
.claude/memory/project_cascades_ca_phased_rollout.md
.claude/memory/project_cascades_pilot_cleanup.md
.claude/memory/feedback_syncro_cascades_contact.md
.claude/memory/feedback_cascades_user_security_group.md
.claude/memory/project-cascades-migration-plan.md
.claude/memory/feedback_cascades_folder_redirect.md
projects/gururmm

Cascades of Tucson

Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24.


Profile

  • Contract type: Prepaid hour block
  • Key contacts:
    • Winter — front desk / billing; handles invoice processing and prepaid block purchases
    • Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. NEVER set her as ticket contact in Syncro — she is the wrong default that keeps being selected.
    • John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
    • Lauren Hasselman — Accounting
    • Crystal Rodriguez — staff
    • Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
    • Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
    • Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
  • Billing rate: $175/hr all labor (prepaid block customer)
  • Hours remaining: ~37.5 hrs as of 2026-05-20. Always live-check via GET /customers/20149445 before billing — balance is unreliable across sessions. [verify]
  • Syncro customer ID: 20149445
  • Active tickets:
    • #110680053 — Dept-by-dept domain migration (primary active project; plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md)
    • #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
    • #109225085 — Yealink phone inventory
    • #109035475 — John Trozzi desktop WiFi upgrade (billed)

Infrastructure

Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). Single DC — CRITICAL risk. No backup. GuruRMM agent ID: 6766e973-e703-47c1-be56-76950290f87c |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | | Phones go down if R610 dies |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |

[WARNING] CS-SERVER hardware: Dell R610 with mixed SATA laptop drives (OS array, no hot spare) and enterprise SAS drives from 2015-2016. No backup exists. No second DC. Hardware will fail — DC migration is urgent.

[WARNING] HIPAA violation: No backup for CS-SERVER (§164.308(a)(7)). Synology Active Backup for Business is blocked (ext4 filesystem, not Btrfs).

Email & Identity

  • M365 tenant: cascadestucson.com | Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
  • M365 license: Business Standard (34 seats). Business Premium upgrade proposed (net -$56.50/mo savings after shared mailbox cleanup). 31 SPB seats reportedly free as of 2026-05-22 — relicensing time-sensitive.
  • On-prem AD domain: cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
  • MX / mail flow: Exchange Online (M365). SPF strict (-all). DKIM: both M365 selectors published. DMARC: p=none (monitoring only) — action needed: upgrade to p=quarantine. DMARC reports to info@cascadestucson.com (unmonitored).
  • MFA: CA policy "Require MFA for all users" is enabled. Caregiver bypass pilot in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
  • Entra Connect: Installed on CS-SERVER in staging mode as of 2026-04-25. Not yet exited staging. Exit from staging is a pending task.
  • Break-glass accounts: Two planned (breakglass1-csc@cascadestucson.com, breakglass2-csc@cascadestucson.com). FIDO2 YubiKeys ordered. Vault entries not yet created. [unverified — check if YubiKeys arrived and accounts created]
  • Admin accounts:
    • admin@cascadestucson.com — Mike's working admin (cloud-only, Connect-excluded by design)
    • sysadmin@cascadestucson.com — Howard's working admin (cloud-only, Connect-excluded by design)
  • ALIS (clinical SaaS): https://www.go-alis.com/ — Entra SSO configured but BLOCKED on Medtelligent enabling it on Cascades tenant. App registration values ready in vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml.
  • Yealink SDM: 16 SIP-T54W phones via YMCS portal. SDM token success 2026-05-08. ~30 phones still to roll as of 2026-05-10. [unverified — check current count]
  • Audit retention: Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription e507e953-2ce9-4887-ba96-9b654f7d3267, RG rg-audit-cascadestucson. Not yet built. Runbook: .claude/skills/remediation-tool/references/audit-retention-runbook.md.

Network

  • ISP / WAN: Dual-WAN Cox Fiber (primary, static 184.191.143.62/30, gateway 184.191.143.61) + Cox Coax (secondary, DHCP 72.211.21.217). Both WAN IPs added as Cascades Named Location in Entra (ID: 061c6b06-b980-40de-bff9-6a50a4071f6f).
  • Firewall: pfSense 24.0 at 192.168.0.1. All DHCP served here. Inter-VLAN routing. 236 resident room VLANs (per-room /28, 10.[floor].[room].0/28). Staff/infra VLAN 20 (10.0.20.0/24, gateway 10.0.20.1). Guest VLAN 50 (10.0.50.0/24, RFC1918 blocked).
  • Switching: Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Floors 2/3/4 switches pending hardware replacement.
  • WiFi SSIDs:
    • CSCNet — staff, VLAN 20
    • CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
    • Guest — isolated, VLAN 50
  • VoIP: AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed but infra must stay static.

Access

  • CS-SERVER: Via ScreenConnect or GuruRMM (agent ID: 6766e973-e703-47c1-be56-76950290f87c)
  • CS-SERVER iDRAC: 192.168.2.65
  • pfSense admin: https://192.168.0.1 — vault: clients/cascades-tucson/pfsense-firewall.sops.yaml
  • Synology DSM: http://192.168.0.120:5000 — vault: clients/cascades-tucson/ (existing entry)
  • M365 admin: admin@cascadestucson.com — vault: clients/cascades-tucson/m365-admin.sops.yaml
  • M365 sysadmin: sysadmin@cascadestucson.com — vault: clients/cascades-tucson/m365-sysadmin.sops.yaml
  • WiFi CSCNet: vault: clients/cascades-tucson/wifi-cscnet.sops.yaml
  • MDM service account: vault: clients/cascades-tucson/mdm-service-account.sops.yaml
  • ALIS SSO app registration: vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml
  • GuruRMM — RECEPTIONIST-PC: agent ID 9c91d324-1073-449c-8cc0-45c5bccfc218 (flaky WebSocket, may lag fleet updates)
  • Yealink YMCS portal: https://us.ymcs.yealink.com/manager/login — vault: infrastructure/voip-phones.sops.yaml
  • Remediation tool: Still on old app fabb3421 (ComputerGuru - AI Remediation) as of 2026-04-20. New tiered app suite not yet consented. [unverified — check if consented since then]
  • Vault root: clients/cascades-tucson/ in vault repo

Patterns & Known Issues

Syncro / Billing

  • Never set a contact on any Syncro ticket unless explicitly requested. This is a global rule, not Cascades-specific. At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects — she is not the correct contact. Leave contact_id blank; Syncro routes to the correct distribution emails automatically. Source: feedback_syncro_blank_contact.md.
  • Billing product for prepaid block draw: Use a real labor type (Remote, Onsite, etc.) — NOT "Prepaid project labor" (exempt, won't decrement the block).
  • Always live-check hours before billing: GET /customers/20149445 in Syncro. The 2026-05-01 invoice debit may not have fired correctly — treat all cached hour counts as approximate.

Active Directory / User Management

  • Security group assignment is always explicit. When creating or adding any Cascades user, always ask which security group(s). OU → group auto-mirror was explicitly declined 2026-05-14. OU placement controls Entra Connect sync scope; group membership controls CA policy — two separate deliberate decisions. Source: feedback_cascades_user_security_group.md.
  • New user mandatory order (folder redirection):
    1. Create AD user
    2. Run New-HomeFolder -Username "<sam>" on CS-SERVER (creates root + Desktop/Documents/Downloads/Music/Pictures with correct ACL)
    3. Add to SG-FolderRedirect
    4. THEN first domain logon
    Skipping step 2 causes fdeploy to cache a failure silently and never retry. Source: feedback_cascades_folder_redirect.md.
  • Folder redirect recovery: If fdeploy cached a failure ("No changes detected"), run clients/cascades-tucson/scripts/fix-shell-redirect.ps1 via GuruRMM while user is logged in. Must set both GUID-based and legacy-name registry keys. Folders must already exist on server.
  • fdeploy1.ini flags: Changed from Flags=1211 (included Grant Exclusive Rights bit 0x400, causing WRITE_DAC failures on new subfolders) to Flags=187. File at {512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini on CS-SERVER.
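As an added example (not a script from the wiki or from ACG), a PowerShell wrapper for CS-SERVER that enforces the four-step order above by keeping the account disabled until the home folders exist and the groups are set, plus a check that no fdeploy1.ini value still carries the 0x400 bit. It assumes the wiki's existing New-HomeFolder function is loaded, that the homes root is D:\Homes\<sam>, and a standard SYSVOL prefix in front of the GPO path given above; the OU path and security groups are supplied explicitly by the operator.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the wiki's own tooling. Assumes New-HomeFolder (the
# existing CS-SERVER function) is loaded and the homes root is D:\Homes\<sam>.

function New-CascadesUser {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $FullName,
        [Parameter(Mandatory)] [string]   $OuPath,          # sets Entra Connect sync scope
        [Parameter(Mandatory)] [string[]] $SecurityGroups,  # sets CA policy; never inferred from OU
        [string] $HomesRoot = 'D:\Homes'                    # assumption: root of the Homes share
    )
    # Step 1: create the account DISABLED so nobody can log on before steps 2-3 finish.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"
    New-ADUser -SamAccountName $SamAccountName -Name $FullName -Path $OuPath `
        -UserPrincipalName "$SamAccountName@cascadestucson.com" `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $false

    # Step 2: build the redirected-folder tree with the correct ACLs, then verify it,
    # because fdeploy silently caches a failure if a folder is missing at first logon.
    New-HomeFolder -Username $SamAccountName
    $missing = 'Desktop','Documents','Downloads','Music','Pictures' |
        ForEach-Object { Join-Path $HomesRoot "$SamAccountName\$_" } |
        Where-Object { -not (Test-Path $_) }
    if ($missing) { throw "Account left disabled; folders missing: $($missing -join ', ')" }

    # Step 3: SG-FolderRedirect plus the groups the operator chose explicitly.
    $groups = @('SG-FolderRedirect') + $SecurityGroups | Select-Object -Unique
    foreach ($group in $groups) { Add-ADGroupMember -Identity $group -Members $SamAccountName }

    # Step 4: only now permit the first domain logon.
    Enable-ADAccount -Identity $SamAccountName
    "$SamAccountName enabled; member of: $($groups -join ', ')"
}

# Flag any fdeploy1.ini value that still carries the Grant Exclusive Rights bit.
# 1211 = 0x4BB has 0x400 set; 187 = 0xBB is the same value with it cleared.
function Test-FdeployExclusiveRights {
    param(
        # Assumption: standard SYSVOL layout in front of the GPO path given in the wiki.
        [string] $IniPath = '\\cascades.local\SYSVOL\cascades.local\Policies\{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini'
    )
    $GrantExclusiveRights = 0x400
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*([^=;\[]+)=(\d+)\s*$') {
            $key = $Matches[1].Trim(); $value = [int]$Matches[2]
            if ($value -band $GrantExclusiveRights) {
                '{0}={1} still has 0x400 set; cleared value is {2}' -f $key, $value, ($value -bxor $GrantExclusiveRights)
            }
        }
    }
}
```

Run Test-FdeployExclusiveRights after any GPO edit; it should print nothing once every flag value is 187-style (bit 0x400 clear).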

Conditional Access / Caregiver Pilot

  • Phased rollout — never tenant-wide. CA policies for caregivers target SG-Caregivers-Pilot only (then SG-Caregivers after Entra Connect exits staging). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on excludeGroups, never replace. Source: project_cascades_ca_phased_rollout.md.
  • Caregiver CA policy set:
    • PATCH legacy MFA-all-users: add SG-Caregivers-Pilot to excludeGroups
    • CREATE CSC - Block caregivers off Cascades network (BLOCK if location not Cascades)
    • CREATE CSC - Block caregivers on non-compliant device (BLOCK if device non-compliant)
    • CREATE CSC - Caregiver sign-in frequency 8h
  • GDAP exclusion: CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + SG-External-Signin-Allowed + SG-Break-Glass, otherwise ACG partner admins lose access at CA cutover.
  • Pilot cleanup required when done: Delete pilot.test@cascadestucson.com, clean up howard.enos@cascadestucson.com, remove SG-Caregivers-Pilot from CA policy targets and delete the group. Source: project_cascades_pilot_cleanup.md.
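As an added example (not the wiki's or ACG's tooling), the "PATCH excludeGroups, never replace" step above implemented against Microsoft Graph with the SDK's Invoke-MgGraphRequest: it reads the policy, refuses to touch a BLOCK policy that is missing the GDAP / SG-External-Signin-Allowed / SG-Break-Glass exclusions, and sends the merged users object back. It assumes an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and Group.Read.All; the policy ID is supplied by the operator and group IDs are resolved from the wiki's group names at run time.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
# Added example, not the wiki's own tooling. Needs an existing session:
# Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Group.Read.All
# Group names are the wiki's; IDs are resolved at run time, nothing is hard-coded.

function Get-GroupId([string] $DisplayName) {
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id
    if (-not $g) { throw "Group not found: $DisplayName" }
    return $g.Id
}

function Add-CaPolicyExcludeGroup {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [Parameter(Mandatory)] [string] $GroupDisplayName   # e.g. the next department's SG
    )
    $uri    = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$PolicyId"
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
    $users  = $policy.conditions.users

    # Guard from the wiki: a BLOCK policy must keep excluding GDAP service-provider
    # users, SG-External-Signin-Allowed and SG-Break-Glass, or ACG admins lock out at cutover.
    if ($policy.grantControls.builtInControls -contains 'block') {
        $ext = $users.excludeGuestsOrExternalUsers
        if (-not ($ext -and $ext.guestOrExternalUserTypes -match 'serviceProvider')) {
            throw "'$($policy.displayName)' does not exclude service provider (GDAP) users"
        }
        foreach ($name in 'SG-Break-Glass', 'SG-External-Signin-Allowed') {
            if (@($users.excludeGroups) -notcontains (Get-GroupId $name)) {
                throw "'$($policy.displayName)' is missing exclude group $name"
            }
        }
    }

    # Merge, never replace: the PATCH carries the whole users object, so every
    # existing include/exclude goes back unchanged with the new group appended.
    $excludes = @(@($users.excludeGroups) + (Get-GroupId $GroupDisplayName) | Select-Object -Unique)
    $body = @{ conditions = @{ users = @{
        includeUsers  = $users.includeUsers;  excludeUsers  = $users.excludeUsers
        includeGroups = $users.includeGroups; excludeGroups = $excludes
        includeRoles  = $users.includeRoles;  excludeRoles  = $users.excludeRoles
        includeGuestsOrExternalUsers = $users.includeGuestsOrExternalUsers
        excludeGuestsOrExternalUsers = $users.excludeGuestsOrExternalUsers
    } } }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 10)
    "Added $GroupDisplayName to excludeGroups of '$($policy.displayName)'"
}
```

Re-read the policy with a GET after the PATCH and confirm the previous excludes are still present before moving on to the next department.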

Security Incidents (historical)

  • Megan Hiatt (2026-04-16): Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached).
  • John Trozzi (2026-04-16, 2026-04-20): Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in clients/cascades-tucson/reports/.
  • Crystal Rodriguez (2026-04-19): Phishing investigation. Report: clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md.
  • Canva email delivery (2026-05-20): Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies.
  • dunedolly21@gmail.com: External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified]

HIPAA Compliance

  • Primary objective. Cascades stores PHI on CS-SERVER and uses ALIS for clinical records.
  • Critical open gaps: No backup (§164.308(a)(7)); no audit logging on D:\Homes (§164.312(b)); Object Access auditing disabled; no SMB encryption on homes share; no file access auditing.
  • Restored 7 deleted mailboxes (2026-04-25) for HIPAA §164.316(b)(2) 7-year retention.
  • Termination policy established: Convert to shared mailbox, hide from GAL, retain 7 years.

Active Work

Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).

Migration phase status (approx. as of 2026-05-22):

| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect incomplete (manually fixed) |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Passwords didn't work 2026-05-21, machine not accessible — pending |
| DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |

Blocking issues / pending:

  • Entra Connect: exit staging (requires OU=Administrative UPN changes + cascadestucson.com UPN suffix for that OU)
  • M365 relicensing: 31 Business Standard → Business Premium (time-sensitive, 31 SPB seats reportedly free)
  • ALIS SSO: blocked on Medtelligent
  • Break-glass accounts: not created
  • Audit retention infra: not built
  • RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet

History Highlights

| Date | Event |
|---|---|
| 2026-03-06 | ACG onboarding begins. Initial audit (CS-SERVER Dell R610, pfSense, UniFi, Synology). 19 machines. No backup, no HIPAA compliance. |
| 2026-03-09 | AD security hardening: Monica Ramirez removed from Domain Admins, lockout policy fixed, AD Recycle Bin enabled, MachineAccountQuota set to 0. |
| 2026-03-31 | Cascades onboarded to remediation tool. Tenant ID documented. 50 users, Secure Score 34%. |
| 2026-04-13 | Major onsite: 13 stale AD accounts deleted, OU structure cleaned, UPNs migrated to cascadestucson.com, Homes share created, Folder Redirection GPO deployed (registry workaround), first domain joins. |
| 2026-04-14 | Sandra Fish global admin revoked. ALIS SSO confirmed. Business Premium proposal created. |
| 2026-04-16 | Breach checks: Megan Hiatt (credential stuffing, not breached; password reset). John Trozzi (clean). Crystal Rodriguez phish. /remediation-tool skill built. |
| 2026-04-17 | Howard onsite: folder redirect Sharon Edwards diagnosis. John Trozzi WiFi (TP-Link + UniFi roaming instability). |
| 2026-04-25 | Entra Connect installed on CS-SERVER (staging mode). 7 deleted mailboxes restored for HIPAA. Dual-WAN discovered. |
| 2026-04-28-29 | CA policy reconciliation. Audit retention architecture (ACG-billed, LAW 90d + Storage 6yr). Break-glass design (2 accounts, YubiKeys). Caregiver pilot scope corrected (phased only). |
| 2026-04-30 | CA rollout (Report-only mode): 3 caregiver policies created. SDM bootstrap. |
| 2026-05-01 | Howard billed 33.5 hrs against prepaid block on Entra project ticket #32214 ($0 invoice). |
| 2026-05-07-08 | SDM phone provisioning. SDM token success. ALIS SSO app registration values captured to vault. |
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work. Comment posted to migration ticket. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |

Compilation Notes

Session logs read: 25 root session logs + client-specific logs in clients/cascades-tucson/session-logs/ + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-05-24.

Client folder: clients/cascades-tucson/ (NOT clients/cascades/ — that directory does not exist).

Open items flagged as unverified:

  • Hour balance — always live-check; 2026-05-01 invoice debit may not have fired correctly
  • New tiered remediation app suite — Cascades still on old fabb3421 as of 2026-04-20; unknown if consented since
  • DMARC p=none — action item from 2026-04-20, no evidence of resolution
  • Break-glass accounts + YubiKeys — decision 2026-04-29, no evidence of execution
  • Audit retention infra — approved 2026-04-29, not yet built
  • dunedolly21@gmail.com guest invite — confirm with Lauren
  • projects/gururmm — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled