- Full tenant verification sweep: all Intune/Entra objects match session logs - Entra Connect staging mode exited; 17 AD groups synced to cloud - CA policies (Block-off-network, Sign-in-frequency-8h, Block-non-compliant) patched from SG-Caregivers-Pilot to AD-synced SG-Caregivers - Registration Campaign exclusion updated to SG-Caregivers - Deleted test accounts: howard.enos (AD) and pilot.test (M365) - Documented Christine Nyanzunda collision risk, Ederick Yuzon open item, standing security-group rule - Session log written Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Cascades of Tucson — Client Context
**Last updated:** 2026-05-05 (Howard) — refreshed GuruRMM agent roster (was stale at 2 agents; live count is 27).
## Identity
- Business: Cascades of Tucson (senior living community)
- Syncro customer ID: **20149445**
- Primary contact: Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171
- Location: 201 N Jessica Ave, Tucson AZ 85710
Full contact list + Wi-Fi, KPAX, M365 admin, UniFi hardware MACs, GoDaddy are in the Syncro customer notes field for 20149445.
## Infrastructure
| Resource | Address | Vault path |
|---|---|---|
| pfSense firewall | 192.168.0.1 | `clients/cascades-tucson/pfsense-firewall.sops.yaml` |
| Synology NAS `cascadesds` | 192.168.0.120:5000 (DSM) | `clients/cascades-tucson/synology-cascadesds.sops.yaml` |
| CS-SERVER (DC + file server) | reachable at 192.168.2.254 from the Wi-Fi-2 subnet on DLTAGOI; domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |
| `svc-audit-upload` | service account for Syncro audit upload to `AuditDrop$` share | `clients/cascades-tucson/svc-audit-upload.sops.yaml` |
| `\\CS-SERVER\homes` | file share at `D:\Homes`; per-user subfolders for folder redirection. Domain Users: Change. Domain Admins: Full. **EncryptData currently false — HIPAA workitem to flip on.** | — |
## M365 admin model
Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
Mike's design intent (confirmed 2026-04-29): **the cloud admin layer is fully separated from the on-prem AD admin layer.**
| Account | Layer | Synced via Connect? | Purpose |
|---|---|---|---|
| On-prem AD `Administrator` | On-prem only | No (separate identity layer) | DC + file server admin, GPO, on-prem services. Never authenticates to M365. |
| `admin@cascadestucson.com` | Cloud-only | **No — intentionally Connect-excluded** | Cascades day-to-day cloud GA |
| `sysadmin@cascadestucson.com` | Cloud-only | **No — intentionally Connect-excluded** | Howard's tech account / cloud admin work |
| ACG GDAP partner principals | Foreign principals | N/A | MSP delivery (Mike + Howard from `@azcomputerguru.com`) |
| `breakglass1-csc@cascadestucson.com` | Cloud-only | No (definitionally) | Emergency primary — FIDO2 YubiKey at Cascades sealed envelope |
| `breakglass2-csc@cascadestucson.com` | Cloud-only | No (definitionally) | Emergency secondary — FIDO2 YubiKey at ACG safe |
**When Entra Connect exits staging mode** (Wave 0.5 G3-G5), admin@ and sysadmin@ stay cloud-only — they must remain in the Connect filter exclusion. Verify after every Connect sync rule change.
CA targeting consequences:

- admin@/sysadmin@: subject to all Cascades CA; must be in `SG-External-Signin-Allowed` for off-network admin work
- `SG-Break-Glass`: excluded from all CA (must add exclusion to every new policy)
- ACG GDAP foreign principals: excluded from blocking policies via the "Service provider users" condition (Microsoft's CA UI), NOT via group membership
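
A post-change check for the two invariants above (the cloud-only admin and break-glass accounts stay Connect-excluded; `SG-Break-Glass` is excluded from every CA policy), added here as an example and not one of the runbook's own scripts. It assumes the Microsoft.Graph PowerShell SDK and a caller with read access to users, groups and CA policies; the group is looked up by its display name `SG-Break-Glass`.

```powershell
# Added verification example (not part of the original runbook).
# Assumes the Microsoft.Graph PowerShell SDK and read access to users,
# groups and Conditional Access policies in the Cascades tenant.
Connect-MgGraph -TenantId '207fa277-e9d8-4eb7-ada1-1064d2221498' `
    -Scopes 'User.Read.All','Group.Read.All','Policy.Read.All' -NoWelcome

# 1. Accounts that must never become Connect-synced.
$cloudOnly = 'admin@cascadestucson.com', 'sysadmin@cascadestucson.com',
             'breakglass1-csc@cascadestucson.com', 'breakglass2-csc@cascadestucson.com'
foreach ($upn in $cloudOnly) {
    $u = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId'
    # Either flag set means the object was matched to an AD user by Connect.
    if ($u.OnPremisesSyncEnabled -or $u.OnPremisesImmutableId) {
        Write-Warning "$upn is synced from AD (SyncEnabled=$($u.OnPremisesSyncEnabled); ImmutableId set=$([bool]$u.OnPremisesImmutableId)) - Connect filter exclusion lost"
    } else {
        Write-Host "OK  $upn is cloud-only"
    }
}

# 2. SG-Break-Glass must appear in the user exclusions of every non-disabled CA policy
#    (report-only policies are checked too, since they will be enforced later).
$bg = Get-MgGroup -Filter "displayName eq 'SG-Break-Glass'"
if (-not $bg) { throw 'SG-Break-Glass group not found in tenant' }
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies | Where-Object { $_.State -ne 'disabled' }) {
    $excluded = @($p.Conditions.Users.ExcludeGroups) -contains $bg.Id
    if ($excluded) {
        Write-Host "OK  [$($p.State)] $($p.DisplayName)"
    } else {
        Write-Warning "[$($p.State)] '$($p.DisplayName)' does not exclude SG-Break-Glass"
    }
}
```

Run it after every Connect sync-rule change and after creating or editing a CA policy; any `WARNING` line is a finding to fix before closing the change.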
## User onboarding — security group is a deliberate decision
**Rule (2026-05-14):** When any Cascades user is created (AD or M365), the security group(s) they belong to must be **asked and decided explicitly** at creation time — never auto-derived from the OU, department, or title.
- **OU placement** is mechanical — it controls whether the account syncs (Entra Connect scope). Caregivers go in `OU=Caregivers`.
- **Security group membership** is an access-control decision — it controls what permissions and Conditional Access policies apply, and is reviewed/chosen per user.
An `OU=Caregivers` -> `SG-Caregivers` auto-mirror script was considered and explicitly declined — the deliberate per-user review is the point. For caregivers: create in `OU=Caregivers` (sync) AND deliberately add to `SG-Caregivers` (CA coverage). Two separate, intentional steps.
## GuruRMM
- Client: **Cascades of Tucson** (code `CASC`, id `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`)
- Site: **CascadesTucson** (code `GOLD-MOON-4620`, id `c157c399-82d3-4581-979a-b9fad70f4fef`)
- Agent enrollment key: encrypted at `clients/cascades-tucson/gururmm-site-main.sops.yaml` (shown once by the API; do not regenerate unless compromised — agents using the current key keep working on regeneration only if the server rotates atomically)
### Agents currently enrolled
**27 agents enrolled at site CascadesTucson.** Mass-enrolled 2026-04-18 onward via ScreenConnect Commands tab. Roster snapshot below from GuruRMM API on 2026-05-05; status reflects heartbeat at query time and will drift — query the API for live status.
Live query:

```bash
curl -H "Authorization: Bearer $TOKEN" \
  "https://rmm-api.azcomputerguru.com/api/agents?site_id=c157c399-82d3-4581-979a-b9fad70f4fef" \
  | jq '[.[] | {hostname, id, status, os_version}] | sort_by(.hostname)'
```
| Hostname | Role / User | Agent ID | OS | Status (2026-05-05) |
|---|---|---|---|---|
| ACCT2-PC | Accounting workstation #2 | `9b51e554-45d8-4737-96f5-116c1b1a7589` | Win 11 (26200) | online |
| ANN-PC | (unmapped) | `ac99eec0-0db5-49d7-98ce-22c0375c50c7` | Win 11 (26200) | online |
| ASSISTMAN-PC | Assistant Manager workstation | `b4aed953-94e9-4abe-9dc9-1b879b1ace55` | Win 11 (26200) | online |
| ASSISTNURSE-PC | Assistant Nurse workstation | `a289145a-dea9-4948-b495-50fc71397612` | Win 10 (19045) | online |
| CHEF-PC | Kitchen workstation (Chef JD; chefs Castaneda/Sabia) | `a2cedfea-8239-4cab-bff7-54d99c417ed1` | Win 11 (26200) | online |
| CRYSTAL-PC | Crystal Rodriguez | `ca805b36-ef07-4947-b653-8dc6d08dffdc` | Win 11 (22631) | online |
| CS-SERVER | Domain controller / file server (`cascades.local`) | `6766e973-e703-47c1-be56-76950290f87c` | Win Server (17763) | online |
| DESKTOP-DLTAGOI | Life Enrichment test workstation (Sharon Edwards) | `0ed72c1c-40c7-4bd4-afed-e0bcb198936f` | Win 11 (26200) | online |
| DESKTOP-H6QHRR7 | (unmapped — needs hostname rename) | `42fc36f8-cb44-478b-a847-d539db2c1d98` | Win 11 (26200) | online |
| DESKTOP-KQSL232 | (unmapped — needs hostname rename) | `6ed34a4b-8edb-4d9c-81c9-172dba1e34de` | Win 10 (19045) | online |
| DESKTOP-LPOPV30 | (unmapped — needs hostname rename) | `82002bac-09fd-49ba-97ab-8ea138d36d83` | Win 11 (26200) | online |
| DESKTOP-MD6UQI3 | (unmapped — needs hostname rename) | `ebaea7db-f2b6-4205-9aea-1043a9db38b8` | Win 11 (26200) | offline |
| DESKTOP-ROK7VNM | (unmapped — needs hostname rename) | `7272ac19-818e-4ab5-b5e6-baed04281e64` | Win 11 (26200) | online |
| DESKTOP-TRCIEJA | (unmapped — needs hostname rename) | `6bac1935-ba7c-41e1-8fab-be20a7c33570` | Win 11 (22000) | offline |
| DESKTOP-U2DHAP0 | (unmapped — needs hostname rename) | `14ff2427-f376-4aed-859f-37946cf5f679` | Win 11 (26200) | offline |
| LAPTOP-8P7HDSEI | (unmapped — needs hostname rename) | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | Win 10 (19045) | online |
| LAPTOP-DRQ5L558 | (unmapped — needs hostname rename) | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Win 11 (26200) | online |
| LAPTOP-E0STJJE8 | (unmapped — needs hostname rename) | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Win 11 (26200) | online |
| Laptop2 | (unmapped) | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | Win 11 (26200) | online |
| Laptop4 | (unmapped) | `3d45b8d1-3d23-438c-ab0d-1889fc09b4bf` | Win 11 (26100) | offline |
| MAINTENANCE-PC | Maintenance workstation | `d0a9694d-1525-4db8-9f12-e33e3538be13` | Win 11 (26200) | online |
| MDIRECTOR-PC | Memory Care Director (Shelby Trozzi) | `018663fc-c676-4374-8c10-086a47d034eb` | Win 11 (26200) | online |
| MEMRECEPT-PC | Memory Care reception | `797e5cd1-0f57-4ead-9c7b-355041750026` | Win 10 (19045) | online |
| NURSESTATION-PC | Nurse station workstation | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | Win 11 (26200) | online |
| NurseAssist | Nursing assist workstation | `367abfd7-2ca8-4097-ad05-03ac89d3f5c1` | Win 11 (26200) | offline |
| RECEPTIONIST-PC | Front reception | `9c91d324-1073-449c-8cc0-45c5bccfc218` | Win 11 (26200) | online |
| SALES4-PC | Sales workstation #4 | `74256841-02a6-452b-987a-4bdfb42df6e1` | Win 11 (26200) | online |
**Notes:**

- Hostnames matching `DESKTOP-*` / `LAPTOP-*` / `LaptopN` patterns retain manufacturer defaults — flagged for fleet-wide rename to a Cascades convention; ties into the M365 Intune naming work.
- Every workstation onboarded since 2026-04-18 still has the previous-MSP agent stack running concurrently (Datto RMM/AV/EDR/Infocyte + Syncro RMM + Splashtop). See parent fleet-cleanup decision pending Mike's call (logged 2026-05-05 chef-pc-slow log, "Note for Mike").
### Agent deployment (ScreenConnect)
```powershell
# Download the latest GuruRMM Windows agent and enroll it against the CascadesTucson site.
# Paste as a single command into the ScreenConnect Commands tab (runs as SYSTEM).
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
# --api-key is the site agent enrollment key (see "Agent enrollment key" above).
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key 'grmm_3gGYreG0u_QCvt5v3lDVKwLhZDAzF4On'
```
Run via ScreenConnect Commands tab (SYSTEM context). Agent heartbeats within ~60 seconds.
## Active project — folder redirection GPO rollout
**Goal:** HIPAA-compliant user data storage. Everyone's Documents/Downloads/Desktop/Pictures on `\\CS-SERVER\homes\<username>\`, driven by per-OU folder redirection GPOs.
**Status:** pattern validated on one user (Sharon Edwards in Life Enrichment). Documents + Downloads successfully redirecting through GPO `CSC - Folder Redirection (LE)` ({889BE7BE-202E-4153-89AD-B5DB62A52D25}). Explorer sidebar working. Detailed journey in `session-logs/2026-04-17-howard-cascades-onboarding-and-folder-redirection.md`.
**Next:** second LE machine end-to-end tomorrow, then Desktop + other folders, then matching GPOs for other departments.
### Known traps
- **Every ProfWiz-migrated user has potentially poisoned `User Shell Folders`** pointing at `C:\Windows\system32\config\systemprofile\...`. Check first, clean before testing redirection. Script: `scripts/hive-cleanup-shellfolders.ps1`.
- **GPMC on Server 2019/2022 writes `fdeploy1.ini` incorrectly when adding + modifying entries in the same editor session.** Workaround: one folder per save, close/reopen editor between adds.
- **Explorer sidebar uses the KnownFolder GUID form** (`{FDD39AD0-...}` for Documents, `{374DE290-...}` for Downloads), not legacy names. CSE may set only the legacy name — manually mirror to the GUID form if sidebar doesn't resolve. Script: `scripts/fix-live-shellfolders.ps1`.
- **Some machines have Documents/Desktop in OneDrive (Known Folder Move).** Don't apply the GPO until OneDrive KFM is unlinked and data is migrated back to local — otherwise data leaves OneDrive's scope and may be orphaned.
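
A read-only audit for the first trap, added here as an example (it is not `scripts/hive-cleanup-shellfolders.ps1` and does not clean anything): it walks every loaded user hive under HKEY_USERS and reports `User Shell Folders` / `Shell Folders` values whose unexpanded data points into `C:\Windows\system32\config\systemprofile`. It assumes it runs as SYSTEM (e.g. from the ScreenConnect Commands tab) so all logged-on users' hives are visible; the function name `Test-ShellFolderPoisoning` is hypothetical.

```powershell
# Added audit example (not the runbook's hive-cleanup script). Read-only: reports, never fixes.
# Run as SYSTEM so every loaded user hive under HKEY_USERS is readable.
$badRoot = 'C:\Windows\system32\config\systemprofile'
$subKeys = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
           'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

function Test-ShellFolderPoisoning {
    # Returns one object per poisoned value across all loaded user hives (hypothetical helper name).
    $findings = @()
    # Real domain/local user SIDs only; skips *_Classes hives and well-known/service SIDs.
    $hives = Get-ChildItem Registry::HKEY_USERS |
             Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        foreach ($sub in $subKeys) {
            $key = Get-Item -Path "Registry::HKEY_USERS\$($hive.PSChildName)\$sub" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                # Read the RAW data. A healthy REG_EXPAND_SZ value is '%USERPROFILE%\Documents', which
                # Get-ItemProperty would expand to systemprofile when running as SYSTEM (false positive);
                # a poisoned value holds the literal systemprofile path instead.
                $raw = [string]$key.GetValue($name, $null,
                           [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                if ($raw -like "$badRoot*") {
                    $findings += [pscustomobject]@{
                        SID   = $hive.PSChildName
                        Key   = $sub.Split('\')[-1]
                        Name  = $name
                        Value = $raw
                    }
                }
            }
        }
    }
    return $findings
}

$poisoned = Test-ShellFolderPoisoning
if ($poisoned) {
    $poisoned | Format-Table -AutoSize
    Write-Warning "$(@($poisoned).Count) poisoned shell-folder value(s) found - run hive cleanup before testing redirection"
} else {
    Write-Host 'No systemprofile shell-folder paths found in loaded user hives'
}
```

Hives of users who are not logged on are not loaded and so are not checked; load them with `reg load` from the profile's `NTUSER.DAT` first if a full per-machine sweep is needed.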
### GPO backups
On CS-SERVER: `C:\GPO-Backups\pre-fix-20260417-221701\` — broken-state backup ID `9c6ff7c9-0942-4cfb-b4a5-936913a3da87`. `Restore-GPO -BackupId 9c6ff7c9-... -Path C:\GPO-Backups\pre-fix-20260417-221701 -TargetGuid 889be7be-202e-4153-89ad-b5db62a52d25` to roll back.