Notable findings per article:

- internal-infrastructure: Neptune cert expires 2026-05-31, DkimSigner disabled (unsigned outbound mail), Cloudflare tunnel on Jupiter
- peaceful-spirit: L2TP/IPsec RRAS VPN; billing/Syncro ID undocumented
- cryoweave: website redesign pending client assets
- glaztech: phishing bypassed MailProtector via secondary MX (fixed); no MFA enforcement yet; do not enable Security Defaults yet
- pavon: OwnCloud cron stacking fixed; Nextcloud migration deferred
- grabb-durando: plaintext DB password in README needs vaulting; AI demand review app scoped
- stamback-septic: WS2012 EOL server on network
- sombra-residential: Server2013 is actually WS2012 EOL unpatched
- birth-biologic: Datto→SharePoint migration unconfirmed complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
155 lines
13 KiB
Markdown
---
type: client
name: peaceful-spirit
display_name: Peaceful Spirit Therapeutic Massage
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/peaceful-spirit/session-logs/2026-05-10-session.md
  - clients/peaceful-spirit/session-logs/2026-05-11-session.md
  - clients/peaceful-spirit/session-logs/2026-05-22-session.md
backlinks:
  - projects/gururmm
---

# Peaceful Spirit Therapeutic Massage

Massage therapy practice with at least two sites: Country Club (primary, all work performed here) and a Northwest (NW) site. On-premises Windows Server 2016 Essentials domain environment. Domain-joined workstations for Mara (owner/operator) and other staff. VPN and identity infrastructure work is active as of May 2026.
---

## Profile

- **Contract type:** Break-fix / project [unverified — no contract details found in session logs]
- **Key contacts:**
  - Mara — primary point of contact; owner/operator; personal Microsoft account `mara.concordia@gmail.com` (OneDrive). Domain user: `mara` (password reset to SpiritWalk26! on 2026-05-22, PasswordNeverExpires=true).
  - Bridgette — staff member with home computer (BridgettePSHomeComputer); no contact details captured.
- **Billing rate:** [unverified — not documented in session logs]
- **Syncro customer ID:** [unverified — not found in session logs]
- **Active tickets:** [unverified — no Syncro ticket numbers found in session logs]
---

## Infrastructure

### Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| PST-SERVER | 192.168.0.2 | DC, DNS, RRAS (L2TP/IPsec VPN), NPS, Enterprise Root CA (AD CS) | Windows Server 2016 Essentials (build 14393) | GuruRMM agent ID: `6b6106a7-8515-4b6b-857d-0dc6ede53f35`. Win32-OpenSSH installed 2026-05-11. |
| UCG-PST-CC | 192.168.0.10 (LAN) / 98.190.129.150 (WAN) | UniFi Cloud Gateway — perimeter router + DNAT for VPN | UniFi OS | SSH: root@98.190.129.150 (not accessible from office WAN; use UCG cloud portal or on-site). VPN termination was formerly UCG-hosted (strongSwan/xl2tpd) — abandoned 2026-05-22 in favor of RRAS on PST-SERVER. |

**Note:** An NW (Northwest) site exists with a separate UCG that previously had an OpenVPN server at 64.139.88.249:1194 (TCP). No further NW site details are documented.
### Domain & Identity

- **Domain:** PEACEFULSPIRIT.local
- **Domain admins:** `sysadmin` (password: vault) — this is the domain admin account. `pst-admin` is a domain user (not domain admin) with VPN dial-in permission.
- **AD domain SID base:** S-1-5-21-1105246401-3156558273-4088333098
- **CA:** PEACEFULSPIRIT-PST-SERVER-CA — Enterprise Root CA on PST-SERVER. Thumbprint: 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid to 3/8/2061).
- **VPN-eligible users (WseRemoteAccessUsers):** Domain Admins (group), PSTAdmin, pst-admin, LMT, Mara.
- **OneDrive:** pst-admin uses personal OneDrive (mara.concordia@gmail.com, cid: 25f0851177ceabfd). Per-machine OneDrive (v26.063.0405.0002) deployed to Maras-HP-Laptop on 2026-05-11 via `/allusers` install.
- **Email / M365:** [unverified — no M365 tenant found; practice likely uses personal or third-party email]
### Network

- **WAN IP:** 98.190.129.150 (Country Club site, UCG)
- **LAN subnet:** 192.168.0.0/24
- **DNS / DC:** 192.168.0.2 (PST-SERVER)
- **VPN (current — L2TP/IPsec):**
  - Endpoint: PST-SERVER RRAS at 192.168.0.2, exposed via UCG DNAT (UDP 500, 4500, ESP)
  - PSK: vault (`clients/peaceful-spirit/vpn.sops.yaml`)
  - Auth: MSCHAPv2, user pst-admin
  - IP pool: 192.168.0.240+ (observed: .241)
  - VPN profile name on clients: "Peaceful Spirit VPN" (AllUserConnection, split tunnel, 192.168.0.0/24 route, NRPT for .peacefulspirit.local → 192.168.0.2)
  - UCG persistence: `/data/on_boot.d/10-vpn-portforward.sh`
- **GPO:** "Block New Outlook" — GUID {577028AF-0901-4BDF-A283-CD1156F313D9}, linked to domain root. Disables new Outlook experience across all domain machines.
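The client-side profile described above, written out as an added example (this is not the deployment script from the session logs). It splits the work into the part that runs fine under SYSTEM through the RMM (profile, split-tunnel route, NRPT rule) and the part that has to be done interactively (the L2TP PSK), and ends with a rasdial check of the kind used to confirm MaraHomeNew. The function names are this example's own; the server address, LAN prefix, DC address and namespace are the values listed above, and the PSK and the pst-admin password are assumed to be read from the vault at run time.

```powershell
# Added example: deploy the "Peaceful Spirit VPN" L2TP/IPsec profile.
# Not the session-log script; function names are this example's own.
# Secrets (PSK, pst-admin password) are expected from the vault at run time.
$ConnName  = 'Peaceful Spirit VPN'
$VpnServer = '98.190.129.150'        # Country Club UCG WAN IP, DNAT to PST-SERVER RRAS
$LanPrefix = '192.168.0.0/24'
$DcIp      = '192.168.0.2'
$Namespace = '.peacefulspirit.local'

function Install-PstVpnProfile {
    # Everything in this function works from SYSTEM, so it can be pushed via RMM.
    if (-not (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer -TunnelType L2tp `
            -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
            -SplitTunneling -RememberCredential -AllUserConnection -Force
    }
    $conn = Get-VpnConnection -Name $ConnName -AllUserConnection
    # Split tunnel: only the office LAN is routed through the VPN.
    if (-not ($conn.Routes | Where-Object { $_.DestinationPrefix -eq $LanPrefix })) {
        Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $LanPrefix -AllUserConnection
    }
    # Add-VpnConnectionTriggerDnsConfiguration fails for AllUserConnection profiles,
    # so point the internal zone at the DC with an NRPT rule instead.
    if (-not (Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace })) {
        Add-DnsClientNrptRule -Namespace $Namespace -NameServers $DcIp -Comment $ConnName
    }
}

function Set-PstVpnPsk {
    # One-time step per machine. Must run in an interactive admin session:
    # under SYSTEM, Set-VpnConnection -L2tpPsk is refused.
    param([Parameter(Mandatory)][securestring]$Psk)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        Set-VpnConnection -Name $ConnName -L2tpPsk $plain -AllUserConnection -Force
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Test-PstVpn {
    # Dial with rasdial (the same path the login screen uses), confirm the tunnel
    # is up and that the DC resolves through the NRPT rule, then hang up.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    & rasdial.exe $ConnName $user $pass | Out-Null
    $connected = (Get-VpnConnection -Name $ConnName -AllUserConnection).ConnectionStatus -eq 'Connected'
    $a = Resolve-DnsName -Name "pst-server$Namespace" -Type A -ErrorAction SilentlyContinue
    & rasdial.exe $ConnName /disconnect | Out-Null
    [pscustomobject]@{ Connected = $connected; DcResolves = (@($a.IP4Address) -contains $DcIp) }
}

# Usage (elevated, interactive):
#   Install-PstVpnProfile
#   Set-PstVpnPsk -Psk (Read-Host 'L2TP PSK from vpn.sops.yaml' -AsSecureString)
#   Test-PstVpn -Credential (Get-Credential -UserName 'pst-admin' -Message 'VPN user password')
```

`Install-PstVpnProfile` is idempotent, so it is safe to re-run from the RMM on a machine that already has the profile; only `Set-PstVpnPsk` needs a person at the keyboard. `Test-PstVpn` exercises the same rasdial path the login screen uses, which is what the pre-login verification item below asks for, though a true pre-login check still has to be made from the Windows login screen itself.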
### Client Workstations

| Machine | Role | GuruRMM Agent ID | Notes |
|---|---|---|---|
| MaraHomeNew | Mara's home desktop | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | Domain-joined. VPN working (confirmed via rasdial 2026-05-11). Machine cert installed (D067E07B, CN=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027). |
| Maras-HP-Laptop | Mara's HP laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). OneDrive per-machine deployed 2026-05-11. pst-admin profile wiped and rebuilt 2026-05-11. |
| PST-SURFACE | Surface device | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). |
| BridgettePSHomeComputer | Bridgette's home PC | [unverified] | Was offline during 2026-05-22 session. VPN profile not yet deployed. |
---

## GuruRMM Enrollment

- **Client name in RMM:** Peaceful Spirit
- **Client ID:** `00015eae-50e5-4102-93fa-ab0fdb135c08`
- **Site name:** Country Club
- **Site ID:** `7b32983d-982a-4a5c-af07-45a23453f589`

**Enrolled agents:**

| Host | Agent ID | Enrolled | Last Known Status |
|---|---|---|---|
| PST-SERVER | `6b6106a7-8515-4b6b-857d-0dc6ede53f35` | 2026-05-10 23:19 UTC | Active (2026-05-11 01:29 UTC) |
| MaraHomeNew | `c778b6a3-c646-4454-a065-8c8bdcb1578e` | [unverified date] | — |
| Maras-HP-Laptop | `13cb3629-5043-4bd6-b977-6968eeccf804` | [unverified date] | — |
| PST-SURFACE | `4a993b61-59b3-42f4-bdb5-d4362941f7d6` | [unverified date] | — |

BridgettePSHomeComputer agent status unknown.
---

## Access

- **PST-SERVER SSH:** `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` — requires an active OpenVPN or L2TP VPN connection to the Country Club site. Win32-OpenSSH at `C:\Program Files\OpenSSH\OpenSSH-Win64\`. SCP paths use Unix format (`/C:/path/to/file`).
- **UCG SSH:** `ssh -i ~/.ssh/pst-cc-ucg root@98.190.129.150` — NOT accessible from office WAN. Requires on-site access or the UCG cloud portal (unifi.ui.com).
- **GuruRMM (external):** https://rmm.azcomputerguru.com
- **Vault paths:**
  - `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER credentials, UCG details
  - `clients/peaceful-spirit/vpn.sops.yaml` — VPN PSK, user credentials, network details
---

## Patterns & Known Issues

- **Set-VpnConnection -L2tpPsk cannot run via RMM (SYSTEM context).** Windows enforces interactive mode for PSK registration. An admin must run this command manually on each machine in an interactive session. This is a one-time setup step per machine.
- **NRPT instead of VPN DNS suffix push.** `Add-VpnConnectionTriggerDnsConfiguration` fails for AllUserConnection profiles. Use `Add-DnsClientNrptRule -Namespace ".peacefulspirit.local" -NameServers "192.168.0.2"` instead.
- **cmdkey as SYSTEM for pre-login credential persistence.** Machine credential store entries (cmdkey in SYSTEM context) are available at the Windows login screen; per-user cmdkey entries are not.
- **Stale hosts file.** During 2026-05-22 on-site, MaraHomeNew (and likely other machines) had a stale hosts entry mapping PST-SERVER to 72.194.62.5 (Mara's router's bogus DNS response). This caused name resolution failures even with VPN up. A GuruRMM cleanup script was deployed; verify no residual entries if name resolution issues recur. The hosts-file path encoding bug (`driverstc` artifact) means the cleanup script may not have fully run on all machines.
- **UCG iptables DNAT required — UniFi Traffic Rules are firewall-allow only, NOT DNAT.** Port-forward rules must be placed via CLI in `/data/on_boot.d/10-vpn-portforward.sh` for persistence across reboots.
- **UCG SSH unreachable from office WAN.** All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for UCG itself).
- **GuruRMM PowerShell invocation quirk.** Running `command_type: powershell` fails on PST machines with "-OutputEncoding is not recognized." Use `command_type: cmd` and call `powershell.exe` explicitly within the script body.
- **Machine cert template (PEACEFULSPIRIT-PST-SERVER-CA / Machine template).** `msPKI-Certificate-Name-Flag` was changed from `0x18000000` to `0x1` (ENROLLEE_SUPPLIES_SUBJECT) on 2026-05-11. This is a domain-wide template change. New machine certs will use the CSR Subject/SAN rather than the submitting machine's AD DNS identity. RRAS UserAuthProtocolAccepted now includes Certificate (added 2026-05-11).
- **OneDrive KFM on WSE folder-redirected profiles.** Machines formerly managed by Windows Server Essentials had WSE-specific non-standard GUID variants in User Shell Folders (different from standard Known Folder GUIDs). Direct HKU writes alone do not clear the shell's internal known folder policy state — `SHSetKnownFolderPath` must be called with `flags=0` (not 0x4000) in user session context. If KFM still fails after registry cleanup, wipe the profile and redeploy with per-machine OneDrive (`/allusers`).
- **pst-admin vs sysadmin distinction.** `pst-admin` is a domain user (in WseRemoteAccessUsers, VPN-eligible). `sysadmin` is domain admin. Many early session failures were caused by using pst-admin credentials for domain admin operations.
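The Machine template change above is the one item in this list with a lasting security footprint, so here is an added audit check for it (example code, not anything from the session logs). It reads the template object from the Configuration partition and reports the three properties that together decide how risky an enrollee-supplied subject is: the name flag itself, whether the template carries the Client Authentication EKU (the default Machine template does), and which principals hold Enroll or AutoEnroll on it (the notes say Domain Computers was added for auto-enrollment), plus whether CA manager approval is required. The well-known constants (flag bit 0x1, the Client Authentication OID, the Enroll/AutoEnroll rights GUIDs, CT_FLAG_PEND_ALL_REQUESTS) are standard AD CS values; the function name, the `NeedsReview` heuristic and the output shape are this example's own, and it assumes the ActiveDirectory module on a domain-joined admin host.

```powershell
# Added example, not from the session logs: audit the Machine template on
# PEACEFULSPIRIT-PST-SERVER-CA after the 2026-05-11 msPKI-Certificate-Name-Flag change.
# Assumes the ActiveDirectory module; function name and NeedsReview logic are this example's own.
Import-Module ActiveDirectory

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Standard AD CS values (Microsoft-documented, not page-specific)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2          # "CA certificate manager approval"
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

function Get-MachineTemplateAudit {
    $t = Get-ADObject -Identity $TemplateDN -Properties 'msPKI-Certificate-Name-Flag',
        'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

    $nameFlag   = [int64]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int64]$t.'msPKI-Enrollment-Flag'
    $ekus       = @($t.pKIExtendedKeyUsage)

    # Principals granted Enroll or AutoEnroll on the template object
    $enrollers = @($t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType.ToString() -in @($EnrollRight, $AutoEnrollRight)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    $supplies   = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $clientAuth = $ekus -contains $ClientAuthOid
    $approval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $broad      = $enrollers | Where-Object { $_ -match 'Domain Computers|Domain Users|Authenticated Users' }

    [pscustomobject]@{
        Template                = 'Machine'
        NameFlagHex             = ('0x{0:X}' -f $nameFlag)      # expect 0x1 after the 05-11 change
        EnrolleeSuppliesSubject = $supplies
        ClientAuthEku           = $clientAuth
        ManagerApprovalRequired = $approval
        Enrollers               = $enrollers
        # Subject chosen by the requester + client-auth EKU + a broad enroll ACL + no approval
        # step means any domain host can obtain a cert for a name it does not own.
        NeedsReview             = ($supplies -and $clientAuth -and (-not $approval) -and [bool]$broad)
    }
}

Get-MachineTemplateAudit | Format-List
```

If `NeedsReview` comes back true once the cert bootstrap is finished, the options are to restore the original flag value (`0x18000000`, which is the standard SUBJECT_REQUIRE_DNS_AS_CN plus SUBJECT_ALT_REQUIRE_DNS pair, so the CA again derives the subject from the AD computer object), to turn on manager approval for the template, or to narrow Enroll/AutoEnroll to the specific machines still expected to request certs. That decision belongs with the deferred IKEv2 item under Active Work.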
---

## Active Work

As of 2026-05-22 session end:

- **BridgettePSHomeComputer VPN:** Was offline during 2026-05-22 on-site. When online: deploy full VPN script via RMM, then Mike must run `Set-VpnConnection -L2tpPsk` interactively on-site or via remote session with the user logged in as an admin.
- **Pre-login VPN verification:** Confirmed working on MaraHomeNew via rasdial. Maras-HP-Laptop and PST-SURFACE need verification at the Windows login screen specifically.
- **Hosts file cleanup verification:** The GuruRMM cleanup script had a path encoding bug (`driverstc` instead of `drivers\etc`) — DNS was flushed but hosts entries may not have been removed on all machines. Verify if name resolution issues recur.
- **PST-SERVER temp file cleanup:** `C:\ProgramData\`: gen_certs.ps1, fix_acl.ps1, acl_result.txt, verify_acl.ps1, acl_verify.txt, and all *.inf, *.req, *.cer, *.pfx files. Also remove temporary firewall rules TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535).
- **Vault update:** pst-admin and mara passwords were reset to SpiritWalk26! on 2026-05-22; vault entries need updating (`clients/peaceful-spirit/vpn.sops.yaml`).
- **Machine cert VPN path (IKEv2) — deferred.** Machine certs were generated for MaraHomeNew (D067E07B), Maras-HP-Laptop (4CADDE8F, CA RequestId 66), and PST-SURFACE (197FF22A, CA RequestId 67) and PFXs (password: PstVpn2026!) were created. This IKEv2 machine-cert approach was superseded by the L2TP/RRAS decision on 2026-05-22. The certs and PFXs remain on PST-SERVER and DESKTOP-0O8A1RL — determine if IKEv2 path should be completed, abandoned, or the certs revoked.
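For the hosts-file verification item above (and the "Stale hosts file" pattern it refers back to), here is an added verification and cleanup script; it is not the GuruRMM cleanup script from the logs. The stale address 72.194.62.5 and the DC address 192.168.0.2 are the values recorded on 2026-05-22; the function names are this example's own. The point worth copying is how the path is built: `drivers\etc` became `driverstc` because a backslash-e sequence was eaten somewhere between the RMM job body and the shell, so this script constructs the path with `[IO.Path]::Combine` and avoids literal backslashes everywhere, including in comments and regexes.

```powershell
# Added example (not the GuruRMM cleanup script from the session logs): find and remove
# hosts-file lines that map PST-SERVER anywhere other than 192.168.0.2, keeping a backup.
# The path is assembled without a literal backslash so the job body survives any escape
# processing (the original script's drivers-etc path was mangled into "driverstc").
$HostsPath  = [IO.Path]::Combine($env:SystemRoot, 'System32', 'drivers', 'etc', 'hosts')
$Separators = [char[]](' ', "`t")

function Get-StaleHostsEntries {
    param(
        [string]$Path = $HostsPath,
        [string[]]$Names = @('pst-server', 'pst-server.peacefulspirit.local'),
        [string]$ExpectedIp = '192.168.0.2'
    )
    # Emits every active line that maps one of $Names to an address other than the DC.
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $text = $line.Split('#')[0].Trim()          # drop comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text.Split($Separators, [StringSplitOptions]::RemoveEmptyEntries)
        if ($fields.Length -lt 2) { continue }
        $ip = $fields[0]
        foreach ($n in $fields[1..($fields.Length - 1)]) {
            if (($Names -contains $n) -and ($ip -ne $ExpectedIp)) { $line; break }
        }
    }
}

function Remove-StaleHostsEntries {
    param([string]$Path = $HostsPath, [switch]$WhatIf)
    $stale = @(Get-StaleHostsEntries -Path $Path)
    if ($stale.Count -eq 0) { return 'No stale PST-SERVER entries found' }
    if ($WhatIf) { return ($stale | ForEach-Object { "Would remove: $_" }) }
    $backup = "$Path.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Copy-Item -Path $Path -Destination $backup -Force
    $kept = Get-Content -Path $Path | Where-Object { $stale -notcontains $_ }
    Set-Content -Path $Path -Value $kept -Encoding Ascii
    Clear-DnsClientCache                              # the original script only got this far
    "Removed $($stale.Count) line(s); backup at $backup"
}

function Test-PstServerResolution {
    # With the VPN up, the DC name must resolve to 192.168.0.2 (via the NRPT rule, not hosts).
    $a = Resolve-DnsName -Name 'pst-server.peacefulspirit.local' -Type A -ErrorAction SilentlyContinue
    @($a.IP4Address) -contains '192.168.0.2'
}

Remove-StaleHostsEntries -WhatIf
Test-PstServerResolution
```

To push this through GuruRMM given the PowerShell invocation quirk, use a `command_type: cmd` job whose body is `powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <base64>`, where the base64 is `[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))`; encoding the whole script sidesteps the escape processing that produced `driverstc` in the first place. Run it with `-WhatIf` first on MaraHomeNew to confirm it matches the entries seen on-site, then drop the switch.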
---

## History Highlights

| Date | Event |
|---|---|
| 2026-05-10 | GuruRMM agent installed on PST-SERVER. UCG-PST-CC reconfigured for IKEv2 in prior (unlogged) session. IKEv2 error 812 diagnosed — NPS rejecting nonexistent user `apst-admin` (typo in stored credential). NPS order-0 test policy (PST-VPN-Test) added. Credential Manager corrected on DESKTOP-0O8A1RL. |
| 2026-05-10 | GuruRMM agents enrolled on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE. AllUserConnection IKEv2 "Peaceful Spirit VPN" profiles deployed to all three Mara machines. |
| 2026-05-11 AM | PST-VPN-Test NPS policy removed. AutoEnroll ACL on Machine cert template fixed (Domain Computers, sysadmin scheduled task). Catch-22 identified: machine cert enrollment requires LAN access which requires a cert. OpenVPN on MaraHomeNew chosen as bootstrap path. |
| 2026-05-11 PM | Machine cert auth working on MaraHomeNew. Win32-OpenSSH installed on PST-SERVER. msPKI-Certificate-Name-Flag changed to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). RRAS UserAuthProtocolAccepted updated to include Certificate. PFX certs generated for Maras-HP-Laptop and PST-SURFACE. |
| 2026-05-11 PM | Maras-HP-Laptop: OneDrive KFM "Capabilities: 0x101" error troubleshooting. WSE non-standard GUID variants in User Shell Folders identified and corrected. Shell Folders cache directly updated via SYSTEM/HKU. SHSetKnownFolderPath flags=0x4000 bug identified (root cause of all prior script failures). |
| 2026-05-11 Evening | pst-admin profile on Maras-HP-Laptop wiped entirely (WMI). Per-machine OneDrive deployed. "Block New Outlook" GPO created and linked to domain root. |
| 2026-05-22 | L2TP/IPsec VPN successfully deployed to MaraHomeNew, Maras-HP-Laptop, PST-SURFACE during on-site visit at Mara's house. UCG-hosted strongSwan/xl2tpd abandoned; RRAS on PST-SERVER became the VPN endpoint. UCG DNAT rules created for UDP 500/4500/ESP. Stale hosts file entries removed. pst-admin and mara passwords reset to SpiritWalk26!. BridgettePSHomeComputer offline — VPN pending. |
---

## Backlinks

- [[projects/gururmm]] — PST-SERVER, MaraHomeNew, Maras-HP-Laptop, PST-SURFACE enrolled (site: Country Club)