claudetools/wiki/clients/sombra-residential.md
Mike Swanson 32f64a9561 wiki: seed 9 client articles (internal-infra, peaceful-spirit, cryoweave, glaztech, pavon, grabb-durando, stamback-septic, sombra-residential, birth-biologic)
Notable findings per article:
- internal-infrastructure: Neptune cert expires 2026-05-31, DkimSigner
  disabled (unsigned outbound mail), Cloudflare tunnel on Jupiter
- peaceful-spirit: L2TP/IPsec RRAS VPN; billing/Syncro ID undocumented
- cryoweave: website redesign pending client assets
- glaztech: phishing bypassed MailProtector via secondary MX (fixed);
  no MFA enforcement yet; do not enable Security Defaults yet
- pavon: OwnCloud cron stacking fixed; Nextcloud migration deferred
- grabb-durando: plaintext DB password in README needs vaulting; AI
  demand review app scoped
- stamback-septic: WS2012 EOL server on network
- sombra-residential: Server2013 is actually WS2012 EOL unpatched
- birth-biologic: Datto→SharePoint migration unconfirmed complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:38:50 -07:00


---
type: client
name: sombra-residential
display_name: Sombra Residential LLC
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/sombra-residential/CONTEXT.md
- clients/sombra-residential/session-logs/2026-05-06-howard-bryan-sombrahomes-ghost-account-cleanup.md
backlinks:
- projects/gururmm
---
# Sombra Residential LLC
## Profile
- **Company type:** Residential property management company (Arizona). Formerly operated under the brand/domain `sombrahomes.com`; rebranded to `sombraresidential.com` at some point post-2022.
- **Contract type:** [unverified — managed MSP implied by ACG handling M365 and new-PC setup; no explicit contract type documented]
- **Key contacts:**
  - Amy — caller/office contact (last name not documented)
  - Bryan Menie — employee; accounts `bryan@sombraresidential.com` (current), formerly `bryan@sombrahomes.com`
- **Billing rate:** [unverified]
- **Syncro customer ID:** 32971820
## Infrastructure
### Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| Server2013 | `Server2013` (hostname only) | File / application server | Windows Server **2012** (build 9200) — [WARNING] EOL 2023-10-10, running unpatched | Name "Server2013" is a label only; actual product is WS2012. Remote access via ScreenConnect. |
| DESKTOP-UQRN4K3 | [unverified] | Bryan Menie's workstation | Windows (version unverified) | New PC set up by ACG prior to 2026-05-06; data transferred via Transwiz |
### Email & Identity
- **M365 tenant:** sombraresidential.com (primary current domain); former domain sombrahomes.com still exists in legacy identity caches on endpoints
- **MFA status:** [unverified]
- **Office version:** OneNote Free + O365 Business Retail, Click-to-Run, version 16.0.19929.20106 (confirmed on Bryan's PC 2026-05-06)
- **Identity note:** Company rebranded from sombrahomes.com to sombraresidential.com after 2022. Classic Office MAPI profiles and token stores on pre-rebrand machines (or Transwiz-migrated machines) still reference the old domain. New Outlook app uses WAM (unaffected); classic Word/Excel prompt against dead LiveId tokens.
### Network
- **ISP / WAN:** [unverified]
- **Firewall:** [unverified]
- **VPN:** [unverified]
## GuruRMM
- **Client name:** Sombra Residential LLC
- **Client ID:** `4143369f-de59-42e6-b1a0-e9939aa42a2d`
- **Site name:** main office
- **Site ID:** `787d497a-eb1d-4468-a8ac-51d3c23954cb`
### Enrolled Agents
| Agent | Host | OS | Agent ID | Notes |
|---|---|---|---|---|
| Server2013 | Server2013 | Windows Server 2012 | `5383e9c1-56e1-4389-9c89-1991a77bbc3a` (device id `win-e59d7c6c-9bd6-4b49-a892-71788039bf14`) | Enrolled 2026-04-30 |
| DESKTOP-UQRN4K3 | Bryan's workstation | Windows | `6dc0fb03-d6c4-4e3e-a58c-d9d015ff588a` | Used as remote command channel for ghost-account cleanup 2026-05-06 |
## Access
- **ScreenConnect:** Installed on Server2013 and Bryan's PC (ACG SC instance)
- **Server2013 local accounts:**
  - `Administrator` — password at `clients/sombra-residential/server2013.sops.yaml`
  - `sysadmin` — password [WARNING] TBD; not yet vaulted as of CONTEXT.md (2026-04-30). Confirm with Howard or pull from server before next session.
- **Vault path:** `clients/sombra-residential/server2013.sops.yaml`
## Patterns & Known Issues
- **[WARNING] Server2013 is Windows Server 2012 (EOL 2023-10-10):** Running unpatched. EOL risk has not been formally presented to client per available session logs. Mike needs to confirm a refresh/migration recommendation with the client.
- **Transwiz ghost account pattern:** Transwiz migrates M365 identity stores wholesale from the source machine, including DPAPI-bound tokens and Office MAPI profiles. On a domain-rebranded shop (sombrahomes.com → sombraresidential.com), the migrated machine carries dead LiveId entries from the old domain. Symptoms: Word and Excel prompt for `<user>@olddomain.com` credentials on every open; ErrorState=6 (stuck token, cannot refresh). New Outlook app (WAM-based) is unaffected — only classic Win32 Office apps hit this.
- **Detection:** Check `HKU\<user-SID>\Software\Microsoft\Office\16.0\Common\Identity\Identities` and `ServicesManagerCache\Identities` for LiveId entries with the old domain. Also check classic MAPI Outlook profiles under `15.0` and `16.0` trees.
- **Fix:** Three-pass cleanup (Identity keys → ServicesManagerCache + OneAuth blobs → classic MAPI profiles). Run with snapshot-first backup + auto-generated revert.ps1. All Office processes must be closed before each pass.
- **Recommended:** Add a "post-Transwiz Office identity sweep" step to the ACG new-PC checklist for any customer with M365 domain rebrand history.
- **GuruRMM SYSTEM context:** HKCU probes from GuruRMM commands hit the SYSTEM hive, not the logged-in user's. For per-user registry work, resolve the target user's SID from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` and read `HKU:\<SID>\` directly.
- **Syncro warranty billing:** Use product `1049360` Labor - Warranty work for work that is a direct side effect of a prior ACG ticket. Do NOT use `1190473` Labor - Remote Business with `billable: false` or a patched price. The warranty product is the correct path.
- **Syncro `billable: false` on timer_entry is silently ignored** — does not prevent a charged line item from being generated. Always pick the correct product.
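The detection and snapshot-first cleanup described in the Transwiz ghost account, Detection, Fix and GuruRMM SYSTEM context items above, as an added PowerShell example that is not the wiki's or ACG's own script. It resolves the target user's SID from `ProfileList` so it works from the GuruRMM SYSTEM context, maps an `HKU:` drive, scans the `Identity\Identities` and `ServicesManagerCache\Identities` trees for entries naming the retired domain, and only with `-Remove` refuses to run while Office is open, exports the scanned trees with `reg.exe`, writes a revert script, and deletes the matches. The parameter names, the snapshot directory, the assumption that the user's hive is loaded (user logged on), that the profile folder name equals the username, and that both trees sit under `Software\Microsoft\Office\16.0\Common` are assumptions; the classic MAPI profile pass (the article's third pass) is not covered.

```powershell
# Added example, not ACG tooling: report (and optionally remove) Office LiveId
# identity entries that still reference a retired M365 domain after a Transwiz
# migration. Meant to run from a GuruRMM command (SYSTEM), so the user hive is
# addressed as HKU:\<SID>, never HKCU.
param(
    [Parameter(Mandatory)][string]$UserName,   # profile folder name, e.g. 'bryan' (assumed = username)
    [Parameter(Mandatory)][string]$OldDomain,  # retired domain, e.g. 'sombrahomes.com'
    [string]$SnapshotDir = 'C:\ProgramData\ACG\identity-sweep',  # assumed snapshot location
    [switch]$Remove                             # report-only unless set
)

# HKU: is not mapped by default; HKCU under SYSTEM would be the wrong hive entirely.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Resolve the user's SID from ProfileList by matching the profile folder name.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sid = Get-ChildItem $profileList | Where-Object {
    $img = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $img -and ((Split-Path $img -Leaf) -ieq $UserName)
} | Select-Object -First 1 -ExpandProperty PSChildName
if (-not $sid) { throw "No profile named '$UserName' in ProfileList" }
if (-not (Test-Path "HKU:\$sid")) { throw "Hive for $sid not loaded (user not logged on)" }

# Assumed base path for both identity caches.
$base = "HKU:\$sid\Software\Microsoft\Office\16.0\Common"
$scanRoots = @("$base\Identity\Identities", "$base\ServicesManagerCache\Identities")

# A direct child of each root is one identity entry; flag it if its own name,
# any nested key name, or any string value mentions the old domain.
$stale = foreach ($root in $scanRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem $root) {
        $keys = @($entry) + @(Get-ChildItem $entry.PSPath -Recurse)
        $match = $false
        foreach ($k in $keys) {
            if ($k.PSChildName -like "*$OldDomain*") { $match = $true; break }
            foreach ($p in (Get-ItemProperty $k.PSPath).PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -like "*@$OldDomain*") { $match = $true; break }
            }
            if ($match) { break }
        }
        if ($match) { $entry }
    }
}

if (-not $stale) { Write-Output "No $OldDomain identity entries for $UserName ($sid)"; return }
$stale | ForEach-Object { Write-Output "STALE: $($_.Name)" }
if (-not $Remove) { return }

# Same rule as the article's passes: token stores are not touched while Office runs.
$office = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, ONENOTE -ErrorAction SilentlyContinue
if ($office) { throw "Close Office first: $(($office.Name | Sort-Object -Unique) -join ', ')" }

# Snapshot first: export each scanned tree so every deletion below is revertible.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($root in $scanRoots) {
    if (-not (Test-Path $root)) { continue }
    $regPath = $root -replace '^HKU:\\', 'HKU\'          # reg.exe syntax, no PSDrive colon
    $file = Join-Path $SnapshotDir ("$stamp-" + ($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regPath" }
}
# Generated revert script: re-importing the exports restores the deleted keys.
"Get-ChildItem '$SnapshotDir' -Filter '$stamp-*.reg' | ForEach-Object { reg.exe import `$_.FullName }" |
    Set-Content (Join-Path $SnapshotDir "$stamp-revert.ps1")

foreach ($entry in $stale) {
    Remove-Item -Path $entry.PSPath -Recurse -Force
    Write-Output "REMOVED: $($entry.Name)"
}
```

Run it first without `-Remove` to confirm that only entries for the retired domain are listed; a hit on the current domain means the match pattern needs tightening before anything is deleted. Matching on the parent identity entry rather than on the nested key that contained the domain string is deliberate: removing only a child key would leave a half-deleted identity behind, which is the same stuck-token state the cleanup is meant to clear.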
## Active Work
- **Open items from CONTEXT.md (2026-04-30):**
  - Capture `sysadmin` password for Server2013 into vault
  - Confirm Server 2012 EOL risk with Mike and recommend refresh / migration path
  - Discover and document: workstations, network, primary contact, full business purpose
## History Highlights
| Date | Event |
|---|---|
| Post-2022 | Company rebranded from sombrahomes.com to sombraresidential.com |
| 2026-04-30 | Server2013 enrolled in GuruRMM (agent `5383e9c1`). CONTEXT.md stub created by Howard. New PCs set up for staff (referenced as "the week prior" in 2026-05-06 log). |
| 2026-05-06 | Howard: Bryan's PC (DESKTOP-UQRN4K3) — Word/Excel ghost credential prompt for old domain `bryan@sombrahomes.com`. Root cause: Transwiz-migrated classic MAPI + LiveId entries from pre-rebrand machine. Three-pass registry cleanup via GuruRMM. Billed as warranty ($0) against ticket #32225 (invoice #67572). Revert scripts at `C:\ProgramData\ACG\sombrahomes-cleanup-*` on Bryan's PC. |
## Backlinks
- [[projects/gururmm]] — Server2013 and DESKTOP-UQRN4K3 enrolled (site: main office)