claudetools/wiki/clients/rednour.md
Howard Enos 00af39d369 sync: auto-sync from HOWARD-HOME at 2026-06-29 14:23:40
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-29 14:23:40
2026-06-29 14:24:12 -07:00

type: client
name: rednour
display_name: Rednour Law Offices
last_compiled: 2026-06-29
compiled_by: HOWARD-HOME/claude-main
sources:

  • clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
  • clients/rednour/reports/2026-06-01-carla-password-set.md
  • clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
  • clients/rednour/session-logs/2026-06-02-session.md
  • clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
  • session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md
  • clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md
  • clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md
  • clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md

Rednour Law Offices

Profile

  • Business type: Law firm (Arizona)
  • Syncro Customer ID: 1224246
  • Billing model: Time and materials [billing rate unverified — not stated in session logs]
  • Contract status: Active MSP client
  • Primary ticket: Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Resolved. URL: https://computerguru.syncromsp.com/tickets/111409967

Contacts

| Name | Role | UPN / Email | Object ID | Notes |
| --- | --- | --- | --- | --- |
| Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly |
| Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) |
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local nick on REDNOURCARRIEVI -> Documents); on an Apple Silicon Mac (RMM enrollment pending fix) |
| receptionist | Shared mailbox | receptionist@rednourlaw.com | | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep |

System recipient: DiscoverySearchMailbox (Exchange system object — not a user).

Infrastructure

Network

  • Topology: Workgroup (no on-prem AD, no domain join). All three enrolled machines report PartOfDomain=False.
  • LAN subnet: 192.168.10.0/24, default gateway 192.168.10.1.
  • ZeroTier: Present on REDNOURCARRIEVI (IP: 10.147.17.253 / fcfb:1c63:8659:2d21:d189::1). Not documented on other workstations.

Workstations (GuruRMM enrolled)

All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items).

| Hostname | Model | CPU | RAM | OS | IP | Agent ID | Grade |
| --- | --- | --- | --- | --- | --- | --- | --- |
| FRONTDESKRECEPT | Dell OptiPlex 3080 | i5-10505 6c/12t | 15.8 GB | Win 11 Pro build 26200 | 192.168.10.115 | 04765560-3e8a-46e5-a507-c5f5f4ead6eb | RED |
| LEGALASST | Generic OEM | AMD Ryzen 3 3200G 4c/4t | 5.9 GB | Win 10 Pro build 19045 | 192.168.10.213 | 18825ea7-df58-47bb-b492-822cb16fb5ec | RED |
| REDNOURCARRIEVI | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 10 Pro build 19045 | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED |

Common issues across all three at onboarding:

  • ScreenConnect (ConnectWise Control) running — prior MSP remote-access agent, not yet removed
  • Splashtop Streamer running — prior MSP remote-access agent, not yet removed
  • Syncro agent running — prior MSP agent, not yet removed
  • No backup agent detected on any workstation

LEGALASST additional:

  • Win 10 22H2 (build 19045) — EOL since 2025-10-14; no longer receives security patches
  • 43 days uptime, reboot pending
  • Local admins include stale accounts Ale and Emma (pre-rename artifact)

REDNOURCARRIEVI additional:

  • Win 10 22H2 (build 19045) — EOL since 2025-10-14
  • Defender real-time protection OFF + antimalware service not running at baseline (critical)
  • Datto RMM running — prior MSP agent, not yet removed
  • C: drive at 11.7% free (54.4 GB of 465.1 GB)
  • Last hotfix: 2025-12-20 (severely behind on patches as of 2026-05-29)
  • 151 installed programs, 19 non-MS scheduled tasks — elevated attack surface

FRONTDESKRECEPT additional:

  • BitLocker off on OS volume
  • 2 pending Windows updates
  • Local admin account guru present (ACG account, expected)

File Shares (workgroup, peer-to-peer)

REDNOURCARRIEVI (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD):

  • Documents -> C:\Users\Carrie\Documents — the primary working share (also exposed redundantly as ShareName, same path). Mac/PC clients authenticate with a local Windows account on the box.
  • Local accounts with access to Documents: Carrie, emma (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), localadmin, and nick (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted clients/rednour/nick-smb-rednourcarrievi.sops.yaml).
  • Other shares present: Time Matters Shared Files, Timeslips, Program Files sage, Users, New folder. Security note: several are over-broad (Everyone=Full on Program Files/Users/Time Matters) — cleanup candidate.
  • Mac mount string: smb://192.168.10.194/Documents.
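
The check behind the security note above, as an added example (not part of the original wiki or its tooling): it lists each non-administrative SMB share on the host and flags Full grants to broad principals at both the share and NTFS layer. The function name Get-OverBroadShare and the list of principals are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original wiki. Run locally on the share host.

# Principals treated as over-broad (assumption; English account names).
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-OverBroadShare {
    [CmdletBinding()]
    param([string[]]$Principal = $BroadPrincipals)

    # -Special $false skips the administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in Get-SmbShare -Special $false) {
        # Share-level grants of Full to a broad principal.
        $shareHits = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full' -and
            $_.AccountName -in $Principal
        })

        # NTFS grants of FullControl to a broad principal on the share root.
        $ntfsHits = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $ntfsHits = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $FullControl) -eq $FullControl) -and
                $_.IdentityReference.Value -in $Principal
            })
        }

        if ($shareHits.Count -or $ntfsHits.Count) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                ShareFull = ($shareHits.AccountName | Sort-Object -Unique) -join ', '
                NtfsFull  = ($ntfsHits.IdentityReference.Value | Sort-Object -Unique) -join ', '
                # Effective access is the more restrictive of share and NTFS rights,
                # so a share is fully open only when both columns are populated.
                FullyOpen = [bool]($shareHits.Count -and $ntfsHits.Count)
            }
        }
    }
}

Get-OverBroadShare | Sort-Object -Property FullyOpen -Descending | Format-Table -AutoSize -Wrap
```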

GuruRMM Site

  • Site name: Main Office
  • Enrollment key vault path: clients/rednour/ (enrollment key GREEN-FALCON-7214 in vault per index entry)

Cloud / M365

  • Tenant domain: rednourlaw.com
  • Tenant ID: 4a4ca18a-f516-478b-99da-2e0722c5dc18
  • Onboarded to ComputerGuru MSP suite: 2026-05-31 (bootstrapped by Mike during Emma→Carla rename session)

MSP Service Principals

All five ComputerGuru SPs are fully consented as of 2026-05-31:

| SP Name | App ID | SP Object ID | Role(s) Assigned |
| --- | --- | --- | --- |
| Tenant Admin | 709e6eed-0711-4875-9c44-2d3518c47063 | 671a2ace-be9e-440c-a7d6-5ff982e4500c | Conditional Access Administrator |
| Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c | 704da463-7f4e-484c-b1da-40e447615d52 | Exchange Administrator |
| Exchange Operator | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 | 59a68ba9-5e1e-4a56-92ae-507a9a669a79 | Exchange Administrator |
| User Manager | 64fac46b-8b44-41ad-93ee-7da03927576c | dc3b79a2-638b-42fe-8ecb-51592db7d40f | User Administrator + Authentication Administrator |
| Defender Add-on | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b | 052da8aa-1ca5-4f60-b9c5-7aafcb74264b | None |

[WARNING] No MDE license in this tenant. Defender Add-on is consented but calling Defender ATP endpoints returns AADSTS650052. Skip the defender tier for all remediation work against this tenant.

Mailboxes

| Display Name | UPN | Object ID | Notes |
| --- | --- | --- | --- |
| Carla Skinner | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; aliases: emma@, dgarcia@, alee@, dgarcia@rednourlaw.onmicrosoft.com |
| Carrie Rednour | crednour@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | Global Admin; sysadmin@ is also hers |
| Nick Pafford | npafford@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ alias added 2026-05-31 |
| receptionist | receptionist@rednourlaw.com | | 34 contacts in mailbox |
| DiscoverySearchMailbox | (system) | | Exchange system object |

Carla's retained aliases: The mailbox mailNickname was historically dgarcia (prior employee Garcia → passed to Emma → now Carla). Both dgarcia@ and alee@ were kept by operator's explicit choice on 2026-05-31. The emma@ alias was kept so mail to emma@ continues to reach Carla. Revisit only if the firm requests decommissioning of these addresses.

Syncro

  • Customer: Rednour Law Offices, id 1224246
  • Primary ticket: #32343 (id 111409967), Status: Resolved
    • 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — not yet invoiced as of 2026-05-31; pending final close-out after Nick's shared-drive piece
    • Comments: 415513323 (hidden/internal), 415514647 (customer-visible), 416427937 (internal — 2026-06-02 follow-up contact fix)

History

2026-05-29 — GuruRMM enrollment + onboarding baselines

Three workstations enrolled in GuruRMM site "Main Office": FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI. Onboarding diagnostic baselines captured (all graded RED). Prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM on Carrie's machine) still present — not yet removed.

2026-05-31 — M365 onboarding + Emma → Carla rename

Syncro ticket #32343. Operator: Mike Swanson.

Tenant had never been fully onboarded to the ComputerGuru MSP suite — only Tenant Admin was consented, and Exchange Operator lacked Exchange Administrator role. Root cause surfaced as an HTTP 403 when attempting Get-Mailbox during the rename. Resolution: Mike clicked the Tenant Admin admin-consent URL as Global Admin (Carrie's account), then ran onboard-tenant.sh rednourlaw.com to consent the remaining four SPs and assign directory roles.

After Exchange role propagation (~60s), the rename was executed in three calls:

  1. Set-Mailbox via Exchange REST — updated EmailAddresses (carla@ as primary, emma@/dgarcia@/alee@ as aliases)
  2. Graph PATCH /users/{id} — updated UPN, displayName, mailNickname, givenName, surname
  3. POST /users/{id}/revokeSignInSessions — invalidated active tokens

Nick Pafford already existed as npafford@; smtp:nick@rednourlaw.com was added as an alias on his existing mailbox (no UPN change, no session revoke). Ticket set to Resolved; shared-drive access for Nick deferred.

2026-06-01 — Carla password set (client-directed)

Carla's account password set administratively via Graph User Manager app at client direction (forceChangePasswordNextSignIn: false, no session revocation). Password quality flagged to operator as weak (dictionary word + sequential digits) but applied as directed.

2026-06-02 — Stale pinned contact fix (Carrie's mailbox)

Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (IPF.Contact.MOC.QuickContacts) in Carrie's own mailbox mapping emma@rednourlaw.com → display name "Emma - Rednour Law". Because emma@ is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin.

Fix: deleted the pin via EWS (ExchangeImpersonation of crednour@rednourlaw.com using Exchange Operator SP full_access_as_app; DeleteItem with MoveToDeletedItems — recoverable). Graph contacts call (403) confirmed no Contacts.Read scope in any suite app; EWS was the correct path.

All four real-user mailboxes swept — only Carrie was affected:

| Mailbox | Contacts scanned | Stale entries found |
| --- | --- | --- |
| Carrie Rednour | 237 (across 10 folders) | 1 — deleted |
| Nick Pafford | 0 (empty) | none |
| receptionist | 34 (across 10 folders) | none |
| Carla Skinner | 40 (across 9 folders) | none |

No time billed on this follow-up per Mike's standing rule (never log time without explicit minutes + labor type).

2026-06-25 — SMB share access for Nick Pafford + Mac RMM enrollment attempt

Operator: Howard Enos. Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the Documents SMB share on REDNOURCARRIEVI (C:\Users\Carrie\Documents); identified via Get-SmbShare across all three workstations. It was previously reached only through the local emma account.

Created a dedicated standard local account nick on REDNOURCARRIEVI (PasswordNeverExpires), granted share = Change and NTFS = Modify on the Documents folder. Credential vaulted at clients/rednour/nick-smb-rednourcarrievi.sops.yaml. Nick's Mac (Apple Silicon) mounts smb://192.168.10.194/Documents (Finder Cmd+K, nick + keychain-saved password; auto-reconnect via Login Items). Share confirmed working onsite.

GuruRMM macOS enrollment FAILED on Nick's Apple Silicon Mac (site Main, GREEN-FALCON-7214). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). Working hypothesis: the served binary is unsigned, so Apple Silicon SIGKILLs it (agent/build-macos.sh = unsigned cross-compile; agent/build-macos-signed.sh exists with Mike's Developer ID + notarization but is likely not what the server publishes). Fix path: publish the signed+notarized binary, or ad-hoc codesign -s - the binary inside the macOS install script. Deferred — Howard had only a limited ScreenConnect support session; "we will get the RMM installed" later.

Return visit pending: phone + printer setup at Rednour; may require running a new wire or installing a switch.

Operational note: PowerShell Set-Acl ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time — generate passwords locally so they survive a timeout (logged to errorlog).
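
The operational note above as an added example (not the original wiki's or GuruRMM's code): the password is generated and vaulted on the operator's workstation before anything is dispatched, and the endpoint script runs the slow ACL step last and prints nothing that has to be captured. The function names, the vault file name and the sops setup are assumptions.

```powershell
# Added example, not from the original wiki. Runs on the operator's workstation.

function New-RandomPassword {
    param([ValidateRange(16, 128)][int]$Length = 24)
    # No look-alike characters (0/O, 1/l/I) and no quote characters,
    # so the value is safe inside a single-quoted PowerShell or YAML string.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@'.ToCharArray()
    $limit = 256 - (256 % $alphabet.Length)   # rejection threshold removes modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    try {
        while ($out.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
    } finally { $rng.Dispose() }
    $out.ToString()
}

function New-LocalShareUserScript {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$FolderPath,
        [Parameter(Mandatory)][string]$Password
    )
    # Fast steps first. The inheritable NTFS grant is last because propagating it
    # down a large tree is the step that can outlive the RMM command timeout.
    @"
`$pw = ConvertTo-SecureString '$Password' -AsPlainText -Force
New-LocalUser -Name '$UserName' -Password `$pw -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Users' -Member '$UserName'
Grant-SmbShareAccess -Name '$ShareName' -AccountName '$UserName' -AccessRight Change -Force | Out-Null
icacls.exe '$FolderPath' /grant '${UserName}:(OI)(CI)M' /C /Q
"@
}

# 1. Generate and vault the credential before dispatch (placeholder file name).
$password  = New-RandomPassword -Length 24
$vaultFile = Join-Path $PWD 'example-local-account.sops.yaml'
"username: nick`npassword: '$password'" | Set-Content -LiteralPath $vaultFile -Encoding ascii

# Assumes sops is installed and a .sops.yaml creation rule covers this file.
sops --encrypt --in-place $vaultFile
if ($LASTEXITCODE -ne 0) {
    Remove-Item -LiteralPath $vaultFile -Force   # do not leave plaintext behind
    throw 'sops encryption failed; nothing was dispatched.'
}

# 2. Build the endpoint script. The password travels in the script body,
#    so the RMM command history holds it and should be treated as sensitive.
$remoteScript = New-LocalShareUserScript -UserName 'nick' -ShareName 'Documents' `
    -FolderPath 'C:\Users\Carrie\Documents' -Password $password

# 3. Hand $remoteScript to the RMM command runner. If the ACL step times out,
#    the account and share grant already exist and the credential is in the vault.
```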

Operator: Howard Enos (reported via Carrie). The legal assistant's workstation LEGALASST (Carla Skinner's box; active local account emma, profile C:\Users\Ale, OneDrive carla@rednourlaw.com) repeatedly hung explorer when opening files. Diagnosed live over GuruRMM (agent 18825ea7-df58-47bb-b492-822cb16fb5ec).

  • explorer HANGS, not crashes — AppHang Event 1002 (no Event 1000 / faulting module); ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot.
  • Root cause: the built-in Windows Compressed Folders handler (explorer's zip-as-folder namespace). Symptom narrowed to opening .zip only (Word/PDF/folders fine), and the failing zip is local (desktop) — not OneDrive, not a network share. zipfldr.dll is intact + validly signed, so the hang is environmental, not a corrupt handler DLL.
  • Ruled out: Adobe shell extensions (blocked/tested via the Microsoft Shell Extensions\Blocked list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z → \\rednourcarrievirt (Status OK, SMB healthy); .NET Runtime 1022 "profiling API attach" (201 events but no COR_PROFILER set — benign noise).
  • SFC (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a reboot to load.
  • Workaround: Howard installed 7-Zip 26.02 (C:\Program Files\7-Zip\7zFM.exe); it opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for .zip (and .7z/.rar, currently unassociated). .zip had no UserChoice; 7-Zip only registered a 7-Zip.iso ProgId on install.
  • Second issue (same machine): WordPerfect 5 "not enough free space" on save regardless of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value overflows → false "disk full"). App-level; the OS upgrade will not fix it. Mitigate via DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs Windows) to be confirmed.
  • Plan: upgrade LEGALASST to Windows 11 — expected to resolve the zip-handler hang by rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local .zip with the built-in handler post-upgrade. If the hang persists, next lead is Defender archive-scan + cloud (MAPS) lookup stalling the shell.

All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an orphaned RMM diagnostic process killed) — the box was left clean.

Patterns & Known Issues

  • EWS required for personal contact work. No app in the ComputerGuru suite holds Contacts.Read or Contacts.ReadWrite on Graph. Personal contact folder reads and modifications must go through EWS (full_access_as_app on the Exchange Operator SP with ExchangeImpersonation).
  • Security Investigator EXO token unreliable on this tenant. The investigator SP's EXO token (aud=outlook.office365.com) returned 401 on InvokeCommand during the 2026-06-02 session; the Exchange Operator SP token worked. Prefer Exchange Operator for EXO InvokeCommand on rednourlaw.com.
  • Stale-pin shadowing pattern: IPF.Contact.MOC.QuickContacts folder entries override the GAL for display-name resolution in Outlook/Teams. If any user reports a renamed sender still showing the old name, run the EWS contact-folder sweep against that user's mailbox.
  • emma@ alias is live by design. Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it.
  • No MDE license — skip Defender tier. Defender Add-on is consented but calling ATP endpoints returns AADSTS650052. Do not attempt Defender-tier calls for this tenant.
  • Prior MSP agents still installed. ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-02.
  • macOS RMM agent won't run on Apple Silicon if unsigned. The site-code installer serves an unsigned aarch64 binary; Apple Silicon SIGKILLs unsigned Mach-O. Until the server publishes a signed/notarized build (build-macos-signed.sh), Apple Silicon Mac enrollment fails (blocks Nick's Mac; same root issue likely affects Scileppi's Mac).
  • LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL). No security updates since 2025-10-14. Plan OS upgrade to Win 11 or Win 10 newer build.
  • REDNOURCARRIEVI: Defender was off at onboarding. Confirm it has been re-enabled; it is a critical finding.
  • LEGALASST: built-in Compressed Folders handler hangs explorer on .zip open. Local zips; Word/PDF fine. zipfldr.dll intact (environmental, not a corrupt DLL). AppHang Event 1002, no faulting module. Workaround = 7-Zip as default for .zip. Win11 upgrade planned to resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup stalling the shell. To test-disable any shell extension reversibly, add its CLSID to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked (delete to restore).
  • LEGALASST: WordPerfect 5 "not enough free space" on save despite verified free space and regardless of save location. Likely legacy free-space overflow on large-capacity volumes; OS upgrade will not fix it; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP version/edition.
  • .NET Runtime 1022 "profiling API attach" errors are noise unless a COR_PROFILER env var is actually set — do not chase them as a hang cause.

Active Work / Open Items

| Priority | Action | Owner | Notes |
| --- | --- | --- | --- |
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
| P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) |
| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | 2026-06-29: expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local .zip with the built-in handler post-upgrade |
| P2 | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: error on save regardless of location; ample free space verified. Likely legacy free-space overflow on large volume; OS upgrade will NOT fix. Mitigate via DOSBox / SUBST small-capacity drive; confirm WP version/edition |
| INTERIM | LEGALASST: set 7-Zip as default for .zip/.7z/.rar | Howard | 2026-06-29: 7-Zip 26.02 installed as workaround for the built-in zip-handler hang; set defaults via 7-Zip GUI (Tools -> Options -> System) |
| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local nick account on REDNOURCARRIEVI; Documents share = Change + NTFS = Modify; cred vaulted clients/rednour/nick-smb-rednourcarrievi.sops.yaml; Nick's Apple Silicon Mac mounts smb://192.168.10.194/Documents |
| P1 | Fix GuruRMM macOS agent install on Nick's Apple Silicon Mac | Howard/Mike | 2026-06-25 install failed. Likely cause: served aarch64 binary is unsigned -> Apple Silicon SIGKILLs it. Fix: serve the signed+notarized binary (agent/build-macos-signed.sh, Mike's Developer ID) or ad-hoc codesign -s - in the installer. Confirm with Mac log (killed: 9). Deferred (limited ScreenConnect session only) |
| P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch |
| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Resolved ticket |
| P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding |
| P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment |
| P3 | emma@ alias — revisit if firm wants it decommissioned | Mike | Retained by design; currently serves as Carla's legacy address |
  • projects/gururmm — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office)