3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/exclamatory-sentences.yml
@@ -0,0 +1,3 @@
message: "Don't use exclamatory sentences."
level: warning
reason: "This rule should trigger when the user or agent writes exclamatory sentences."
3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/idioms.yml
@@ -0,0 +1,3 @@
message: "Don't use idioms. Write what you mean more directly and literally."
level: warning
reason: "This rule should trigger when the user or agent uses an idiom or other culturally specific expression."
3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/misplaced-modifiers.yml
@@ -0,0 +1,3 @@
message: "Avoid misplaced modifiers. Move the modifier, or descriptive phrase, so that it accurately describes the right thing."
level: warning
reason: "This rule should trigger when the documentation has a misplaced or dangling modifier. This includes participial phrases that attach to the wrong subject (e.g., '[participle phrase], [wrong subject] [verb]') and modifying clauses placed too far from the word they describe (e.g., '[noun A] [preposition] [noun B] [modifier that actually describes noun A]')."
3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/passive-voice.yml
@@ -0,0 +1,3 @@
message: "Don't use passive voice. Use active voice instead."
level: warning
reason: "This rule should trigger when the user or agent writes a sentence or clause in passive voice."
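Review bot: a blanket `warning` on every passive clause will fire constantly in system and security documentation, where the passive is the natural form when the actor is unknown or irrelevant (a step such as "the session is terminated after the timeout" has no sensible active subject). Consider naming the accepted exceptions in `reason` so the rule triggers only where an actor can be named; otherwise writers will invent a subject just to silence the check.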
3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/positional-references.yml
@@ -0,0 +1,3 @@
message: "Avoid positional references like 'below', 'above', or 'as shown below'. Use 'the following' or a named anchor instead."
level: warning
reason: "This rule should trigger when the documentation uses spatial direction words like 'below', 'above', 'as shown below', or 'the above section' to reference other content."
3 changes: 3 additions & 0 deletions .claude/skills/dale/rules/wordiness.yml
@@ -0,0 +1,3 @@
message: "This sentence is wordy. A more concise, direct alternative is possible."
level: warning
reason: "This rule should trigger when the user or agent writes a wordy sentence when a more concise, direct alternative is possible without altering the meaning."
3 changes: 2 additions & 1 deletion .claude/skills/doc-help/SKILL.md
@@ -1,6 +1,6 @@
---
name: doc-help
description: "Interactive writing assistant for Netwrix documentation. Use when a writer wants hands-on, conversational help: brainstorming structure, drafting a section, editing existing content, or understanding a style or Vale rule. For fully autonomous tasks (write this entire doc, fix all Vale errors end-to-end), use the tech-writer agent instead."
description: "Interactive writing assistant for Netwrix documentation. Use when a writer wants hands-on, conversational help: brainstorming structure, drafting a section, editing existing content, incorporating external documents (e.g., .docx files) into existing markdown files, or understanding a style or Vale rule. For fully autonomous tasks (write this entire doc, fix all Vale errors end-to-end), use the tech-writer agent instead."
argument-hint: "[topic, file path, content to edit, or question]"
---

@@ -14,6 +14,7 @@ Read `docs/CLAUDE.md` before starting any session. It contains the Netwrix style

- User invokes `/doc-help` with or without arguments
- User asks for help writing, editing, or reviewing Netwrix documentation
- User asks to incorporate, merge, or integrate content from an external document (e.g., `.docx`) into an existing markdown file
- User has a question about a style rule, Vale error, or Netwrix writing convention

## Stage 1: Intake
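Review bot: the new trigger bullet adds `.docx` intake, but nothing in the skill text says how the document is read. State which tool extracts the text and that only the document body is imported, not comments, tracked-change history, or embedded objects, because those would otherwise be merged into published markdown without the writer noticing.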
2 changes: 1 addition & 1 deletion CLAUDE.md
@@ -82,7 +82,7 @@ PRs target `dev`. Never commit directly to `dev` or `main`. The `sync-dev-to-mai
Skills (`.claude/skills/`) are invoked with `/skill-name`. Agents (`.claude/agents/`) are autonomous workers launched via the Agent tool.

When a user asks for help with documentation, always use the appropriate tool:
- **`/doc-help` skill** — Interactive tasks: reviewing content, suggesting improvements, discussing structure or flow, brainstorming, explaining style rules, or any back-and-forth conversation about writing.
- **`/doc-help` skill** — Interactive tasks: reviewing content, suggesting improvements, discussing structure or flow, brainstorming, explaining style rules, incorporating external documents (e.g., `.docx` files) into existing markdown files, or any back-and-forth conversation about writing.
- **`tech-writer` agent** — Autonomous end-to-end tasks: drafting new documents, rewriting files, fixing all Vale errors, or editing for style and clarity.

| Component | Type | Purpose |
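Review bot: this bullet now duplicates the `description` string in `.claude/skills/doc-help/SKILL.md` almost word for word, so the two will drift the next time either one is edited. Keep the canonical task list in one place and have the other refer to it, or at least make the wording identical so a diff of the two is empty.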
4 changes: 4 additions & 0 deletions docs/auditor/10.8/admin/riskassessment/dashboard.md
@@ -59,6 +59,10 @@ Also, for several metrics the Customize risk indicators command is available.
| Servers with unauthorized antivirus software | Edit the whitelist of permitted antivirus tools. Any other antivirus will be considered a risk factor. |
| Administrative group membership sprawl | Edit the whitelist of permitted accounts that can be the members of local administrative groups. Any other account will be considered a risk factor. |

**Note:** Special characters such as %, *, and ? are not interpreted as wildcards in risk indicator customization and are treated as literal characters. The only exception is the domain portion of
domain\account entries in Administrative group membership sprawl, where % can be used to represent any domain. In all other cases (for example, account names, file names, operating system names, and antivirus names),
values must be entered explicitly and are not matched using wildcard patterns.

New settings will be applied/risk level thresholds will be refreshed after the next data collection
session.

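Review bot: the new Note needs a statement on case sensitivity and one concrete example. Since every whitelist value except the domain portion of `domain\account` is matched literally, readers need to know whether an entry typed in a different case still matches the collected name, and a single sample entry showing `%` in the domain portion would make the one exception unambiguous. Put `domain\account` and `%` in code formatting so the backslash survives markdown rendering and the `%` is not read as prose.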
@@ -79,8 +79,8 @@ domain

**CAUTION:** This is not a `full_sync`!

- `init_sync` will do a group flattening process, but **will not move stale objects**
- `full_sync`**will not do a group flattening process,** but _will_ move stale objects
- `init_sync` will do a group flattening process and **will not move stale objects**
- `full_sync` moves stale objects and does not perform a group flattening process
- We have decided to do an `init_sync` as this mimics what Customer Success currently does to
recover from an AD failure. This feature “automates” this approach within the product.

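Review bot: the context line 'CAUTION: This is not a full_sync!' is exactly what the new `exclamatory-sentences` rule in this PR warns on, so this file will be flagged as soon as that rule is active; rewrite it as 'CAUTION: This is an init_sync, not a full_sync.' The last bullet ('We have decided to do an init_sync as this mimics what Customer Success currently does') is internal design rationale rather than product behaviour; the customer-facing fact is that recovery runs an init_sync, which the previous bullets already state.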
@@ -178,8 +178,8 @@ otherwise-present log fields that are in all ldap logs.
| Connection has failed, failure criteria for current dc not yet met (retry attempts) | warning | "Domain Controller (DC) Failover: LDAP Sync failed - Retrying current DC | **current_dc**: server, port of current dc **fail_strategy**: "retry_attempts" **attempts_max**: Max number of retry attempts before trying the next pto a different DC **attempts_current**: number of attempts already completed |
| Connection has failed, failure criteria for current dc has been met and we are movig onto the next DC | warning | "Domain Controller (DC) Failover: LDAP Sync failed - Using next DC" | **next_dc**: server, port **attempted_dcs**: server, port of attempted (and failed) dcs **remaining_additional_dcs**: server, port of additional DCs to try |
| Connection has failed, failure criteria for current dc not yet met, waiting to retry | info | "Domain Controller (DC) Failover: Waiting to retry current DC" | **server**: hostname of current dc **wait_for_sec**: number of seconds waiting in between retry attempts |
| Initial DC has failed, failover enabled, was able to look up additional DCs via DNS | warning | "Domain Controller (DC) Failover: Found additional DCs" | **additional_dcs:** list of alternate DCs that will be attempted (ordered by priority), comprised of server, port **additional_dc_source**: source of additional dcs, currently should just be "dns_priority" |
| | warning | "Domain Controller (DC) Failover: Unable to find any additional DCs" | **additional_dc_source**: source of additional dcs, currently should just be "dns_priority" |
| Initial DC has failed, failover enabled, was able to look up additional DCs via DNS | warning | "Domain Controller (DC) Failover: Found additional DCs" | **additional_dcs:** list of alternate DCs that will be attempted (ordered by priority), comprised of server, port **additional_dc_source**: source of additional dcs, currently should be "dns_priority" |
| | warning | "Domain Controller (DC) Failover: Unable to find any additional DCs" | **additional_dc_source**: source of additional dcs, currently should be "dns_priority" |
| Initial DC success | \* No new log added, it is already logged by svc_ldap \* | | |
| Initial DC failed and failover DC has successfully synced | info | "Domain Controller (DC) Failover: LDAP Sync failover succeeded" | **initial_dc**: server, port of initial DC **attempted_dcs**: List of attempted (and failed) dcs, comprised of server, port **failover_dc**: The fail-overed dc hostname **sync_start_ts**: timestamp of sync start **sync_end_ts**: timestamp of sync end, including all faiilover attempts |
| Initial DC failed and failover not enabled | error | "LDAP Sync failed" | **dc_failover_enabled**: false **error:** dict of error details **sync_start_ts**: start time of sync **sync_end_ts**: end of sync incuding all time spent in failover routine |
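Review bot: while this table is being touched, fix the typos in the surrounding rows, since the change only adjusts "currently should just be": "next pto a different DC" (retry_attempts row), "movig" (next DC row), "faiilover" (failover succeeded row) and "incuding" (failover not enabled row). The "Found additional DCs" row says the DCs are looked up via DNS and ordered by priority but not which record type or priority field is used; a short pointer would help operators diagnose failover order.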
@@ -145,7 +145,7 @@ The Strategy may be entered with any of following values: OS-BEST-PRACTICE, MANA

The OAM Name Template accepts a string with wildcards expressed by question marks (?). If left blank it will default to the currentvalue, or to "S1_ALT_??????".

The remaining options may be included, but must not conflict with the defined strategy.
The remaining options may be included when they do not conflict with the defined strategy.

## Default Settings by Strategy

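Review bot: the rewrite turns a constraint into a condition. "must not conflict with the defined strategy" told the reader that a conflicting option is an error; "may be included when they do not conflict" can be read as meaning conflicting options are silently ignored. Keep the requirement explicit, for example "You can include the remaining options, but they must not conflict with the defined strategy", and say what happens on a conflict if that is known. "currentvalue" in the preceding paragraph is also missing a space.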
@@ -197,11 +197,11 @@ System: VMTEMP1 [+] System: VMTEMP2

Linux registration prerequisites:

- [Linux Registrations Prerequisites](/docs/privilegesecurediscovery/requirements/technicalpreparation/linuxregistrationsprerequisites.md)
- [Linux Registrations Prerequisites](../../requirements/technicalpreparation/linuxregistrationsprerequisites.md)

Guide on registering linux system with Postman (using API):

- [Postman Linux Registration](/docs/privilegesecurediscovery/requirements/technicalpreparation/postmanlinuxregistration.md)
- [Postman Linux Registration](../../requirements/technicalpreparation/postmanlinuxregistration.md)

Troubleshooting Linux Registration:

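Review bot: switching from site-absolute to relative paths (`../../requirements/...`) makes each link depend on the location of the file that contains it, so run the docs link checker before merging and confirm that any other links in these files received the same conversion, otherwise the two styles end up mixed. The context line "Guide on registering linux system" should read "Linux systems".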
@@ -223,3 +223,5 @@ The full Excel file layout of the QuickStart file is detailed in the picture bel

![LOAM-S1-1824.webp](/images/privilegesecure/4.2/discovery/admin/configuration/360042878654_oam-s1-1824_941x297.webp)
```


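Review bot: the two blank lines appended after the closing fence leave the file with multiple trailing newlines, which markdownlint flags (MD012 for consecutive blank lines, MD047 for the final newline); drop them so the file ends with a single newline. The same pair of trailing blank lines is added at the end of every other file in this PR, which suggests an editor setting rather than an intended change.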
@@ -13,7 +13,7 @@ Apply a Service Account from an existing AD group Directly to a Machine
## Overview

All interactive accounts should not have standing privilege, instead these should be using Privilege
Secure to elevate access when required. This is easy to arrange with Privilege Secure. These
Secure to elevate access when required. This can be arranged with Privilege Secure. These
interactive groups should be set as non-persistent. However, sometimes interactive and
non-interactive (service) accounts exist in the same group. In this case removing the persistence of
the group would break any process or application that is using the service account. The purpose of
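Review bot: "This can be arranged with Privilege Secure" is a passive construction that the `passive-voice` rule added in this PR will flag, and it adds nothing the previous sentence does not already say; drop it or write "Privilege Secure makes this easy to arrange". The opening "All interactive accounts should not have standing privilege" is ambiguous (it can be read as "not all accounts"); "No interactive account should have standing privilege" is the intended meaning.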
@@ -108,7 +108,7 @@ within the file name. Use the --dry-run flag to check that file will make the in

Tips

If Excel is unwieldly slow rows can be deleted for machines that have not been scanned. But, instead
If Excel is unwieldly slow rows can be deleted for machines that have not been scanned. Instead
of filtering and deleting, sort based on the last_scanned column and then delete the unwanted rows.
Sorting and deleting is many times faster for Excel. This can also resolve issues with Excel
crashing. Another benefit is the upload back to Privilege Secure will be faster with fewer rows.
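Review bot: the changed line keeps the typo "unwieldly" and still lacks the comma after the condition: "If Excel is unwieldy or slow, delete the rows for machines that have not been scanned." Now that "Instead of filtering and deleting" opens the next sentence, the reader no longer learns that filter-then-delete is the slow path; say so in the first sentence.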
@@ -35,8 +35,8 @@ as see in the example below.  It should be entered as a lower case d.

**Step 1 –** Navigate to **Configure** > **Server**.

**Step 2 –** As Privilege Secure is unable to perform Service Provider initiated (SP-initiated)
logon, you must specified an Identity Provider initiated (IdP-intiatied) URL.
**Step 2 –** Privilege Secure uses an Identity Provider initiated (IdP-intiatied) URL for this
configuration, so specify the IdP-initiated URL here.

- Entrypoint: `https://<ADFS_URL>/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=https://SecureONE_URL`
- Issuer: `http://ADFS_URL/adfs/services/trust`
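Review bot: the rewrite drops the reason the IdP-initiated URL is required, namely that Privilege Secure does not perform SP-initiated logon. Keep that fact, because it is what an administrator needs when a relying-party test started from the Privilege Secure side fails; for example "Privilege Secure does not support SP-initiated logon, so specify the IdP-initiated URL." The new text also keeps the misspelling "IdP-intiatied", and the placeholders are inconsistent between `<ADFS_URL>` and the bare `ADFS_URL` and `SecureONE_URL` in the Entrypoint and Issuer values.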
@@ -14,7 +14,7 @@ SSO: Duo Access Gateway (DAG)

This topic covers integrating Privilege Secure with Duo using a Duo on-premise Duo Access Gateway
(DAG) SSO. Please find an article detailing the Privilege Secure terms here:
[SSO Configuration](/docs/privilegesecurediscovery/administration/configuration/ssoconfiguration.md)
[SSO Configuration](./ssoconfiguration.md)

## Prerequisites

@@ -57,7 +57,7 @@ file’ to get the file in JSON format.

**Step 7 –** Add application, select choose file.

**Step 8 –** Locate the file you just downloaded and click ‘open’, then upload.
**Step 8 –** Locate the downloaded file and click ‘open’, then upload.

**Step 9 –** Return to the **Duo Admin Panel.**

@@ -112,7 +112,7 @@ or disable SSO when appropriate:

If you are using ADFS as an authentication source and receive a "SAML Assertion Not Yet Valid" while
trying to log in, please see: 
[Configure ADFS (Active Directory Federation Services) SSO](/docs/privilegesecurediscovery/administration/configuration/configureadfs.md)
[Configure ADFS (Active Directory Federation Services) SSO](./configureadfs.md)

## Additional Information

@@ -121,3 +121,5 @@ trying to log in, please see: 
[https://duo.com/docs/sso-generic](https://duo.com/docs/sso-generic)

[https://duo.com/docs/sso](https://duo.com/docs/sso)


@@ -14,7 +14,7 @@ Duo Hosted SSO

This topic covers integrating Privilege Secure with Duo using a Duo hosted SSO. Please find an
article detailing the Privilege Secure SSO terms here:
[SSO Configuration](/docs/privilegesecurediscovery/administration/configuration/ssoconfiguration.md)
[SSO Configuration](./ssoconfiguration.md)

## Preqrequisites

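Review bot: the "## Preqrequisites" heading in this hunk is misspelled; fix it as "Prerequisites" in this PR, since the file is already being edited.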
@@ -91,7 +91,7 @@ URL provided by Duo.  This is found in the application's "Metadata" section.

If you are using ADFS as an authentication source and receive a "SAML Assertion Not Yet Valid" while
trying to log in, please see: 
[Configure ADFS (Active Directory Federation Services) SSO](/docs/privilegesecurediscovery/administration/configuration/configureadfs.md)
[Configure ADFS (Active Directory Federation Services) SSO](./configureadfs.md)

## Additional Information

@@ -100,3 +100,5 @@ trying to log in, please see: 
[https://duo.com/docs/sso-generic](https://duo.com/docs/sso-generic)

[https://duo.com/docs/sso](https://duo.com/docs/sso)


@@ -27,11 +27,13 @@ accounts) and GPO, using Restricted Groups, is removing them again.
build) use the GPO option for "Apply once and do not reapply".
- Do not rely on "Restricted Groups" to tightly control the Local Administrators group. That is what
Privilege Secure is for. Instead use "Preferences" to _add_ Persistent accounts to the Local
Administrators group (but not remove any). See an example of this type of GPO below under "More
Administrators group without removing any existing entries. See an example of this type of GPO below under "More
Information".

## More Information

- Example of how to use GPO to add the Privilege Secure service account (the "Protect Mode"
account).
[Add Privilege Secure Protect Mode Account to Windows Endpoints via GPO](/docs/privilegesecurediscovery/requirements/technicalpreparation/productmodeaccount.md)
[Add Privilege Secure Protect Mode Account to Windows Endpoints via GPO](../../requirements/technicalpreparation/productmodeaccount.md)


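Review bot: the rewritten line still contains "See an example of this type of GPO below under", a positional reference that the new `positional-references` rule in this PR warns on; write "See an example of this type of GPO in More Information" instead. The two blank lines added at the end of the file should also go.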
@@ -37,7 +37,7 @@ be completed prior registering Linux systems.

- For users experienced with Linux, add line to /etc/sudoers file with the permissions for user,
‘example_user’ show here: `example_user ALL=(ALL) NOPASSWD: ALL`
- [Linux: Add Sudo User to Ubuntu System](/docs/privilegesecurediscovery/administration/systemmanagement/linuxaddsudouser.md)
- [Linux: Add Sudo User to Ubuntu System](../systemmanagement/linuxaddsudouser.md)

### Linux Registration - (pre 2.18.0)

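Review bot: the context line above the changed link tells readers to add `example_user ALL=(ALL) NOPASSWD: ALL` to /etc/sudoers, which grants that account passwordless root for every command. Say that the entry is only for the account Privilege Secure uses to register and manage the system, and tell readers to add it through `visudo` (or as a file under `/etc/sudoers.d/`) rather than by editing `/etc/sudoers` directly, since a syntax error in that file disables sudo for everyone on the host.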
@@ -47,9 +47,9 @@ Linux registration can be completed via either of the below methods. The Postman
for a single system registration and the QuickStart option will allow for bulk systems registration.

- Postman program (used for individual system registration) -
[Postman Linux Registration](/docs/privilegesecurediscovery/requirements/technicalpreparation/postmanlinuxregistration.md)
[Postman Linux Registration](../../requirements/technicalpreparation/postmanlinuxregistration.md)
- QuickStart script (used for bulk system registration) -
[QuickStart Script](/docs/privilegesecurediscovery/administration/configuration/quickstartscript.md)
[QuickStart Script](./quickstartscript.md)

## JITA Request for Linux Systems

@@ -65,7 +65,7 @@ Linux JITA Session Behavior

- Example entry into /etc/passwd for user ‘s1_user’:
`s1_user:x:1005:1005:PrivilegeSecure AD Bridged Account:/home/s1_user:/bin/sh`
- User can then SSH to the linux box with just username (case sensitive), no domain required.
- User can then SSH to the linux box with the username only (case sensitive), with no domain required.

- Privilege Secure also create an entry for that account in the `/etc/sudoers/` providing sudo
capabilities.
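Review bot: the changed bullet has a doubled "with"; write "User can then SSH to the Linux box using only the username (case sensitive); no domain is required." In the next bullet, `/etc/sudoers/` has a trailing slash that makes it look like a directory rather than the file, and "Privilege Secure also create" should be "creates".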
@@ -126,3 +126,5 @@ Privilege Secure reads the sudoers file, within the /etc directory, to check for
privilege specifications.

During JITA sessions and expirations Privilege Secure will modify the /etc/sudoers file.

