dadd0012

asked on

Offline files access denied error

Hi, I'm having problems with offline files, getting an "access denied" error. The file permissions on their network shares all seem fine; they can delete and create etc., but it just won't synchronize. I have found if I make them (temporarily) a domain admin it will sync the files successfully, but alas it seems to do it again after the rights have been removed.

It seems like a permissions issue to me, but I can't think of how, as the users have full access to their shares. :(
Rob Williams

Parent and user folder permissions on the server are important for synchronizing offline files. The following article lists the required permissions near the bottom. I have included a second complete article about folder redirection and offline files you may also find helpful. I find the problem is usually the user is not the owner of the required folder.
http://technet2.microsoft.com/WindowsServer/en/Library/42607d0b-5d44-4f99-8992-d63b99320bb61033.mspx

http://www.iss.soton.ac.uk/dabs/adhowtoredirect.html
dadd0012

ASKER

Hmm, OK, well the user is the owner and has full permissions to access the files. I'll read your links a bit more though to see if they shed any light :)

oh and thx for the reply
Just to be a little more specific, assuming this is a server permission error, confirm the following minimum permissions requirements. For example, using a server shared folder named HOME and the user's My Documents being redirected to a folder within that share, named USERNAME.

The root folder HOME-
-Needs to be a shared folder
-Share permissions = Everyone Full Control
-Security/NTFS permissions =
     System = Full control
     Creator Owner = Full control of subfolders and files
     Administrators = none required (often you may want full, at least for Domain Admins)
          (Depending how your backup was configured you may need to add administrators or other permissions)
     <users group such as domain users> = List Folder Contents, Read Data, Create Folders and Append Data for this root folder only

The users folder USERNAME-
-Normally named with the user's account name so it can be referenced with the variable %username%
-Share permissions - not shared
-Folder owner = %username%
-Security/NTFS permissions =
     System = Full control
     Administrators = none required (often you may want full, at least for Domain Admins)
          (Depending how your backup was configured you may need to add administrators or other permissions)
     %Username% = Full control

Microsoft recommends you create the root folder, and allow redirection to create the users folder with the proper permissions, but that is not always possible.
Also, another note: if you are using the option to redirect to a user's Home directory/folder, it will not work with Windows 2000 computers; you will get permissions or access errors. In this situation you need to use "redirect all users to a common folder", and use a UNC name like \\ServerName\ShareName\%UserName%
Hope this helps a bit more.
By setting the permissions like that though, everyone will be able to access each other's files? Well, that's what happened when I applied these permissions. It worked, obviously, but not a good idea ;) I'll play some more with the permissions.
>>"by setting the permissions like that though everyone will be able to access each others files?"
That is paraphrased from a Microsoft site, but re-reading it and looking at a couple of my configurations I agree, you should change that.
Delete the "<users group such as domain users>" configuration completely on the root share (HOME) folder, or under advanced permissions check "create folders" only.
Also, make sure the "Share permissions = Everyone Full Control" is share permissions, not security/NTFS permissions.
Hopefully that will work better for you. Sorry.
ASKER CERTIFIED SOLUTION
Rob Williams
This solution is only available to members.
Sorry Rob, yes, it's all working now. I can't remember the exact differences, but the way I've got it all working is slightly different with the preferences but was close enough to your suggestion for it to be very helpful, so thanks for that.

Thanks dadd0012,
--Rob
np mate, sorry I left it so late
pisboi

I have had the Access denied message when synchronizing, and it was related to expired EFS certificates (when you encrypt cached files).

Try this, and see if the certificates are expired:

Log on as administrator at the first DC in the domain. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

In the Active Directory Users and Computers console, right-click your domain name, and then click Properties.

In the domain Properties dialog box, click the Group Policy tab. Click the highest priority domain Group Policy object (GPO), and then click Edit.

Expand the top-level domain policy node, and then expand Computer Configuration. Expand the Windows Settings node, and then expand the Security Settings node. Expand the Public Key Policies node, and then click the Encrypted Data Recovery node.
Yes, that was also the problem for me (EFS certificate expired). But the GPO I had to verify was the one containing the settings for the OfflineFiles (and not the Default Domain Policy one). They weren't using the same certificate.
The security settings described by RobWill way up top did work correctly; just note to set the domain user security for THIS FOLDER ONLY under the advanced settings.

-Security/NTFS permissions =
     System = Full control
     Creator Owner = Full control of subfolders and files
     Administrators = none required (often you may want full, at least for Domain Admins)
          (Depending how your backup was configured you may need to add administrators or other permissions)
     <users group such as domain users> = List Folder Contents, Read Data, Create Folders and Append Data for this root folder only
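The permission layout discussed in this thread can be audited read-only with Get-Acl. The script below is an added example, not code posted by anyone in the thread: it flags a users-group ACE on the root that is not "this folder only" or grants more than list/read/create-folder rights, and flags user folders whose owner or ACL differs from the layout above. The path `D:\HOME`, the group `CONTOSO\Domain Users` and the list of accepted identities are assumptions to adjust.

```powershell
# Added example: read-only audit of a redirected-folders root (HOME) and its user folders.
param(
    [string]$Root       = 'D:\HOME',               # assumed local path of the HOME share
    [string]$UsersGroup = 'CONTOSO\Domain Users'   # assumed users group on the root
)
$Domain = $UsersGroup.Split('\')[0]

function Test-RootAcl {
    param([string]$Path, [string]$Group)
    # Rights the thread lists for the users group: list/read data plus create folders.
    $allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, AppendData, Synchronize'
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Group -or $ace.AccessControlType -ne 'Allow') { continue }
        # "This folder only" means the ACE carries no inheritance flags.
        if ($ace.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None) {
            "ROOT: $Group ACE is inherited by children ($($ace.InheritanceFlags)); users can reach each other's folders"
        }
        # Any right outside the allowed mask is more than the layout calls for.
        if (([int]$ace.FileSystemRights -band (-bnot $allowed)) -ne 0) {
            "ROOT: $Group holds more than list/read/create-folder rights: $($ace.FileSystemRights)"
        }
    }
}

function Test-UserFolders {
    param([string]$Path, [string]$Domain)
    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $acl      = Get-Acl -LiteralPath $dir.FullName
        $expected = "$Domain\$($dir.Name)"   # folder is named after the account
        # Identities the layout accepts on a user folder (Domain Admins is optional there).
        $accepted = @($expected, 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
                      'BUILTIN\Administrators', "$Domain\Domain Admins")
        if ($acl.Owner -ne $expected) {
            "OWNER: $($dir.FullName) is owned by $($acl.Owner), expected $expected"
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -notin $accepted) {
                "EXTRA: $($dir.FullName) grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }
}

Test-RootAcl     -Path $Root -Group  $UsersGroup
Test-UserFolders -Path $Root -Domain $Domain
```

No output means the root and every user folder match the layout; each line printed names one folder and the deviation found.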