Solved

Offline files failing to synchronize

Posted on 2009-06-30
Last Modified: 2013-12-02
Just over the last few days, offline files, which have been working reasonably well over the last several years for about 40 laptops, have started to fail.  The specific error I get is 'Access is denied'.  This is only when synching from the network to the laptop.  So far, all are XP SP3.

When offline, users can no longer write to the offline drive, but do have read access to it.  When they open a file offline and try to save it, they get the application's equivalent of "can't save/path/file not found".

When online, users can read and write to the network share as normal.  Only offline, there is no write access (and therefore no synching from the network to the laptop).  I looked at KB257839, which was informative but didn't offer a solution.

Like I said, this just started happening on at least a dozen laptops (but not all at the same time, gradually over a few days), and there haven't been any changes to network security.  Access is Denied sounds like a security issue, but since we have read/write access while online, I don't think it is network security.   Domain accounts are a member of the local computer's Administrators group, so again they should have full rights on the laptop so I can't believe it is a local security issue.

I reinitialized my offline files cache but this didn't fix the problem (and now I don't have even the read-only copy, as consistent with the problem).

No Windows updates were pushed out recently that may have caused this problem.  I also performed a full virus scan (automatically runs each week on all laptops, but I also ran a manual scan) but it didn't produce any infections.

Anyone seen this behavior or can offer a fix?
Question by:TWBit

Expert Comment

by:arnold
ID: 24750650
Check what gpresult /v reports on the laptop while the system is on the LAN.
In particular, double check that all GPOs you have are applied without error.
Additionally, check the cache settings on the shares to which the folders were redirected.



Author Comment

by:TWBit
ID: 24750851
Thanks for your reply.

Nothing seems out of the ordinary with the GP output, no failures that I noted.  We're not using Folder Redirection.  Caching on that share set to 'Only the files and programs that users specify....'

Expert Comment

by:arnold
ID: 24751167
If you are not using folder redirection, what is the point of allowing offline file caching? The share is not present when the user is off site.
Check the options in the control panel folder options/offline files tab.
Could you check the share to make sure that there are no ~filename.doc lock files or an attribute marking the file read-only?
Also check the security under the share configuration as well as regular security.
Are the files that you cannot access/save MS documents or any document?



Author Comment

by:TWBit
ID: 24751399
Folders can be set up for offline use for a variety of reasons - it doesn't only pertain to redirecting the My Documents folder.   In our case,  we have private data folders for each user which remain encrypted (albeit Windows security, but better than no security) plus shared folders with forms, policies, procedures, utilities, printer drivers, etc. that are synchronized so the users have them when offsite.

The private folders are the user's Home folder which is K: being assigned to \\{server1}\Users\{Username}.  Inside the {Username} folder the user can have whatever they want, but per instruction (and at time of account creation) a Data folder is created, and set to 'Make Available Offline'.  This allows them to control what they want saved on the network and available offline vs. saved on the network and not available offline.  Per instruction, users are told not to save documents directly on the C:, such as My Documents.  The shared folder is a "Support" folder which was assigned as an offline folder via GPO.

Both folders are in the root of the D: drive of the primary file server.  Up until now, there were only a handful of missing files and times where I needed to re-init the cache.

Per GPO, most options are set on the offline files tab - Enable, sync when logging on & off, and encrypt.

No ~*.doc files, only a few documents intentionally set to read-only.

I don't see any problem with security under the shares.  Also remember that I can read/write to it when online so it should be fine.  Can't remember the last time I made a change to security on those shares - maybe a few years ago.  Sharing is set for Domain Users (change/read).  NTFS is set for server's Administrator (full), System (full), Creator Owner (full) & Administrators group (full), propagated to child objects (User added to their private folder - all except full).

Right - all docs, even a text file.

Keep in mind the big picture - that this problem is affecting at least a dozen users, not just one person.  If only one user was having problems, I could question what they did, but for all these users to break at once - something either was centrally set or has propagated.  I'm the only one with admin access to the shares and GPOs, and nothing has changed since a software assignment about 2 months ago.  Nothing updated, changed, no recent server restarts that would have committed pending changes.

Thanks for your attention in this problem.

Users are local admins on their machines, and have been that way since day 1.


Assisted Solution

by:arnold
arnold earned 250 total points
ID: 24751599
Double check the encrypt portion.  I think if the user no longer had the right certificate, during the attempt to decrypt the file, they will get an error 'access denied'.
How are the EFS certificates issued to the user?  Is it done by the local system or do you have a CA that issues an EFS certificate to each user?

I think the encrypt option is likely the cause for your problems.

Did any of the users who experience this issue have their passwords reset?
i.e. they did not change their passwords, but their passwords were changed by admin in AD?

Do you have an EFS recovery agent defined? You may have to recover their certificates to gain access to the data.


Author Comment

by:TWBit
ID: 24751808
Right, just 'basic' encryption by the local system, as in http://support.microsoft.com/kb/312221 and http://technet.microsoft.com/en-us/library/bb456987.aspx (more detailed)

I've occasionally needed to reset a user's password (and without consequence), but not all of these users, myself included, in the last few days.

This might be pointing me in a relevant direction.  Let me do some more research and testing.  Thanks.


Accepted Solution

by:TWBit
TWBit earned 0 total points
ID: 24788790
I finally resolved this with more research and trial & error.  I first turned off encryption of the offline files by GPO which enabled users to synchronize their private data folder without error (which also proved it was an encryption problem).  Also after some more digging around, I saw Windows System Event ID 6028 - "EFS recovery policy contains invalid recovery certificate" was being logged each time synching was attempted.

All along I have speculated that it was something 'global' to my environment and not local to each PC.  I found in the Default Domain Policy's Windows Settings|Security Settings|Public Key Policies|Encrypting File System that the cert had indeed expired on the 26th, not surprisingly when people started to have problems.  As some users were off the network, they didn't experience the problem until they logged in and the policy was applied.  Apparently the initial certificate was valid for a 3 year period.  Since you can't extend it, you have to add a new certificate, then delete the old one.

Perfect instructions are located here: http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx 
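
The check that would have caught this before users were affected, as an added example that is not part of the original thread: it reports the validity window of an EFS recovery agent certificate and counts recent System events with ID 6028 on the machine where it runs. Assumptions: the DRA certificate has been exported from the GPO to the hypothetical path `C:\Temp\efs-dra.cer`, the 60-day warning window and 14-day lookback are arbitrary, and the machine runs a Windows version that has `Get-WinEvent`.

```powershell
param(
    [string]$DraCertPath  = 'C:\Temp\efs-dra.cer',  # hypothetical export of the DRA certificate
    [int]$WarnDays        = 60,                     # assumed warning window
    [int]$LookbackDays    = 14                      # assumed event lookback
)

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'       # EFS "File Recovery" enhanced key usage

function Test-EfsRecoveryCert {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$AsOf = (Get-Date),
        [int]$WarnDays = 60
    )
    process {
        # A usable recovery certificate carries the File Recovery EKU.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })

        $daysLeft = [math]::Floor(($Certificate.NotAfter - $AsOf).TotalDays)
        $status = if     ($AsOf -gt $Certificate.NotAfter)  { 'Expired' }
                  elseif ($AsOf -lt $Certificate.NotBefore) { 'NotYetValid' }
                  elseif ($daysLeft -le $WarnDays)          { 'ExpiringSoon' }
                  else                                      { 'OK' }

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            NotAfter       = $Certificate.NotAfter
            DaysLeft       = $daysLeft
            HasRecoveryEku = $hasEku
            Status         = $status
        }
    }
}

# Event 6028 in the System log is the symptom reported in the thread.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 6028; StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DraCertPath
$cert | Test-EfsRecoveryCert -WarnDays $WarnDays |
    Add-Member -NotePropertyName Recent6028Events -NotePropertyValue $events.Count -PassThru
```

Run on a schedule, a status of `ExpiringSoon` leaves time to add the replacement certificate to the policy before the old one lapses.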

