Offline files failing to synchronize

Just over the last few days, offline files, which have been working reasonably well over the last several years for about 40 laptops, have started to fail.  The specific error I get is 'Access is denied'.  This is only when synching from the network to the laptop.  So far, all are XP SP3.

When offline, users can no longer write to the offline drive, but do have read access to it.  When they open a file offline and try to save it, they get the application's equivalent of "can't save/path/file not found".

When online, users can read and write to the network share as normal.  Only offline, there is no write access (and therefore no synching from the network to the laptop).  I looked at KB257839, which was informative but didn't offer a solution.

Like I said, this just started happening on at least a dozen laptops (but not all at the same time, gradually over a few days), and there haven't been any changes to network security.  Access is Denied sounds like a security issue, but since we have read/write access while online, I don't think it is network security.   Domain accounts are a member of the local computer's Administrators group, so again they should have full rights on the laptop so I can't believe it is a local security issue.

I reinitialized my offline files cache but this didn't fix the problem (and now I don't have even the read-only copy, as consistent with the problem).

No Windows updates were pushed out recently that may have caused this problem.  I also performed a full virus scan (automatically runs each week on all laptops, but I also ran a manual scan) but it didn't produce any infections.

Anyone seen this behavior or can offer a fix?

Check what gpresult /v reports on the laptop while the system is on the LAN.
In particular, double check that all GPOs you have are applied without error.
Additionally, check the cache settings on the shares to which the folders were redirected.

TWBitAuthor Commented:
Thanks for your reply.

Nothing seems out of the ordinary with the GP output, no failures that I noted.  We're not using Folder Redirection.  Caching on that share set to 'Only the files and programs that users specify....'
If you are not using folder redirection, what is the point of allowing offline file caching? The share is not present when the user is off site.
Check the options in the control panel folder options/offline files tab.
Could you check the share to make sure that there are no ~filename.doc lock files or an attribute marking the file read-only?
Also check the security under the share configuration as well as regular security.
Are the files that you can not access/save MS documents or any document?


TWBitAuthor Commented:
Folders can be set up for offline use for a variety of reasons - it doesn't only pertain to redirecting the My Documents folder.   In our case,  we have private data folders for each user which remain encrypted (albeit windows security, but better than no security) plus shared folders with forms, policies, procedures, utilities, printer drivers, etc that are synchronized so the users have them when offsite.

The private folders are the user's Home folder which is K: being assigned to \\{server1}\Users\{Username}.  Inside the {Username} folder the user can have whatever they want, but per instruction (and at time of account creation) a Data folder is created, and set to 'Make Available Offline'.  This allows them to control what they want saved on the network and available offline vs. saved on the network and not available offline.  Per instruction, users are told not to save documents directly on the C:, such as My Documents.  The shared folder is a "Support" folder which was assigned as an offline folder via GPO.

Both folders are in the root of the D: drive of the primary file server.  Up until now, there were only a handful of missing files and times where I needed to re-init the cache.

Per GPO, most options are set on the offline files tab - Enable, sync when logging on & off, and encrypt.

No ~*.doc files, only a few documents intentionally set to read-only.

I don't see any problem with security under the shares.  Also remember that I can read/write to it when online so it should be fine.  Can't remember the last time I made a change to security on those shares - maybe a few years ago.  Sharing is set for Domain Users (change/read).  NTFS is set for server's Administrator (full), System (full), Creator Owner (full) & Administrators group (full), propagated to child objects (User added to their private folder - all except full).

Right - all docs, even a text file.

Keep in mind the big picture - that this problem is affecting at least a dozen users, not just one person.  If only one user was having problems, I could question what they did, but for all these users to break at once - something either was centrally set or has propagated.  I'm the only one with admin access to the shares and GPOs, and nothing has changed since a software assignment about 2 months ago.  Nothing updated, changed, no recent server restarts that would have committed pending changes.

Thanks for your attention in this problem.

 Users are local admins on their machines, and have been that way since day 1.
Double check the encrypt portion.  I think if the user no longer had the right certificate, during the attempt to decrypt the file, they will get an error 'access denied'.
How are the EFS certificates issued to the user?  Is it done by the local system or do you have a CA that issues an EFS certificate to each user?

I think the encrypt option is likely the cause for your problems.

Did any of the users who experienced this issue have their passwords reset?
i.e. they did not change their passwords, but their passwords were changed by admin in AD?

Do you have an EFS recovery agent defined? You may have to recover their certificates to gain access to the data.

TWBitAuthor Commented:
Right, just 'basic' encryption by the local system, as in and (more detailed)

I've occasionally needed to reset a user's password (and without consequence), but not all of these users, myself included, in the last few days.

This might be pointing me in a relevant direction.  Let me do some more research and testing.  Thanks.
TWBitAuthor Commented:
I finally resolved this with more research and trial & error.  I first turned off encryption of the offline files by GPO which enabled users to synchronize their private data folder without error (which also proved it was an encryption problem).  Also after some more digging around, I saw Windows System Event ID 6028 - "EFS recovery policy contains invalid recovery certificate" was being logged each time synching was attempted.

All along I have speculated that it was something 'global' to my environment and not local to each PC.  I found in the Default Domain Policy's Windows Settings|Security Settings|Public Key Policies|Encrypting File System that the cert had indeed expired on the 26th, not surprisingly when people started to have problems.  As some users were off the network, they didn't experience the problem until they logged in and the policy was applied.  Apparently the initial certificate was valid for a 3 year period.  Since you can't extend it, you have to add a new certificate, then delete the old one.

Perfect instructions are located here: 
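
Added example, not part of the original thread and not the linked instructions: a PowerShell check for the failure diagnosed above, reporting how close the EFS recovery agent certificate is to expiry and whether event 6028 has been logged on the local machine. The certificate path and the warning window are assumptions; the script expects the recovery certificate to have been exported from the policy node to a .cer file first.

```powershell
# Added example (not from the thread). Assumptions: $DraCertPath is a .cer file
# exported from the GPO's Encrypting File System node; $WarnDays is arbitrary.
param(
    [string]$DraCertPath = 'C:\Temp\efs-dra.cer',
    [int]$WarnDays = 60
)
$ErrorActionPreference = 'Stop'
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

# 1. Validity window and intended purpose of the recovery agent certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCertPath
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

if ($daysLeft -lt 0) { $status = 'EXPIRED' }
elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING SOON' }
else { $status = 'OK' }

New-Object PSObject -Property @{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
    DaysLeft           = $daysLeft
    HasFileRecoveryEku = ($ekuOids -contains $fileRecoveryOid)
    Status             = $status
}

# 2. Has this machine already logged the symptom named in the thread?
#    Get-EventLog is used so the check also runs on PowerShell 2.0.
$hits = @(Get-EventLog -LogName System -Newest 5000 |
    Where-Object { $_.EventID -eq 6028 })
if ($hits.Count -gt 0) {
    $first = $hits | Sort-Object TimeGenerated | Select-Object -First 1
    'Event 6028 logged {0} time(s); earliest in sample: {1}' -f $hits.Count, $first.TimeGenerated
} else {
    'No event 6028 in the newest 5000 System log entries.'
}
```

Comparing the earliest 6028 timestamp on each laptop with the certificate's NotAfter date shows the staggered onset the thread describes, since a machine only fails after it next applies the policy.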

