Solved

Offline files failing to synchronize

Posted on 2009-06-30
Last Modified: 2013-12-02
Just over the last few days, offline files, which have been working reasonably well over the last several years for about 40 laptops, have started to fail.  The specific error I get is 'Access is denied'.  This is only when synching from the network to the laptop.  So far, all are XP SP3.

When offline, users can no longer write to the offline drive, but do have read access to it.  When they open a file offline and try to save it, they get the application's equivalent of "can't save/path/file not found".

When online, users can read and write to the network share as normal.  Only offline, there is no write access (and therefore no synching from the network to the laptop).  I looked at KB257839, which was informative but didn't offer a solution.

Like I said, this just started happening on at least a dozen laptops (but not all at the same time, gradually over a few days), and there haven't been any changes to network security.  Access is Denied sounds like a security issue, but since we have read/write access while online, I don't think it is network security.   Domain accounts are a member of the local computer's Administrators group, so again they should have full rights on the laptop so I can't believe it is a local security issue.

I reinitialized my offline files cache but this didn't fix the problem (and now I don't have even the read-only copy, as consistent with the problem).

No Windows updates were pushed out recently that may have caused this problem.  I also performed a full virus scan (automatically runs each week on all laptops, but I also ran a manual scan) but it didn't produce any infections.

Anyone seen this behavior or can offer a fix?
Question by:TWBit
LVL 76

Expert Comment

by:arnold
Check what gpresult /v reports on the laptop while the system is on the LAN.
In particular, double check that all GPOs you have are applied without error.
Additionally, check the cache settings on the shares to which the folders were redirected.


LVL 11

Author Comment

by:TWBit
Thanks for your reply.

Nothing seems out of the ordinary with the GP output, no failures that I noted.  We're not using Folder Redirection.  Caching on that share set to 'Only the files and programs that users specify....'
LVL 76

Expert Comment

by:arnold
If you are not using folder redirection, what is the point of allowing offline file caching? The share is not present when the user is off site.
Check the options in the control panel folder options/offline files tab.
Could you check the share to make sure that there are no ~filename.doc lock files or an attribute marking the file read only?
Also check the security under the share configuration as well as regular security.
Are the files that you can not access/save MS documents or any document?


LVL 11

Author Comment

by:TWBit
Folders can be set up for offline use for a variety of reasons - it doesn't only pertain to redirecting the My Documents folder.   In our case,  we have private data folders for each user which remain encrypted (albeit windows security, but better than no security) plus shared folders with forms, policies, procedures, utilities, printer drivers, etc that are synchronized so the users have them when offsite.

The private folders are the user's Home folder which is K: being assigned to \\{server1}\Users\{Username}.  Inside the {Username} folder the user can have whatever they want, but per instruction (and at time of account creation) a Data folder is created, and set to 'Make Available Offline'.  This allows them to control what they want saved on the network and available offline vs. saved on the network and not available offline.  Per instruction, users are told not to save documents directly on the C:, such as My Documents.  The shared folder is a "Support" folder which was assigned as an offline folder via GPO.

Both folders are in the root of the D: drive of the primary file server.  Up until now, there were only a handful of missing files and times where I needed to re-init the cache.

Per GPO, most options are set on the offline files tab - Enable, sync when logging on & off, and encrypt.

No ~*.doc files, only a few documents intentionally set to read-only.

I don't see any problem with security under the shares.  Also remember that I can read/write to it when online so it should be fine.  Can't remember the last time I made a change to security on those shares - maybe a few years ago.  Sharing is set for Domain Users (change/read).  NTFS is set for server's Administrator (full), System (full), Creator Owner (full) & Administrators group (full), propagated to child objects (User added to their private folder - all except full).

Right - all docs, even a text file.

Keep in mind the big picture - that this problem is affecting at least a dozen users, not just one person.  If only one user was having problems, I could question what they did, but for all these users to break at once - something either was centrally set or has propagated.  I'm the only one with admin access to the shares and GPOs, and nothing has changed since a software assignment about 2 months ago.  Nothing updated, changed, no recent server restarts that would have committed pending changes.

Thanks for your attention in this problem.

 Users are local admins on their machines, and have been that way since day 1.
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
Double check the encrypt portion.  I think if the user no longer had the right certificate, during the attempt to decrypt the file, they will get an error 'access denied'.
How are the EFS certificates issued to the user?  Is it done by the local system or do you have a CA that issues an EFS certificate to each user?

I think the encrypt option is likely the cause for your problems.

Did any of the users who experience this issue have their passwords reset?
i.e. they did not change their passwords, but their passwords were changed by admin in AD?

Do you have an EFS recovery agent defined? You may have to recover their certificates to gain access to the data.

LVL 11

Author Comment

by:TWBit
Right, just 'basic' encryption by the local system, as in http://support.microsoft.com/kb/312221 and http://technet.microsoft.com/en-us/library/bb456987.aspx (more detailed)

I've occasionally needed to reset a user's password (and without consequence), but not all of these users, myself included, in the last few days.

This might be pointing me in a relevant direction.  Let me do some more research and testing.  Thanks.
LVL 11

Accepted Solution

by:TWBit
TWBit earned 0 total points
I finally resolved this with more research and trial & error.  I first turned off encryption of the offline files by GPO which enabled users to synchronize their private data folder without error (which also proved it was an encryption problem).  Also after some more digging around, I saw Windows System Event ID 6028 - "EFS recovery policy contains invalid recovery certificate" was being logged each time synching was attempted.

All along I have speculated that it was something 'global' to my environment and not local to each PC.  I found in the Default Domain Policy's Windows Settings|Security Settings|Public Key Policies|Encrypting File System that the cert had indeed expired on the 26th, not surprisingly when people started to have problems.  As some users were off the network, they didn't experience the problem until they logged in and the policy was applied.  Apparently the initial certificate was valid for a 3 year period.  Since you can't extend it, you have to add a new certificate, then delete the old one.

Perfect instructions are located here: http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
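
The root cause in the accepted answer, an expired EFS recovery agent certificate in domain policy that surfaces on clients as Event ID 6028, can be monitored before it breaks synchronization. The following Windows PowerShell script is an added example, not part of the original thread; it assumes the recovery certificate has been exported from the GPO to a .cer file, and the path `C:\Temp\dra-export.cer`, the 60-day warning window and the function name `Test-DraCertificate` are hypothetical.

```powershell
# Added example (not from the thread). Assumes the recovery agent certificate was
# exported from the GPO to a .cer file; path and warning window are placeholders.
param(
    [string]$CerPath  = 'C:\Temp\dra-export.cer',  # hypothetical export location
    [int]   $WarnDays = 60                         # assumed warning window
)

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'      # "File Recovery" enhanced key usage

function Test-DraCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # Collect the EKU OIDs; a recovery agent certificate should carry File Recovery.
    $oids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Negative means the certificate has already expired, the condition in the post.
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }

    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        DaysLeft        = $daysLeft
        HasFileRecovery = ($oids -contains $FileRecoveryOid)
        Status          = $status
    }
}

# Check the exported recovery certificate.
$path = (Resolve-Path $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
Test-DraCertificate -Cert $cert -WarnDays $WarnDays | Format-List

# On a client: look for Event ID 6028 in the System log, where the post found it
# logged at each synchronization attempt.
Get-EventLog -LogName System -Newest 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 6028 } |
    Select-Object -First 5 TimeGenerated, Source, Message
```

`Get-EventLog` is available in Windows PowerShell but not in PowerShell 7; run the certificate check on a schedule so an `EXPIRING` status is seen before clients start logging 6028.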