Offline files failing to synchronize

Posted on 2009-06-30
Medium Priority
Last Modified: 2013-12-02
Just over the last few days, offline files, which have been working reasonably well over the last several years for about 40 laptops, have started to fail.  The specific error I get is 'Access is denied'.  This is only when synching from the network to the laptop.  So far, all are XP SP3.

When offline, users can no longer write to the offline drive, but do have read access to it.  When they open a file offline and try to save it, they get the application's equivalent of "can't save/path/file not found".

When online, users can read and write to the network share as normal.  Only offline, there is no write access (and therefore no synching from the network to the laptop).  I looked at KB257839, which was informative but didn't offer a solution.

Like I said, this just started happening on at least a dozen laptops (but not all at the same time, gradually over a few days), and there haven't been any changes to network security.  Access is Denied sounds like a security issue, but since we have read/write access while online, I don't think it is network security.   Domain accounts are members of the local computer's Administrators group, so again they should have full rights on the laptop so I can't believe it is a local security issue.

I reinitialized my offline files cache but this didn't fix the problem (and now I don't have even the read-only copy, as consistent with the problem).

No Windows updates were pushed out recently that may have caused this problem.  I also performed a full virus scan (automatically runs each week on all laptops, but I also ran a manual scan) but it didn't produce any infections.

Anyone seen this behavior or can offer a fix?
Question by: TWBit
LVL 79

Expert Comment

ID: 24750650
Check what gpresult /v reports on the laptop while the system is on the LAN.
In particular, double check that all GPOs you have are applied without error.
Additionally, check the cache settings on the shares to which the folders were redirected.

LVL 11

Author Comment

ID: 24750851
Thanks for your reply.

Nothing seems out of the ordinary with the GP output, no failures that I noted.  We're not using Folder Redirection.  Caching on that share set to 'Only the files and programs that users specify....'
LVL 79

Expert Comment

ID: 24751167
If you are not using folder redirection, what is the point of allowing offline file caching? The share is not present when the user is off site.
Check the options in the control panel folder options/offline files tab.
Could you check the share to make sure that there are no ~filename.doc lock files or an attribute marking the file read only?
Also check the security under the share configuration as well as regular security.
Are the files that you can not access/save MS documents or any document?

LVL 11

Author Comment

ID: 24751399
Folders can be set up for offline use for a variety of reasons - it doesn't only pertain to redirecting the My Documents folder.   In our case,  we have private data folders for each user which remain encrypted (albeit Windows security, but better than no security) plus shared folders with forms, policies, procedures, utilities, printer drivers, etc that are synchronized so the users have them when offsite.

The private folders are the user's Home folder which is K: being assigned to \\{server1}\Users\{Username}.  Inside the {Username} folder the user can have whatever they want, but per instruction (and at time of account creation) a Data folder is created, and set to 'Make Available Offline'.  This allows them to control what they want saved on the network and available offline vs. saved on the network and not available offline.  Per instruction, users are told not to save documents directly on the C:, such as My Documents.  The shared folder is a "Support" folder which was assigned as an offline folder via GPO.

Both folders are in the root of the D: drive of the primary file server.  Up until now, there were only a handful of missing files and times where I needed to re-init the cache.

Per GPO, most options are set on the offline files tab - Enable, sync when logging on & off, and encrypt.

No ~*.doc files, only a few documents intentionally set to read-only.

I don't see any problem with security under the shares.  Also remember that I can read/write to it when online so it should be fine.  Can't remember the last time I made a change to security on those shares - maybe a few years ago.  Sharing is set for Domain Users (change/read).  NTFS is set for server's Administrator (full), System (full), Creator Owner (full) & Administrators group (full), propagated to child objects (User added to their private folder - all except full).

Right - all docs, even a text file.

Keep in mind the big picture - that this problem is affecting at least a dozen users, not just one person.  If only one user was having problems, I could question what they did, but for all these users to break at once - something either was centrally set or has propagated.  I'm the only one with admin access to the shares and GPOs, and nothing has changed since a software assignment about 2 months ago.  Nothing updated, changed, no recent server restarts that would have committed pending changes.

Thanks for your attention in this problem.

 Users are local admins on their machines, and have been that way since day 1.
LVL 79

Assisted Solution

arnold earned 1000 total points
ID: 24751599
Double check the encrypt portion.  I think if the user no longer had the right certificate, during the attempt to decrypt the file, they will get an error 'access denied'.
How are the EFS certificates issued to the user?  Is it done by the local system or do you have a CA that issues an EFS certificate to each user?

I think the encrypt option is likely the cause for your problems.

Did any of the users who experience this issue have their passwords reset?
i.e. they did not change their passwords, but their passwords were changed by admin in AD?

Do you have an EFS recovery agent defined? You may have to recover their certificates to gain access to the data.

LVL 11

Author Comment

ID: 24751808
Right, just 'basic' encryption by the local system, as in http://support.microsoft.com/kb/312221 and http://technet.microsoft.com/en-us/library/bb456987.aspx (more detailed)

I've occasionally needed to reset a user's password (and without consequence), but not all of these users, myself included, in the last few days.

This might be pointing me in a relevant direction.  Let me do some more research and testing.  Thanks.
LVL 11

Accepted Solution

TWBit earned 0 total points
ID: 24788790
I finally resolved this with more research and trial & error.  I first turned off encryption of the offline files by GPO which enabled users to synchronize their private data folder without error (which also proved it was an encryption problem).  Also after some more digging around, I saw Windows System Event ID 6028 - "EFS recovery policy contains invalid recovery certificate" was being logged each time synching was attempted.

All along I have speculated that it was something 'global' to my environment and not local to each PC.  I found in the Default Domain Policy's Windows Settings|Security Settings|Public Key Policies|Encrypting File System that the cert had indeed expired on the 26th, not surprisingly when people started to have problems.  As some users were off the network, they didn't experience the problem until they logged in and the policy was applied.  Apparently the initial certificate was valid for a 3 year period.  Since you can't extend it, you have to add a new certificate, then delete the old one.

Perfect instructions are located here: http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx 
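
A check for the failure this thread ended on, an expired recovery certificate in the EFS recovery policy, as an added example that is not part of the original thread: it reports whether a certificate carries the File Recovery usage and whether it has expired or is inside a warning window. `Test-DraCertificate`, `New-ConstructedCert` and the 90-day window are hypothetical choices, the three certificates are constructed in memory, and the script assumes PowerShell 5.1 with .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Test-DraCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate,
        [int]$WarnDays = 90,               # hypothetical warning window
        [datetime]$Now = (Get-Date)
    )
    process {
        # A recovery agent certificate must list File Recovery in its EKU extension.
        $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $isRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })

        $status = if (-not $isRecovery) { 'NoFileRecoveryEku' }
                  elseif ($Certificate.NotAfter -lt $Now) { 'Expired' }
                  elseif ($Certificate.NotAfter -le $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
                  else { 'OK' }

        [pscustomobject]@{
            Subject  = $Certificate.Subject
            NotAfter = $Certificate.NotAfter
            DaysLeft = [math]::Round(($Certificate.NotAfter - $Now).TotalDays, 1)
            Status   = $status
        }
    }
}

# Constructed sample input: self-signed, in-memory certificates with a 3-year
# lifetime and the File Recovery EKU. Nothing is written to a certificate store.
function New-ConstructedCert([string]$Name, [datetime]$NotAfter) {
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new("CN=$Name", $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    [void]$oids.Add([Oid]::new($FileRecoveryOid))
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]$NotAfter.AddYears(-3), [DateTimeOffset]$NotAfter)
}

$now = Get-Date
@(
    New-ConstructedCert 'Constructed expired DRA'  ($now.AddDays(-4))
    New-ConstructedCert 'Constructed expiring DRA' ($now.AddDays(30))
    New-ConstructedCert 'Constructed healthy DRA'  ($now.AddYears(2))
) | Test-DraCertificate -Now $now | Format-Table -AutoSize
```

To run the same check against a real recovery certificate, export it from the policy to a `.cer` file and pipe `Get-PfxCertificate -FilePath <exported file>` into `Test-DraCertificate`.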

