Offline files failing to synchronize

Posted on 2009-06-30
Medium Priority
Last Modified: 2013-12-02
Just over the last few days, offline files, which have been working reasonably well over the last several years for about 40 laptops, have started to fail.  The specific error I get is 'Access is denied'.  This is only when synching from the network to the laptop.  So far, all are XP SP3.

When offline, users can no longer write to the offline drive, but do have read access to it.  When they open a file offline and try to save it, they get the application's equivalent of "can't save/path/file not found".

When online, users can read and write to the network share as normal.  Only offline, there is no write access (and therefore no synching from the network to the laptop).  I looked at KB257839, which was informative but didn't offer a solution.

Like I said, this just started happening on at least a dozen laptops (but not all at the same time, gradually over a few days), and there haven't been any changes to network security.  Access is Denied sounds like a security issue, but since we have read/write access while online, I don't think it is network security.   Domain accounts are a member of the local computer's Administrators group, so again they should have full rights on the laptop so I can't believe it is a local security issue.

I reinitialized my offline files cache but this didn't fix the problem (and now I don't have even the read-only copy, as consistent with the problem).

No Windows updates were pushed out recently that may have caused this problem.  I also performed a full virus scan (automatically runs each week on all laptops, but I also ran a manual scan) but it didn't produce any infections.

Anyone seen this behavior or can offer a fix?
Question by:TWBit
LVL 80

Expert Comment

ID: 24750650
Check what gpresult /v reports on the laptop while the system is on the LAN.
In particular, double check that all GPOs you have are applied without error.
Additionally, check the cache settings on the shares to which the folders were redirected.

LVL 11

Author Comment

ID: 24750851
Thanks for your reply.

Nothing seems out of the ordinary with the GP output, no failures that I noted.  We're not using Folder Redirection.  Caching on that share set to 'Only the files and programs that users specify....'
LVL 80

Expert Comment

ID: 24751167
If you are not using folder redirection, what is the point of allowing offline file caching? The share is not present when the user is off site.
Check the options in the control panel folder options/offline files tab.
Could you check the share to make sure that there are no ~filename.doc lock files or an attribute marking the file read only.
Also check the security under the share configuration as well as regular security.
Are the files that you can not access/save MS documents or any document?

LVL 11

Author Comment

ID: 24751399
Folders can be set up for offline use for a variety of reasons - it doesn't only pertain to redirecting the My Documents folder.   In our case,  we have private data folders for each user which remain encrypted (albeit windows security, but better than no security) plus shared folders with forms, policies, procedures, utilities, printer drivers, etc that are synchronized so the users have them when offsite.

The private folders are the user's Home folder which is K: being assigned to \\{server1}\Users\{Username}.  Inside the {Username} folder the user can have whatever they want, but per instruction (and at time of account creation) a Data folder is created, and set to 'Make Available Offline'.  This allows them to control what they want saved on the network and available offline vs. saved on the network and not available offline.  Per instruction, users are told not to save documents directly on the C:, such as My Documents.  The shared folder is a "Support" folder which was assigned as an offline folder via GPO.

Both folders are in the root of the D: drive of the primary file server.  Up until now, there were only a handful of missing files and times where I needed to re-init the cache.

Per GPO, most options are set on the offline files tab - Enable, sync when logging on & off, and encrypt.

No ~*.doc files, only a few documents intentionally set to read-only.

I don't see any problem with security under the shares.  Also remember that I can read/write to it when online so it should be fine.  Can't remember the last time I made a change to security on those shares - maybe a few years ago.  Sharing is set for Domain Users (change/read).  NTFS is set for server's Administrator (full), System (full), Creator Owner (full) & Administrators group (full), propagated to child objects (User added to their private folder - all except full).

Right - all docs, even a text file.

Keep in mind the big picture - that this problem is affecting at least a dozen users, not just one person.  If only one user was having problems, I could question what they did, but for all these users to break at once - something either was centrally set or has propagated.  I'm the only one with admin access to the shares and GPOs, and nothing has changed since a software assignment about 2 months ago.  Nothing updated, changed, no recent server restarts that would have committed pending changes.

Thanks for your attention in this problem.

 Users are local admins on their machines, and have been that way since day 1.
LVL 80

Assisted Solution

arnold earned 1000 total points
ID: 24751599
Double check the encrypt portion.  I think if the user no longer had the right certificate, during the attempt to decrypt the file, they will get an error 'access denied'.
How are the EFS certificates issued to the user?  Is it done by the local system or do you have a CA that issues an EFS certificate to each user?

I think the encrypt option is likely the cause for your problems.

Did any of the users who experience this issue have their passwords reset?
I.e. they did not change their passwords, but their passwords were changed by an admin in AD?

Do you have an EFS recovery agent defined? You may have to recover their certificates to gain access to the data.

LVL 11

Author Comment

ID: 24751808
Right, just 'basic' encryption by the local system, as in http://support.microsoft.com/kb/312221 and http://technet.microsoft.com/en-us/library/bb456987.aspx (more detailed)

I've occasionally needed to reset a user's password (and without consequence), but not all of these users, myself included, in the last few days.

This might be pointing me in a relevant direction.  Let me do some more research and testing.  Thanks.
LVL 11

Accepted Solution

TWBit earned 0 total points
ID: 24788790
I finally resolved this with more research and trial & error.  I first turned off encryption of the offline files by GPO which enabled users to synchronize their private data folder without error (which also proved it was an encryption problem).  Also after some more digging around, I saw Windows System Event ID 6028 - "EFS recovery policy contains invalid recovery certificate" was being logged each time synching was attempted.

All along I have speculated that it was something 'global' to my environment and not local to each PC.  I found in the Default Domain Policy's Windows Settings|Security Settings|Public Key Policies|Encrypting File System that the cert had indeed expired on the 26th, not surprisingly when people started to have problems.  As some users were off the network, they didn't experience the problem until they logged in and the policy was applied.  Apparently the initial certificate was valid for a 3 year period.  Since you can't extend it, you have to add a new certificate, then delete the old one.

Perfect instructions are located here: http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx 
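
A way to catch the failure described in the accepted solution before it hits users, as an added example that is not part of the original thread: it reports the expiry state of exported recovery-agent certificates and lists recent 6028 events on a client. Assumptions: Windows PowerShell, the recovery-agent certificates from the GPO exported to .cer files in a folder of your choosing (the path shown is hypothetical), and event 6028 in the System log as the post reports.

```powershell
# Added example, not from the thread. Function names and paths are hypothetical.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EFS File Recovery enhanced key usage

function Get-DraCertStatus {
    param(
        [Parameter(Mandatory = $true)] [string] $CertDir,  # folder of exported .cer files
        [int] $WarnDays = 60,                               # warn this many days ahead
        [datetime] $Now = (Get-Date)
    )
    foreach ($file in (Get-ChildItem -Path $CertDir -Filter *.cer)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        # Collect the enhanced key usage OIDs, if the certificate carries any.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $daysLeft = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
        if ($Now -lt $cert.NotBefore)    { $state = 'NotYetValid' }
        elseif ($daysLeft -lt 0)         { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
        else                             { $state = 'OK' }
        New-Object PSObject -Property @{
            File           = $file.Name
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            DaysLeft       = $daysLeft
            IsFileRecovery = ($ekus -contains $FileRecoveryOid)
            State          = $state
        } | Select-Object File, Subject, Thumbprint, NotAfter, DaysLeft, IsFileRecovery, State
    }
}

function Get-EfsPolicyErrors {
    param([int] $Days = 14)
    # Event 6028: "EFS recovery policy contains invalid recovery certificate"
    Get-EventLog -LogName System -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 6028 } |
        Select-Object TimeGenerated, Source, Message
}

# Usage: report on the exported certificates, then look for the client-side symptom.
Get-DraCertStatus -CertDir 'C:\Temp\dra-export' | Sort-Object NotAfter | Format-Table -AutoSize
Get-EfsPolicyErrors | Format-List
```

Running the first function on a schedule with a generous `-WarnDays` value gives time to add a replacement certificate to the policy before the old one lapses.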

