• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2185
  • Last Modified:

Offline Files GPO

For a lot of year we have had a 2003 domain and mostly XP workstations. Via a GPO on the server I have disabled offline files and it had been disabled forever. I didn't notice the problem over the last two years while replacing XP workstations with Windows 7 and the 2003 Servers with 2012 but today was an eye opened.

  On a Windows 7 x64 workstation (in Sync Center) the offline files were enabled and greyed out so you couldn't change the state. I went back and double checked the Default Domain GPO and verified that the offline files were disabled. Disabled yet they were enabled on this Windows 7 box. The fact that the button was greyed out would indicate that the domain GPO was in effect but the state of the offline files was incorrect.

I finally had to go in to gpedit on that workstation and disable offline files. It work which, to me, means the network GPO was not the reason the offline files button was greyed out.

Very, very strange. As a footnote I did replace two of the 2003 servers with 2012. Does anyone have any idea what is going on with the offline files GPO and these W7 workstations?
0
LockDown32
Asked:
LockDown32
  • 10
  • 8
1 Solution
 
Hypercat (Deb)Commented:
If the UAC is on, I think Win7 requires admin rights to make that change. Have you logged on to those Win7 workstations with administrative rights and tried to disable Offline Files?
0
 
LockDown32Author Commented:
Yes. UAC is off and although it is dangerous I make all users administrators of their computers. When I go in to Sync Center and Manage Offline Files it tell me offline files are enabled but the button to disable them is greyed out.

Now it get even weirder. I looked as a XP workstation on the domain. Same set of GPOs and offline files are not enabled and everything is greyed out. It is almost like the Windows 7 stations aren't effected by the GPO yet the XP workstations are.
0
 
Hypercat (Deb)Commented:
Did you upgrade your domain group policies to Windows 7 (admx)?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Hypercat (Deb)Commented:
OOPs - your OP says you've upgraded to server 2012, which would mean that the GPO version is up to date.  Try running the group policy results tool on one of the Windows 7 workstations.  This will tell you if the policy is being applied or not, and if not will give you some indication of the reason.
0
 
LockDown32Author Commented:
I was trying to find that utility the other day. Do you know where I can get my hands on it?
0
 
Hypercat (Deb)Commented:
You can run it from the command line on any workstation by typing gpresult.  If you're a bit lazy and GUI-dependent like me, on the server, open the group policy management console.  When you expand the Forest object, at the bottom of the list you should see Group Policy Results. Right-click on that and start the results wizard. This allows you to pick any workstation or server and user combination on the domain to test your group policy effectiveness. When the report has been generated, click on the Summary tab to see an overview, or the Settings tab to see the detailed report. You can also save and/or print the report from the console.
0
 
LockDown32Author Commented:
I am missing something. Attached it the gpresult from the one Windows 7 workstation. It looks like the Default Policy is in effect. I see a lot of things I set within it but I don't see the offline files settings in the Default Domain Policy. What am I missing?
results.txt
0
 
LockDown32Author Commented:
I just ran the gpresult on the XP workstation where offline files is disabled. I don't see the offline file settings under administrative templates either. It is attached.
XPresult.txt
0
 
Hypercat (Deb)Commented:
These are the settings that are being controlled by your group policy:

GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\NetCache\Enabled
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\NetCache\SyncAtLogon
                Value:       0, 0, 0, 0
                State:       Enabled

 GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\NetCache\SyncAtLogoff
                Value:       0, 0, 0, 0
                State:       Enabled

Those are the offline files entries in the registry.  Look in your default domain policy for the following settings:

Computer Configuration/Policies/Administrative Templates/Network/Offline files:

Allow or Disallow use of Offline Files Feature
Synchronize all offline files when logging off
Synchronize all offline files when logging on

Also there are other settings in that part of group policy that you can look at an use if necessary to control the operation of offline files.
0
 
LockDown32Author Commented:
That is what is throwing me. I figured out that NetCache is Offline files but looking through the results they don't give you any detail on which netcache options they are. There are about 6 offline files options set. The ones you mention above:

Allow or Disallow use of Offline Files Feature
Synchronize all offline files when logging off
Synchronize all offline files when logging on

Are configured. Allow/Disallow is disables and sync at logoff and logon are disabled along with about 4 other offline files options. Why doesn't gpresult reflect those? or does it? Those result logs have 5 or 6 netcache entries. They just don't specify what they are in detail.
0
 
Hypercat (Deb)Commented:
It looks like you ran gpresult from the workstation.  You get a different viewpoint if you run it from the GPMC.  The GPMC will show you which group policies themselves (rather than the reg entries) are being applied successfully or unsuccessfully.  It looks to me like the reg entries show that offline files are enabled, and sync at logon and logoff are also enabled, on the Win7 machine that you tested.  So, given the group policy settings you're saying you see in the default domain policy, something in the application of your group policy settings is definitely not working, or some other policy is interfering.

Let's start with running the group policy results tool from the GPMC on the server and post the resulting report.
0
 
LockDown32Author Commented:
The GPMC method is much more "readable". It does show that the Offline Files are disabled along with some other offline file settings that I have been told I need to set to disable offline files on Windows 7. The GPMC result is attached.

   It is almost as if on XP all you have to do is Disable or Enable the user of Offline Files where Windows 7 required that and about 6-7 addition settings including disabling the cscservice.

   I am curious... at the top of this report I see a warning {10831910-5A33-47E2-8321-87711B577337} Computer Configuration Disabled,Enforced

What does that signify?
HEALTH-04.htm
0
 
Hypercat (Deb)Commented:
You need to look in your sysvol on the DC. There may be an existing group policy object with the GUID that is shown at the top of your report. This may be the remnant of some old group policy that existed in the 2003 domain.  Is there any object in your GPMC named "Classic Administrative Templates (ADM)" or any other active policy other than the default domain one?  Or this may just be some sort of orphaned object.
0
 
LockDown32Author Commented:
There is a policy in the sysvol with that GUID. I don't see anything by the name "Classic" in GPMC. I only have 5 total objects:

Default Domain Controller Policy
Default Domain Policy
Enable Offline Files
Local Printers
Redirection to GovCtrDC

I do still have two 2003 Domain Controllers. Soon to be only one.
0
 
Hypercat (Deb)Commented:
Then it could really be any of those policies.  I would examine all of those policies to see if any of them has the Computer Configuration section of the policy disabled.  There may be a reason that it's disabled, but if you can find it then you can determine whether it needs to be disabled.  In the GPMC, it's easy to find this setting. Just click on the policy name and then click the Details tab in the right-hand pane.  This also shows the GUID of the policy in case you want to check to make sure it's the same one.
0
 
Hypercat (Deb)Commented:
OH - forgot to say that you want to look at the GPO Status; this will tell you if everything is Enabled or if part of the GPO - user config or computer config - is disabled.
0
 
LockDown32Author Commented:
Thanks for all your help on this hypercat. That particular GPO was put in long ago but the copier people to install their page count software. I had forgotten all about it but I don't think the computer configuration should have been disabled. I think I am OK. Disabling offline files seems to be different between XP and Windows 7. Windows 7 needs the extra step of disabling the offline files service. Once I did that in the GPO the offline files did disable.
0
 
Hypercat (Deb)Commented:
Great - glad to be of help!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 10
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now