RE: Win7 w/SP1 offline sync gives Access Denied

2011-03-30 Thread Miller Bonnie L .
So, shortly before I left yesterday I went through our GPOs that were applying 
to Win7 laptops.  The only one I thought might have anything to do with this 
turned out to be the culprit, but I'm not exactly sure why.  Since we won't be 
calling PSS at this point I may not find the answer to that, but here's what it 
was:

Since we started adding Win7 policies (back in October/November 2010) along 
with many other policies, we enabled the setting for \computer 
configuration\Administrative Templates\Offline Files "Encrypt the Offline Files 
cache".  Yesterday as a test, I changed this to disabled, which decrypts the 
cache.  After rebooting the machines with the access denied errors, 
everything started working again, so I changed it at the domain level and got 
the same results-things are now working normally again.

Question-does anyone know if this encryption is done using EFS?  It is not 
specified in the policy description.  We have disabled EFS at the domain level, 
as we don't want kids encrypting their files.  So, it makes sense to me that if 
it uses EFS but it is disabled at the domain, this would cause a potential 
conflict and could cause the access denied errors we were seeing.  What I 
don't understand is why the problem only starts after SP1 is applied, unless 
there is a problem with the RTM version applying this policy altogether.

Hopefully today will be a better day...

-Bonnie

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu]
Sent: Tuesday, March 29, 2011 12:22 PM
To: NT System Admin Issues
Subject: Win7 w/SP1 offline sync gives Access Denied

Anyone else seeing this problem, or successfully syncing their offline files 
using a Win7 SP1 system in a domain?

User logs onto Win7 non-sp1, offline sync of files works fine.  Machine gets 
updated to SP1, same user (no changes) logs onto Win7 with SP1, offline sync 
throws access denied errors on all files.  Log off, take the same user 
account (same profile, etc) back to a non-SP1 machine and offline sync works 
fine.

We have quite a few Win7 systems now that have SP1, and are getting the same 
symptoms across multiple machines.  I've tried tons of stuff, including 
changing the back-end server from WS03 R2 to WS08 R2 SP1, taking DFS out of the 
equation, changing paths from DNS names to netbios names to IPs, removing ABE, 
setting ownership to the user, and setting both NTFS and share permissions to 
full control all the way down the tree on the server to Everyone.  As best I 
can tell, this is a client-side issue, but I'm not sure what else to look at.  
There are a few policies that control offline file behavior, and although 
nothing has changed from our non-sp1 setup, I'm happy to change something if it 
would help.

We're about to open a PSS call, but I'm fishing for other ideas as well.  
Searching around, I'm just not seeing other people reporting this problem.

Thanks,
-Bonnie

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Win7 w/SP1 offline sync gives Access Denied

2011-03-30 Thread Ben Scott
On Wed, Mar 30, 2011 at 10:26 AM, Miller Bonnie L.
mille...@mukilteo.wednet.edu wrote:
> What I don’t understand is why the problem only starts after SP1 is
> applied, unless there is a problem with the RTM version applying this policy
> altogether.

  Or, it could be it was a problem in RTM and it's just the diagnostic
was added in SP1.  That is, maybe it was failing silently before and
you just never knew?

-- Ben

RE: Win7 w/SP1 offline sync gives Access Denied

2011-03-30 Thread Free, Bob
> Question-does anyone know if this encryption is done using EFS?

Yes, it is specified in the EFS documentation that EFS is used for the offline 
file cache. The policy interaction you describe is very interesting. From a 
purely theoretical POV, if I disable EFS at the Domain level, that should be 
it, period.

However there is a rapid publish KB that describes some unexpected behaviors 
with disabling/enabling EFS via policy 
http://support.microsoft.com/kb/960050/EN-US that may be germane to your 
situation.
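
A check for the policy combination this thread ended up identifying (Offline Files cache encryption turned on while EFS is disabled by policy), added here as an example and not posted by any list member. The registry value names `EncryptCache` and `EfsConfiguration`, the function names and the sample machines are assumptions from outside the thread.

```powershell
# Added example, written to run on PowerShell 2.0 (the Win7 default).
# Assumed policy locations (not quoted in the thread):
#   "Encrypt the Offline Files cache" -> NetCache\EncryptCache (1 = enabled)
#   EFS disabled by policy            -> EFS\EfsConfiguration  (1 = disabled)
$OfflineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
$EfsKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy is Not Configured (key or value absent).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-OfflineCacheEfsConflict {
    param([string]$Computer, $EncryptCache, $EfsConfiguration)
    $cacheEncrypted = ($EncryptCache -eq 1)
    $efsDisabled    = ($EfsConfiguration -eq 1)
    New-Object PSObject -Property @{
        Computer            = $Computer
        EncryptOfflineCache = $cacheEncrypted
        EfsDisabledByPolicy = $efsDisabled
        # The cache encryption relies on EFS, so this pair cannot both hold.
        Conflict            = ($cacheEncrypted -and $efsDisabled)
    }
}

# Constructed sample data (not from the thread's machines).
$samples = @(
    @{ Name = 'LAPTOP-A'; EncryptCache = 1;     EfsConfiguration = 1 },     # setup described in the thread
    @{ Name = 'LAPTOP-B'; EncryptCache = 0;     EfsConfiguration = 1 },     # after the policy was disabled
    @{ Name = 'LAPTOP-C'; EncryptCache = $null; EfsConfiguration = $null }  # nothing configured
)

$results = foreach ($s in $samples) {
    Test-OfflineCacheEfsConflict -Computer $s.Name `
        -EncryptCache $s.EncryptCache -EfsConfiguration $s.EfsConfiguration
}

# The machine the script runs on, read from the effective policy registry keys.
$results += Test-OfflineCacheEfsConflict -Computer $env:COMPUTERNAME `
    -EncryptCache     (Get-PolicyDword $OfflineKey 'EncryptCache') `
    -EfsConfiguration (Get-PolicyDword $EfsKey 'EfsConfiguration')

$results |
    Select-Object Computer, EncryptOfflineCache, EfsDisabledByPolicy, Conflict |
    Format-Table -AutoSize

# Service pack level, since the symptom in the thread only showed up on SP1.
"Local service pack: '{0}'" -f [Environment]::OSVersion.ServicePack
```

Only LAPTOP-A is reported with `Conflict` set to True among the constructed rows; the last row reflects whatever policy is actually applied to the local machine.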

RE: Win7 w/SP1 offline sync gives Access Denied

2011-03-30 Thread Miller Bonnie L .
Thanks guys-it must be then that there was some kind of issue in RTM, and as 
Ben said, it was silently failing until SP1 applied.  We're not trying to 
re-enable EFS via GPO at another level (using Computer config\Windows 
settings\security settings\public key policies), so I don't think the article 
applies in this case, but that is good to know about.

RE: Win7 w/SP1 offline sync gives Access Denied

2011-03-30 Thread Miller Bonnie L .
Interesting—it might work now for you then.  Was there a kb on that?

I did take DFS out of the equation during testing and that didn’t seem to 
matter one iota—it would fail with a straight UNC path as well.

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Wednesday, March 30, 2011 10:18 AM
To: NT System Admin Issues
Subject: RE: Win7 w/SP1 offline sync gives Access Denied

EFS of offline files with DFS was failing for us pre-SP1. I haven't looked at 
it since SP1.




Win7 w/SP1 offline sync gives Access Denied

2011-03-29 Thread Miller Bonnie L .
Anyone else seeing this problem, or successfully syncing their offline files 
using a Win7 SP1 system in a domain?

User logs onto Win7 non-sp1, offline sync of files works fine.  Machine gets 
updated to SP1, same user (no changes) logs onto Win7 with SP1, offline sync 
throws access denied errors on all files.  Log off, take the same user 
account (same profile, etc) back to a non-SP1 machine and offline sync works 
fine.

We have quite a few Win7 systems now that have SP1, and are getting the same 
symptoms across multiple machines.  I've tried tons of stuff, including 
changing the back-end server from WS03 R2 to WS08 R2 SP1, taking DFS out of the 
equation, changing paths from DNS names to netbios names to IPs, removing ABE, 
setting ownership to the user, and setting both NTFS and share permissions to 
full control all the way down the tree on the server to Everyone.  As best I 
can tell, this is a client-side issue, but I'm not sure what else to look at.  
There are a few policies that control offline file behavior, and although 
nothing has changed from our non-sp1 setup, I'm happy to change something if it 
would help.

We're about to open a PSS call, but I'm fishing for other ideas as well.  
Searching around, I'm just not seeing other people reporting this problem.

Thanks,
-Bonnie
