Tuesday, March 29, 2011

Access is denied Windows 7 Offline files (CSC)

These last couple of days I’ve been troubleshooting offline files in Windows 7. At a customer we are building a new OU structure and new GPO policies for Windows 7 (the old ones are old Win2000/xp, and really need to be updated).

The new GPO for Windows 7 is defined to allow offline files, transparent caching, when to synchronize and encryption of offline files and are linked on the computers OU. The user GPO has the automatically offline redirected folders.

Today, the Windows 7 computers are configured with Offline files, and everything is working as normal. (Pretty much the same configuration as we have created, but they are created for WinXP)

When we move a computer and user to the new OU structure and the new GPOs are applied, we get an “access is denied” when we try to edit files in the CSC Cache. We are able to create files, but not able to edit them… When we move the computer back to the old OU and GPO everything works normal.

If we turn off encryption of offline files in the new OU structure everything works normal, and creating and editing is fine.

After digging around, I found that the DRA (Data Recovery Agent) certificate (Default created when installing a domain) had expired in 2003…. (time to renew...)

I utilized the existing PKI and created a new DRA and tried again. But I still got the “Access is denied” when the computer was placed in the new OU and got the new GPOs.

Since the default DRA had expired in 2003 and the computer associated with the private key has been recycled to car parts, I deleted it from the Domain Policy. So only the new DRA certificate was available.

When the client got the new GPO with only one valid DRA, everything worked like a charm.

During the troubleshooting I saw some status issues in the sync center. When I got the “access is denied” messages I saw that in Sync Center->Manage Offline Files->Encryption had a statuslike "not all of the offline files are encrypted."

After the DRA fix up was done, the status of Encryption was like "all offline files is encrypted"!

Why it worked with the old policies I haven’t quite understood.

No comments: