Windows – Offline files – Access Denied

offline-files, windows-7, windows-sbs

I do some consulting work, so for my home / home office network I'm using Windows SBS 2008 server, with Windows 7 clients on my desktop and PC.

I have had user folder redirection since I set up SBS, and things have been working fine. The Windows 7 clients used the setting correctly, Windows set up Offline Files, and the server enables encryption of offline files.

I suddenly started having a problem where new files created in offline-available folders (such as My Documents) would allow the file to be created, but trying to access them immediately resulted in Access Denied errors. Existing files were fine.

I disabled offline files on my desktop and cleared the offline file cache completely. I re-enabled it and tried to sync My Documents again; however, every file now resulted in an Access Denied message. I can see the files just fine on the share, so the errors are coming from the cached copies of the files.

I haven't changed anything; this problem just appeared one day.

Any ideas on how to get my offline file cache working again?

Best Answer

You may have an expired EFS Data Recovery Agent certificate for your domain.

Test if this is the case by using this procedure:

  • save a text file on your workstation (c:\temp\myfile.txt for example)
  • edit its properties and encrypt the file

If the recovery agent isn't valid you won't be able to encrypt the file and you will receive an error indicating a problem with the recovery agent.


To resolve this issue replace the expired certificate and update Group Policy on the impacted workstations.

From the Microsoft Directory Services Team Blog:

Find the certificate

  • On the server, locate and open the Default Domain Policy and navigate to Computer Configuration -> Windows Settings -> Public Key Policies -> Encrypting File System

  • In the right-hand pane, right-click on the expired certificate and select All Tasks | Export

Create a new certificate

  • From a workstation, run the command cipher /r:<filename-without-extension> and use any password you wish when prompted
  • Copy the resulting .CER and .PFX files to your server

Import the certificate and refresh Group Policy

  • Return to the server, re-locate the Default Domain Policy, highlight Encrypting File System, and select Add Data Recovery Agent
  • Browse for the .CER and .PFX files you just copied over and answer YES if you are warned about revocation or prompted to install the certificate.
  • Add the certificate to the Domain Trusted Root store (Computer Configuration -> Windows Settings -> Public Key Policies -> Trusted Root Certificate Authorities)
  • Force an update of group policy using gpupdate /force at a command prompt

Confirm your existing files have been updated with the new DRA certificate

  • check the Advanced Attributes of an encrypted file and compare the thumbprint of the DRA to the thumbprint of the certificate you just created.
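The two checks in this answer (is the DRA certificate expired, and does an encrypted file carry the new DRA thumbprint) can be scripted from the workstation. This is an added example, not part of the original answer; it assumes the .CER exported from the Default Domain Policy is at C:\temp\dra-export.cer, that C:\temp\myfile.txt is the encrypted test file from above, and that `cipher /c` prints the English "Recovery Certificates:" and "Certificate thumbprint:" labels.

```powershell
# Added example: verify the EFS Data Recovery Agent certificate and confirm an
# encrypted file references it. Paths below are assumptions for this example.
param(
    [string]$ExportedDra = 'C:\temp\dra-export.cer',   # .CER exported from the GPO
    [string]$TestFile    = 'C:\temp\myfile.txt'        # EFS-encrypted test file
)

function Get-DraStatus {
    param([string]$CerPath)
    # Load the exported public certificate and report its validity window.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint          # uppercase hex, no spaces
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
    }
}

function Get-FileRecoveryThumbprints {
    param([string]$Path)
    # cipher /c lists who can decrypt the file; the block after the
    # "Recovery Certificates:" heading holds the DRA thumbprints, printed as
    # space-separated hex groups (label text is an assumption of this example).
    $inRecovery = $false
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        $text = "$line"
        if ($text -match 'Recovery Certificates:') { $inRecovery = $true; continue }
        if ($inRecovery -and $text -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
}

$dra = Get-DraStatus -CerPath $ExportedDra
"DRA '$($dra.Subject)' expires $($dra.NotAfter) (expired: $($dra.Expired))"
if ($dra.Expired) {
    "Replace the DRA in the Default Domain Policy and run gpupdate /force."
}

$fileDras = @(Get-FileRecoveryThumbprints -Path $TestFile)
if ($fileDras -contains $dra.Thumbprint) {
    "$TestFile lists this DRA as a recovery agent."
} else {
    "$TestFile does not list this DRA; found: $($fileDras -join ', ')"
}
```

Files encrypted before the policy refresh keep the old DRA until they are rewritten; `cipher /u` touches all encrypted files on local drives so they pick up the current recovery certificate.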