Redirected Folders won't allow offline folders (article 288991)

Discussion in 'Windows Server' started by Bob, Jun 2, 2006.

  1. Bob

    Bob Guest

    I'm having trouble with Article ID: 288991
    "Enabling the administrator to have access to redirected folders"

    The process works fine with one exception. "Domain Users" can not make their
    redirected folders go offline to their local CSC (Client Side Cache) folder.

    If I don't implement article 288991, the redirected folders will
    automatically become offline folders as they should by default. Also, the
    "Make Available Offline" option (found by right-clicking the My Documents
    folder) is checked off and grayed out as it should be.

    If I do implement article 288991, the My Documents folder is redirected, but
    the "Make Available Offline" option is not checked off and is black allowing
    me to select the option. If I manually select the "Make Available Offline"
    option, synchronization starts, but immediately fails with "Access is denied".

    Checking the folders Security tab shows the user has "Special Permissions".
    Clicking advanced tab shows the user has "Full Control" of "This folder only"
    (which is a result of setting full control to Creator Owner as the article
    instructs). The user is listed as the owner and the "Effective Permissions"
    shows full control for the user.

    If I make the user a "Backup Operator" or a "Domain Admin", they can
    manually make the folders go offline. If the user was a "Backup Operator" or
    a "Domain Admin" before this change, their folders will automatically go to
    offline cache.

    However, if the "Backup Operator" or "Domain Admin" security group is
    removed AND the local profile is deleted, I'm back at square one as "Domain
    Users" do not seem to have the security rights to make folders they create
    using the "Creator Owner" security group go offline.

    System is Windows Server 2003, Standard Edition SP1 with Win XP PRO SP2
    clients.

    Anyone know what might be wrong?
     
    Bob, Jun 2, 2006
    #1

  2. Hi Bob,

    I'd like to suggest you check the policy: Computer
    Configuration\Administrative Templates\Network\Offline Files\Allow or
    Disallow use of the Offline Files feature

    Because if you enable this setting, Offline Files is enabled and users
    cannot disable it and if you disable this setting, Offline Files is
    disabled and users cannot enable it.

    Please check this policy before and after you implement KB288991.

    Also, you can try to reset Offline files cache.

    230738 How to Restart the Offline Files Cache/Database
    http://support.microsoft.com/?id=230738

    Hope this helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
     
    Vincent Xu [MSFT], Jun 5, 2006
    #2

  3. Bob

    Bob Guest

    Hi Vincent,

    I did not see (in RSoP) any GPO that set the Offline File feature. I did
    however enable the setting and this resulted in no change. I tried to
    disable the setting and the Offline folders became disabled. So I guess this
    means the GPO works, but not of any help. I placed the setting back to "not
    configured" where it was (as are all the other Offline settings).

    Per article "How to re-initialize the offline files cache and database", I
    deleted and then re-initialized the cache via (Ctrl-Shift Delete Files), but
    I still have the same problem.
     
    Bob, Jun 6, 2006
    #3
  4. Hi,

    Thanks for clarifying.

    Based on my research, I have the following suggestions:

    1. Please check the following article:

    http://support.microsoft.com/?id=313323

    2. Reset your operating system back to original installation default
    security settings:
    1) Click Start, click Run, type cmd, and then press ENTER.
    2) Type the following command, and then press ENTER:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    You receive a "Task is completed" message, and a warning message that
    something could not be done. You can safely ignore this message. For more
    information about this message, view the %windir%\Security\Logs\Scesrv.log
    file.

    Let me know if the problem still occurs. Thanks.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 7, 2006
    #4
  5. Bob

    Bob Guest

    Hi Vincent,
    I reset the OS back to the original install default security setting, but no
    change.

    I should be clear that this is not happening on just one workstation. This
    problem exists on all three independent Windows 2003 Servers I have applied
    article 288991 to. And all workstations (that I've checked), exhibit the same
    symptom.

    It does not require setting a GPO for Folder Redirection of “My Documents”
    either as this problem exists with any folder a Domain User wishes to cache
    offline (assuming the folders are prepared as article 288991 instructs).

    You can test this for yourself by following the instructions I have outlined
    below:

    1. Log on as an administrator to the server and run the following from the
    command prompt:
    cd \
    md \Test288991
    net share "Test288991"="C:\Test288991" /grant:Everyone,full /remark:"Article 288991 Test Folder"
    cacls "C:\Test288991" /t /g Administrators:f System:f "Creator Owner":f

    2. You'll need to use the GUI to add the last security settings for
    "Authenticated Users" as I can't see how to do it with cacls.

    Click Add, and add Authenticated Users.
    Click Advanced.
    Select Authenticated Users from the Permissions tab and click Edit.
    Ensure only the following permissions are allowed:
    o Read Attributes
    o Read Extended Attributes
    o Create Folders / Append Data
    o Read Permissions
    Accept the default “Apply onto: This folder, subfolder and files”.
    Ensure the box “Apply these permissions…” is left unchecked. Click “OK”
    three times until the properties dialog is closed.

    3. Create a subfolder: md \Test288991\TestUser

    4. The “TestUser” folder will inherit all the security attributes from
    “Test288991”. However, you’ll need to grant a domain user (such as TestUser)
    to have full control of “This folder only”. (This simulates what Folder
    Redirection does).

    5. From a workstation, log onto a user that is only a member of the “Domain
    Users” group. e.g. “TestUser”.

    6. Have TestUser go to the share \\server\Test288991\TestUser and create the
    folder “MyDocuments”.

    7. Create a document within the folder MyDocuments.

    8. Right-click folder “MyDocuments”
    (\\server\Test288991\TestUser\MyDocuments) and click “Make Available
    Offline”. You should find this to fail with error “Access is denied”.

    9. Log off TestUser and make TestUser a member of the Domain Admins security
    group.

    10. Log back onto TestUser and repeat step 8 above.
    You’ll find that TestUser is now able to make MyDocuments an offline cached
    folder. This is why I believe article 288991 is not working as it should
    because it won’t allow the Domain Users to make their redirected “My
    Documents” folder go to offline cache.

    You can remove the Domain Admins security group from TestUser and you’ll
    find MyDocuments will continue to synchronize, but this is not an adequate
    circumvention because if TestUser logs onto some other workstation (via
    Roaming User Profiles), they’ll find they can not make MyDocuments go to
    offline cache once again.

    I hope this explains the problem a little bit better. Thanks!
     
    Bob, Jun 10, 2006
    #5
  6. Hi Bob,

    I tried to follow your steps but I cannot reproduce your problem. Here are
    my steps:

    1. Create a folder called Test288991 and grant Administrators, System and
    Creator Owner full control permission.

    2. Create a new user called abc in domain and it is in Domain Users group.

    3. Grant abc only permission:
    Read Attributes
    Read Extended Attributes
    Create Folders / Append Data
    Read Permissions

    on Test288991

    4. Create a subfolder TestUser under Test288991 and give user account abc
    Full Control permission on this folder only

    5. Log on to one client Windows XP with abc and try to access
    \\server\Test288991\TestUser and create a folder called My Documents. Also
    create a txt file under "My Documents"

    6. Right-click folder "My documents" and try to make it offline. Success!

    Let me know if I have any inaccurate steps as above. If the steps are the
    same, I'd like to suggest you run cacls to export the permission on
    "Test288991", "TestUser", "My Documents" to a txt file. I'll try to check
    the permission on it. You can attach the three txt files in your reply.

    Thanks.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 12, 2006
    #6
  7. Bob

    Bob Guest

    Hi Vincent,
    My procedure is different from yours. Where you grant abc permissions in
    step 3, I grant those permissions to "Authenticated Users".

    Here are my cacls outputs with Domain User “abc”:

    C:\Test288991 BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(special access:)
                                                   READ_CONTROL
                                                   SYNCHRONIZE
                                                   FILE_APPEND_DATA
                                                   FILE_READ_EA
                                                   FILE_READ_ATTRIBUTES

                  BUILTIN\Administrators:F
                  CREATOR OWNER:(OI)(CI)(IO)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F

    C:\Test288991\TestUser COMPUTERCREATE\abc:F
                           BUILTIN\Administrators:(OI)(CI)F
                           NT AUTHORITY\Authenticated Users:(OI)(CI)(special access:)
                                                            READ_CONTROL
                                                            SYNCHRONIZE
                                                            FILE_APPEND_DATA
                                                            FILE_READ_EA
                                                            FILE_READ_ATTRIBUTES

                           CREATOR OWNER:(OI)(CI)(IO)F
                           NT AUTHORITY\SYSTEM:(OI)(CI)F

    C:\Test288991\TestUser\My Documents BUILTIN\Administrators:(OI)(CI)F
                                        NT AUTHORITY\Authenticated Users:(OI)(CI)(special access:)
                                                                         READ_CONTROL
                                                                         SYNCHRONIZE
                                                                         FILE_APPEND_DATA
                                                                         FILE_READ_EA
                                                                         FILE_READ_ATTRIBUTES

                                        COMPUTERCREATE\abc:F
                                        CREATOR OWNER:(OI)(CI)(IO)F
                                        NT AUTHORITY\SYSTEM:(OI)(CI)F
     
    Bob, Jun 12, 2006
    #7
  8. Bob

    Bob Guest

    Here is the cacls for my failing Folder Redirection:

    J:\ BUILTIN\Remote Desktop Users:(OI)(CI)N
    Everyone:(OI)(CI)F


    J:\Folder Redirection BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\Authenticated Users:(special access:)
    READ_CONTROL
    SYNCHRONIZE
    FILE_APPEND_DATA
    FILE_READ_EA
    FILE_READ_ATTRIBUTES

    CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F


    J:\Folder Redirection\Test Boy BUILTIN\Administrators:(OI)(CI)F
    COMPUTERCREATE\Test Boy:F
    CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F


    J:\Folder Redirection\Test Boy\My Documents BUILTIN\Administrators:(OI)(CI)F
    COMPUTERCREATE\Test Boy:F
    CREATOR OWNER:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
     
    Bob, Jun 12, 2006
    #8
  9. Hi Bob,

    I tried again to add Authenticated Users in my test but the same, I'm able to
    make the shared folder offline.

    Check the following scenario: You create a share, put the user's subfolder
    under a root share folder, and then include the folder name as part of the
    drive mapping.

    Did you do the same thing? For example,
    1. On a server that has a folder named Home, you create a share for users
    to connect named \\server_name\home$.
    2. You map a drive on the client computer as \\server_name\home$\user_name.

    This operation can bring problems.

    If you didn't do this, I'll try to perform further research. I'll
    appreciate your patience and understanding.




    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 13, 2006
    #9
  10. Hi Bob,

    After discussing with another engineer, he thinks we must have read & list
    folders on the parent folder, otherwise we will get Access Denied when
    trying to cache any subfolders. Please help me confirm: can you
    access \\server\Test288991 ?

    Thanks for your time.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 14, 2006
    #10
  11. Bob

    Bob Guest

    Hi Vincent,

    I was logging on today to inform you of the question you just asked as I
    thought it might be relevant.

    The answer is no. A domain user (only) can not access \\server\Test288991,
    but the user can access \\server\Test288991\TestUser and below. The domain
    admins can access \\server\Test288991 however.

    I thought this was by design as you may not want your Domain Users seeing
    all the other redirected users. (The "Test288991" folder would normally be
    the "Folder Redirection" folder and all the users would come under this).

    As a side note, I created another (virtual) server and tried our test on
    that. It fails just like all the rest.

    I also created an ABC user and kept it out of the GPO's. The machine
    however is within my GPO's.
     
    Bob, Jun 15, 2006
    #11
  12. Hi,

    As a workaround, can you manually give the user list & read permission to
    the folder \\server\Test288991 ?

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 16, 2006
    #12
  13. Bob

    Bob Guest

    Vincent,
    Yes, adding list & read to \\server\Test288991 for the user (this folder
    only), does allow the user to open the folder AND to make
    \\server\Test288991\TestUser\MyDocuments go to offline cache.

    I presume you don't have list & read enabled, yet you can make your users'
    documents go to offline cache??

    I suppose there is no harm in adding "Authenticated Users" to have list &
    read allow authority to the "\\server\Folder Redirection" (or
    \\server\Test288991) [this folder only] as a permanent circumvention, but I'd
    sure like to know why I need this circumvention and you do not.
     
    Bob, Jun 16, 2006
    #13
  14. Hi Bob,

    "I presume you don't have list & read enabled, yet you can make your users'
    documents go to offline cache??"
    Yes, I feel strange with this also. Based on my knowledge, I suspect there
    are some inherited permissions in my test environment which make my user have
    list permission. However, my test environment is wiped (you know, I cannot
    keep it for a long time, sorry). I cannot prove this.

    Hope you are satisfied with this explanation.

    Have a good day.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 19, 2006
    #14
  15. Bob

    Bob Guest

    Hi Vincent,
    Yes, I am EXTREMELY SATISFIED with what seems to be the FIX. I don't think
    this is a circumvention to the problem and have submitted feedback to
    article 288991 suggesting that it be revised to add the "List Folders / Read
    Data" permission.

    To be clear to any other readers, article 288991 seems to be lacking one
    required permission. IMO, step 12 should read:

    12. Click Add, add Authenticated Users, and then set the following
    permissions to Allow:

    • List Folders / Read Data << Missing permission required for Domain (only)
    Users
    • Read Attributes
    • Read Extended Attributes
    • Create Folders / Append Data
    • Read Permissions
     
    Bob, Jun 19, 2006
    #15
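
A way to check for, and add, the permission set from post #15 on a redirection root, as an added example that is not part of the thread or of article 288991. It assumes PowerShell is available on the file server (the thread itself uses cacls and the GUI); `$RootPath` and the function name `Get-MissingRootRights` are placeholders, and the check looks only at allow ACEs granted directly to Authenticated Users, ignoring deny entries and rights reaching the user through other groups.

```powershell
# Added example, not from the thread. $RootPath is a placeholder for the
# folder-redirection root (C:\Test288991 in the thread's test setup).
param(
    [string]$RootPath = 'C:\Test288991',
    [switch]$Apply   # without -Apply the script only reports
)

# The five permissions listed in post #15. Synchronize is included because it
# also appears in the cacls output posted in the thread.
$required = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions, Synchronize'

# Authenticated Users by well-known SID (S-1-5-11), independent of OS language.
$sid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

function Get-MissingRootRights {
    param([string]$Path)
    $granted = 0
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Inherit-only ACEs (like CREATOR OWNER:(IO) in the thread) do not
        # apply to the folder itself, so they cannot satisfy the root check.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $granted = $granted -bor [int]$ace.FileSystemRights
    }
    # Required bits that no applicable ACE grants
    [System.Security.AccessControl.FileSystemRights]([int]$required -band (-bnot $granted))
}

$missing = Get-MissingRootRights -Path $RootPath
if ([int]$missing -eq 0) {
    "OK: Authenticated Users hold all required rights on $RootPath"
} elseif ($Apply) {
    # InheritanceFlags None = "This folder only", as in post #13: users can
    # open the root, but the ACE is not copied onto other users' subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $required,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $RootPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $RootPath -AclObject $acl
    "Added missing rights ($missing) for Authenticated Users on $RootPath (this folder only)"
} else {
    "MISSING on ${RootPath}: $missing (re-run with -Apply to add)"
}
```

Run against a root prepared exactly as article 288991 describes, the report names `ListDirectory` (shown as `ReadData`, the same bit) as the missing right, which matches the "Access is denied" symptom in post #1.
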
  16. Hi Bob,

    I totally agree with you and I'm glad to see you provided feedback to this
    KB article. You know, your feedback is very important for our improvement.
    We really value having you as a Microsoft customer.

    If you have any other questions or concerns, please do not hesitate to
    contact us. It is always our pleasure to be of assistance.

    Have a nice day!

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 20, 2006
    #16
  17. Richard C

    Richard C Guest

    Hello Vincent, Bob,

    I was researching this exact problem too and have found an odd workaround.
    Our environment is similar too where we redirect My Documents to a share
    similar to \\SERVER\Share\%UserName%. We've only given Domain Users the
    rights to traverse through \\Server\Share to their home folder which the
    user has Full Control.

    This setup did work for offline files as I have many laptop users setup to
    use offline files. However a recent change must have taken place (a
    critical M$ patch I suspect) that has broken this behaviour.

    Because we do NOT want ordinary users to list folders under our
    \\Server\Share we are NOT able to use the workaround as suggested by this
    thread. However, if we add the user who needs their redirected My Documents
    folder to be cached offline we can add them to the local admins group on the
    \\Server where the home share is. Log in as the user on their PC/Laptop and
    proceed with a one time synchronization. Once that is completed the user
    can be removed from the local admins and offline files work as expected.

    HTH

    RichardC...
     
    Richard C, Jul 27, 2006
    #17
  18. Mark

    Mark Guest

    Hi there,

    I am having the same problem, but only at one regional site; all 9 other
    sites worked first time with no problems! The 9 sites are single server sites
    which are DC's as well as file and print servers.
    Each site DC holds the users' Roaming Profiles & Home folders. My docs is
    redirected to the users Home Drive as "Username's Documents". This works great
    apart from the one site. All servers are 2003 SP1 and are fully up to date
    as of 27 Oct 06 and were set up exactly the same and are of a standard
    configuration as far as security settings are concerned.

    I have had a look at Article ID 288991 and have a question about point 12:
    To what level do we apply these settings?
    This folder only
    This folder subfolders and files
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only?

    Additionally - if the patch level of all of the regional servers is the same
    and the Home folder security settings, share permissions, and GPO's for
    redirection are identical apart from the server names how could this go
    wrong in the first place?

    I tried the fix of adding the users in question to the Administrators
    group, logon to laptop to Sync, logoff and remove user from Administrators
    group which worked, but this is more of a workaround rather than a root cause
    fix which would have to be applied to all new users of this particular
    site. This would be a problem for Helpdesk staff as they do not have
    permission to add users to the Administrative groups!

    In the meantime I am going to re-create a Test home directory and a few test
    users on the server in question and see what happens.

    Any further Ideas will be much appreciated!

    Best regards

    Mark

     
    Mark, Oct 27, 2006
    #18