A Windows XP help forum. PCbanter


FIX: Can't encrypt the Offline Files cache using Group Policy sett
November 19th 09, 05:55 PM, posted to microsoft.public.windowsxp.security_admin
Christopher Hill

Hi all,

Just thought I would post a quick fix to a problem that I think many people
have been experiencing when enabling the 'Encrypt the Offline Files Cache'
setting in Group Policy, but finding out that the 'Encrypt offline files to
secure data' setting under 'Folder Options / Offline Files' remains greyed
out, and that offline files are not actually encrypted.

(You can find out if Offline Files encryption is working properly by
navigating to "%SystemRoot%\CSC" and looking in the subfolders for any files
that appear in 'green'. If you can see some 'green' files, offline files
encryption is working fine. If not, and the box mentioned above in Folder
Options / Offline Files remains greyed out, you might have this problem).

After some searching and testing, I have found the following checks & steps
which seem to fix the problem in my environment at least:

1. Make sure you have the KB810859 hotfix installed ('The "Encrypt the
Offline Files cache" Group Policy setting does not take effect when a user
logs on to a Windows XP-based computer',
http://support.microsoft.com/kb/810859). This really is the key to the whole
thing, and thankfully it seems to be included in XP SP3.

2. Once you have installed the hotfix / SP3, make sure that your copy of
system.adm is up-to-date. You can check this by going to %windir%\inf and
opening the file in Notepad. Search for the string
'{C631DF4C-088F-4156-B058-4375F0853CD8}' (without quotes) - if you can find
it, you should be fine.

3. ON THE SYSTEM WHICH HAS THE UPDATED VERSION OF SYSTEM.ADM, go into the
Group Policy where you have set the 'Encrypt the Offline Files Cache'
setting, REMOVE the policy (set it to 'Not Configured', click Apply), and
then RE-ENABLE the policy (set it to 'Enabled', click Apply), then close the
policy. As KB810859 describes, this will set the gPCMachineExtensionNames
attribute on this particular Group Policy object to 'trigger' the new
functionality in the hotfix - if you don't do this, then none of this will
work.

4. Perform the above step on any other policies on your domain which include
the 'Encrypt the Offline Files Cache' setting. Any policies which have this
setting included need to be 'touched' with the new version of system.adm in
order to have any effect on patched computers.

5. Make sure that the computer where you are trying to enable offline files
encryption actually has some offline files set. It might sound obvious,
but the Group Policy setting won't apply until there are actually some
offline files to encrypt - it won't work on a 'clean' cache.

6. Once the computer has some offline files set, *wait for Group Policy to
refresh* before checking if Offline Files encryption is working or not.
Unfortunately, even if the Group Policy setting is enabled, the encryption
process won't begin until the next Group Policy refresh interval occurs - by
default 90 minutes on most clients. If you can't wait this long (or want to
make sure it's working), type 'gpupdate' into a Command Prompt and wait -
after a few seconds the encryption process should begin, you should see the
files in %SystemRoot%\CSC start to go 'green', and the 'Encrypt
offline files to secure data' box in Folder Options should become ticked. As
I said, it might take a few seconds for the settings to be applied, but it
should work eventually.

All of the above information is available at various points around the web,
except for the fact that even if the Group Policy setting is enabled, it
won't be applied to a 'fresh' Offline Files cache until the next Group Policy
refresh interval, which IMO is a bit of a flaw in the design. Nevertheless,
that is how it works at the moment, so if you have been struggling to get it
to work, and have applied the updated ADM file settings to all of your GPOs,
give the 'gpupdate' command a try.

Hope this helps,
--
Chris Hill
ICT Technician - Colchester Royal Grammar School
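
The checks from steps 2 to 6 as one PowerShell script, added here as an example and not part of the original post. It assumes PowerShell 2.0 or later, an elevated prompt on a domain-joined client, and that the GUID from step 2 is the value that appears in gPCMachineExtensionNames once a policy has been re-applied.

```powershell
# Added example, not from the original post. Run elevated: %SystemRoot%\CSC is
# not readable by standard users.
$guid = '{C631DF4C-088F-4156-B058-4375F0853CD8}'   # string quoted in step 2

# Step 2: does the local system.adm contain the updated template?
$adm = Join-Path $env:windir 'inf\system.adm'
if (-not (Test-Path $adm)) {
    Write-Output "system.adm not found at $adm"
} elseif (Select-String -Path $adm -SimpleMatch $guid -Quiet) {
    Write-Output "system.adm: updated (GUID present)"
} else {
    Write-Output "system.adm: OLD template, install KB810859 / SP3 first"
}

# Steps 3-4: list the GPOs whose gPCMachineExtensionNames carries the GUID
# (assumption: this is what the 'Not Configured' -> 'Enabled' cycle writes).
# A GPO that has the setting but is missing from this list still needs touching.
try {
    $filter = "(&(objectClass=groupPolicyContainer)(gPCMachineExtensionNames=*$guid*))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('displayname')
    $touched = @($searcher.FindAll() | ForEach-Object { $_.Properties['displayname'][0] })
    Write-Output ("GPOs carrying the extension: {0}" -f $touched.Count)
    $touched | ForEach-Object { Write-Output "  $_" }
} catch {
    Write-Output "Directory query failed (not domain-joined?): $($_.Exception.Message)"
}

# Steps 5-6: count cached files and how many have the EFS 'Encrypted' attribute
# (these are the ones Explorer shows in green).
$csc = Join-Path $env:SystemRoot 'CSC'
$files = @(Get-ChildItem -Path $csc -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })
$encrypted = @($files | Where-Object {
    $_.Attributes -band [IO.FileAttributes]::Encrypted })

if ($files.Count -eq 0) {
    Write-Output "Cache is empty: the policy will not apply until files are cached (step 5)"
} elseif ($encrypted.Count -eq 0) {
    Write-Output ("{0} cached files, none encrypted: run 'gpupdate' and re-check (step 6)" -f $files.Count)
} else {
    Write-Output ("{0} of {1} cached files are encrypted" -f $encrypted.Count, $files.Count)
}
```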