(Msg. 1) Posted: Wed Aug 05, 2009 8:13 am
Post subject: Access Denied after Encrypting Offline Cache Archived from groups: microsoft>public>windowsxp>security_admin (more info?)
I have enabled the Group Policy setting to encrypt the offline file cache and
I am getting the following errors in the Application event log:
(Msg. 2) Posted: Wed Aug 05, 2009 3:55 pm
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
One thing to check is that EFS encryption is enabled [or not disabled] in
the domain. Try to manually use EFS on a test folder/file on one of the
computers in question to see if that can be done or not. If not then most
likely it is disabled in some domain GPO under computer
configuration\windows settings\computer settings\public key
policies\encrypted file system [gpresult/rsop.msc may help track that down].
You can encrypt a folder with EFS via it's properties - advanced.
Steve
"Robin Hearne" <RobinHearne.TakeThisOut@discussions.microsoft.com> wrote in message
news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
>I have enabled the Group Policy setting to encrypt the offline file cache
>and
> I am getting the following errors in the Application event log:
>
> Event Type: Error
> Event Source: Offline Files
> Event Category: None
> Event ID: 18
> Date: 05/08/2009
> Time: 15:09:31
> User: N/A
> Computer: PC-007183
> Description:
> Encryption of the Offline Files cache failed with error 5.
>
> File: <filename removed>
>
> Access is denied.
>
> This is occuring on all PCs where this policy is applied. I've not been
> able to find any other posts refering to this problem. Is anyone able to
> help?
>
> Regards,
>
>
> Robin
(Msg. 3) Posted: Fri Aug 07, 2009 2:50 am
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
If I try to manually encypt a test folder in the root of C:\ I get the
following error:
'Recovery policy configured for this system contains invailid recovery
certificate'
However, if I create a test folder in the Windows directory and try to
encrypt that then I get an 'Access Denied' error
Robin
P.S. I'm hoping that it's not neccessary to create a recovery certificate as
it's only the offline copies that are to be encypted.
"Old Rookie" wrote:
> One thing to check is that EFS encryption is enabled [or not disabled] in
> the domain. Try to manually use EFS on a test folder/file on one of the
> computers in question to see if that can be done or not. If not then most
> likely it is disabled in some domain GPO under computer
> configuration\windows settings\computer settings\public key
> policies\encrypted file system [gpresult/rsop.msc may help track that down].
> You can encrypt a folder with EFS via it's properties - advanced.
>
> Steve
>
> "Robin Hearne" <RobinHearne RemoveThis @discussions.microsoft.com> wrote in message
> news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
> >I have enabled the Group Policy setting to encrypt the offline file cache
> >and
> > I am getting the following errors in the Application event log:
> >
> > Event Type: Error
> > Event Source: Offline Files
> > Event Category: None
> > Event ID: 18
> > Date: 05/08/2009
> > Time: 15:09:31
> > User: N/A
> > Computer: PC-007183
> > Description:
> > Encryption of the Offline Files cache failed with error 5.
> >
> > File: <filename removed>
> >
> > Access is denied.
> >
> > This is occuring on all PCs where this policy is applied. I've not been
> > able to find any other posts refering to this problem. Is anyone able to
> > help?
> >
> > Regards,
> >
> >
> > Robin
>
>
>
(Msg. 4) Posted: Fri Aug 07, 2009 5:57 pm
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Acording to Microsoft the cause and solution to your issue is below. Your
solution will depend on if you have a an Enterprise Certificate Authority
server or not in the domain. You will want to find the GPO that is pushing
the RC out to the domain workstations and there you will be able to
configure new RA certificate for the domain computers under computer
configuration\windows settings\computer settings\public key
policies\encrypted file system . You got access denied becaue Windows does
not allow you to encrypt system files.
When encrypting a file, a message appears: "Recovery policy configured for
this system contains invalid recovery certificate" or
"ERROR_BAD_RECOVERY_POLICY."
Cause: The Encrypting File System (EFS) recovery policy that is implemented
on this computer contains one or more EFS recovery agent certificates that
have expired. These certificates cannot be used.
Solution: Either renew the existing certificates or generate new
certificates for the EFS recovery agents and reapply the recovery agent
policy with those certificates.
"Robin Hearne" <RobinHearne.DeleteThis@discussions.microsoft.com> wrote in message
news:0ADC4953-76EE-43E6-A13C-A9F38053E8A4@microsoft.com...
> If I try to manually encypt a test folder in the root of C:\ I get the
> following error:
>
> 'Recovery policy configured for this system contains invailid recovery
> certificate'
>
> However, if I create a test folder in the Windows directory and try to
> encrypt that then I get an 'Access Denied' error
>
> Robin
>
> P.S. I'm hoping that it's not neccessary to create a recovery certificate
> as
> it's only the offline copies that are to be encypted.
>
> "Old Rookie" wrote:
>
>> One thing to check is that EFS encryption is enabled [or not disabled] in
>> the domain. Try to manually use EFS on a test folder/file on one of the
>> computers in question to see if that can be done or not. If not then most
>> likely it is disabled in some domain GPO under computer
>> configuration\windows settings\computer settings\public key
>> policies\encrypted file system [gpresult/rsop.msc may help track that
>> down].
>> You can encrypt a folder with EFS via it's properties - advanced.
>>
>> Steve
>>
>> "Robin Hearne" <RobinHearne.DeleteThis@discussions.microsoft.com> wrote in message
>> news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
>> >I have enabled the Group Policy setting to encrypt the offline file
>> >cache
>> >and
>> > I am getting the following errors in the Application event log:
>> >
>> > Event Type: Error
>> > Event Source: Offline Files
>> > Event Category: None
>> > Event ID: 18
>> > Date: 05/08/2009
>> > Time: 15:09:31
>> > User: N/A
>> > Computer: PC-007183
>> > Description:
>> > Encryption of the Offline Files cache failed with error 5.
>> >
>> > File: <filename removed>
>> >
>> > Access is denied.
>> >
>> > This is occuring on all PCs where this policy is applied. I've not
>> > been
>> > able to find any other posts refering to this problem. Is anyone able
>> > to
>> > help?
>> >
>> > Regards,
>> >
>> >
>> > Robin
>>
>>
>>
(Msg. 5) Posted: Mon Aug 10, 2009 8:50 am
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Thanks Steve. I found that the Default Domain Policy had an expired recovery
certificate which must have been there since we migrated from the NT 4.0
domain!
I'll get it removed and hopefully this will resolve the issue.
Robin
"Old Rookie" wrote:
> Acording to Microsoft the cause and solution to your issue is below. Your
> solution will depend on if you have a an Enterprise Certificate Authority
> server or not in the domain. You will want to find the GPO that is pushing
> the RC out to the domain workstations and there you will be able to
> configure new RA certificate for the domain computers under computer
> configuration\windows settings\computer settings\public key
> policies\encrypted file system . You got access denied becaue Windows does
> not allow you to encrypt system files.
>
> When encrypting a file, a message appears: "Recovery policy configured for
> this system contains invalid recovery certificate" or
> "ERROR_BAD_RECOVERY_POLICY."
> Cause: The Encrypting File System (EFS) recovery policy that is implemented
> on this computer contains one or more EFS recovery agent certificates that
> have expired. These certificates cannot be used.
>
> Solution: Either renew the existing certificates or generate new
> certificates for the EFS recovery agents and reapply the recovery agent
> policy with those certificates.
>
>
>
>
> "Robin Hearne" <RobinHearne.DeleteThis@discussions.microsoft.com> wrote in message
> news:0ADC4953-76EE-43E6-A13C-A9F38053E8A4@microsoft.com...
> > If I try to manually encypt a test folder in the root of C:\ I get the
> > following error:
> >
> > 'Recovery policy configured for this system contains invailid recovery
> > certificate'
> >
> > However, if I create a test folder in the Windows directory and try to
> > encrypt that then I get an 'Access Denied' error
> >
> > Robin
> >
> > P.S. I'm hoping that it's not neccessary to create a recovery certificate
> > as
> > it's only the offline copies that are to be encypted.
> >
> > "Old Rookie" wrote:
> >
> >> One thing to check is that EFS encryption is enabled [or not disabled] in
> >> the domain. Try to manually use EFS on a test folder/file on one of the
> >> computers in question to see if that can be done or not. If not then most
> >> likely it is disabled in some domain GPO under computer
> >> configuration\windows settings\computer settings\public key
> >> policies\encrypted file system [gpresult/rsop.msc may help track that
> >> down].
> >> You can encrypt a folder with EFS via it's properties - advanced.
> >>
> >> Steve
> >>
> >> "Robin Hearne" <RobinHearne.DeleteThis@discussions.microsoft.com> wrote in message
> >> news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
> >> >I have enabled the Group Policy setting to encrypt the offline file
> >> >cache
> >> >and
> >> > I am getting the following errors in the Application event log:
> >> >
> >> > Event Type: Error
> >> > Event Source: Offline Files
> >> > Event Category: None
> >> > Event ID: 18
> >> > Date: 05/08/2009
> >> > Time: 15:09:31
> >> > User: N/A
> >> > Computer: PC-007183
> >> > Description:
> >> > Encryption of the Offline Files cache failed with error 5.
> >> >
> >> > File: <filename removed>
> >> >
> >> > Access is denied.
> >> >
> >> > This is occuring on all PCs where this policy is applied. I've not
> >> > been
> >> > able to find any other posts refering to this problem. Is anyone able
> >> > to
> >> > help?
> >> >
> >> > Regards,
> >> >
> >> >
> >> > Robin
> >>
> >>
> >>
>
>
>
(Msg. 6) Posted: Thu Aug 13, 2009 5:21 am
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
The offending certificate has now been removed and the encryption of the
offline cache is working successfully.
Thanks for all your help.
Robin
"Robin Hearne" wrote:
> Thanks Steve. I found that the Default Domain Policy had an expired recovery
> certificate which must have been there since we migrated from the NT 4.0
> domain!
> I'll get it removed and hopefully this will resolve the issue.
>
>
> Robin
>
> "Old Rookie" wrote:
>
> > Acording to Microsoft the cause and solution to your issue is below. Your
> > solution will depend on if you have a an Enterprise Certificate Authority
> > server or not in the domain. You will want to find the GPO that is pushing
> > the RC out to the domain workstations and there you will be able to
> > configure new RA certificate for the domain computers under computer
> > configuration\windows settings\computer settings\public key
> > policies\encrypted file system . You got access denied becaue Windows does
> > not allow you to encrypt system files.
> >
> > When encrypting a file, a message appears: "Recovery policy configured for
> > this system contains invalid recovery certificate" or
> > "ERROR_BAD_RECOVERY_POLICY."
> > Cause: The Encrypting File System (EFS) recovery policy that is implemented
> > on this computer contains one or more EFS recovery agent certificates that
> > have expired. These certificates cannot be used.
> >
> > Solution: Either renew the existing certificates or generate new
> > certificates for the EFS recovery agents and reapply the recovery agent
> > policy with those certificates.
> >
> >
> >
> >
> > "Robin Hearne" <RobinHearne DeleteThis @discussions.microsoft.com> wrote in message
> > news:0ADC4953-76EE-43E6-A13C-A9F38053E8A4@microsoft.com...
> > > If I try to manually encypt a test folder in the root of C:\ I get the
> > > following error:
> > >
> > > 'Recovery policy configured for this system contains invailid recovery
> > > certificate'
> > >
> > > However, if I create a test folder in the Windows directory and try to
> > > encrypt that then I get an 'Access Denied' error
> > >
> > > Robin
> > >
> > > P.S. I'm hoping that it's not neccessary to create a recovery certificate
> > > as
> > > it's only the offline copies that are to be encypted.
> > >
> > > "Old Rookie" wrote:
> > >
> > >> One thing to check is that EFS encryption is enabled [or not disabled] in
> > >> the domain. Try to manually use EFS on a test folder/file on one of the
> > >> computers in question to see if that can be done or not. If not then most
> > >> likely it is disabled in some domain GPO under computer
> > >> configuration\windows settings\computer settings\public key
> > >> policies\encrypted file system [gpresult/rsop.msc may help track that
> > >> down].
> > >> You can encrypt a folder with EFS via it's properties - advanced.
> > >>
> > >> Steve
> > >>
> > >> "Robin Hearne" <RobinHearne DeleteThis @discussions.microsoft.com> wrote in message
> > >> news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
> > >> >I have enabled the Group Policy setting to encrypt the offline file
> > >> >cache
> > >> >and
> > >> > I am getting the following errors in the Application event log:
> > >> >
> > >> > Event Type: Error
> > >> > Event Source: Offline Files
> > >> > Event Category: None
> > >> > Event ID: 18
> > >> > Date: 05/08/2009
> > >> > Time: 15:09:31
> > >> > User: N/A
> > >> > Computer: PC-007183
> > >> > Description:
> > >> > Encryption of the Offline Files cache failed with error 5.
> > >> >
> > >> > File: <filename removed>
> > >> >
> > >> > Access is denied.
> > >> >
> > >> > This is occuring on all PCs where this policy is applied. I've not
> > >> > been
> > >> > able to find any other posts refering to this problem. Is anyone able
> > >> > to
> > >> > help?
> > >> >
> > >> > Regards,
> > >> >
> > >> >
> > >> > Robin
> > >>
> > >>
> > >>
> >
> >
> >
(Msg. 7) Posted: Thu Aug 13, 2009 10:50 pm
Post subject: Re: Access Denied after Encrypting Offline Cache [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Great to hear that Robin! Thanks for reporting back what worked so that
others with the same problem can benefit.
Steve
"Robin Hearne" <RobinHearne RemoveThis @discussions.microsoft.com> wrote in message
news:B5CBC11F-7CEF-4FFE-B186-46A7A5FCF91C@microsoft.com...
> The offending certificate has now been removed and the encryption of the
> offline cache is working successfully.
>
> Thanks for all your help.
>
> Robin
>
> "Robin Hearne" wrote:
>
>> Thanks Steve. I found that the Default Domain Policy had an expired
>> recovery
>> certificate which must have been there since we migrated from the NT 4.0
>> domain!
>> I'll get it removed and hopefully this will resolve the issue.
>>
>>
>> Robin
>>
>> "Old Rookie" wrote:
>>
>> > Acording to Microsoft the cause and solution to your issue is below.
>> > Your
>> > solution will depend on if you have a an Enterprise Certificate
>> > Authority
>> > server or not in the domain. You will want to find the GPO that is
>> > pushing
>> > the RC out to the domain workstations and there you will be able to
>> > configure new RA certificate for the domain computers under computer
>> > configuration\windows settings\computer settings\public key
>> > policies\encrypted file system . You got access denied becaue Windows
>> > does
>> > not allow you to encrypt system files.
>> >
>> > When encrypting a file, a message appears: "Recovery policy configured
>> > for
>> > this system contains invalid recovery certificate" or
>> > "ERROR_BAD_RECOVERY_POLICY."
>> > Cause: The Encrypting File System (EFS) recovery policy that is
>> > implemented
>> > on this computer contains one or more EFS recovery agent certificates
>> > that
>> > have expired. These certificates cannot be used.
>> >
>> > Solution: Either renew the existing certificates or generate new
>> > certificates for the EFS recovery agents and reapply the recovery agent
>> > policy with those certificates.
>> >
>> >
>> >
>> >
>> > "Robin Hearne" <RobinHearne RemoveThis @discussions.microsoft.com> wrote in message
>> > news:0ADC4953-76EE-43E6-A13C-A9F38053E8A4@microsoft.com...
>> > > If I try to manually encypt a test folder in the root of C:\ I get
>> > > the
>> > > following error:
>> > >
>> > > 'Recovery policy configured for this system contains invailid
>> > > recovery
>> > > certificate'
>> > >
>> > > However, if I create a test folder in the Windows directory and try
>> > > to
>> > > encrypt that then I get an 'Access Denied' error
>> > >
>> > > Robin
>> > >
>> > > P.S. I'm hoping that it's not neccessary to create a recovery
>> > > certificate
>> > > as
>> > > it's only the offline copies that are to be encypted.
>> > >
>> > > "Old Rookie" wrote:
>> > >
>> > >> One thing to check is that EFS encryption is enabled [or not
>> > >> disabled] in
>> > >> the domain. Try to manually use EFS on a test folder/file on one of
>> > >> the
>> > >> computers in question to see if that can be done or not. If not then
>> > >> most
>> > >> likely it is disabled in some domain GPO under computer
>> > >> configuration\windows settings\computer settings\public key
>> > >> policies\encrypted file system [gpresult/rsop.msc may help track
>> > >> that
>> > >> down].
>> > >> You can encrypt a folder with EFS via it's properties - advanced.
>> > >>
>> > >> Steve
>> > >>
>> > >> "Robin Hearne" <RobinHearne RemoveThis @discussions.microsoft.com> wrote in
>> > >> message
>> > >> news:1DB3FD7E-2CE4-4A8A-BDC5-383F220164D4@microsoft.com...
>> > >> >I have enabled the Group Policy setting to encrypt the offline file
>> > >> >cache
>> > >> >and
>> > >> > I am getting the following errors in the Application event log:
>> > >> >
>> > >> > Event Type: Error
>> > >> > Event Source: Offline Files
>> > >> > Event Category: None
>> > >> > Event ID: 18
>> > >> > Date: 05/08/2009
>> > >> > Time: 15:09:31
>> > >> > User: N/A
>> > >> > Computer: PC-007183
>> > >> > Description:
>> > >> > Encryption of the Offline Files cache failed with error 5.
>> > >> >
>> > >> > File: <filename removed>
>> > >> >
>> > >> > Access is denied.
>> > >> >
>> > >> > This is occuring on all PCs where this policy is applied. I've
>> > >> > not
>> > >> > been
>> > >> > able to find any other posts refering to this problem. Is anyone
>> > >> > able
>> > >> > to
>> > >> > help?
>> > >> >
>> > >> > Regards,
>> > >> >
>> > >> >
>> > >> > Robin
>> > >>
>> > >>
>> > >>
>> >
>> >
>> >
All times are: Eastern Time (US & Canada) (change)
Page 1 of 1
You can post new topics in this forum You can reply to topics in this forum You can edit your posts in this forum You can delete your posts in this forum You can vote in polls in this forum
Home
Forums
Home
FAQ
Profile
Private Messages
Log in
Windows XP