Offline Files is Kicking my Butt

TechieSooner

This has to be something very simple but I cannot find a solution online... Everything I found online says "Full Control to Everyone", which is crappy security...

I have all my users' Home Directories at \\server\Home Folders\%username%.
I have those set to utilize a mapped drive.
I also have those set to where the user's My Documents folder is also accessing that location (Their Home Directory and My Documents are the same location).

However, when I go into My Computer, right-click the mapped drive and take the Make Available Offline option, it scans all my items and then errors out with Access is Denied.
Makes no sense. The users all have full control on their own Home Directory and can make any changes they want, but when using Offline Files, it's failing.

Any tips on how to fix this? Thanks!
 
Sounds like it's access denied to the local disk; it can't write the cache. Either that or document redirection is screwed up.

First step: reinitialize document redirection, reboot, and try again.
 
Sounds like it's access denied to the local disk; it can't write the cache. Either that or document redirection is screwed up.

First step: reinitialize document redirection, reboot, and try again.

Document Redirection works great. No issues there at all.
 
Okie dokie, is the only message you're getting access denied, or is there any more information like "more data is available"?

Here's what I get:
[Image: 3202208660_81dc511f46.jpg]
 
Totally depends how it's set up through the GPO with document redirection. I would say get rid of the home folder; you don't need it since My Docs maps to the same place. Then try to set up offline files through a GPO.

That is generally how I do it.
 
I'd really like to keep my mapped drive... Is there no way around that?

Guess that's a screwup on my part for not thinking of that when I created these drives.
 
Actually saw something in GPO that led me to think that My Documents redirection automatically means Offline Files... I'll test that theory out and see if it works.
 
Actually saw something in GPO that led me to think that My Documents redirection automatically means Offline Files... I'll test that theory out and see if it works.

From what I've seen in my quick setup so far, as soon as My Documents is set to a Remote Location, Offline Files and synchronization comes into play automatically. I'll be able to confirm this exactly for you on Monday.

EDIT:
-----------------------------------------------------------------------------------------------------------
Since I hate waiting for answers, I went and booted up some VMs in VirtualBox, here are their configs:

Name: 2000server
OS: Windows 2000 Advanced Server
Domain Controller of engineering.local
Latest updates available from Windows Update

Name: XPClient
OS: Windows XP Professional
Member of engineering.local
Latest updates available from Windows Update

Alright, so - I have a user set up like so.

Home Folder was set to "\\2000server\UserFiles\%username%" at creation. The folder was created automatically with proper permissions for the user set.

"\\2000server\UserProfiles\All" is a mandatory profile which all users have access to. (I'm aware it says UserFiles, that was a typo when making it, didn't want to fix)



I'd note, even at this point, offline files seems to be enabled simply from setting the home folder here.


Next, I created the GPO to redirect My Documents for the users. This is a domain-wide GPO, applied to Authenticated Users.




Time to test it! This is all descriptive, no pictures.

After booting up XPClient, I logged in using the domain admin and ran a "gpupdate /force" to make sure the group policy had been applied. Logged off.

Logged into my user "owen" and opened up My Documents, the "sync" icon appeared on the files in here. I created a few new text files here, they appeared instantly in the folder on 2000server "Yay!". So I logged off.

Next, to test for offline, I paused the 2000server machine and logged back on to "owen" on XPClient. Unable to contact the server, it loaded the local profile and failed the sync, and began work in Offline Mode (a balloon tip let me know). I unpaused 2000server at this point. Opened up My Documents again and created a few more text files. These files didn't appear in the folder on 2000server since we're working in Offline Mode. So I logged off and it synced successfully. Hooray!

Hopefully you can understand my ramblings and it helps you out in some way.
 
I don't use roaming user profiles, so that part wouldn't apply to me. However my question is in this statement...
Home Folder was set to "\\2000server\UserFiles\%username%" at creation. The folder was created automatically with proper permissions for the user set.

What's your permissions on \\2000server\UserFiles?
Mine is Administrators ONLY... And then \\2000server\UserFiles\Techiesooner would have TechieSooner with full control.
 
"\\2000server\UserFiles" is shared to Everyone, a basic Windows share. Each folder within it, e.g. "\\2000server\UserFiles\owen", is then set (automatically) to the user in question, and Administrators. In this fashion, they could technically see all the folders there, but cannot actually access any other than their own. As long as you don't have the "Everyone" permission propagate to children, you should be okay.

\\2000server\UserFiles
Everyone: Full Control

\\2000server\UserFiles\owen
Administrators: Full Control
owen: Full Control


This may not be 100% the best way to do it, but people's files still remain secure.
 
"\\2000server\UserFiles" is shared to Everyone, a basic Windows share. Each folder within it, e.g. "\\2000server\UserFiles\owen", is then set (automatically) to the user in question, and Administrators. In this fashion, they could technically see all the folders there, but cannot actually access any other than their own. As long as you don't have the "Everyone" permission propagate to children, you should be okay.
Hmm OK...

I was worried about future child objects, mainly, inheriting permissions from that Everyone parent.

So Windows will, when I create a new user profile, just set Administrators and that User? It won't look at parent permissions?
 
From my experience, that's what's happening. When mapping the home folder, it will create the folder and set permissions (if the folder already exists, it will warn you to make sure permissions are correct). By default, it seems to have "Allow inheritable permissions from parent..." disabled, which is good.

[Image: permissionsfs7.png]
 
Is caching enabled on the share? By default, it is, but I didn't see where you have verified that. I usually force it on for all folders in the share from the server side when I need it instead of the 'only the files and programs that users specify will be available offline option'
 
Is caching enabled on the share? By default, it is, but I didn't see where you have verified that. I usually force it on for all folders in the share from the server side when I need it instead of the 'only the files and programs that users specify will be available offline option'

Yep, even kicked it up a notch to the next level (making available to ALL files).
 
Ok, then have you tried to force replacement of the ntfs permissions\owner?

Is this just for one user, or multiple/all?
 
Ok, then have you tried to force replacement of the ntfs permissions\owner?

Is this just for one user, or multiple/all?
All users. I think the above solutions will probably work though, now that I'm thinking about it...
 
Hate to bump this up again, but apparently this isn't going to work for me...

By default, when a profile is created (at least on my server in the testing I just did), the Home Folder gets set with inherited permissions. Which means if D:\Home Folders is set to have users read it, D:\Home Folders\ttest would be able to be read by users.

Screenshot:

[Image: 3212282453_65722f8906.jpg]


Now what???

It seems rather a PITA to have to go in and manually set permissions whenever I add someone new.
 
Uncheck the "Allow inheritable permissions from the parent to propagate..." box on your share folder; that way the newly created folders will only have the permissions granted by the wizard, not the parent folder's permissions.

Make sure you click the 'copy' option when you do it, though, otherwise it will remove all of the other permissions that you have already applied.
 
Hey Techie, can't tell you for sure there, I did both setups (VM and real world) the same way.

Can I ask how you made the share that you're putting the home folders in? Maybe that could change something.
 
Uncheck the "Allow inheritable permissions from the parent to propagate..." box on your share folder; that way the newly created folders will only have the permissions granted by the wizard, not the parent folder's permissions.
It *is* unchecked. That's the odd thing. But when Server creates those Home Folders themselves, it by default checks the box to inherit from the parent...

Can I ask how you made the share that you're putting the home folders in? Maybe that could change something.

Manually. Created a Home Folder directory, shared it out, and then as for all the subfolders I let Server do that automatically.
 
Is that box checked on the parent folder (the share)? If so, uncheck it there, and the newly created folders shouldn't have it checked, either.

Edit: Now that I think about it, the user folders should have that box checked, that way any folders they create will have the same permissions as their home folder. It is the parent folder that should have that box unchecked, and only admin permissions.
 
joblo37pam said:
Is that box checked on the parent folder (the share)? If so, uncheck it there, and the newly created folders shouldn't have it checked, either.

Edit: Now that I think about it, the user folders should have that box checked, that way any folders they create will have the same permissions as their home folder. It is the parent folder that should have that box unchecked, and only admin permissions.

I think you're looking at that the wrong way. It should be unchecked. You don't want permissions to be propagated from the parent. I believe you're looking at it as its permissions propagating to children.

TechieSooner said:
Manually. Created a Home Folder directory, shared it out, and then as for all the subfolders I let Server do that automatically.
So you just made a folder, went to Sharing in the properties, and check "Share This Folder"? Didn't do any other permissions on it or anything? That's how mine is, it's also in the root of the drive, if that might affect anything in how it wants to work.
 
I think you're looking at that the wrong way. It should be unchecked. You don't want permissions to be propagated from the parent. I believe you're looking at it as its permissions propagating to children.

That's exactly what I said, just a little more clearly. ;)

It should be unchecked on the parent, and checked on the children.
 
That's exactly what I said, just a little more clearly. ;)

It should be unchecked on the parent, and checked on the children.

Perhaps you're referring to different folders than I am, but it should be something like this:

Code:
\\server\share			Doesn't matter, its our root folder
	|-\user'sfiles		Unchecked, don't want it coming from the parent
		|-\123		Once again, don't think it matters much
 
Your userfiles folder should be set to either Everyone full control or Domain Users, Domain Admins full control. Allow propagation, that is fine. You can map the home folder, that is fine too. What you need to do is, in the folder redirection GPO, set the check box to allow only the user access to their files. AD will take care of the rest; no need to mess with folder-level permissions for each user.
 
So you just made a folder, went to Sharing in the properties, and check "Share This Folder"? Didn't do any other permissions on it or anything? That's how mine is, it's also in the root of the drive, if that might affect anything in how it wants to work.
Yes, that's how I did it basically.

Your userfiles folder should be set to either Everyone full control or Domain Users, Domain Admins full control. Allow propagation, that is fine. You can map the home folder, that is fine too. What you need to do is, in the folder redirection GPO, set the check box to allow only the user access to their files. AD will take care of the rest; no need to mess with folder-level permissions for each user.
So... Will the GPO reset the permissions on the shares? That's a little too scary for comfort, putting a lot of trust in GPO to make sure the files get mapped.
 
If you just want them to be able to create and list folders and not be able to read anything, you can also do that with NTFS. I'm trying to find the document about it, but it's something like giving them list, traverse, and create/append folders and that's it.
 
Perhaps you're referring to different folders than I am, but it should be something like this:

Code:
\\server\share			Doesn't matter, its our root folder
	|-\user'sfiles		Unchecked, don't want it coming from the parent
		|-\123		Once again, don't think it matters much


That's basically what I was saying. I usually uncheck it on the user'sfiles folder, and lock it down so that users can't see each other's folders. When AD creates the home directory, it will inherit the permissions from the user'sfiles folder, plus grant the user permissions. In the end, only the user and the administrators group have permissions to their home directory. I just tested it on a new install in a VM, and it worked just like I want it to. Of course, if you don't care that users can see each other's folders, the config would be a little different.
 
Just not working that way for me at all... When AD creates a new Home Folder it inherits all the permissions of the parent, at least for me.
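
The thread keeps returning to one question: does each per-user home folder carry access it inherited from the share root? The following read-only audit is an added example, not code posted by anyone in the thread. It lists every Allow entry on each home folder that belongs to neither the folder's user nor an administrative principal, and shows whether that entry was inherited. The root path, the allowed-principal list, and the convention that the folder name equals the username are assumptions.

```powershell
# Added example: audit per-user home folders for access inherited from the share root.
# $HomeRoot and $Allowed are assumptions; adjust them for your server and domain.
param(
    [string]$HomeRoot  = 'D:\Home Folders',
    [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

function Test-HomeFolderAcl {
    param([string]$Path, [string[]]$Allowed)

    # Assumption: the folder is named after the account that owns it (%username%).
    $userName = Split-Path -Path $Path -Leaf
    $acl      = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who = $ace.IdentityReference.Value
        # The folder's own user normally appears as DOMAIN\username.
        $isFolderUser = ($who -split '\\')[-1] -eq $userName
        if ($isFolderUser -or ($Allowed -contains $who)) { continue }

        # Anything left is a principal that should not be on this folder.
        [pscustomobject]@{
            Folder             = $Path
            Principal          = $who
            Rights             = $ace.FileSystemRights
            Inherited          = $ace.IsInherited              # True: came from the parent
            InheritanceBlocked = $acl.AreAccessRulesProtected  # False: folder still inherits
        }
    }
}

# Walk the immediate children of the home root; each one is a user's home folder.
Get-ChildItem -LiteralPath $HomeRoot -Directory |
    ForEach-Object { Test-HomeFolderAcl -Path $_.FullName -Allowed $Allowed } |
    Sort-Object Folder, Principal |
    Format-Table -AutoSize
```

A row with Inherited = True points at an entry on the share root that applies to subfolders; a row with Inherited = False is an explicit entry set on the home folder itself.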
 