Access Denied after Encrypting Offline Cache

Robin Hearne

I have enabled the Group Policy setting to encrypt the offline file cache and
I am getting the following errors in the Application event log:

Event Type: Error
Event Source: Offline Files
Event Category: None
Event ID: 18
Date: 05/08/2009
Time: 15:09:31
User: N/A
Computer: PC-007183
Description:
Encryption of the Offline Files cache failed with error 5.

File: <filename removed>

Access is denied.

This is occurring on all PCs where this policy is applied. I've not been
able to find any other posts referring to this problem. Is anyone able to
help?

Regards,


Robin
 
Old Rookie

One thing to check is that EFS encryption is enabled [or not disabled] in
the domain. Try to manually use EFS on a test folder/file on one of the
computers in question to see if that can be done or not. If not then most
likely it is disabled in some domain GPO under computer
configuration\windows settings\computer settings\public key
policies\encrypted file system [gpresult/rsop.msc may help track that down].
You can encrypt a folder with EFS via its properties - advanced.

Steve
 
Robin Hearne

If I try to manually encrypt a test folder in the root of C:\ I get the
following error:

'Recovery policy configured for this system contains invalid recovery
certificate'

However, if I create a test folder in the Windows directory and try to
encrypt that then I get an 'Access Denied' error

Robin

P.S. I'm hoping that it's not necessary to create a recovery certificate as
it's only the offline copies that are to be encrypted.

Old Rookie

According to Microsoft the cause and solution to your issue is below. Your
solution will depend on if you have an Enterprise Certificate Authority
server or not in the domain. You will want to find the GPO that is pushing
the RC out to the domain workstations and there you will be able to
configure a new RA certificate for the domain computers under computer
configuration\windows settings\computer settings\public key
policies\encrypted file system. You got access denied because Windows does
not allow you to encrypt system files.

When encrypting a file, a message appears: "Recovery policy configured for
this system contains invalid recovery certificate" or
"ERROR_BAD_RECOVERY_POLICY."
Cause: The Encrypting File System (EFS) recovery policy that is implemented
on this computer contains one or more EFS recovery agent certificates that
have expired. These certificates cannot be used.

Solution: Either renew the existing certificates or generate new
certificates for the EFS recovery agents and reapply the recovery agent
policy with those certificates.
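
Added example, not part of the original thread: a PowerShell check for the cause described above, listing the EFS recovery agent certificates a workstation has received through policy and flagging any that are expired or not yet valid. It assumes the policy-delivered certificates sit under HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates and that each Blob value loads as a serialized certificate; Get-EfsRecoveryCertStatus is a name made up for this example.

```powershell
# Added example (not from the thread). Run on an affected workstation.
# Assumption: recovery agent certificates pushed by Group Policy are stored
# under this key, one subkey per certificate with a binary 'Blob' value.
$EfsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function Get-EfsRecoveryCertStatus {
    param(
        [string]$Path = $EfsPolicyKey,
        [datetime]$Now = (Get-Date)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No policy-delivered EFS recovery certificates found at $Path"
        return
    }

    foreach ($entry in Get-ChildItem -LiteralPath $Path) {
        # Each subkey is a Microsoft.Win32.RegistryKey; Blob holds the certificate.
        $blob = $entry.GetValue('Blob')
        if (-not $blob) { continue }

        try {
            # Assumption: the registry blob is accepted as a serialized certificate.
            # The unary comma passes the byte array as a single constructor argument.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        }
        catch {
            Write-Warning "Could not parse certificate in $($entry.PSChildName): $_"
            continue
        }

        # NotBefore/NotAfter are local time, matching Get-Date.
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            NotYetValid = $cert.NotBefore -gt $Now
            Expired     = $cert.NotAfter -lt $Now
        }
    }
}

# Show only the certificates that would invalidate the recovery policy.
Get-EfsRecoveryCertStatus | Where-Object { $_.Expired -or $_.NotYetValid } | Format-List
```

An empty result from the last line means no expired policy certificate was found on that machine; gpresult or rsop.msc, as mentioned earlier in the thread, shows which GPO delivers the policy.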




Robin Hearne

Thanks Steve. I found that the Default Domain Policy had an expired recovery
certificate which must have been there since we migrated from the NT 4.0
domain!
I'll get it removed and hopefully this will resolve the issue.


Robin

Robin Hearne

The offending certificate has now been removed and the encryption of the
offline cache is working successfully.

Thanks for all your help.

Robin

Old Rookie

Great to hear that Robin! Thanks for reporting back what worked so that
others with the same problem can benefit.

Steve

