Microsoft KB Archive/810859

= The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer =

Article ID: 810859

Article Last Modified on 8/29/2007


APPLIES TO


 * Microsoft Windows XP Professional






SYMPTOMS
After the network administrator applies the Encrypt the Offline Files cache (EncryptCache) Group Policy setting to a Microsoft Windows XP Professional-based computer, the Group Policy setting does not take effect on the client computer. This symptom occurs only if the user logs on interactively by using the keyboard.

Additionally, the following event is logged in the application event log:

 Event Type: Error
 Event Source: Offline Files
 Event ID: 16
 Description: Encryption of the Offline Files cache failed with error 5. Access is denied.



CAUSE
This problem may occur when the user who logs on does not have administrator permissions.

When the administrator applies the Encrypt the Offline Files cache Group Policy, the EncryptCache registry value on the client computer is updated. Depending on the registry value, the Client Side Caching extension (Cscui.dll) in Windows Explorer tries to encrypt the Client Side Caching folder. However, the Client Side Caching folder encryption state cannot be changed by a user who does not have administrator permissions.



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

64-bit versions of Windows XP

Applying the hotfix
This hotfix changes the way that the EncryptCache Group Policy setting is implemented. Before you apply the hotfix, the EncryptCache policy is implemented as a Client Side Caching extension in Cscui.dll. After you apply the hotfix, the Cscui.dll client extension is used when this Group Policy setting is applied to a computer. The Cscui.dll client extension encrypts or decrypts the Client Side Caching cache, depending on your setting. This Client Side Caching extension is used in a privileged context. Therefore, an administrator does not have to log on to the computer interactively to encrypt the cache.

To apply this hotfix, make sure that you do both of the following:
 * Update the Active Directory Group Policy setting to reference the new Client Side Caching extension.
 * Install this hotfix on all your Windows XP-based computers.

Note The local Group Policy System.adm file is also updated when you apply the hotfix.

While you apply this hotfix, your production environment may contain one or more of the following:
 * An old Active Directory Group Policy setting that does not have the Client Side Caching extension.
 * A new Active Directory Group Policy setting that has the Client Side Caching extension.
 * A Windows XP-based computer that does not have the hotfix applied.
 * A Windows XP-based computer that has the hotfix applied.

The following table explains what occurs when the old settings are mixed with the new settings.

Based on this table, use the following deployment strategy.

Part 1: Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:

 1. Update the System.adm file to include the CLIENTEXT line, as follows:

      POLICY !!Pol_EncryptOfflineFiles
          #if version >= 4
              SUPPORTED !!SUPPORTED_WindowsXP
          #endif
          VALUENAME "EncryptCache"
          EXPLAIN !!Pol_EncryptOfflineFiles_Help
          VALUEON NUMERIC 1
          VALUEOFF NUMERIC 0
          CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
      END POLICY

    To find the System.adm location path for the Group Policy setting, follow these steps:

     a. Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
     b. Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
     c. Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:

          enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"

        The following example shows the gPCFileSysPath attribute:

          LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
          gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}

        Note The EnumProp tool is included in the Windows XP Resource Kit.

 2. Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:

     a. Use the Group Policy Editor snap-in to modify the Group Policy setting.
     b. Modify the "Encrypt the Offline Files cache" Group Policy setting.

        Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.
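Both Part 1 updates can be checked offline once the System.adm text and the GPO's gPCMachineExtensionNames value have been copied out of the policy. The following Python check is an added example, not Microsoft's code: the function names, the trimmed ADM sample and the placeholder GUIDs (everything except the CLIENTEXT GUID from this article) are constructed, and it assumes the attribute's [{CSE GUID}{tool GUID}...] layout.

```python
import re

# CSE GUID taken from the CLIENTEXT line in this article's System.adm snippet.
CSC_CSE = "{C631DF4C-088F-4156-B058-4375F0853CD8}"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Constructed sample inputs: a trimmed copy of the article's POLICY block and
# gPCMachineExtensionNames values whose other GUIDs are placeholders.
NEW_ADM = """POLICY !!Pol_EncryptOfflineFiles
    VALUENAME "EncryptCache"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
"""
OLD_ADM = NEW_ADM.replace("    CLIENTEXT " + CSC_CSE + "\n", "")
OLD_EXT = "[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}]"
NEW_EXT = OLD_EXT + "[" + CSC_CSE + "{22222222-2222-2222-2222-222222222222}]"


def adm_clientext(adm_text, policy="Pol_EncryptOfflineFiles"):
    """Return the CLIENTEXT GUID inside the named POLICY block, or None."""
    block = re.search(r"^\s*POLICY\s*!!" + re.escape(policy) + r"\b(.*?)^\s*END\s+POLICY\b",
                      adm_text, re.S | re.M | re.I)
    if not block:
        return None
    ext = re.search(r"^\s*CLIENTEXT\s+(" + GUID + r")", block.group(1), re.M | re.I)
    return ext.group(1).upper() if ext else None


def cse_guids(extension_names):
    """List the CSE GUIDs (first GUID of each [...] group) in the attribute value."""
    found = []
    for group in re.findall(r"\[([^\]]*)\]", extension_names or ""):
        first = re.match(GUID, group.strip())
        if first:
            found.append(first.group(0).upper())
    return found


def gpo_state(adm_text, extension_names):
    """Report which of the two Part 1 updates are present for a GPO."""
    return {"adm_has_clientext": adm_clientext(adm_text) == CSC_CSE,
            "gpo_lists_cse": CSC_CSE in cse_guids(extension_names)}


if __name__ == "__main__":
    print("old:", gpo_state(OLD_ADM, OLD_EXT))
    print("new:", gpo_state(NEW_ADM, NEW_EXT))
```

A GPO that reports `adm_has_clientext` as true but `gpo_lists_cse` as false has the updated System.adm but has not yet had the policy setting modified in the Group Policy Editor, which is the step that writes the extension GUID into the attribute.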

Part 2: Deploy the hotfix to your Windows XP-based computers
After you apply this hotfix, you may receive the following error message in the Application log:

18/03/2003 12:46:31 Offline Files Error None 16 N/A LLDN0114233 Encryption of the Offline Files cache failed with error 12.

If you receive this error message after Windows XP restarts, you can safely ignore it. Every time that Windows restarts, the "Encrypt the Offline Files cache" Group Policy setting determines whether the offline folder cache is encrypted. If the Client Side Caching database is not fully initialized, the policy logs this error message. Because the policy is refreshed at set intervals, you can safely ignore this error message.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
The "Encrypt the Offline Files cache" Group Policy setting determines whether offline files are encrypted. Offline files reside on a user's local drive, not on the network. Offline files are stored in a local cache on the computer. Encrypting this cache helps improve security on a local computer. If the cache on the local computer is not encrypted, any encrypted files that are cached from the network are not encrypted on the local computer. This situation may pose a security risk in some environments.

Notes
 * If you enable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are encrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot decrypt Offline Files through the user interface.
 * If you disable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are unencrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot encrypt offline files through the user interface.
 * If you do not configure the "Encrypt the Offline Files cache" Group Policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation finishes so that the cache is fully encrypted. The cache does not return to the unencrypted state. The user must have administrator permissions on the local computer to encrypt or to decrypt the Offline Files cache.
 * By default, the access control list (ACL) helps protect the Offline Files cache on an NTFS file system partition.
