Microsoft KB Archive/810859


Article ID: 810859

Article Last Modified on 8/29/2007



APPLIES TO

  • Microsoft Windows XP Professional




SYMPTOMS

After the network administrator applies the Encrypt the Offline Files cache (EncryptCache) Group Policy setting to a Microsoft Windows XP Professional-based computer, the Group Policy setting does not take effect on the client computer. This symptom occurs only if the user logs on interactively by using the keyboard.

Additionally, the following event is logged in the application event log:

Event Type: Error
Event Source: Offline Files
Event ID: 16
Description: Encryption of the Offline Files cache failed with error 5. Access is denied.


CAUSE

This problem may occur when the user who logs on does not have administrator permissions.

When the administrator applies the Encrypt the Offline Files cache Group Policy, the EncryptCache registry value on the client computer is updated. Depending on the registry value, the Client Side Caching extension (Cscui.dll) in Windows Explorer tries to encrypt the Client Side Caching folder. However, the Client Side Caching folder encryption state cannot be changed by a user who does not have administrator permissions.

RESOLUTION

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:


The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

32-bit versions of Windows XP

File name | File version | File size | Date | Time | Platform | SP requirement
Cscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 20:16 | x86 | SP1
Regedit.exe | 5.1.2600.1656 | 134,144 | 31-Mar-2005 | 00:36 | x86 | SP1
System.adm | Not Applicable | 1,521,538 | 01-Feb-2005 | 02:58 | Not Applicable | SP1

64-bit versions of Windows XP

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Cscui.dll | 5.1.2600.1656 | 690,688 | 31-Mar-2005 | 04:14 | IA-64 | SP1 | Not Applicable
Regedit.exe | 5.1.2600.1656 | 369,152 | 30-Mar-2005 | 08:56 | IA-64 | SP1 | Not Applicable
System.adm | Not Applicable | 1,521,538 | 02-Feb-2005 | 02:21 | Not Applicable | SP1 | Not Applicable
Wcscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 04:16 | x86 | SP1 | WOW


Applying the hotfix

This hotfix changes the way that the EncryptCache Group Policy setting is implemented. Before you apply the hotfix, the EncryptCache policy is implemented as a Client Side Caching extension in Cscui.dll. After you apply the hotfix, the Cscui.dll client extension is used when this Group Policy setting is applied to a computer. The Cscui.dll client extension encrypts or decrypts the Client Side Caching cache, depending on your setting. This Client Side Caching extension is used in a privileged context. Therefore, an administrator does not have to log on to the computer interactively to encrypt the cache.

To apply this hotfix, make sure that you do both of the following:

  • Update the Active Directory Group Policy setting to reference the new Client Side Caching extension.
  • Install this hotfix on all your Windows XP-based computers.


Note The local Group Policy System.adm file is also updated when you apply the hotfix.

While you apply this hotfix, your production environment may contain one or more of the following:

  • An old Active Directory Group Policy setting that does not have the Client Side Caching extension.
  • A new Active Directory Group Policy setting that has the Client Side Caching extension.
  • A Windows XP-based computer that does not have the hotfix applied.
  • A Windows XP-based computer that has the hotfix applied.

The following table explains what occurs when the old settings are mixed with the new settings.

The CLIENTEXT line in the System.adm file and in the Active Directory Group Policy object | The Group Policy extension in Cscui.dll | Expected behavior
No | No | This is Windows XP without the hotfix installed. The encryption policy requires the administrator to be logged on to the client computer.
No | Yes | The Group Policy extension exists but is not used by the Group Policy engine. The original encryption code has been removed from Cscui.dll. Therefore, no encryption occurs in response to the Group Policy setting.
Yes | No | The Group Policy setting tries to use the Group Policy extension, but the Group Policy extension does not exist in Cscui.dll. The original encryption code exists in Cscui.dll and will be executed as in the original version of Windows XP. You must log on as an administrator to encrypt the Client Side Caching cache.
Yes | Yes | The hotfix is applied as a Group Policy extension.

Based on this table, use the following deployment strategy.

Part 1: Modify the Active Directory Group Policy setting

To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:

  1. Update the System.adm file to include the CLIENTEXT line, as follows:

    POLICY!!Pol_EncryptOfflineFiles
       #if version >= 4
          SUPPORTED !!SUPPORTED_WindowsXP
       #endif
       VALUENAME "EncryptCache"
       EXPLAIN !!Pol_EncryptOfflineFiles_Help
          VALUEON  NUMERIC 1
          VALUEOFF NUMERIC 0
          CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
    END POLICY

    To find the System.adm location path for the Group Policy setting, follow these steps:

    1. Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
    2. Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
    3. Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:
      enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"

      The following example shows the gPCFileSysPath attribute:

      LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
       gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}

      Note The EnumProp tool is included in the Windows XP Resource Kit.
  2. Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:
    1. Use the Group Policy Editor snap-in to modify the Group Policy setting.
    2. Modify the "Encrypt the Offline Files cache" Group Policy setting.

      Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Part 2: Deploy the hotfix to your Windows XP-based computers

After you apply this hotfix, you may receive the following error message in the Application log:

18/03/2003 12:46:31 Offline Files Error None 16 N/A LLDN0114233 Encryption of the Offline Files cache failed with error 12.

If you receive this error message after Windows XP restarts, you can safely ignore it. Every time that Windows restarts, the "Encrypt the Offline Files cache" Group Policy setting determines whether the offline folder cache is encrypted. If the Client Side Caching database is not fully initialized, the policy logs this error message. Because the policy is refreshed at set intervals, you can safely ignore this error message.
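
During a staged rollout, each GPO and client pair sits in one row of the mixed-state table above. The following Python is an added example, not code from Microsoft or from this article; it assumes the System.adm text, the gPCMachineExtensionNames value and the Cscui.dll file version have already been collected by other means, and its function names, placeholder GUIDs and the older version string are constructed for illustration.

```python
import re

# Both values are taken from the article: the CLIENTEXT GUID and the hotfix file version.
CSE_GUID = "{C631DF4C-088F-4156-B058-4375F0853CD8}"
HOTFIX_VERSION = (5, 1, 2600, 1656)

def adm_has_clientext(adm_text):
    """True if the POLICY block that sets EncryptCache carries the CLIENTEXT line."""
    for block in re.findall(r"^\s*POLICY\b.*?^\s*END\s+POLICY\b", adm_text, re.S | re.M):
        if re.search(r'VALUENAME\s+"EncryptCache"', block):
            return re.search(r"^\s*CLIENTEXT\s+" + re.escape(CSE_GUID), block, re.M) is not None
    return False

def gpo_cse_guids(ext_names):
    """gPCMachineExtensionNames is a run of [{CSE}{tool}...] groups; return each CSE GUID."""
    return {g.upper() for g in re.findall(r"\[(\{[0-9A-Fa-f-]{36}\})", ext_names or "")}

def hotfix_installed(cscui_version):
    """Assumption: any Cscui.dll at or above the listed version counts ("or later")."""
    return tuple(int(p) for p in cscui_version.split(".")) >= HOTFIX_VERSION

def expected_behavior(adm_text, ext_names, cscui_version):
    """Map one GPO/client pair onto the article's mixed-state table."""
    in_adm = adm_has_clientext(adm_text)
    in_gpo = CSE_GUID in gpo_cse_guids(ext_names)
    if in_adm and not in_gpo:
        # Not a table row: System.adm was updated but the setting was not re-saved.
        return "GPO not updated: edit the setting so gPCMachineExtensionNames is rewritten"
    rows = {
        (False, False): "administrator must log on to encrypt",
        (False, True): "no encryption occurs",
        (True, False): "administrator must log on to encrypt",
        (True, True): "encrypted by the Group Policy extension",
    }
    return rows[(in_gpo, hotfix_installed(cscui_version))]

# Constructed sample input: a cut-down policy block and extension lists with placeholder GUIDs.
NEW_ADM = '''POLICY !!Pol_EncryptOfflineFiles
   VALUENAME "EncryptCache"
   CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY'''
OLD_ADM = NEW_ADM.replace("   CLIENTEXT " + CSE_GUID + "\n", "")
OLD_GPO = "[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}]"
NEW_GPO = OLD_GPO + "[" + CSE_GUID + "{22222222-2222-2222-2222-222222222222}]"

if __name__ == "__main__":
    for adm, gpo in ((OLD_ADM, OLD_GPO), (NEW_ADM, NEW_GPO)):
        for ver in ("5.1.2600.0", "5.1.2600.1656"):  # constructed older version, hotfix version
            print(ver, "->", expected_behavior(adm, gpo, ver))
```

The "no encryption occurs" result is the row to watch for in an audit: the client has the hotfix, but the GPO still lacks the extension, so the cache stays unencrypted even though the policy is enabled.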

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The "Encrypt the Offline Files cache" Group Policy setting determines whether offline files are encrypted. Offline files reside on a user's local drive, not on the network. Offline files are stored in a local cache on the computer. Encrypting this cache helps improve security on a local computer. If the cache on the local computer is not encrypted, any encrypted files that are cached from the network are not encrypted on the local computer. This situation may pose a security risk in some environments.

Notes

  • If you enable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are encrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot decrypt Offline Files through the user interface.
  • If you disable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are unencrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot encrypt offline files through the user interface.
  • If you do not configure the "Encrypt the Offline Files cache" Group Policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation finishes so that the cache is fully encrypted. The cache does not return to the unencrypted state. The user must have administrator permissions on the local computer to encrypt or to decrypt the Offline Files cache.
  • By default, the access control list (ACL) helps protect the Offline Files cache on an NTFS file system partition.


REFERENCES

For more information about the terms that are used in this article, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Keywords: kbhotfixserver kbqfe kbqfe kbfix kbbug KB810859