The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer

Article ID: 810859

SYMPTOMS

After the network administrator applies the Encrypt the Offline Files cache (EncryptCache) Group Policy setting to a Microsoft Windows XP Professional-based computer, the Group Policy setting does not take effect on the client computer. This symptom occurs only if the user logs on interactively by using the keyboard.

Additionally, the following event is logged in the application event log:

Event Type: Error
Event Source: Offline Files
Event ID: 16
Description: Encryption of the Offline Files cache failed with error 5. Access is denied.

CAUSE

This problem may occur when the user who logs on does not have administrator permissions.

When the administrator applies the Encrypt the Offline Files cache Group Policy, the EncryptCache registry value on the client computer is updated. Depending on the registry value, the Client Side Caching extension (Cscui.dll) in Windows Explorer tries to encrypt the Client Side Caching folder. However, the Client Side Caching folder encryption state cannot be changed by a user who does not have administrator permissions.

RESOLUTION

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

32-bit versions of Windows XP

| File name | File version | File size | Date | Time | Platform | SP requirement |
|---|---|---|---|---|---|---|
| Cscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 20:16 | x86 | SP1 |
| Regedit.exe | 5.1.2600.1656 | 134,144 | 31-Mar-2005 | 00:36 | x86 | SP1 |
| System.adm | Not Applicable | 1,521,538 | 01-Feb-2005 | 02:58 | Not Applicable | SP1 |

64-bit versions of Windows XP

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Cscui.dll | 5.1.2600.1656 | 690,688 | 31-Mar-2005 | 04:14 | IA-64 | SP1 | Not Applicable |
| Regedit.exe | 5.1.2600.1656 | 369,152 | 30-Mar-2005 | 08:56 | IA-64 | SP1 | Not Applicable |
| System.adm | Not Applicable | 1,521,538 | 02-Feb-2005 | 02:21 | Not Applicable | SP1 | Not Applicable |
| Wcscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 04:16 | x86 | SP1 | WOW |

Applying the hotfix

This hotfix changes the way that the EncryptCache Group Policy setting is implemented. Before you apply the hotfix, the EncryptCache policy is implemented as a Client Side Caching extension in Cscui.dll. After you apply the hotfix, the Cscui.dll client extension is used when this Group Policy setting is applied to a computer. The Cscui.dll client extension encrypts or decrypts the Client Side Caching cache, depending on your setting. This Client Side Caching extension is used in a privileged context. Therefore, an administrator does not have to log on to the computer interactively to encrypt the cache.

To apply this hotfix, make sure that you do both of the following:
  • Update the Active Directory Group Policy setting to reference the new Client Side Caching extension.
  • Install this hotfix on all your Windows XP-based computers.

    Note The local Group Policy System.adm file is also updated when you apply the hotfix.
While you apply this hotfix, your production environment may contain one or more of the following:
  • An old Active Directory Group Policy setting that does not have the Client Side Caching extension.
  • A new Active Directory Group Policy setting that has the Client Side Caching extension.
  • A Windows XP-based computer that does not have the hotfix applied.
  • A Windows XP-based computer that has the hotfix applied.
The following table explains what occurs when the old settings are mixed with the new settings.

| The CLIENTEXT line in the System.adm file and in the Active Directory Group Policy object | The Group Policy extension in Cscui.dll | Expected behavior |
|---|---|---|
| No | No | This is Windows XP without the hotfix installed. The encryption policy requires the administrator to be logged on to the client computer. |
| No | Yes | The Group Policy extension exists but is not used by the Group Policy engine. The original encryption code has been removed from Cscui.dll. Therefore, no encryption occurs in response to the Group Policy setting. |
| Yes | No | The Group Policy setting tries to use the Group Policy extension, but the Group Policy extension does not exist in Cscui.dll. The original encryption code exists in Cscui.dll and will be executed as in the original version of Windows XP. You must log on as an administrator to encrypt the Client Side Caching cache. |
| Yes | Yes | The hotfix is applied as a Group Policy extension. |

Based on this table, use the following deployment strategy.

Part 1: Modify the Active Directory Group Policy setting

To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:
  1. Update the System.adm file to include the CLIENTEXT line, as follows:
    POLICY !!Pol_EncryptOfflineFiles
       #if version >= 4
          SUPPORTED !!SUPPORTED_WindowsXP
       #endif
       VALUENAME "EncryptCache"
       EXPLAIN !!Pol_EncryptOfflineFiles_Help
          VALUEON  NUMERIC 1
          VALUEOFF NUMERIC 0
          CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
    END POLICY
    
    To find the System.adm location path for the Group Policy setting, follow these steps:
    1. Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
    2. Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
    3. Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:
      enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"
      The following example shows the gPCFileSysPath attribute:
      LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
       gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}
      Note The EnumProp tool is included in the Windows XP Resource Kit.
  2. Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:
    1. Use the Group Policy Editor snap-in to modify the Group Policy setting.
    2. Modify the "Encrypt the Offline Files cache" Group Policy setting.

      Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Part 2: Deploy the hotfix to your Windows XP-based computers

After you apply this hotfix, you may receive the following error message in the Application log:
18/03/2003 12:46:31 Offline Files Error None 16 N/A LLDN0114233 Encryption of the Offline Files cache failed with error 12.
If you receive this error message after Windows XP restarts, you can safely ignore it. Every time that Windows restarts, the "Encrypt the Offline Files cache" Group Policy setting determines whether the offline folder cache is encrypted. If the Client Side Caching database is not fully initialized, the policy logs this error message. Because the policy is refreshed at set intervals, you can safely ignore this error message.
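
The mixed-deployment table above can be turned into an audit that flags clients whose cache is left unencrypted during rollout (the policy side has no CLIENTEXT reference but the client already has the hotfix). This is an added example, not Microsoft's code: the function names, host names, inventory versions and tool GUID are hypothetical, and it assumes that a Cscui.dll at or above the hotfix version contains the extension.

```python
import re

CSE_GUID = "{C631DF4C-088F-4156-B058-4375F0853CD8}"  # CLIENTEXT GUID from this article
HOTFIX_CSCUI = (5, 1, 2600, 1656)                    # Cscui.dll version from the file table
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def adm_has_clientext(adm_text):
    """True if the Pol_EncryptOfflineFiles block in System.adm has the CLIENTEXT line."""
    block = re.search(r"POLICY\s*!!Pol_EncryptOfflineFiles\b(.*?)END\s+POLICY",
                      adm_text, re.S | re.I)
    if not block:
        return False
    for line in block.group(1).splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].upper() == "CLIENTEXT":
            return words[1].upper() == CSE_GUID
    return False

def gpo_references_cse(ext_names):
    """gPCMachineExtensionNames holds [{extension}{tool}...] groups; check each first GUID."""
    for group in re.findall(r"\[([^\]]*)\]", ext_names or ""):
        guids = GUID_RE.findall(group)
        if guids and guids[0].upper() == CSE_GUID:
            return True
    return False

def client_has_extension(cscui_version):
    """Assumption: a Cscui.dll at or above the hotfix version contains the extension."""
    return tuple(int(p) for p in cscui_version.split(".")) >= HOTFIX_CSCUI

def expected_behavior(policy_side, client_side):
    """The four rows of the article's mixed-deployment table."""
    if policy_side and client_side:
        return "encrypted by extension"
    if client_side:  # extension present, but the policy does not call it
        return "NOT ENCRYPTED"
    return "administrator logon required"

def audit(adm_text, ext_names, inventory):
    """Map each host to its expected behavior; the policy side needs both references."""
    policy_side = adm_has_clientext(adm_text) and gpo_references_cse(ext_names)
    return {host: expected_behavior(policy_side, client_has_extension(ver))
            for host, ver in inventory.items()}

# Constructed sample data (hypothetical host names, versions and tool GUID).
OLD_ADM = 'POLICY !!Pol_EncryptOfflineFiles\n VALUENAME "EncryptCache"\nEND POLICY\n'
NEW_ADM = OLD_ADM.replace("END POLICY", " CLIENTEXT " + CSE_GUID + "\nEND POLICY")
EXT_NAMES = "[" + CSE_GUID + "{00000000-0000-0000-0000-000000000001}]"
INVENTORY = {"XP-PATCHED": "5.1.2600.1656", "XP-UNPATCHED": "5.1.2600.1106"}

if __name__ == "__main__":
    for adm in (OLD_ADM, NEW_ADM):
        print(audit(adm, EXT_NAMES, INVENTORY))
```

Any host reported as "NOT ENCRYPTED" is in the table's No/Yes row, which is why the article has you update System.adm and the Group Policy object before deploying the hotfix to clients.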

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The "Encrypt the Offline Files cache" Group Policy setting determines whether offline files are encrypted. Offline files reside on a user's local drive, not on the network. Offline files are stored in a local cache on the computer. Encrypting this cache helps improve security on a local computer. If the cache on the local computer is not encrypted, any encrypted files that are cached from the network are not encrypted on the local computer. This situation may pose a security risk in some environments.

Notes
  • If you enable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are encrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot decrypt Offline Files through the user interface.
  • If you disable the "Encrypt the Offline Files cache" Group Policy setting, all files in the Offline Files cache are unencrypted. This includes existing files and files that are added later. The cached copy on the local computer is affected, but the associated network copy is not affected. The user cannot encrypt offline files through the user interface.
  • If you do not configure the "Encrypt the Offline Files cache" Group Policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation finishes so that the cache is fully encrypted. The cache does not return to the unencrypted state. The user must have administrator permissions on the local computer to encrypt or to decrypt the Offline Files cache.
  • By default, the access control list (ACL) helps protect the Offline Files cache on an NTFS file system partition.

REFERENCES

For more information about the terms that are used in this article, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 810859 - Last Review: August 29, 2007 - Revision: 5.2
APPLIES TO
  • Microsoft Windows XP Professional