Access denied to client computers

ARD 3.x
client machines have all been updated.
I had ARD 3 up and running smoothly but after changing the administrator password on the client machines I now have "accessed denied" showing on the computer list in ARD on my administrator machine.
If I change the administrator password back to the original one on the client machines ARD once again recognizes the client and works fine.
I'm missing something in the setup I'm sure but don't know what it is.

Good question. Yes, I did clear the list and then created a new Scanner then added the computers from that. No help.
What I finally poked around and found was that double-clicking on the computers in the list opened a window that allowed me to edit the password of the client machine. This took care of the problem. I was not able to change a group of computers so had to change all 27 one at a time.
Thanks Dave.

Similar Messages

Financial Reporting 11.1.1.3 Client "Access Denied" connecting to HFM

Hi,
I have installed Financial Reporting 11.1.1.3 Client on a PC running Windows Vista 32 bit SP1. When I try to access to a report created form another PC that connects to HFM, it says "Error connectiong to server" and "Cannot connect to database "X": Access Denied". The native user is the same that created the report; on the same machine, I can succesfully access HFM applications from HFM client and Rule editor.
Any idea?
Thanks

Dear John,
How to install latest Version of Hyperion HFM
1) I had downloaded Hyperion Enterprise Performance Management System Foundation Services, Product specific Essabase and Financial Management , and unzip into common folder . but stll iam not able to see Installtool.cmd
which part i have still dowloaded.
Regards
Amit

Access denied report App\Client SDK

Server crashed, therefore I reinstalled Crystal Reports 9 & Crystal Enterprise 9 and attempting to rebuild the ASP pages which pass report parameters. The error received is:
Technical Information (for support personnel)
Error Type:
webReporting.dll (0x80004005)
Access denied. Please check directory setting for files you can access.
/HTMLViewers/reportgenerator.asp, line 31
Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)
Page:
GET /HTMLViewers/reportgenerator.asp
Line 31 on the page reads:
.processHttpRequest Request, Response, Session
Running the registry moniter I receive an access Denied for hklm\software\Crystal Decisions\9.0\report App\client SDK
This is my first time on the forum, hope I explained myself properly.

Thanks Shaun, I appreciate your link for the process monitor application. This replaces my older seperate reg mon & file mon apps.
I have now been able to determine that my application is getting to where it is calling the cachemanager.dll and it is experiencing the problem. I tried manually registering this dll and receive the error Loadlibrary("cachemanager.dll")failed. GetLastError Returns 0x00000007e.
If I change the ASP pages to a very simple process, it will run the demo report, and my report. Once I attempt to use the ASP page with the login requesst, and parameter call I receive this error.
Error Type:
webReporting.dll (0x80004005)
The system cannot find the path specified.
/HTMLViewers/reportgenerator.asp, line 31
Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)
Page:
GET /HTMLViewers/reportgenerator.asp
The reportgenerator ASP page which is causing this error is:
trace.write(category,message)
trace.warn(category,message)
<%@ Language="VBScript"%>
<%
'Declare variables for the report viewer and the ObjectFactory objects, and create the ObjectFactory object.
Dim ObjectFactory, userName, password
dim clientid
dim reportid
clientid = request.querystring("Clientid")
session("Clientid") = clientid
reportid = request.querystring("reportid")
' open a report
' copy this report to "Report Directory" in RAS Configuration Manager
Session("ReportName") = "C:\Program Files\Crystal Decisions\Report Application Server 9\Reports\logonparm\" & reportid
userName = "SYSDBA"
password = "masterkey"
'Create the ObjectFactory for use in creating other Crystal Objects
Set ObjectFactory=CreateObject("CrystalReports.ObjectFactory.2")
'Instantiate the Server Control object which allows us to collect information about the required
'inputs to run the report
Set ServerControl = ObjectFactory.CreateObject("CrystalReports.CrystalReportServerControl")
With ServerControl
 .ReportSource = Session("ReportName")
 .EnableLogonPrompt = False ' Set this to false so that we can override the controls prompting for logon
 .processHttpRequest Request, Response, Session
End With
Set Session("ReportParameters") = ServerControl.ParameterFields
' Set Login info for all connections
' ***************** Added to logon using Viewer SDK *****************************
Set connectionInfos = serverControl.databaseLogonInfos
For x=0 To connectionInfos.count - 1
 Set connInfo = connectionInfos.Item(x)
 connInfo.UserName = CStr(username)
 connInfo.Password = CStr(password)
Next
For each parameter in Session("ReportParameters")
 Set parameterField = parameter
 paramName = parameterField.Name
 if paramName = "INTERFACE ID" then
 Dim paramValue
 Set paramValue = ObjectFactory.CreateObject("CrystalReports.ParameterFieldDiscreteValue")
 paramValue.Value = session("Clientid")
 parameterField.CurrentValues.RemoveAll
 ' Add this value to current value list
 parameterField.CurrentValues.Add paramValue
 end if
Next
Set clientDoc = CreateObject("CrystalClientDoc.ReportClientDocument")
clientDoc.Open session("ReportName")
set session("oclientdoc")=clientdoc
Session("pathReport") = pathReport
Set Session("connectionInfos") = connectionInfos
Response.Redirect "Viewer.asp"
%>
My appologies if I do not explain my problem well. I am not an ASP programmer, and am desperatly looking for assistance to resolve this problem. If anyone can refer a contract programmer that would be interested and capable of assisting me, that would be appreciated. I believe I am close to resolving this problem. I purchased a support session only to find out that this version is no longer supported.

Client host rejected: Access denied

Getting a ton of bounced back emails most likely the address is no longer in use but I filtered out any of the emails that say so. I'm no professional at this thats why I'm looking for help here. I tried searching for the problem on the forum but found
stuff about server 2003.
Im getting alot of the kickbacks saying Client host rejected: Access denied
I've tried emailing the recipient on my personal Gmail and recieved the same error. can we safely say that the addresses are no longer in use that i'm getting these kickbacks? heres the full header for anyone
who wants to look.
The original message was received at Wed, 5 Mar 2014 15:29:34 -0500 from odbmap07.extra.chrysler.com [129.9.107.35]
 ----- The following addresses had permanent fatal errors ----- <mail address here>
 (reason: 554 5.7.1 <unknown[151.171.97.83]>: Client host rejected: Access denied)
 ----- Transcript of session follows ----- ... while talking to odbmap07.out.extra.chrysler.com.:
<<< 554 5.7.1 <unknown[151.171.97.83]>: Client host rejected: Access denied
554 5.0.0 Service unavailable
We are using someone to host our email server for more information.
I use a program called G-Lock easy mail to send out our newsletter.

Hi,
Which email client are you using to send and receive emails? G-Lock?
Please refer to the links below and check if they help:
http://www.symantec.com/business/support/index?page=content&id=TECH169847
http://support.mailhostbox.com/email-administrators-guide/error-codes
In addition, if you are not using Microsoft Outlook as your email client, it's better to contact the support for your mail client for further assistance.
Best Regards,
Steve Fan
TechNet Community Support

Access denied while loading jar files from client

I am creating a platform
that can be started by JWS
and then load plug-ins from client drive.
I've signed my platform (packaged as a jar file),
and set up the security tag in my jnlp,
so that it can access client files.
The plug-ins are packaged as jar files.
And in one of the plug-ins, there is a class that has a JFileChooser field.
While initializing this field, the AccessControlException is thrown.
I can't figure out what is wrong,
So I tried to sign the plug-in, but the problem stands still.
PS. I have made my own ClassLoader,
and this platform works well without JWS.
Please help me, thanks.
Below is the error message:
Java Web Start 1.4.2 主控台,已啟動 Fri Jul 02 01:31:17 CST 2004
Java 2 Runtime Environment:版本 1.4.2,作者:Sun Microsystems Inc.
/*my own log message*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate /*this is my own classloader*/
配置: activate jar=\Plugins\Common.jar /*load plug-in Common.jar*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: collect resources /*collect other jar files needed by Common.jar*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: load plugin=\Plugins\Common.jar
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: activating class name=filemanager.FileManager /*instantiate plug-in component*/
java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
 at java.security.AccessControlContext.checkPermission(Unknown Source)
 at java.security.AccessController.checkPermission(Unknown Source)
 at java.lang.SecurityManager.checkPermission(Unknown Source)
 at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
 at java.lang.System.getProperty(Unknown Source)
 at java.io.Win32FileSystem.getUserPath(Unknown Source)
 ... /*cut*/
 at javax.swing.JFileChooser.<init>(Unknown Source)
 at filemanager.Open.<init>(Open.java:20)
 at filemanager.FileManager.<init>(FileManager.java:38)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 ... /*cut*/
 at java.lang.Class.newInstance(Unknown Source)
 at pluginmanager.Activater.activate(Activater.java:120)
 at pluginmanager.PluginManager$ActivateAction.actionPerformed(PluginManager.java:53)

When running under Java Web Start, a security manager is installed.
Since you have created your own classloader, you are responsible for assigning permissions to the classes you load.
You can change you class loader to extend SecureClassLoader, then override getPermissions:
protected PermissionCollection getPermissions(CodeSource codesource) {
PermissionCollection perms = super.getPermissions(codesource);
/* add whatever permissions you want your code to hance*/
perms.add( ... );
/* or just add all-permissions */
perms.add(new AllPermission());
or - you can just remove the Security Manager:
System.setSecurityManager(null);
/Dietz

Error (access denied) when starting Client Runtime Audit Browser

LS,
After starting the OC4J instance, I try to start the Client Runtime Audit Browser. For a brief moment I see a DOS-box, then an IE-page appears saying the following:
======================================================
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://127.0.0.1:8999/owbb/RABLogin.uix
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
======================================================
Any idea whether this is a local problem?
I've tried applying the settings as mentioned in the configuration guide, but the Bypass option for the proxy is impossible to set since we do not use a proxy server.
Your thoughts?
Regards, Patrick

Good morning All,
Maybe I've got the wrong idea of what is all needed to be able to run the RAB locally, but I thought that starting the OC4J instance would be sufficient to get started.
In the Installation and Configuration Guide the following is mentioned:
2.7 Step 6. Configure the Web Browser for Design and Runtime Audit Browsers
2.7.1 Add "LOCALHOST" to Your Web Browser Proxy Server Bypass List
2.7.2 Configure the Cache Management in Your Web Browser
2.7.3 Configure Warehouse Builder with a Net Service Name
As said before:
@2.7.1, we do not use a proxy (according to Internet Explorer settings) therefore I can't add 'localhost' to the bypass-list, but then again I think that it does not need to be, since there is nothing to be bypassed in the first place.
2.7.2 has been implemented.
@2.7.3, I added the net service name manually to TNSNAMES.ORA (since I also needed that to be able to get on to the database using TOAD and SQL*Plus).
We do not have 9iAS integration for RAB, nor do we have OEM integration.
Are there other things that need to be implemented? Mentioned so far have been HTTP-server and RTP services, but paragraph 2.7 does not mention anything about this. Maybe there are certain services that need to be running on the server (like HTTP and/or RTP), even though I would like to run the RAB locally?
Where does one actually need RTP for?
Thanks in advance.
Cheers, Patrick

Access denied against DP for untrusted clients

Hi,
I have an SCCM 2012 R2 environment.
There are a few clients in an untrusted domain behind a firewall.
DP's and MP's are not configured for SSL. The following ports have been opened to the MP and DP's.
TCP 80
TCP 10123
TCP 2710
DNS or AD for the untrusted servers have not been extended with SCCM data.
Clients were installed on the untrusted servers using the SMSMP switch.
After installation the clients appeared in SCCM and were manually approved.
Boundaries exist for the lcients associated with the correct boundary group for site system assignment
Since installation the clients have successfully discovered MP's, DP's and performed inventories
There is however a problem with software deployment.
The clients try to download content as expected from the correct DP's however the log files show 80070005 therefore access denied.
There is anetwork access account configured for the site which definatley works because we have no OSD issues.
Am I right in thinking that these untrusted clients should revert to using the network access account when they get an access denied ?
If so what may prevent them from doing this
Thanks,
Jim

Hi Jason,
The clients are running server 2012 R2
Here are some log snippets with server names and site codes editied.
CAS.LOG
Location update from CTM for content xxx00043.2 and request {D6BA950D-1DB5-4FDE-8B61-C73A3D4A96A6} ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
Download location found 0 - http://server1/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
Download location found 1 - http://server2/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
Download location found 2 - http://server3/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
Download request only, ignoring location update ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
Download started for content xxx00043.2 ContentAccess 11/01/2015 02:06:57 3872 (0x0F20)
Download failed for content xxx00043.2 under context System, error 0x80070005 ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
Download failed for download request {D6BA950D-1DB5-4FDE-8B61-C73A3D4A96A6} ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
Raising event:
[SMS_CodePage(850), SMS_LocaleID(2057)]
instance of SoftDistDownloadFailedEvent
ClientID = "GUID:820D9280-13A5-4295-9250-CF675073FF35";
DateTime = "20150111020658.235000+000";
MachineName = "client";
PackageId = "xxx00043";
PackageName = "xxx00043";
PackageVersion = "2";
ProcessID = 4188;
SiteCode = "S01";
ThreadID = 5392;
ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
Successfully raised Download Failed event. ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
ContentTransferManager.log
Starting CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571}. ContentTransferManager 11/01/2015 06:06:58 6528 (0x1980)
Created CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} for user S-1-5-18 ContentTransferManager 11/01/2015 06:06:58 6528 (0x1980)
Created and Sent Location Request '{0D80A8A2-2E69-47E6-9E22-419F6612DB85}' for package xxx00043 ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
Queued location request '{0D80A8A2-2E69-47E6-9E22-419F6612DB85}' for CTM job '{369AA46C-CF9F-4DD2-AE50-45874D28F571}'. ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
Persisted locations for CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571}:
(LOCAL) http://server1/SMS_DP_SMSPKG$/xxx00043
(LOCAL) http://server2/SMS_DP_SMSPKG$/xxx00043
(LOCAL) http://server3/SMS_DP_SMSPKG$/xxx00043 ContentTransferManager 11/01/2015 06:06:58 6132 (0x17F4)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} (corresponding DTS job {4E1EF8CA-6985-4D42-99F0-3107B7589CA6}) started download from 'http://server1/SMS_DP_SMSPKG$/xxx00043' for full content download. ContentTransferManager 11/01/2015 06:06:58 6132
(0x17F4)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 3204 (0x0C84)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} switched to location 'http://server2/SMS_DP_SMSPKG$/xxx00043' ContentTransferManager 11/01/2015 06:06:59 3204 (0x0C84)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 6528 (0x1980)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} switched to location 'http://server3/SMS_DP_SMSPKG$/xxx00043' ContentTransferManager 11/01/2015 06:06:59 4672 (0x1240)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 304 (0x0130)
CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} encountered error 0x80070005 during download ('Error processing manifest.')- The error maps to denied access. ContentTransferManager 11/01/2015 06:06:59 6528 (0x1980)
Let me know if any other specific log files will give more clues
Thanks,
Jim

Access denied error in a popup for most of the clients.

Hi all,
 i implemented the search help in a popup. its working well in some clients and in some clients it's not .
 here clients means not different browsers different workstations.
 the problem is .
 from the popup i am setting the opener field value.
the code is as follows.
 parent.document.getElementById("XXXXX").value ="XY";
 here i am getting the Access denied error on some clients and some clients the value is getting set.
 how could i overcome this problem,
Regards,
shiva.

Hi
 i tried how was it in the thread mentioned in the above reply, but not getting it .
but what i noticed is
 if my server domain is like ABC.COM it's working .
 if the server domain is like ABC.XXX.COM then it's not working
Any suggestions will be appreciated.
Regards
shiva.

Access denied when trying to connect client cd rom to vm

Hey guys,
One of my users is using the client to build a vm, tries to connect their cdrom using the client and gets access denied. What is the minimum permissions needed to be able to connect a remote physical cd rom to a vm? VC 2.5, esx 3.0, I believe they currently have virtual machine power user role on the object.
Respectfully,
Matthew
Kaizen!

Hey Guys,
I think there is something else going on here Probably not permissions or roles, maybe a service needs restarting? The user gets the following error:
Exception of type Vmomi.fault.no permission' was thrown
Ideas?
Respectfully,
Matthew
Kaizen!

Error 5: Access Denied can not start the DHCP Client service on Local Computer.

Ran into this error problem with both the DHCP and BFE service. Neither will start and both give me the same error code 5 access denied.
Found this little nugget below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
Right click and choose Permissions. There should be the following:
System = Full Control
Local Service = Read
Network Service = Read
Local Admin = Full Control
Local Users = Read
Dhcp = Read with special permissions
No problem adding the missing Local Service and Network Service. How does one add Dhcp? Is there a way to create this because under permissions there is no way to add this or search it up. Is there a NetSH reset command that will add this in for me?
The Netlogon service was not running and to get the Netlogon service going I ran NetSH int ip reset and it started to work. The other services were not running either and I was hoping they would after resetting IP
Any ideas on to fix this problem? Also, the user turned off the laptop when it was doing updates. Still I do not think it would have created this headache.
TIA
Spammer Hammer

Hi,
Was your issue resolved?
If no, please reply and tell us the current situation in order to provide further help.
Karen Hu
TechNet Community Support

Clients can't save to the server, access denied no permissions, how to give permission?

I set up my school lab with an xserv 10.6.8. Everything was fine in terms of the users logging in to their respective groups. However, they weren't able to save anything to the server , they had access denied errors or you don't have permissions, even the keychain app was giving the users an error that said it couldn't save to reset to default values. Anyhow, I tried using the Server Admin application to propagate permissions, selected the hard drives and propagated permissions by clicking all the selections in the dialog. Now, the server wont start and only shows the grey Apple and the spinning gear, please help, I am so frustrated, I was so close to have this server running. All I want is to be able to have the students in my school log in to the server from the computer lab and save their work on the server. Simple service, I have running AFP, OD, DNS and SMB. I don't knowe if SMB is neccesary either.

Yes, I created the users using WGM home tab and then clicking on the create home now and then save. No, I didn't use terminal with the command, maybe that's one of the things I needed to do so that the problems with permissions wouldn't show. I used the secondary HD to create the sharepoint folder "Users" and that's the folder I used when creating the home directory for that specific part of the setup. My setup is pretty simple, I just want a Groups folder(sharepoint) where I can store the diffrent grades or classes that come to my lab and I have a "Users" folder(sharepoint) where the kids can use to login and save their work. Later, I may add another folder to place videos so that the folder can mount when they log in and all they have to do is go to the folder and double click on the video. Can you ellaborate more on how to use the command with terminal? Would the "a" be the name of the sharepoint? I created the folders using Server Admin, I believe that clicking on the sharepoint button, there is another button that says "new", would that be the correct way to do it? When I get back to school tomorrw I will post more specifics on the way that I setup the server and maybe it will give you a better picture of how I did it.
I really appreciate your assistance, I am trying to use the limited knowledge I have to setup this lab which will enable me to do a lot of things with the kids and make their lives easier, so they don't have to bring flash drives to save their work. Thanks again for your time!

Adobe Reader 11.0.06 "There was an error opening this document. Access Denied"

Windows 7 64-bit
If I go into My Windows 7 Documents Library folder (which is redirected by Group Policy to a network share), I get "There was an error opening this document. Access Denied". If I then map a drive to the share, I can open the PDF without the error message.
I've read a workaround for some time now for older versions has been to uncheck Enable Protected Mode at startup under Security (Enhanced) in Preferences. I find this does work but this is probably not the best way to handle this situation.
I've also read one person removed the desktop.ini on the desktop to resolve.
Is there any official response from Adobe on this issue that I can be pointed too? Are others still having this issue?
We plan to update several thousand clients and I'd like resolve this issue before we do.

We tried 11.0.05, 11.0.06 and 11.0.07 with the same result on different computers with different local Admin accounts.
When we re-install 10.1.0 the issue is gone and Protected Mode is enabled.
We then returned to 11.0.06 or 11.0.07
I'm logged in with a local Admin account.
I turned on Protected Mode Logging and captured what happens when I attempt to double click a pdf file in my Documents Library with 11.0.06 installed. Access Denied.
I then doubled clicked the file from a drive mapped to the same share and the file opened.
[06:11/16:02:40] Adobe Reader Protected Mode Logging Initiated
[06:11/16:02:41] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:41] real path: \REGISTRY\MACHINE\Software\Adobe
[06:11/16:02:41] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:41] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:41] real path: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Adobe
[06:11/16:02:41] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:41] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:41] real path: \??\Volume{a758d00a-e81c-11e2-b856-806e6f6e6963}\$Extend\$Reparse:$R:$INDEX_ALLOCATION
[06:11/16:02:41] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:41] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:41] real path: \??\UNC\nawrcs-bbc1fs\mousers\u212940\Documents\Citrix Adding a Printer.pdf
[06:11/16:02:41] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:41] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:41] real path: \??\UNC\nawrcs-bbc1fs\mousers\u212940\Documents\Citrix Adding a Printer.pdf
[06:11/16:02:41] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:46] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:46] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:46] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:47] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \??\C:\Users\c702939\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
[06:11/16:02:47] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:47] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \??\C:\Users\c702939\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
[06:11/16:02:47] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:47] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:47] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:47] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:47] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:47] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:47] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:47] NtCreateKey: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \REGISTRY\USER\S-1-5-21-1691402968-2266345157-3523873211-67461\Software\Adobe\Adobe Acrobat
[06:11/16:02:47] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[06:11/16:02:47] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:47] real path: \??\C:\Users\c702939\Desktop\desktop.ini
[06:11/16:02:47] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[06:11/16:02:48] NtCreateFile: STATUS_ACCESS_DENIED
[06:11/16:02:48] real path: \??\C:\Users\c702939\Desktop\desktop.ini
[06:11/16:02:48] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY

EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up WinDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with 2pc: \\fileserver and \\clientpc
When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
(on behalf of the clienpc's data request).
This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
 1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
 EFS operations occur on the computer storing the files.
 EFS files are decrypted then transmitted in plaintext to the client's computer
 This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
 2) SOLVE by setting up WebDAV (efs files accessed through web folders)
 EFS operations occur on the client's local computer
 EFS files remain encrypted during transmission to the client's local computer where it is decrypted
 This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
 BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
 READ BELOW as this does
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
EFS.
NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
 a) START ... CMD
 b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
 c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
 1 click START and type "Turn Windows Features On or Off" and open the link
 a) scroll down to "Internet Information Services" and expand it.
 b) put a tick in: "Web Management Tools" \ "IIS Management Console"
 c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
 d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
 e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
 f) click ok
 g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
 a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
 a) on the "Anonymous Authentication" and click "Disable"
 b) on the "Windows Authentication" and click "Enable"
 NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
 It can be by changing registry key:
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
 BasicAuthLevel=2
 c) on the "Windows Authentication" click "Advanced Settings"
 set Extended Protection to "Required"
 NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
 a) on the right side, under Actions, click "Add Allow Rule"
 b) set this to "all users". This will control who can view the "Default Site" through a web browser
 NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
 NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
 a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
 a) on the right side, under Actions, click "Edit Feature Settings"
 b) tick the box "Allow double escaping"
 *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
 These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
 This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
 a) set the Alias to something sensible eg "D_Drive", set the physical path
 b) it is essential you click "connect as" and set
this to a local user (on fileserver),
 if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
 NB: the user account selected here must have the required EFS certificates installed.
 See
here and
here
 NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
 This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
 The work around is on the \\fileserver create an NTFS symbollic link
 e.g. to share the entire contents of "D:\",
 on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
 in cmd in this folder create an NTFS symbolic link to "D:\"
 so in cmd type "cd c:\inetpub\wwwroot"
 then in cmd type "mklink /D D_Drive D:\"
 NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
 NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
 a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
 b) if some exist review existing allow or deny.
 Take care to not only review the "allow access to" settings
 but also review "permissions" (read/write/source)
 NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
 a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
 NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
 b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
 a) On Windows 7 you need only change one tiny registry value:
 - click START, type "regedit", open link
 -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
 -on the EDIT menu click NEW, then click DWORD Value
 -Type "DisableEFSOnWebDav" to name it (no speech marks)
 -on the EDIT menu, click MODIFY, type 1, then click OK
 -You MUST now restart this computer for the registry change to take effect.
 b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
 NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
 a) make sure WebClient Service is running
 (click START, type "services" and open, scroll down to WebClient and check its status)
 b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
 It should show the default "IIS7" image.
 If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
 c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
 e.g. http://localhost/D_drive
 If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
 a) make sure WebClient Service is running
 (click START, type "services" and open, scroll down to WebClient and check its status)
 b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
 eg if your server's computer name is "fileserver" go to "http://fileserver:80"
 It should show the default "IIS7" image. If not, check firewall and port blocking.
 Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
 c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
 eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
 A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
 a) click the "Connections" tab at the top
 b) click the "LAN Settings" button at the bottom right
 c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
 a) click START, type "regedit", open link
 b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
 c) click on "FileSizeLimitInBytes"
 d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
 a) click on "Security" (top) and then "Custom level" (bottom)
 b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
 SUCH an easy fix. SUCH an annoying problem on a clientpc
 NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
explorer.
TEST SETUP
17 On the client use the normal "map network drive"
 e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
 e.g. CMD: net use * "http://fileserver:80/C_drive"
 If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
 a) On a clientpc, map network drive to http://fileserver/
 b) navigate to a folder you know on the \\flieserver is encrypted with EFS
 c) create a new folder, create a new file.
 IF it throws an error, check carefully you mapped to the WebDAV and not file share
 i.e. mapped to "http://fileserver" not "\\fileserver"
 Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
 d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
 e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
clientpc decrypted it then copied it).
 If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
 If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
 a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
 If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
 a) see the last comment at the very bottom of
this page:
Points to consider:
 - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
 It is implimented above, see (11) above
 Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
 This one took me a long time to track down to "network location".
 Win 7 uses network locations "Home" / "Work" / "Public".
 If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
 This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
 FIX = either set IP address manually and specify a gateway
 FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
 FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
 By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
 Read
here (i've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

Offline Files sync gives Access Denied on Windows 8.1 Enterprise

A small number of our staff have now been issued with Windows 8.1 Enterprise hybrid tablet computers, however there is a problem with using Offline Files on them - when synchronising, it responds "Access Denied".
The tablets have Windows 8.1 Enterprise with all the latest updates on them. Staff users have a home folder on the network under \\server\staff\homes\departmentname\username which gets mapped to U: and their My Documents is redirected there. The server is currently
Windows Server 2003 R2 SP2.
We have tried:
Resetting the Offline Files cache using the FormatDatabase registry key
Using Group Policy Objects to force Offline Files synchronisation at logon and logoff
Clearing the local cached copy of the user's profile from the machine and getting them to log back on to recreate it
Setting up Offline Files event logging to the event viewer - this provides no useful information as it only logs disconnect/reconnect and logoff/logon events
Forcing Group Policy update using gpupdate /force
Forcing synchronisation using PowerShell and https://msdn.microsoft.com/en-us/library/windows/desktop/bb309189%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
As suggested by http://support.microsoft.com/kb/275461 we gave the All Staff security group Read permissions on F:\Staff (which is the one that is shared as \\server\staff) and then blocked inheritance for folders below that
We also checked the following:
The CSC cache has not been relocated
No error 7023 or event 7023 errors relating to Offline Files are present in the event logs
The Offline Files service is running
The OS is already Windows 8.1 Enterprise, so installing the Pro Pack is not applicable
In HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls all the values are set to 0 and not 1
We do not use System Center Configuration Manager
No errors were found in the Folder Redirection event logs
None of these solved the problem, does anyone have any suggestions?
Here is the error we are seeing:
Thanks,
Dan Jackson (Lead ITServices Technician)
Long Road Sixth Form College
Cambridge, UK

Hi,
Generally speaking, this problem is most probably occurs at File Server Client.
Firstly, please check the sharing file Sync Settings.
Shared file properties\Sharing\Advanced Sharing\Caching
Also check shared file user list, make sure these problematic user account have full permission.
On the other hand, could you able to access to the shared file directly in Windows Explorer?
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Yes, the user can access the shared folder in Windows Explorer. The user has the following permissions:
Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Delete
Read Permissions
Here is a screenshot of how the Caching settings are set up on the top-level Staff share.

WSUS throwing 13002, "Client computers are installing updates with a higher than 25 percent failure rate. This is not normal."

Hello,
Within the past two months our WSUS Server started throwing error 13002, "Client computers are installing updates with a higher than 25 percent failure rate. This is not normal." We currently have 252 computers with errors in WSUS,
and 33 updates with errors. We have never had issues up until two months ago. If you keep rebooting the machine, and keep running updates, they eventually all install. I believe I will see the machines with errors go away as the weekly scheduled
WSUS install runs over and over, and the machines reboot.
- We run IE8 in our environment and sometimes IE9.
- We have 300 clients, all running Windows 7 SP1 x64.
- Our WSUS server is running on Server 2008 R2. The WSUS build number is 3.2.7600.262.
- We created an alternate WSUS 4.0 server on Server 2012, and redownloaded all updates. We put one client on it and it is showing errors on 3 updates, KB890830, KB931125, and KB2917500.
- Clients are throwing errors 800F0902, 80242016, and 80070005.
- I've noticed something with the C:\Windows\SoftwareDistribution\Download folder on the clients. When an update runs and fails, there is a "Install" folder created inside this folder. If you try to open it after the failure you get
"Access Denied" If you reboot the machine, the install folder goes away. (I assume this is a temp folder created to run updates). I've checked the permissions on this folder on various machines and all seems normal. I think
this is the root of the problem, and why we need to keep rebooting to get all of the updates to run.
- I tried deleting the Software Distribution folder on a client after stopping the update service, then restarting the update service. The folder redownloads but the client still throws errors.
- I've gone through our Group Policies looking for anything that can cause this and found nothing. We've created a test OU blocking inheritance, and only applying a WSUS policy in it to make it get the updates internally. I then rebuilt multiple
machines using Dell KACE, and still had failures.
- We run SEP 11 and 12 on our clients. I've tried removing the AV, making sure the firewall was off, etc. It still throws errors.
- I've spoken with our network team, and installed wireshark on a few clients looking for network errors and found nothing.
- I've tried various Dell KACE scripted installs on test machines (erasing and rebuilding the machines from scratch), after which I run Windows Updates from WSUS. They have thrown errors.
- I've rebuilt a machine using Dell KACE, undomained it, then ran updates externally from WSUS going to Microsoft's site, and I'm still getting errors.
- I've tried removing all software from the Dell KACE build to where it is just installing the OS and I'm still getting errors.
- I tried taking a plain Windows 7 x64 DVD and installing that on a test machine, then without domaining it and without installing any other software, running updates from Microsofts update site. This seems to work, althrough it does throw some errors
but I believe those are related to having to reboot your machine in order to complete the updates (I can't remember that error code at the moment).
Has anyone else been experiencing this? Any suggestions as to how I can fix this?

Hi,
Error 800f0902
Please try the method in this thread:
Error
Code: 800f0902
Error 80242016
If you receive Windows Update error 80242016 while checking for updates, it might be caused by a connection interruption between your computer and the Windows Update servers.
80070005
Usually means access denied
Since it worked perfectly for a while, did you make any change on the server? Any applications new installed on clients?

Access denied to client computers

Similar Messages

Maybe you are looking for