Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)

As we just explored, most policy settings for Offline Files are duplicated in both the User and Computer halves of Group Policy. But several settings appear only on and apply only to the Computer half.

Allow or Disallow Use of the Offline Files Feature

Previously, in Windows 2000, this policy setting was called Enabled, a really horrible name; so I'm glad they renamed it for Windows 2003. This policy setting is similar to the Prohibit user configuration of Offline Files setting discussed in the previous section. Once that policy setting is enabled, the Offline Files feature is active, and users cannot turn it off. If this policy setting is enabled, Offline Files is enabled, but users can change the settings. If no additional GPOs are defined, the defaults are used. Once this policy setting is disabled, the target machine's Offline Files tab in the "Folder Options" dialog box (seen in Figure 9.23) has grayed-out check boxes, and Offline Files is disabled.

Recall that Offline Files is enabled only for Windows 2000 Professional and Windows XP. It's disabled for servers by default. You can use the Allow or Disallow use of the offline files feature policy setting to your advantage to turn on Offline Files on all your Windows 2000 Servers or Windows Server 2003 computers easily (not that you would need to, as it's highly unlikely your servers will often be offline). Note that Windows Server 2003 requires that Remote Desktop Connections be disabled in order for Offline Files to function. See the sidebar titled "Offline Files and Windows 2000 Server and Windows Server 2003" earlier.

Warning 

If you enable this feature, it should kick in right away (when the background refresh interval hits). However, disabling this feature is another story. If one or more files are open in the cache when you try to disable the feature, that disable operation will fail; a reboot is required. You can experience the same behavior when trying to disable the feature through the user interface.

Default Cache Size

This corresponds to the "Amount of disk space to use for temporary online files" slider in the Offline Files tab in the Folder Options dialog box, as shown in Figure 9.23 earlier in this chapter. You can control what percentage of the C: partition is available for automatic caching.

If you enable this policy setting, you must enter a whole number that represents what percentage of the partition you will be using. If you want to use 31 percent, enter 3100. (The total range begins at 0 percent, then can be set to 100 or 1 percent, and ends at 10,000 or 100 percent.) This setting is then locked in, and users can't change it. If you disable this policy setting, the default of 10 percent is locked in, and users can't change it. Remember that this has a maximum size of only 2GB. Since this policy setting works with a percentage value, it can be difficult to know if that percentage exceeds 2GB on any target volume.

Warning 

You might need to reboot the target machine for this policy setting to take effect. It does not always work when a background refresh is kicked off.

Files Not Cached

By default, several file extensions cannot be cached, due to their sensitive nature. Microsoft is concerned that especially large files will be shuttled up and back with just 1 byte changed. Therefore, the synchronization is hard-coded not to cache certain file extensions, most notably databases. That is, for extra protection, Microsoft prevents databases from being cached. The following file types cannot be cached:

  • .pst (Outlook personal folder)

  • .slm (Source Library Management file)

  • .mdb (Access database)

  • .ldb (Access security)

  • .mdw (Access workgroup)

  • .mde (Access compiled module)

  • .db? (Everything that has the extension .db plus anything else in the third character, such as .dbf, is never included in the cache.)

If you enable this policy setting, you can add to this list. For instance, you can add your own file types in the form of *.doc, *.exe, and *.jam to also eliminate the caching of only .doc, .exe, and .jam files. In my testing, there appears to be no way to allow the caching of the hardcoded database files listed earlier. If users try to synchronize any of these file types, the Synchronization Manager balks with a "Files of This Type Cannot Be Made Available Offline" message. Windows XP/Service Pack 2 adds the capability to turn off the error every time users log synchronize. Although it is basically a manual endeavor, the hacks are described in KB 811660 in the section titled "Exclusion Error Suppression."

At Logoff, Delete Local Copy of User's Offline Files

This policy setting sort of defeats the purpose of using Offline Files in the first place. Its main purpose is for logon use at a kiosk-style machine. That is, a user logs on for a bit and then logs off. You'll want to ensure their Offline Files are cleaned up behind them. Another reason I can see using this policy setting is to prevent files from being lifted off a user's hard drive. Theoretically, you can do this by digging around in the c:\windows\CSC folder. Even if the files are deleted at logoff, a good hacker could theoretically get the files back via an "undelete" program of some type.

Moreover, this policy setting doesn't guarantee a synchronization before it wipes the local cache clean upon logoff. Therefore, it is highly recommended that if you use this policy setting, you pair it with the "Synchronize All Offline Files before Logging Off" option (seen in Figure 9.23), which will save your users' bacon. Avoid using this option unless you have some workstation that needs extra security and is infrequently used, and you don't mind if the occasional file gets lost when using it.

If protection is what you're after, and you have EFS set up for your laptop users, a better option (for Windows XP machines only) is to use the "Encrypt the Offline Files cache" policy setting, discussed shortly.

Subfolders Always Available Offline

This policy setting is useful if you want to ensure that all subfolders are also available offline. Essentially, it prevents users from excluding the ability to cache subfolders and makes subfolders available offline whenever their parent folder is made available offline. Any new folder a user creates under cached subfolders is automatically cached and synchronized when the parent folder is scheduled for synchronization.

Encrypt the Offline Files Cache

If you have EFS set up for your laptop users, enabling this policy setting is a good idea. By default, even files stored in an encrypted format on shares are not protected in the Windows 2000 file cache. With Windows XP, they can and should be.

Note 

This policy setting applies only to Windows XP and Windows 2003 computers.
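
The following check ties together the Default Cache Size, At Logoff, and Encrypt the Offline Files Cache sections above; it is an added example, not code from the book. The registry key and the value names (`Enabled`, `DefaultCacheSize`, `PurgeAtLogoff`, `SyncAtLogoff`, `EncryptCache`) are assumptions about what the Offline Files ADM template writes, so verify them against your own template, and the sample values are constructed.

```powershell
# Added example: audit Offline Files computer policy for the pitfalls described above.
# ASSUMPTION: the key path and value names below match your Offline Files ADM template.
$NetCacheKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'

function Get-OfflineFilesPolicy {
    # Read the policy values from the local registry into a hashtable.
    $p = @{}
    $item = Get-ItemProperty -Path $NetCacheKey -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $p[$_.Name] = $_.Value }
    }
    return $p
}

function Test-OfflineFilesPolicy {
    param(
        [hashtable]$Policy,      # value name -> DWORD
        [double]$VolumeBytes     # size of the volume that holds the cache
    )
    $findings = @()
    # Default Cache Size is stored as percent * 100 (3100 = 31 percent).
    if ($Policy.ContainsKey('DefaultCacheSize')) {
        $raw = [int]$Policy['DefaultCacheSize']
        if ($raw -lt 0 -or $raw -gt 10000) {
            $findings += "DefaultCacheSize $raw is outside the 0..10000 range"
        } else {
            $wanted = $VolumeBytes * ($raw / 10000)
            if ($wanted -gt 2GB) {
                $findings += ('DefaultCacheSize {0}% of this volume is {1:N1} GB; the cache tops out at 2 GB' -f
                    ($raw / 100), ($wanted / 1GB))
            }
        }
    }
    # Purging at logoff without a forced logoff sync can discard unsynchronized work.
    if ($Policy['PurgeAtLogoff'] -eq 1 -and $Policy['SyncAtLogoff'] -ne 1) {
        $findings += 'PurgeAtLogoff is on but SyncAtLogoff is not: unsynced files can be lost'
    }
    # Cached copies sit in the local CSC folder; unencrypted, they are readable there.
    if ($Policy['Enabled'] -eq 1 -and $Policy['EncryptCache'] -ne 1) {
        $findings += 'Offline Files is enabled but EncryptCache is not set (Windows XP/2003 only)'
    }
    return ,$findings
}

# Constructed sample: 31 percent of a 40 GB volume, purge at logoff, no sync, no encryption.
$sample = @{ Enabled = 1; DefaultCacheSize = 3100; PurgeAtLogoff = 1 }
Test-OfflineFilesPolicy -Policy $sample -VolumeBytes 40GB
# On a live machine: Test-OfflineFilesPolicy -Policy (Get-OfflineFilesPolicy) -VolumeBytes 40GB
```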

Synchronization Manager Limitations

You might see some weird behavior if a single computer is shared among multiple people. You can see this behavior in the following example:

Configure two GPOs that redirect My Documents to two different locations, \\WS03ServerA\UserDocs and \\WS03ServerB\UserDocs. Link the first GPO to OU-A and the second GPO to OU-B. OU-A contains Fred, and OU-B contains Robin.

Fred logs on and verifies that the My Documents redirection has taken effect by looking at the path in the Properties dialog box. If Fred opens the Synchronization Manager after creating or modifying a file in \\WS03ServerA\Data, he sees the \\WS03\UserDocs UNC in the synchronization list. When he logs off, he sees the synchronization happen for this UNC.

Now Robin logs on to the same Windows XP workstation and verifies that My Documents redirection has taken effect. When Robin opens Synchronization Manager, she sees the \\WS03ServerA\UserDocs UNC and the \\WS03ServerB\UserDocs UNC in the synchronization list. When she logs off, she sees both paths attempting to perform a synchronization.

You can take this to extremes too. Try to configure five users in five different OUs with five different GPOs, each redirecting My Documents to one of five different servers. As each user logs on to a single Windows XP desktop (or a Windows 2000 desktop and chooses to manually cache the share), the UNC path for that user is added to the UNC paths for the other users in Synchronization Manager.

So what should you do? Allow only your laptop users to use offline caching. You can configure a GPO to prohibit offline caching for desktops and leave it enabled for laptops. Since laptop users don't tend to share their machines often, they don't build up many synchronization links. The workaround for those users is to open Synchronization Manager and uncheck all UNC paths except their own. But no user is going to do this.

After you have Windows XP/Service Pack 2 installed on the client, you have another option. You can leverage the tips in KB 811660, which explains how to perform several new feats of magic. One of the sections in the article describes how you can "Prevent admin pinning of files for non-primary users." Hence, when logging out, the main user of the machine will no longer re-sync the other user's settings. Here's the bad news, though: there are no new Windows XP/Service Pack 2 policy settings to help you. This is basically a manual endeavor to enter the hacks described in KB 811660. Or, you can come to GPanswers.com for a downloadable ADM template that can perform this action on multiple clients at once.

Thanks to Bill Boswell for inspiration on this tip.


Configure Slow Link Speed

Recall that the Synchronization Manager in Windows 2000 and XP thinks a slow link is 64Kbps. When a user comes in over a slow link (less than 64Kbps), the system automatically uses their locally cached version of network files. Additionally, the foreground Synchronization Manager does not run. You can change the definition of the speed of a slow link, but only for Windows XP and Windows 2003 clients.

Note 

This policy setting applies only to Windows XP and Windows 2003 computers.



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
EAN: 2147483647
Year: 2005
Pages: 110
