My Documents mapped to home on laptops

Status
Not open for further replies.
Jul 18, 2002
We have domain laptops with My Docs mapped to a home dir and set for Offline files. I've had about 4 authenticated users who, while not connected to the network, can't see any files in their My Docs. For example, they would be in the airport logged in (cached credentials) to the PC and when they double-click on My Docs it's empty. Once they get to an office, plug in and authenticate, their My Docs are OK again.

I've seen articles on "CachedLogonsCount" but I'm not sure whether, if this count is exceeded, their credentials go "stale" and no longer allow access to My Docs. I don't know what happens when the user VPNs and authenticates for email or syncing folders; I do know this alone does not allow access to My Docs. Even a wireless connection doesn't seem to "fix" the issue.

For now only 4 users have had this problem.

Thanks for any suggestions.


*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 
If their cached logon count was exceeded, they would not be able to logon at all.

Check that this common problem is not the issue: The most visible symptom is that the “Enable offline files” checkbox gets cleared after a reboot. See, for example,
I suspect the issue has to do with the use of 'Home' folders, as this practice is a legacy one and discouraged. It could well be true that there is offline file caching going on at all:



____________________________
Users Helping Users
 
I assume that if the user can log in then all resources are available during that session - including (offline) My Docs.

Our system redirects to \\server\home\username\My Documents. In the Home directory My Docs shows as "username's documents". The Home properties (caching button) is set to "Only these files...." - should this be set to "All files..." and optimized? It seems that the offline settings are configured correctly with new users. The only issue I've seen is with a few laptop users so the cache count seemed a good fit.

We came off Win2K but did not start redirecting until XP Pro, but we did use home directories. I don't know if this is considered legacy or not. This is a new(er) server with a clean Server 2003 build.

Thanks for looking at this issue - I appreciate any guidance that can be provided.



*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 
Redirect folders to home folders

Typically, it is recommended that you do not redirect to a home directory unless you have already deployed home directories in your organization. However, if you have home directories and want to transition your users to use My Documents while maintaining compatibility with the home directory environment, you can redirect a user’s My Documents folder to the user’s home folder. The Redirect to home folder policy setting is intended only for organizations in which home folders are already in place. Redirect only the My Documents folder to the home folder. For this type of redirection, the client computer must run one of the following operating systems: Windows XP Professional, Microsoft® Windows XP, 64-Bit Edition, or Windows Server 2003. This redirection option does not work for clients that run Windows NT, Windows 2000, or Microsoft® Windows® XP Home Edition.

When a folder is redirected to the home folder, security and ownership are not checked, and permissions are not changed. Folder Redirection behaves as though the administrator has set directory security correctly. This relaxed security is the reason that redirection to the home folder is not recommended if the home folder structure is not already in place, and you have not updated your configuration.

Typically, folder redirection fails if a user is not the owner of the folder to which the My Documents folder is redirected. Because redirection to the home folder is intended for an earlier environment, Folder Redirection does not check for proper folder ownership. Instead, ownership check is left to the administrator.

Users must have the home folder property set correctly on their user object in Active Directory. The client computer gets the path for the user’s home folder from the user object in Active Directory when the user logs on. User accounts that have redirected folders must have this path set correctly, or Folder Redirection fails.

To add a home folder to a profile
1. Open Active Directory Users and Computers.
2. In the details section, right-click the applicable user account, and then click Properties.
• Active Directory Users and Computers/applicable domain/applicable container (such as Users)/applicable user account
3. Click the Profile tab.
4. In Home Folder, type the directory folder path information.




____________________________
Users Helping Users
 
Everything you've provided is good and reflects how all users are set up. We only have seen issues with limited laptop users, all using domain PCs.

According to an MS KB:
the default setting for "cachedlogonscount" is 10 so I rebooted my laptop (disconnected) 12 times and I still had access to My Docs and it never changed.

I'm hoping to duplicate the problem, and if there's a GPO that can set something for laptops, that would be great.



*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 
"cachedlogonscount" is 10
This is the counter for the number of user logons to cache, not the number of times any user used cached credentials to logon.

So with this setting ten different users, maximum, can have their credentials cached.


____________________________
Users Helping Users
 
Finally found time to get back to this ... sorry for the break in the action.

Here's what I've found - when the user does not have access to My Docs it appears to be because the credentials are not "current". They can log on to the PC but cannot access their (Offline) My Documents with the same credentials. I've read that all offline files, independent of user, are stored in one database and any user that has a profile will be able to get to that database - but only has access to their files through their credentials (saved in another file).
In one case a user logged on to their laptop, enabled their wireless, was given an IP and had access to network resources ... but still could not see their My Documents. I had the user log off and log on - poof, their My Documents were there again. The same credential update will occur if the laptop is wired before the user logs in: the credentials stored on the PC are updated and My Documents are good again.
I have been unable to find anything in MS KB about offline credential validation but from everything I can duplicate, that's where the problem appears to originate. It also appears to be associated with going into hibernation mode (one user has that problem too).
Since a VPN connection is user dependent, keeping a VPN (IPsec) will not allow credentials to pass at logon. We don't use RAS but I thought there was a way to "RAS with a VPN connection" but I haven't tried in a long time.
Sorry to be long-winded but this is becoming a weekly event and I'd like to find a solution.
Thanks for anything you can suggest.


*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 
Remote Access uses Credential Manager Keyring

Remote Access participates in the keyring by adding a temporary default credential whenever a dial-up or VPN connection is successfully established. This credential contains the username and password that were used in setting up the connection since these are often the same credentials that will enable access to the resources on that network. This makes the experience of connecting to a remote network, and using resources on both that network and your local network, seamless.

The problem is that the password can expire and the user is unaware of it, as they are using cached credentials.

The password expiration policy is not "enforced" when cached credentials are used to logon locally. The next time the computer can communicate with the Domain, the user will be prompted to change their password.

If the user's password has expired, you, as an AD administrator, can set their password to a new value. Then, when the user logs on using VPN Networking, they can specify the new password and the cached credentials on the laptop will be updated.



____________________________
Users Helping Users
 
Thanks for keeping up on this one bcastner.

What you're describing is a separate issue (Exchange 2000 would email password expiration notices, 2003 doesn't have that same feature ... too bad). We've worked around that by making sure OWA is updated and password reset is enabled. This works fine, even if the password has expired ... but will not work if it's locked. It's an extra step for the remote user but working remote isn't all bright lights, glitz and glamor.

In the case of My Docs disappearing, all the users experiencing problems are well within their password age and the account is not locked. As I noted, the user can log on to the PC and even if working fully disconnected, cannot see their My Docs. All it takes is for the user to make a network connection from an office (VPN does not cut it), log off & log on for the credentials to update in the "right place", then they can see their offline My Docs. There is no resetting passwords or unlocking accounts ... just log off - log on. Side note - all these users (other than a local and domain admin profile) are the only users on the PC.

I've been "thumpin' my melon" on this one for some time and keep coming up blank.


*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 
I am not referring to Exchange, but to the life of cached credentials on a user's keyring.

One way to test this is to log on, connect to the Domain, log off, and attempt to log on again. I expect that you will not be able to log back on the second time with the same password you used the first time.

However, now restart the machine off the network. Then you'll be using cached credentials again and the original password will succeed.

In this case a Group Policy setting is missing for the XP Clients to make the logon conform to Windows 2000. Open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

A second setting to look for is password lockout. If they are using cached credentials, then the chances are that they have mistyped their password too many times, as while the credentials cache does not keep track of password expiry times it does track failed logon attempts. In this case, the only solution is to have them connect to your network, and resync the credentials cache with the server. This allows them again to access resources that require credentials such as their Home folders. This sounds like what could be happening with your remote users.





____________________________
Users Helping Users
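
An added example, not part of any post in this thread: a PowerShell check that reports the two logon settings discussed above, "cachedlogonscount" and "Always wait for the network at computer startup and logon". The registry paths and the `SyncForegroundPolicy` value name are the standard Windows locations and are not given in the thread; the helper names `Get-RegValue` and `New-Finding` are hypothetical.

```powershell
# Added example: report the two logon settings discussed in this thread.
# Registry paths are the standard Windows locations (an assumption; the
# thread does not state them). Uses only PowerShell 2.0 syntax.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop |
            Select-Object -ExpandProperty $Name
    } catch {
        $null   # key or value not present
    }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Interpretation)
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Interpretation = $Interpretation
    } | Select-Object Setting, Value, Interpretation
}

# CachedLogonsCount is stored as a string; if absent, the default of 10 applies.
$raw   = Get-RegValue -Path $winlogon -Name 'CachedLogonsCount'
$count = if ($null -eq $raw) { 10 } else { [int]$raw }
$text  = if ($count -eq 0) {
    'Cached logons disabled: domain users cannot log on while off the network.'
} else {
    "Logons of up to $count users are cached; this is not a limit on how often a cached logon is used."
}
New-Finding 'CachedLogonsCount' $count $text

# SyncForegroundPolicy = 1 means the "Always wait for the network" policy is Enabled.
$sync = Get-RegValue -Path $policy -Name 'SyncForegroundPolicy'
$text = if ($sync -eq 1) {
    'Enabled: startup and logon wait for the network when one is reachable.'
} else {
    'Not enabled: XP may log the user on from cached credentials before the network is ready.'
}
New-Finding 'AlwaysWaitForNetwork' $sync $text
```

Run it from an elevated prompt on an affected laptop and on a working one, then compare the two result sets.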
 
I believe I confused the issue when I added the Exchange 2000 reference ... sorry. Let's stay with AD credentials.

Here's the steps:
In the corp office -
1) Turn on laptop (no wire/wireless connection)
2) Log on with domain credentials - successful (127.0.0.1)
(the PC is running independent of the domain)
3) Double-click My Documents ... EMPTY

4) Enable/Turn on wireless (or plug in wire)
5) IP is acquired, can access internet (to test LAN)
6) Open Outlook (Exchange mode) - successful sync

7) Close apps, disconnect from VPN, Log off PC

8) Log on (now with network connection via wire/wireless)
9) Successful logon
10) Double-click My Documents ... ALL FILES OK

The problem appears to be related to credentials assigned to the offline files only, because Outlook uses cached domain credentials to authenticate the Exchange connection. Since the user can connect to the Exchange server and get their email - "those" credentials are working. The user can also access domain resources as allowed before Step 7.

If this is still difficult to understand we can take it "Off-Line" if needed ... just let me know how to do it.

Thanks.

*** Fix what's broken, whether it's a machine or a process. People don't need to be burdened by problems that could be corrected.
 