Two days wasted on this!
Apparently someone before me upgraded one of the DCs from 2003 to 2008 R2, but left the second existing one as 2003. From what I've read, offline file encryption in XP uses a local admin account (with cert) as the decryption manager. With Win 7 it's all in Group Policy.
In 2003 a cert was issued in AD to the Administrator account for encryption. I assume on XP it was for the high level crypto stuff. This cert was only issued for a couple of years. Mine expired in 2009.
As it turns out, if the cert has expired Win 7 starts to offline your files, then gets access denied for all users on that laptop unless you format the CSC cache and turn sync off. Even if you're connected to the network, as it's still reading from the CSC cache which is encrypted, which it can't read as the cert is out of date!
Two days of head scratching later I finally figured it out. You have to delete the existing cert in GPO, then create a new one. 2008 R2 issues a 100 year cert. After that it all works.
They don't pay me enough for this crap
Last edited by Trapper; 17th May 2012 at 10:59 PM.
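
A check for the failure described in the post above, added here as an example and not part of the original post: it flags EFS recovery agent certificates that are expired or close to expiry. The function names and sample certificates are constructed for illustration, and it assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example: flag expired or soon-to-expire EFS recovery agent certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU on EFS recovery agent certs

function Test-EfsRecoveryCert {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 90,
        [datetime]$Now = (Get-Date)
    )
    process {
        # Find the Enhanced Key Usage extension, if the certificate has one.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $isRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
        $status = if (-not $isRecovery) { 'NotRecoveryCert' } elseif ($Certificate.NotAfter -lt $Now) {
            'Expired' } elseif ($Certificate.NotAfter -lt $Now.AddDays($WarnDays)) {
            'ExpiringSoon' } else { 'OK' }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Status     = $status
        }
    }
}

# Hypothetical helper: builds an in-memory, self-signed sample cert with the File Recovery EKU.
function New-ConstructedRecoveryCert([datetime]$NotAfter) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=Constructed EFS Recovery Agent', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $oids = [System.Security.Cryptography.OidCollection]::new()
    [void]$oids.Add([System.Security.Cryptography.Oid]::new($FileRecoveryOid))
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]$NotAfter.AddYears(-3), [DateTimeOffset]$NotAfter)
}

# Constructed inputs: one cert that ran out in 2009, one valid for 100 years.
$samples = @(
    (New-ConstructedRecoveryCert ([datetime]'2009-06-01')),
    (New-ConstructedRecoveryCert ((Get-Date).AddYears(100)))
)
$samples | Test-EfsRecoveryCert | Format-Table -AutoSize

# For a real check, load the .cer exported from the EFS policy (placeholder path):
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\<path>\recovery.cer' | Test-EfsRecoveryCert
```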