Set up offline files to sync two specific folders and their subdirectories

    Question

  • I am setting up offline files policies for an environment that has laptops - the laptops themselves are all correctly added to OUs that have the offline files policy applied, so this question is more to do with the policy itself rather than its application...

    Essentially, there is an issue in which they are synchronising a folder on the file server which is a DFS root for the other subdirectories on the server, the scenario for instance is the following setup.

    The file server's name on the network is FILESERV1

    The file server's main drive is E: , and E: has the following set up:

    E:\UserData\Homes\Sales is shared as \\FILESERV1\Saleshomes$

    E:\UserData\Profiles\Sales is shared as \\FILESERV1\Salesprofiles$

    Those two paths are the desired folders to synchronise to these laptops.

    Currently, the laptops are synchronising the DFS root, which is set up like the following:

    E:\DFS is shared as \\FILESERV1\dfs$

    E:\DFS\saleshomes is a symlink to the E:\UserData\Homes\Sales folder - this is all shared as \\FILESERV1\dfs$\saleshomes

    E:\DFS\salesprofiles is a symlink to the E:\UserData\Profiles\Sales folder - this is all shared as \\FILESERV1\dfs$\salesprofiles

    These are not the only two folders in E:\DFS, however they are the only two ones that should be synced (either through \\FILESERV1\dfs$ or their direct share). I find Offline Files quite fiddly myself, so if someone could post something with some screenshots on setting this up and/or how to check that it's working correctly, that would be very much appreciated.


    • Edited by Rory Fewell Tuesday, October 11, 2016 12:43 PM formatting
    Tuesday, October 11, 2016 12:41 PM

All replies

  • Hi,
    You could share with us which group policies are configured for syncing offline files.
    If you want to set up offline files to sync two specific folders and their subdirectories, you could configure the “Subfolders always available offline” policy and the “Administratively assigned offline files” policy.
    Administratively assigned offline files policy lists network files and folders that are always available for offline use. This policy makes the specified files and folders available offline to users.
    Subfolders always available offline policy makes subfolders available offline when their parent folder is made available offline.
    Please see details from:
    Administratively assigned offline files
    https://technet.microsoft.com/en-us/library/cc978568.aspx
    Subfolders always available offline
    https://technet.microsoft.com/en-us/library/cc978601.aspx
    And based on your description, you might need to enable offline files for the DFS share; in this case, I would suggest some articles for reference:
    Support for DFS-based shares for Offline Files
    https://support.microsoft.com/en-sg/kb/262845
    DFS and Offline files Set up, confused
    https://social.technet.microsoft.com/Forums/en-US/e2f84c9e-0c09-4dab-9a1e-af5e86872fba/dfs-and-offline-files-set-up-confused?forum=winserverfiles
    Since it is related to DFS, I would suggest that you could also post the questions in the file service forum:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverfiles
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Best regards,
    Wendy


    Wednesday, October 12, 2016 6:29 AM
    Moderator
  • It seems like the "Specify administratively assigned Offline Files" policy has done the work I needed, although right now it's pointed towards \\FILESERV1\Saleshomes$ rather than \\FILESERV1\dfs$\Saleshomes , is this okay or is it bad practice to not use the DFS path?

    Another small question on this matter - I have specified it to be \\FILESERV1\Saleshomes$\%username% , I'm not sure if the %username% is correctly resolving to the user's logon name, though at the current time it seems like it may be working (?). I want to know - is it possible/required that I put the %username% there or some other environment variable in order to get it to sync only the currently logged on user, or does Windows manage to detect it on its own?

    And finally, thanks for the suggestion - I just figured that it would be suited for a Group Policy forum but I can see why it makes sense to post this kind of question inside of File Service forum in future. :)

    Wednesday, October 12, 2016 7:13 AM
  • Small update on this issue - it is still synchronising incorrectly.

    In "Specify administratively assigned Offline Files", I have set it to \\FILESERV1\Saleshomes$\%username% , I can confirm from FILESERV1 that this is the correct location.

    However, through the sync centre, it shows that \\FILESERV1\Saleshomes$ is the folder being synchronised, rather than just the user's home folder within. We have done a gpupdate and everything so not sure why it's synchronising the parent folder?

    Wednesday, October 12, 2016 12:10 PM
  • > to \\FILESERV1\Saleshomes$\%username% , I can confirm from FILESERV1
    > that this is the correct location.
     
    Assigned offline files AFAIK do NOT support variables...
     
    In addition: Both \\fileserv1\saleshome$ and \\fileserv1\dfs$\saleshome
    are wrong - you should use a domain based dfs namespace and use this
    namespace: \\mycorp.domain.com\dfsroot\saleshome
    In using \\fileserv1, you pin offline files to this server.
     
    And for your overall goal, it seems more practical to use folder
    redirection and make redirected folders available offline automatically.
     
    Thursday, October 13, 2016 12:09 PM
  • Thanks for the helpful reply.

    I was skeptical about using the variables - it's good to have some clarification on that matter.

    As for the second point - is it bad practice overall to state the server's name? They are always going to be using the same server name for this as they have been for many years unless there is a full setup redo. I will make note of the domain focus in future however.

    Unfortunately I'm unsure on your last point... stuff appears to be set up to allow offline files automatically already - the problem lies in the fact that it still syncs everything starting at Saleshomes. If I go into File Explorer, the Saleshomes folder shows up as 'Available Offline'. However, within there, when signed on as one of these users, inside the Saleshomes folder (which is available offline) - only the user's home folder says 'Available Offline'. None of the other user folders have a sync icon.

    Are you suggesting that I disable the Offline Files automatically setting on the parent Saleshomes folder - and instead set it on the child folders (the actual home directories themselves)? Would that fix the issue?

    I do appreciate the help and the information - from my perspective it feels like it should be working as another location actually does have theirs set up (their "Specify administratively assigned Offline Files" policy is actually set to \\FILESERVER\\%username%$ and is working perfectly!) - unfortunately this location does not have the same kind of folder setup so it cannot be replicated exactly.

    The above two questions are the major point - I feel like this is close to working but not quite there, I am hopeful though and always happy to take on some advice about practices in this regard (I am still a noob at Windows Server administration as you can probably tell!)

    Thursday, October 13, 2016 2:14 PM
  • > I was skeptical about using the variables - it's good to have some
    > clarification on that matter.
     
    ...maybe I'm wrong :-)
     
    > server's name? They are always going to be using the same server name
     
    until business requirements demand a server change :)
     
    > into File Explorer, the Saleshomes folder shows up as 'Available
    > Offline'.
     
    Parent folders AFAIK have to be offline available for child folders to
    be offline available. You cannot have a file in a child folder offline
    available if you cannot access the root share offline :-) The chain
    always starts at share level.
     
    Thursday, October 13, 2016 3:08 PM
  • I thought that server changes might be the reason for that. :) --

    Hmm... I can't see what else it would be then, because it really seems like Windows *knows* it's meant to only sync the one user's folder (as evidenced by the fact that no other user's folder says "Available Offline") so I'm not sure why it's synchronising them.

    I have applied some changes to ACLs on the user folders though through a PowerShell script - which imo was long overdue. Before, there were ACEs for Security Groups like "Staff" applied to all user home folders, as far as I know, they don't need this because the staff don't even know that they can get to each others' directories (I would think they're not supposed to).

    From somewhere, I read that Offline Files will only try and sync the folders it has read/write access to. So by my book, removing those groups from the ACLs (and thus, having users only be able to read/write to their own home directory) should stop it synchronising everyone's files, even if it would try to otherwise.

    To me, I know that's not a great solution, but at this point I've kind of run out of ideas? Typically we don't do Offline Files as far as I know so unfortunately I'm the only person who's dealing with the problem and don't have much to base my solutions off of.

    If you have any more ideas, please let me know - I'll update this post once someone on site is able to report back to me on the laptops. Thanks for all the help so far! :)

    • Marked as answer by Rory Fewell Friday, October 14, 2016 10:09 AM
    Thursday, October 13, 2016 4:19 PM
  • > evidenced by the fact that no other user's folder says "Available
    > Offline") so I'm not sure why it's synchronising them.
     
    It needs to sync the path from share level down to the user folder -
    otherwise the user folder would not be accessible through explorer
    because its parent isn't available.
     
    > From somewhere, I read that Offline Files will only try and sync the
    > folders it has read/write access to. So by my book, removing those
    > groups from the ACLs (and thus, having users only be able to read/write
    > to their own home directory) should stop it synchronising everyone's
    > files, even if it would try to otherwise.
     
    This will break sync entirely. For offline files to work, the user needs
    at least "read (this folder only)" for all folders from share level down
    to his own stuff.
     
    Friday, October 14, 2016 8:49 AM
  • That is correct - I have not taken read access off of the parent folder (that is, dfs$\Saleshomes still grants read/write access to Staff). I have only taken 'Staff' off of the child directories (the user homes themselves), such that users can only access their own folder in this directory.

    Here's an example of what I mean:

    dfs$\Saleshomes - Grants: SYSTEM, NETWORK SERVICE, Administrators and Staff all R/W access at some level

    dfs$\Saleshomes\Natalie.West - Grants: SYSTEM, NETWORK SERVICE, Administrators and Natalie.West all R/W access at some level

    Should this work?

    Friday, October 14, 2016 9:20 AM
  • > *dfs$\Saleshomes* - Grants: SYSTEM, NETWORK SERVICE, Administrators and
    > Staff all R/W access at some level
    > *dfs$\Saleshomes\Natalie.West* - Grants: SYSTEM, NETWORK SERVICE,
    > Administrators and Natalie.West all R/W access at some level
     
    If Natalie is a member of Staff, this should work. Note that for some
    folders the user needs not only R/W, but full access. This is required
    to set integrity levels (applies AFAIK by default only to favorites and
    some other IE related stuff).
     
    • Marked as answer by Rory Fewell Friday, October 14, 2016 10:09 AM
    Friday, October 14, 2016 9:56 AM
  • I believe they have the ability on the parent folder to create folders and stuff through special permissions, they don't quite have full access (don't want them to delete Saleshomes somehow).

    I have just managed to check with the person on site now - it appears that it is synchronising correctly as a result of the ACL changes. I still find this to be less than optimal (feels more like a workaround), but it comes as a serious relief that at least the problem is gone!

    Thanks for the assistance, I really appreciate the help and advice. :)

    Friday, October 14, 2016 10:09 AM
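
The ACL layout the thread settles on (the group keeps access on the share-level parent, each home folder is limited to its own user) can be checked with a read-only audit. This is an added example, not part of any post in the thread; the function name `Test-HomeFolderAcl`, its parameters, and the assumption that each home folder is named after the user's logon name are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of home-folder ACLs.
# Assumes each home folder is named after the user's logon name.
function Test-HomeFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,         # folder behind the share
        [Parameter(Mandatory)] [string] $ParentGroup,  # group name without domain
        [string[]] $Baseline = @('SYSTEM', 'NETWORK SERVICE', 'Administrators')
    )
    $read        = [System.Security.AccessControl.FileSystemRights]::ReadData
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Drop the DOMAIN\ or BUILTIN\ prefix from an ACE's identity.
    $leaf = { param($ace) ($ace.IdentityReference.Value -split '\\')[-1] }

    # Parent: the group needs an Allow ACE with list/read that applies to the
    # folder itself (not inherit-only), otherwise the path to the homes breaks.
    $hit = (Get-Acl -LiteralPath $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (& $leaf $_) -eq $ParentGroup -and
        $_.FileSystemRights.HasFlag($read) -and
        -not $_.PropagationFlags.HasFlag($inheritOnly)
    }
    [pscustomobject]@{ Path = $Root; Check = 'ParentGroupCanList'
                       Passed = [bool]$hit; Unexpected = '' }

    # Children: only baseline identities and the folder's own user should hold
    # Allow ACEs; anything else (e.g. the group itself) is reported.
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $names = @((Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { & $leaf $_ } | Sort-Object -Unique)
        $extra = @($names | Where-Object { $_ -notin ($Baseline + $dir.Name) })
        [pscustomobject]@{ Path = $dir.FullName; Check = 'OnlyOwnerAndBaseline'
                           Passed = (($names -contains $dir.Name) -and ($extra.Count -eq 0))
                           Unexpected = $extra -join ', ' }
    }
}

# Paths and group taken from the thread; run on the file server:
# Test-HomeFolderAcl -Root 'E:\UserData\Homes\Sales' -ParentGroup 'Staff' | Format-Table -AutoSize
```

Identities outside the baseline, such as `CREATOR OWNER` or a domain admin group, appear in the `Unexpected` column; extend `-Baseline` for the ones that are intended.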