Group Policy Quick Tip: Exclude Files From Being Cached by Offline Files

In this edition of Group Policy Quick Tips, I’ll be covering a policy that has been around a while, but was renamed and might be hard to find if you haven’t configured it before.  In Windows 7/Server 2008 R2, this setting was called “Exclude files from being cached.”  With Windows 8.x/Server 2012, the name changed to “Enable file screens.”  Same thing; different name.

In Windows Server, you can create File Screens to prevent file types from being saved to network shares on file servers.  (If I had to guess, this policy setting was simply renamed so it would be in line with the feature it is emulating from Windows Server.)  This policy setting effectively does the same thing: it prevents users from creating files of the types you specify in folders that have been made available as Offline Files.

Why would you want to set this policy?

  • This is a great way to keep people from downloading certain large file types from folders that redirect back to a file server.  Most file servers I’ve managed had quotas for end users, but typically we’ve given power users and/or users working on projects shared space for their large files.  This is a great way to ‘remind’ them where the files should go.  Files like ISO images, video files, MP3s, etc. come to mind.
  • This is also a great way to keep potentially malicious files (executables, scripts, batch files, etc.) out of folders for non-Administrative users.
  • I highly recommend using this setting if you have File Screening configured on your file server.  If you don’t, users will be able to download files that you’ve blocked on the file server into their local cache.  When the client attempts to sync the screened files back up to the file server, the sync will fail.  (This can get really annoying if you’ve configured email alerts!)

Where is the policy located?

  • [Windows 8+, Windows Server 2012+] Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Enable File Screens

  • [Windows 7, Windows Server 2008 R2] Computer Configuration > Policies > Administrative Templates > Network > Offline Files > Exclude files from being cached

Configurable Options

  • Enabled or Disabled
  • Semicolon-separated list of file extensions that you want excluded from being made available via Offline Files.  (Note: the format of each entry must be asterisk, period, file extension.)
    Example:  *.iso;*.bak;*.exe;*.dll
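
As an added example (not from the original post), this PowerShell function normalizes a mixed set of patterns, such as ones copied from a file server's File Screen configuration, into the asterisk-period-extension list this setting expects, and reports anything that does not fit for manual review. The function name, the sample input and the strict rejection of patterns such as `*.tar.gz` are assumptions made for this example.

```powershell
# Added example: build the semicolon-separated value for the
# "Enable file screens" / "Exclude files from being cached" setting.
# ConvertTo-OfflineFilesExclusionList is a hypothetical helper name.
function ConvertTo-OfflineFilesExclusionList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Pattern
    )

    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[string]]::new()

    foreach ($item in $Pattern) {
        # An input item may itself be a semicolon-separated list.
        foreach ($raw in ($item -split ';')) {
            $p = $raw.Trim().ToLowerInvariant()
            if ($p -eq '') { continue }
            # Accept a bare ".iso" by adding the missing asterisk.
            if ($p -match '^\.[a-z0-9_-]+$') { $p = '*' + $p }
            # Required form: asterisk, period, file extension. Anything else
            # (name wildcards, multi-part extensions) is reported, not guessed at.
            if ($p -match '^\*\.[a-z0-9_-]+$') {
                if (-not $accepted.Contains($p)) { $accepted.Add($p) }
            } else {
                $rejected.Add($raw.Trim())
            }
        }
    }

    [pscustomobject]@{
        PolicyValue = ($accepted -join ';')   # paste this into the policy
        Rejected    = $rejected.ToArray()     # review these by hand
    }
}

# Constructed sample input: the article's example list with stray spacing and
# casing, a duplicate, and two patterns that do not fit the required form.
$sample = '*.iso;*.bak;*.EXE; *.dll', '.mp3', '*.iso', 'setup*.exe', '*.tar.gz'
$result = ConvertTo-OfflineFilesExclusionList -Pattern $sample
"Policy value: $($result.PolicyValue)"
"Needs review: $($result.Rejected -join ', ')"
```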

Supported Operating Systems/Software

  • Windows 7+ client OS / Windows Server 2008 R2+ server OS
Kyle Beckman

Kyle is a Systems Administrator with 15+ years of experience. He currently works in Higher Education supporting everything from smartphones to desktop PCs to Hyper-V Failover Clusters. (If it has an IP address, he probably supports it!) He has also worked in Small Business IT consulting supporting a wide variety of businesses and non-profit organizations.

Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG). You can find additional articles he's written on 4sysops.com.

2 Comments

  1. Hi, I am searching for a screening file for Windows 7 Pro, 8 and 10.

    I don't want to allow any program to save files with a couple of extensions used by some malware like CryptoLocker.

    Something like:
    Exclude: *.crypz; *.ccc and so on.

    When anybody tries to write a file with the above ext, I would like Windows to lock it.

    Any idea?

    thanks

    1. This only prevents files from being cached by Offline Files. If you’re wanting to prevent them from being stored on your file server, look into file screening. You may also want to look into AppLocker to prevent users from running executables from their user profiles and thumb drives to prevent CryptoLocker from hitting your machines in the first place.


© trekker.net