Preventing saving to desktop on roaming profiles
I'm trying to implement desktop restrictions on staff roaming profiles but encountering a couple of issues.
I've used XCACLS on the desktop folder in their server copy of the profile to prevent them from writing:
and in Group Policy Admin Templates - Desktop I've enabled "Don't save settings at exit"
%LOGONSERVER%\Netlogon\xcacls "%USERPROFILE%\Desktop" /P "%USERDOMAIN%\%USERNAME%":RX Administrators:F System:F /Y
But the problem is that when they're logged on they can still save stuff onto the desktop. Its only when they log off they get an error that the files cannot be written to the server location.
Plus, when they log back onto the same machine the files are there because of the locally cached copy of the profile.
Can anyone advise what other option I'm missing out? ISTR years ago when I first implemented this I could get an "Access denied" error whenever you tried to put something on the desktop.