Ok guys, this is a five minute fix from someone but I'm obviously missing something.
I've just about finished setting up a win7 mandatory student profile the way I like it, ready for Remote Desktop. Some kids tried it over the weekend and said all was good except they could save on the desktop. I'm pretty sure they couldn't before although I'm not sure what I changed to allow them to. I don't have context menus disabled in GP and as far as I can remember, never have.
Anyway, I don't want them to be able to create stuff on the desktop but I want to maintain context menus within Explorer. I've tried changing the permissions on the Desktop folder in the mandatory profile on the server to deny the Students group write access, I've tried enforcing Software Restrictions and now I gather that redirecting them all to a shared desktop with nothing on it and no access is the general way to do it. So I've set up a shared folder on the fileserver, StudentDesktop, given them normal NTFS access to it with the addition of Deny Write, the share permissions allow them only read but when I log on as a student and it tries to redirect the desktop, it says (in event viewer):
Failed to perform redirection of folder Desktop. The new directories for the redirected folder could not be created. The folder is configured to be redirected to <\\xyz\studentdesktop>, the final expanded path was <\\xyz\studentdesktop>. The following error occurred:
This security ID may not be assigned as the owner of this object.
So obviously I'm missing something blinding simple, can someone help me?? This is my last hurdle for Win7 student profiles and Remote Desktop and it really needs to just work, lol.