Network users forcing writes on read-only folder

[jim]

Just wondering if anyone had any ideas, this is driving me mental.

Basically, all users' desktops are redirected to a common folder on the server, which is used as the desktop when they log in via Active Directory. That folder is of course read-only, so they can't add files in and alter everybody's desktop at the same time.

However, recently I've had people with intermittent connections, whether that means laptops that go offsite or computers with a dodgy internet connection writing to that folder. I think they go off the network for whatever reason, shift shortcuts or files to the desktop, and then when the PC comes back it forces a write to desktop folder. How it does that, I don't know - it should be refused access without admin rights.

Any ideas?

[Jay]

do you have roaming profiles or is it all redirected?

[jim]

Everyone has a personal roaming profile set on the server, as well as having desktop redirected to a generic folder.

[Jay]

what permissions do the files have after they are written? I wonder if its offline files?

[jim]

They always appear with Full Control specifically granted to the user who created them - which then presumably takes precedence over the read-only access granted to them as a user.

We do use offline files on the machines that are affected, yes - specifically to cater for this kind of event so that they retain access to the files they need whilst network access is lost.

[Jay]

I think the offline files are copying back to the desktop. If the folder is read only I can't see how they are writing to it.

maybe setup mandatory profiles

[jim]

I think the offline files are copying back to the desktop. If the folder is read only I can't see how they are writing to it.

Exactly, that's what I don't get. I was hoping there might be some sort of technical solution to prevent even offline files writing to that directory, but I don't know whose credentials it uses to access the folder.

I don't know about mandatory user profiles, it may still not fix the problem and the article on them from MS recommends against using it.

[jim]

Anybody else have any thoughts?

Still got this at the moment, as things stand I'm contemplating making a secondary desktop for all the users who seem to enjoy filling it with junk and then let them stew in it... not the best solution though.