CHALLENGE

 

Data retention, collaboration without draconian security?

Submitted by Yasha Renner, IT Manager, Rogue Ales, Newport, Oregon

I am the IT Manager at a major craft brewery with over 200 employees scattered over 10 locations. Data retention and collaboration seem to be a major hurdle throughout our day-to-day operations. With a fairly limited security protocol, users have free will to create whatever they please, save the information wherever they please, and share it with whomever they see fit. Shared resources are difficult to manage and policing users doesn't seem to be working either. Information databases as well as files pertinent to marketing such as photographs, videos, and design files are saved on an individual's PC, rather than on the marketing file server where they should be. Salesforce CRM has been a huge improvement for data retention and collaboration, but how can I keep public resources accessible to those who need it without taking drastic measures?


  • Sounds like you need to speak with management regarding a basic ENFORCEABLE IT Acceptance and Usage Policy. In this policy you should outline where users are to save what data. You also need to identify what users need access to particular resources and you can begin sorting them within containers in AD. You can then use scripts to assign resources (mapped drives) and create groups and assign permissions at a group level on your shares. For example, this will prevent anyone who doesn't have any business posting in marketing from even seeing it; if they go direct to the share, i.e. \\server\marketing, they will be denied. Are you currently using profile redirection for users' My Documents? If not, you can add that option using GPOs. This will at least make sure all users' files located in 'My Documents' will be housed on the server and backed up centrally, provided all locations are pointed to a central server. Also make sure all users on the domain are 'domain users' and not power users or admins. This will prevent them from saving things where they shouldn't (except their own 'desktop').

    Offline files can cause a lot of headaches. I prefer not to use it. If you have mobile users the best solution is going to be VPN and a Cell Card or Remote Web Workplace. Make it easy on your users. The more restrictions and formality you give them the better off they are as it leaves fewer questions.
  • It is going to be very hard to limit where your users will save their documents without making significant policy and technology changes.

    For policy, it needs to be understood that documents need to be saved on the server so that they are easily accessible. In my experience, many of the reasons why people post locally is simply because they either do not know how to post to the server or because it's just easier not to. This can be rectified by creating a basic guide that shows them how to save data onto the server or setting up default save points for the applications they use to automatically default to your shared server folder. If you can make it so that your employees follow your IT policies, then this will go a long way to resolving your difficulties.

    For technology changes, you can use group policy changes and permissions to change where your users can save data. For example, with group policy you can specify that your users cannot save data to removable devices such as floppies, USB drives, etc. This should stop your data from being saved on devices that are easily lost or accessible outside of your organization. You should also make sure your users are not Administrators of their computers. Doing this will make it so that, for the most part, they can only save data in a few locations on the C:\ drive. As an extra bonus, users who are not running as Administrators will significantly decrease the number of infections on your network. Last, but not least, if your users are not always connected to your network, you can use some sort of synchronization software to synchronize the local data to your network drives when they connect. Microsoft offers a synchronization feature called Offline Folders that you can learn about here:

    http://support.microsoft.com/kb/312171

    Hope this helps.
  • Sounds more like a people management issue than a technology one. You can set up user authentication, protected volumes, etc. to your heart's content. But if people don't understand the business reasons behind data management, they'll just continue to find ways around the systems you establish.

    Perhaps you should start by having some honest one-on-one discussions with opinion leaders and find out why they aren't doing what you want them to do. You might be surprised with the results!
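
Added example (not written by any of the commenters above): one way to set up the group-level share permissions suggested in the first two comments, followed by a check for shares still open to broad principals. The group name, folder path, share name and domain below are assumed placeholders, and the script is meant to run elevated on the file server.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example. Every name below is an assumed placeholder, not from the page.
$Group  = 'GG-Marketing-RW'        # hypothetical security group for the resource
$Path   = 'D:\Shares\Marketing'    # hypothetical folder on the file server
$Share  = 'marketing'              # share name, as in \\server\marketing
$Domain = 'EXAMPLE'                # placeholder NetBIOS domain name

# 1. One security group per resource; users join the group, never the ACL itself.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}

# 2. Publish the share to that group and to administrators only (no Everyone entry).
New-Item -ItemType Directory -Path $Path -Force | Out-Null
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path `
        -ChangeAccess "$Domain\$Group" -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 3. NTFS: stop inheriting from the parent folder, then grant explicit rights.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited entries
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @("$Domain\$Group",         'Modify')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 4. Audit: list any non-administrative share still open to a broad principal.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Users"
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broad } |
    Select-Object Name, AccountName, AccessRight
```

An empty result from step 4 means no share on that server is granted to Everyone, Authenticated Users or Domain Users; any row it prints is a share to move onto a dedicated group.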