The best way to prevent a Windows domain user from deleting their home directory sub-directories

ntfs, windows-server-2012-r2

I'm working on a Windows Server 2012 R2 domain controller, with primarily Windows 7 Professional clients.

I have recently set up folder redirection and user profile roaming, such that each domain user has a folder on a network share wherein they store both their user profile and their documents. These user folders have the form

D:\Users\%USERNAME%

on the file server and, correspondingly,

\\MYSERVER\Users\%USERNAME%

on the domain.

These folders are generated automatically on the user's first-time login, and contain all the usual suspects including "Application Data", "My Documents", "Links", "Contacts" and "Profile.V2".

All these subfolders are also generated automatically on the user's first login, as is specified by domain group policy. Specifically, all these subfolders with the exception of "Profile.V2" are the result of folder redirection policies; "Profile.V2" is the result of roaming user profile policies.

To achieve all this I've set NTFS permissions on

D:\Users\%USERNAME%

as is recommended by Microsoft (can't remember where now!) and by countless other derivative blog posts. These permissions are,

Disable Inheritance

Allow - SYSTEM - Full Control - This Folder, Subfolders and Files
Allow - Administrator - Full Control - This Folder, Subfolders and Files

Allow - CREATOR OWNER - Full Control - Subfolders and Files

Allow - MyUserGroup - Special (List Folder / Read Data; Create Folders / Append Data) - This Folder Only

This works well for me, with one problem. Once a user has logged on, and the folder structure generated as specified, the user naturally retains the permission to delete any of these folders as they like. This means that the user could, by accident or otherwise, delete – for example – "Desktop". Not only does this result in a loss of the contents of the "Desktop" folder, but it also breaks folder redirection on the next login.

My question is, what is the best way to prevent a user from deleting these top-level user subfolders ("Desktop", "Contacts", "Profile.V2", and the rest)? I have experimented with alternative permissions on the parent folder, but these inevitably break automatic folder generation on user first-time login. Moreover, I have tried to adjust the permissions on these subfolders programmatically following user first-time login with a script – but I keep missing the mark (modifying ACLs using PowerShell is proving to be something of a headache).

What is the best-practice solution here? Surely I can't be the only one who's run into this issue!
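The permission list above, expressed as a PowerShell script (an added example, not code from the question or the answer). It assumes the share root D:\Users, a constructed sample user jdoe and the placeholder group MYDOMAIN\MyUserGroup; the "Administrator" entry is kept as the question lists it.

```powershell
# Added example: applies the ACL listed in the question to one per-user parent folder.
# Assumptions: D:\Users, the sample user 'jdoe' and 'MYDOMAIN\MyUserGroup' are placeholders;
# $AdminPrincipal mirrors the question's "Administrator" entry (many deployments use
# BUILTIN\Administrators instead). Run on the file server with rights to change the ACL.
param(
    [string]$UsersRoot      = 'D:\Users',
    [string]$UserName       = 'jdoe',                 # constructed sample user
    [string]$UserGroup      = 'MYDOMAIN\MyUserGroup', # placeholder domain group
    [string]$AdminPrincipal = 'Administrator'
)
$path = Join-Path $UsersRoot $UserName
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

# Helper: build an Allow ACE. Inheritance 'None' is "This Folder Only";
# ContainerInherit + ObjectInherit is "This Folder, Subfolders and Files";
# adding PropagationFlags 'InheritOnly' turns that into "Subfolders and Files".
function New-AllowAce {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate = 'None')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$acl = Get-Acl -Path $path
# "Disable Inheritance": protect the DACL and discard inherited ACEs instead of copying them.
$acl.SetAccessRuleProtection($true, $false)
# Drop any remaining explicit ACEs so the final DACL is exactly the four entries below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# SYSTEM and Administrator - Full Control - This Folder, Subfolders and Files
$acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM' $full $subtree))
$acl.AddAccessRule((New-AllowAce $AdminPrincipal       $full $subtree))
# CREATOR OWNER - Full Control - Subfolders and Files (InheritOnly excludes this folder)
$acl.AddAccessRule((New-AllowAce 'CREATOR OWNER' $full $subtree 'InheritOnly'))
# MyUserGroup - List Folder/Read Data + Create Folders/Append Data - This Folder Only
$acl.AddAccessRule((New-AllowAce $UserGroup 'ListDirectory, CreateDirectories' 'None'))

Set-Acl -Path $path -AclObject $acl

# Print the resulting DACL so it can be checked against the intended list.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                  PropagationFlags, AccessControlType | Format-Table -AutoSize
```

Because only CREATOR OWNER grants rights inside the folder, the user's own SID is stamped on each subfolder as it is created, which is also why the user keeps Delete on those subfolders; the script reproduces that behaviour rather than changing it.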

Best Answer

Redirect each profile folder to a separate share. So the Desktop folder gets redirected to \\myserver\usersDesktops\%username%.

Technet Article