Profile permissions and sharing...
Have somewhat of an odd request.
We use local profiles - meaning that student a logs on, it makes a local profile. We redirect desktop, docs.
Recently found that students can change permissions on these profiles... meaning that student a can give student b access to his local profile. This does NOT affect anything that is redirected as those acls are set correctly, but does give access to say appdata, or the favs folder...
I need a way to block this. As a student is technically the creator of the profile, he is the owner and can change permissions or add people. So I am kinda lost on how to do this.
Why is this important? We have some special accounts that are not allowed to access resources not on the network (external media is blocked for them). However, what they do is log on with an account on the network, save the files to the local c (everywhere but their profile is locked down hard, so they have to save to their profile), add in the special account so it can read their files, and then the special account has those files it should not have.
The one idea I came up with was to somehow force everyone to use a temp profile. I know, crazy, most people are trying to prevent users from getting a temp profile, but imagine if you login -> temp profile -> deleted when you log off.....