Students have permissions to access and read each other's home folders - after setting up mandatory profiles

I don't want them to have this access.  I don't know what I have done wrong in setting up these mandatory profiles.

I created a shared folder called "Profiles$" in which I created the "Student-mandatory.man" folder.  Then copied (using system applet) the prepared profile from a workstation to this folder.  Renamed Ntuser.dat to ntuser.man.

Then created another shared folder "Students" which would contain the newly created home folders.  
"Students" folder share permissions:
administrator=full
students = read, change
teachers = read, change

"Students" NTFS permissions
admin = full
Creator=
System=
Users ("Domain"\users)= Read-execute, List folder, Read, Special=Create files\write data, Create folders\append data

I then created some student accounts on the DC, pointed to the "Student-mandatory.man" folder and the "Student" home folder.  Then logged on from a workstation.  The students' home folders were automatically created under "Student" and everything seemed fine until I realised that the students had read permissions to each other's folders.

Obviously I can go in and change the permissions on each individual student account to fix the problem but
1  The problem permissions are being inherited
2  How can I avoid this problem in the first stage of setting up each student profile, before their home folder is created, so that when it is created it has the correct permissions?
Alistair7 Asked:

Brian (IT Manager) Commented:
It looks like the reason is that you have the Students share permission as read and change, and the Users group (which includes the students) NTFS permission as Read-execute, List folder, Read, Special=Create files\write data, Create folders\append data.

With these permissions all users in the Students and Teachers groups will have read permission.  Take a look at the following article and see if that helps.
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Brian
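
The permission layout discussed above, as an added example that is not part of the original thread or the linked article: it sets the ACL on the home-folder root so the students' group ACE applies to that folder only and is never inherited by the per-user folders, then audits existing home folders. The path `D:\Students` and the group name `DOMAIN\Students` are assumed placeholders, and it assumes each home folder is either created by the student (so CREATOR OWNER applies) or given its own per-user ACE by the tool that creates it.

```powershell
# Added example. $Root and $StudentsGroup are assumed names; adjust before use.
# Run from an elevated Windows PowerShell session on the file server.
$Root          = 'D:\Students'       # assumed path behind the "Students" share
$StudentsGroup = 'DOMAIN\Students'   # assumed group containing the student accounts

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    # Arguments: identity, FileSystemRights, InheritanceFlags, PropagationFlags
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -Path $Root

# Stop inheriting from the parent and discard the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)

# Remove the existing explicit ACEs, including the inheritable read ACE for Users.
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Administrators and SYSTEM: full control on the root and everything below it.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# CREATOR OWNER: full control on subfolders and files only, so whoever
# creates a home folder gets control of it and nobody else does.
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

# Students: list the root and create a folder in it, on THIS FOLDER ONLY.
# InheritanceFlags 'None' is what keeps this ACE out of every home folder.
$studentRights = 'ListDirectory, CreateDirectories, Traverse, ReadAttributes'
$acl.AddAccessRule((New-AllowRule $StudentsGroup $studentRights 'None' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Check the result: the student group's row must show InheritanceFlags = None.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Audit existing home folders: report any where the student group still holds an ACE.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_
    (Get-Acl -Path $folder.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $StudentsGroup } |
        ForEach-Object {
            '{0}: {1} has {2} (inherited: {3})' -f $folder.Name, $StudentsGroup, $_.FileSystemRights, $_.IsInherited
        }
}
```

If the Teachers group needs to read student work, give it its own inheritable read ACE on the root rather than widening the students' ACE.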

Alistair7 (Author) Commented:
I'm a little surprised that I need to do so much modifying of permissions as described in the above article.  I would have thought that Windows would have automatically set the appropriate perms for the Administrator, System, Owner and Username ACEs when a new "home" user folder is created on the server the first time the user logs on to the domain.

I don't know if I made it clear enough above that I actually have 3 independent shares:

Profiles$ - in which all user profiles are stored.  Student mandatory and teacher roaming profiles.
Students - in which student user documents are stored within a folder with their username (these folders are created automatically by the system)
Teachers - in which teacher user documents are stored within a folder with their username.

Is this a silly thing to do - to save their documents into a separate folder outside of their Profile$ folders?
It seemed a good idea at first.

By the way Brian, I have opened yet another question on Ownership.  I'm sure you could answer it very quickly.
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21484872.html

I'm still in the process of setting up 2 systems at 2 small schools. (60 students each)  So I really need answers to these questions to get these systems up and running.  I'm having to use my summer holidays for this work, which I do not want to do actually.  