I don't want them to have this access. I don't know what I have done wrong in setting up these mandatory profiles.
I created a shared folder called "Profiles$" in which I created the "Student-mandatory.man" folder. Then copied (using system applet) the prepared profile from a workstation to this folder. Renamed Ntuser.dat to ntuser.man.
Then created another shared folder "Students" which would contain the newly created home folders.
"Students" folder share permissions:
students = read, change
teachers = read, change
"Students" NTFS permissions
admin = full
Users ("Domain"\users)= Read-execute, List folder, Read, Special=Create files\write data, Create folders\append data
I then created some student accounts on the DC, pointed to the "Student-mandatory.man" folder and the "Student" home folder. Then logged on from a workstation. The students home folders were automatically created under "Student" and everything seemed fine until I realised that the students had read permissions to each others folders.
Obviously I can go in and change the permissions on each individual student account to fix the problem but
1 The problem permissions are being inherited
2 How can I avoid this problem in the first stage of setting up each student profile, before their home folder is created, so that when it is created it has the correct permissions?