Locking Down Roaming Profiles Issue

In my environment I have Students and Teachers / Staff all in their own groups for Roaming Profiles. All the permissions are setup so students are denied access to staff Roaming profiles just incase something freaks out and shows them the path.
My problem is the Students, I had a student that dragged an image file from their profile into Chrome and it gives them their full path to that file. Now if that student goes to File://domain/roamingprofile, they can access other students files and folder. I have been going crazy trying to figure out how to block or disable this from happening. I'm not sure if this is a permission issue or what it is. I installed the Chrome GPO and tried blocking those links, as well as putting them in my Firewall. I think even IE does it now, i just dont know where to turn to on this matter.

Permission is as followed for Students on their Students_Home folder and all their roaming profiles are within the Students_Home folder.

Creator Owner - Full Control
System - Full Control
Admins - Full Control
IT - Full Control
Students - "Special" "This Folder Only" "Deny" "List Folder / Read Data"
Students - "Special" "This Folder Only" "Allow" "Create Files / Write Data, Create Folders / Append Data"

Shared Permissions

Creator Owner - Full Control
Admins - Full Control
IT - Full Control
Students - Change
Garrett DoutAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I didn't quite get the whole picture, but did you set up your permissions so that only Teacher1 has access to the home folder of Teacher1 and nobody else ? If permissions are set correctly, the path will not be accessible to anyone else (excluding admins).

You can even configure home folders for exclusive access (via GP), so that even admins cannot access users' home folders.
David Johnson, CD, MVPOwnerCommented:
Share Permission: Everyone Full control

Use the following settings for NTFS Permissions:
CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
System - Full Control (Apply onto: This Folder, Subfolders and Files)
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)  // I disagree with this one and should either not be there or this folder only
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

 If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Garrett DoutAuthor Commented:
Thank you so much, i will change the permissions and see if it fixes my issues.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

David Johnson, CD, MVPOwnerCommented:
And the results are?
Garrett DoutAuthor Commented:
I didnt want to change the permissions till this Thursday when the students go on Christmas Break. Just incase I would have to reimport the data from Veeam for some reason.
PberSolutions ArchitectCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: David Johnson CD MVP (https:#a42386768)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.