Any way to lock down redirected My Documents folders?

[wcrouse]

I'm the admin of a small school lab where I've successfully redirected
"My Documents" to a file server. Per Microsoft's instructions, I've
set it up so both the student user and the administrator get full
control, a necessary precation in this environment. The problem is
that the students, with full rights and as owners, remove the admins
from the permissions list to ensure that they can protect their
folders from the prying eyes of adults. Also, this means they can run
any executables they have downloaded into 'My Documents' on our
network. So -- is there any way to restrict the individual student
folders that have been redirected? Sure, admins can always retake
ownership, but with hundreds of redirected folders that's really not
practical. Thanks for any pointers!

 

[Erik Nettekoven]

You could give the students 'Special permissions' then I suggest you turn
off (or even 'deny', because 'deny' overrules any allow permission.) the
'Change Permissions' and the 'Take Ownership' special rights.

Hope it's worth something. Goodluck anyway!

 

[Bruce]

I also have a lab to maintain. Instead of using the
redirection to create the folders, I create their folders
in advance using a script and xcacls.exe utility and set
permissions to Modify. (This works easily when the folder
name and user id is the same.)

 

[wcrouse]

Good idea, however I did try this. The problem is that as folder
redirection creates each individual folder, the student is the owner,
and can simply uncheck the 'inherit permissions' box, copy, then
delete whatever policy offends them. It appears that Ownership takes
precedence even over 'Deny'.