How do I prevent all users access to the local Admin's My Documents

GvIntern

Hey everyone,

First post here as we are having some issues at my job. We're a small-sized school district and we are in the process of currently attempting to create a universal image to roll out across the district. As part of the initial process, we are following a Spiceworks-directed tutorial to create the image and we are enabling the local administrator account. After imaging, there are a few other things that need to be done on each individual machine, so we have a "tech" folder set up to allow our techs to go step by step to get the machine to where we want it to be. Once a machine is imaged, it is then added to our domain.
The issue we are having is that whether we place this 'tech' folder on the desktop, the Admin's desktop, or the Admin's My Documents folder, any other user on the computer (even non-admins) is getting access to the Administrator's user folders (including desktop and documents). This means that any enterprising student can search hard enough and find it, and then access the files in the tech folder.

Now, it is our practice to then disable the local admin account after imaging, before sending the machine out. However, on the off chance one of the techs forgets or has a lapse in procedure, this could result in a few non-critical, but still important, pieces of software being accessible to all users.

Our question is this: What could be causing this lapse in policy? Or are we misunderstanding the way Win7 operates the local Admin account? Our understanding is that no users should by default have access to the Admin's files, so there must be something in the way we are creating the image that is causing this issue. Is there something we can do using domain GPOs or local GPOs to prevent this?

The image we are using is a Sysprepped, generalized image of Windows 7 Professional, 64-bit. Our domain is using Windows Server 2008 R2. We have fairly strict GPOs on our domain, but are unsure where to locate this specific issue. Any help would be greatly appreciated, and if there is any other information needed, I will be glad to provide what I can. Thanks!
 

No users have access to any other user's profile directory, "C:\Users\[username]". The only way they can get access is if they are an Administrator. The next way is if you are changing the permissions to give everyone access. But the default state for Windows is no user has access to another user's profile directory. Most likely you have done something to set it up to give users access, or your method for detecting this is flawed. (I.e. you are using an Admin account to check the access of the directory; an Admin account can and will override permissions to give itself access.)
 

That is what we thought, but where would we check to verify each individual user's permissions? We have tested with a number of different accounts (4 to be exact) and none of them are admins. They are all in the regular users group, and we verified in both AD and on the local machine that they do not have Admin access. Yet while using these accounts (3 of them are actual student accounts, the other is our Test Student account) we can access the C:\Users\Administrator folders and all files within.

Is it something to do with the generalize option in the Windows Sysprep for creating the universal image? Or is it coming down through our domain?
 

Also, we have noticed that whenever you log in as any other user, the contents of the Administrator's My Documents are being populated in all users' My Documents folders. We just noticed this.
Our thought is that there is something going on with the Sysprep that is causing this.
 

I'm not sure what you could have done to get that mess, unless you used "CopyProfile" to modify the default user account by copying the Administrator account after you finished modifying it.

Anyway here is the default permission I have on my Administrator account folder:
perms.png
 

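
One way to run the check the replies describe, as an added example that is not part of the original thread: it reads the ACLs on the Administrator profile folders and reports any Allow entry for a group every user belongs to, then looks for CopyProfile in the cached Sysprep answer file. The function names are hypothetical, and the `%WINDIR%\Panther\unattend.xml` location is an assumption about where the answer file was cached on the imaged machine.

```powershell
# Added example, not from the thread. Run elevated on an imaged test machine.
# It reads the ACL instead of trying to open the folder, so the result does not
# depend on which account runs it (the pitfall the first reply points out).
function Get-BroadProfileAccess {
    param([string[]]$Path = @('C:\Users\Administrator',
                              'C:\Users\Administrator\Desktop',
                              'C:\Users\Administrator\Documents'))
    # Well-known SIDs of groups that every ordinary user is a member of.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }
        $acl = Get-Acl -Path $p
        # Request SIDs, not names, so localized or renamed groups still match.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid  = $r.IdentityReference.Value
            $name = $broad[$sid]
            # Domain Users has a per-domain SID ending in RID 513.
            if (-not $name -and $sid -match '^S-1-5-21-.+-513$') { $name = 'Domain Users' }
            if ($name -and $r.AccessControlType -eq 'Allow') {
                New-Object PSObject -Property @{
                    Path = $p; Principal = $name
                    Rights = $r.FileSystemRights; Inherited = $r.IsInherited
                }
            }
        }
    }
}

# Returns $true if the answer file enables CopyProfile, $null if no file is found.
function Test-CopyProfile {
    param([string]$AnswerFile = "$env:windir\Panther\unattend.xml")  # assumed location
    if (-not (Test-Path $AnswerFile)) { return $null }
    [bool](Select-String -Path $AnswerFile -Quiet `
               -Pattern '<CopyProfile>\s*true\s*</CopyProfile>')
}

$hits = @(Get-BroadProfileAccess)
if ($hits.Count -eq 0) { 'No broad Allow entries on the Administrator profile.' }
else { $hits | Format-Table Path, Principal, Rights, Inherited -AutoSize }
"CopyProfile set in cached answer file: $(Test-CopyProfile)"
```

On a default install the profile folder grants access only to SYSTEM, Administrators and the profile's own user, so any row this prints is a deviation introduced by the image or by policy; the Inherited column shows whether the entry was set on the folder itself or comes from a parent.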