If the user's profile folder does not exist when they first log on, the folder is created by a process in Userenv.dll, which sets:
Administrators = FULL
%username% = FULL
System = FULL
When the user logs off, no additional permissions are set.
To work around this behavior:
Pre-create the user's profile folder.
Delete the user's profile folder after they log on but before they log off.
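
One way to audit existing profile folders against the three Full Control entries listed above, as an added PowerShell example that is not part of the original page. The share path is a placeholder, and the script assumes each profile folder is named after the account it belongs to.

```powershell
# Added example (not from the original page). Assumed: the profile root below is
# a placeholder, and each folder is named after the account it belongs to.
$ProfileRoot = '\\server\profiles$'

function Test-ProfileFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Well-known SIDs avoid problems with localized group names.
    $expected = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-18'     = 'System'
    }
    $userName = Split-Path -Path $Path -Leaf
    try {
        $userSid = ([System.Security.Principal.NTAccount]$userName).Translate($sidType).Value
        $expected[$userSid] = $userName
    } catch {
        Write-Warning "Cannot resolve '$userName' to a SID; user entry not checked."
    }

    $full  = @{}   # expected SIDs that hold Full Control
    $extra = @()   # Allow entries for any other trustee
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid    = $rule.IdentityReference.Value
        $rights = [int]$rule.FileSystemRights
        # 0x1F01FF is FullControl; 0x10000000 is GENERIC_ALL, which some ACEs carry instead.
        $isFull = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
        if ($expected.ContainsKey($sid)) {
            if ($isFull) { $full[$sid] = $true }
        } else {
            $extra += $sid
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Missing = @($expected.Keys | Where-Object { -not $full.ContainsKey($_) } | ForEach-Object { $expected[$_] })
        Extra   = @($extra | Select-Object -Unique)
    }
}

# Report only the folders whose ACL differs from the three expected entries.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-ProfileFolderAcl -Path $_.FullName } |
    Where-Object { $_.Missing -or $_.Extra } |
    Format-Table -AutoSize -Wrap
```

Folders that were pre-created with a different ACL show up in the report with their additional trustees under Extra.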