If the user's profile folder does not exist when they first logon, the folder is created by a process in Userenv.dll, which sets:

Administrators = FULL
%username% = FULL
System = FULL

When the user logs off, no additional persmissions are set.

To workaround this behavior:

Pre-create the user's profile folder

          OR

Delete the user's profile folder after they logon but before they logoff.