It may be possible with PDM Professional, not 100% sure. Lock all users from adding/deleting files to and from the vault, and in your macro, log in as an admin or create a new login as you mentioned.
Unfortunately, PDM isn't an option since most of the users are on standard licenses.
I would just get the macro to open up an FTP protocol or something similar, as over SMB you will have to log the user out and then log in with
or have the macro email the file to the server / Dropbox
Create a system file watcher service.
Install it on the server.
Create a dump folder on the server with read/write access.
When the new file goes in, the system file watcher service moves the file to its read-only folder.
The system file watcher service will have the rights it needs.
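
The drop-folder approach from the last reply, sketched as an added example that is not part of the thread and not anyone's production code. It assumes a polling pass rather than an OS file-change notification, and the folder names `dump` and `readonly`, the sample file names and the `sweep`/`demo` functions are all hypothetical.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sweep(drop_dir: Path, archive_dir: Path) -> dict:
    """One pass: move regular files from the user-writable drop folder
    into the archive folder that only the service account can write to."""
    result = {"moved": [], "skipped": []}
    for entry in sorted(os.scandir(drop_dir), key=lambda e: e.name):
        # Users control the drop folder, so accept plain files only;
        # a link or directory placed there is left alone, never followed.
        if entry.is_symlink() or not entry.is_file(follow_symlinks=False):
            result["skipped"].append((entry.name, "not a regular file"))
            continue
        target = archive_dir / entry.name
        # Write-once: a later upload with the same name must not replace
        # a file that is already archived. Only the service writes here
        # (assumption), so this check does not race with users.
        if target.exists():
            result["skipped"].append((entry.name, "already archived"))
            continue
        shutil.move(entry.path, target)
        # Clear every write bit on the archived copy.
        os.chmod(target, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
        result["moved"].append(entry.name)
    return result


def demo() -> dict:
    """Run one sweep over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        drop, archive = Path(tmp, "dump"), Path(tmp, "readonly")
        drop.mkdir()
        archive.mkdir()
        (drop / "part-001.pdf").write_text("rev A")       # new upload
        (drop / "part-002.pdf").write_text("overwrite")   # name collision
        (archive / "part-002.pdf").write_text("released")
        (drop / "subdir").mkdir()                         # not a file
        out = sweep(drop, archive)
        out["kept"] = (archive / "part-002.pdf").read_text()
        out["mode"] = stat.S_IMODE(os.stat(archive / "part-001.pdf").st_mode)
        return out
```

On a Windows server the `chmod` call only sets the read-only attribute; the protection that matters there is the NTFS permission on the archive folder granting write access to the service account alone.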