NTFS Permissions for root share that houses Home Directories Windows Server 2008 R2
This is what I have in my favourites for reference:
http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx
- CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
- System - Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone - List Folder/Read Data (Apply onto: This Folder Only)
- Everyone - Read Attributes (Apply onto: This Folder Only)
- Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
It also recommends setting share permissions as:
- Everyone - Full Control
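The NTFS entries listed in the answer above, written as a PowerShell script. This is an added example, not part of the original answer or the linked TechNet post. `$Root`, the `CONTOSO` domain name and the helper names `New-Ace` and `Get-Sid` are assumptions; each "Apply onto" scope is expressed as the InheritanceFlags/PropagationFlags pair it corresponds to.

```powershell
# Added example. $Root and the CONTOSO domain name are assumed placeholders.
param(
    [string]$Root       = 'D:\Home',
    [string]$AdminGroup = 'CONTOSO\Domain Admins'
)

# "Apply onto" scope -> (InheritanceFlags, PropagationFlags)
$Scope = @{
    ThisFolderOnly        = 'None', 'None'
    ThisFolderSubAndFiles = 'ContainerInherit, ObjectInherit', 'None'
    SubfoldersAndFiles    = 'ContainerInherit, ObjectInherit', 'InheritOnly'
}

# Hypothetical helper: well-known SID string -> SecurityIdentifier
function Get-Sid($s) { New-Object System.Security.Principal.SecurityIdentifier($s) }

# Hypothetical helper: build one Allow ACE for the given scope
function New-Ace([System.Security.Principal.IdentityReference]$Identity,
                 [string]$Rights, [string]$ApplyOnto) {
    $inherit, $propagate = $Scope[$ApplyOnto]
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$admins = New-Object System.Security.Principal.NTAccount($AdminGroup)
$rules = @(
    (New-Ace (Get-Sid 'S-1-3-0')  'FullControl' 'SubfoldersAndFiles'),     # CREATOR OWNER
    (New-Ace (Get-Sid 'S-1-5-18') 'FullControl' 'ThisFolderSubAndFiles'),  # SYSTEM
    (New-Ace $admins              'FullControl' 'ThisFolderSubAndFiles'),  # Domain Admins
    # Everyone: the four "This Folder Only" rights combined into one ACE
    (New-Ace (Get-Sid 'S-1-1-0') 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' 'ThisFolderOnly')
)

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
foreach ($old in @($acl.Access)) { $acl.RemoveAccessRuleSpecific($old) }  # drop explicit ACEs
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Root -AclObject $acl

# Show the result so the scope of each ACE can be checked against the list
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

In the output, the Everyone entry should show `None` for both flag columns, which confirms it stops at the root and does not reach the per-user folders.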
It's documented here:
https://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
- Administrators: Full Control
- System: Full Control
- Creator Owner: Full Control
- Authenticated Users: Read & Execute, List Folder Contents, Read
And you must further edit the ACE for Authenticated Users so that it only applies to This Folder Only.
Expanding on @Dan's answer...
Agree Creator Owner, but I never grant FC to users. This allows them to set their own DACLs, which, in my experience, brings a world of pain when the odd power-user (read "pain in the ar$e") removes permissions for SYSTEM, thus stopping you backing up their files. So, normally limit the user of the data to Modify (change in old-school parlance).
SYSTEM : FC, yes.
Domain Admins : Nope. Specify server's local administrators group.
Everyone : Why? Would personally never use "Everyone" anyway, as it includes non-authenticated users.
Share permissions - agree. They only serve to confuse access queries.