NTFS Permissions for root share that houses Home Directories Windows Server 2008 R2

This is what I have in my favourites for reference:

http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

It also recommends setting share permissions as:

  • Everyone - Full Control
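
The NTFS entries listed above, applied with PowerShell and the .NET ACL classes. This is an added example, not part of the original answer or the linked article; the path `D:\Home` and the use of `$env:USERDOMAIN` to qualify Domain Admins are assumptions.

```powershell
# Added example. Run elevated on the file server.
# Assumptions: $Root is a hypothetical path; the operator is logged on with a domain account.
$Root = 'D:\Home'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Children    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# identity, rights, inheritance flags, propagation flags
$entries = @(
    # "Subfolders and Files Only" = inherit to children, skip the folder itself
    @('CREATOR OWNER', 'FullControl', $Children, $InheritOnly),
    # "This Folder, Subfolders and Files"
    @('NT AUTHORITY\SYSTEM', 'FullControl', $Children, $NoProp),
    @("$env:USERDOMAIN\Domain Admins", 'FullControl', $Children, $NoProp),
    # "This Folder Only": the four Everyone rights from the list, merged into one ACE
    @('Everyone', 'CreateDirectories, ListDirectory, ReadAttributes, Traverse', $ThisOnly, $NoProp)
)

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Protect the DACL from the parent and discard any inherited entries
$acl.SetAccessRuleProtection($true, $false)

foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e[1]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $rights, $e[2], $e[3], $Allow)
    $acl.AddAccessRule($rule)
}

# Replaces the folder's DACL with exactly the entries above
Set-Acl -Path $Root -AclObject $acl

# Review the result: the Everyone entry must show InheritanceFlags = None,
# otherwise its rights would flow down into every user's home folder.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```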

It's documented here:

https://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

Administrators: Full Control  
System: Full Control  
Creator Owner: Full Control  
Authenticated Users: Read & Execute, List Folder Contents, Read  

And you must further edit the ACE for Authenticated Users so that it only applies to This Folder Only.


Expanding on @Dan's answer...

Agree Creator Owner, but I never grant FC to users. This allows them to set their own DACLs, which, in my experience, brings a world of pain when the odd power-user (read "pain in the ar$e") removes permissions for SYSTEM, thus stopping you backing up their files. So, normally limit the user of the data to Modify (change in old-school parlance).

SYSTEM : FC, yes.

Domain Admins : Nope. Specify server's local administrators group.

Everyone : Why? Would personally never use "Everyone" anyway, as it includes non-authenticated users.

Share permissions - agree. They only serve to confuse access queries.