This issue really ought to be much simpler to resolve than it has been so far. I've been trying things for long enough that nothing seems to make sense any longer, which is why I'm posting it here even though there are lots of articles on the web regarding user permissions on home folders.
Here's what I know:
I've inherited administration of a Windows Server 2008 R2 file server in a Windows domain (2008 schema). This domain was migrated from an SBS 2003 domain at some point in the past (I can see traces of the SBS structure in AD, as well as the existing group policy objects).
Our users' home folders are created by the system automatically when I create new users in AD. I had not been altering the permissions in any way. In addition, we have an SBS group policy still in effect that redirects the user's 'My Documents' folder to their home folder on the server (for backups).
And here's the problem:
I was recently approached by a new user who stated that she wasn't able to delete some data that she had stored in her home folder. As I looked into it, I found that while she had access to any files that she placed into her home directory, she didn't have access to the redirected 'My Documents' folders and files. As I looked at the security settings for the folder, it looked like she should have had access: she was listed as the folder owner (with full control, which is too much in my opinion, but it should have worked). When I looked at effective permissions for her user account, Windows believed that she should have had access.
This felt like a group policy problem of some sort to me, so I moved her user account to an OU I use for testing (it has inheritance blocked). After logging off and then back on, not only did she still not have access to her folders, but I couldn't view ownership or permissions data from the file server, even when logged on as the domain admin.
I was able to take ownership using 'takeown' and make the permissions look correct, but she still didn't have access. As a part of the troubleshooting, I moved my AD user into the same 'no policies' OU, and am now seeing the same issues with the home folder.
I did some googling and found the following ICACLS script to reset user permissions:
    REM Prompt for the user's logon name; the folder under E:\Home Directories must have the same name.
    set /p userDir=Enter the login of the user's directory you're modifying permissions for. (i.e. jDoe)
    REM Take ownership of the whole folder tree so the ACLs can be rewritten.
    TAKEOWN /f "E:\Home Directories\%userDir%" /r /d y
    REM Throw away every ACL in the tree and go back to inherited defaults.
    ICACLS "E:\Home Directories\%userDir%" /reset /T
    REM Grant the user Full Control, inherited by subfolders (CI) and files (OI); :r replaces any existing explicit grant for that account.
    ICACLS "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F
    REM Hand ownership of the tree back to the user.
    ICACLS "E:\Home Directories\%userDir%" /setowner "MYDOMAIN\%userDir%" /T
I modified it to fit my domain and ran it against my user folder. The script completed successfully, but I am still being denied access.
I'm at a loss at this point. So far, only 2 of the 80+ users are being affected, so I'm hesitant to run any scripts or make any changes that would affect the entire parent folder structure. However, it's obvious that I either have a permission issue that is being inherited down and causing problems, or a policy that is causing issues, or both. I'm afraid that the problem will continue to escalate as time goes on.
Does anyone have some advice on how to approach the issue?
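Before resetting anything at the parent level, it helps to see exactly how the two broken home folders differ from the healthy ones. The following PowerShell audit is an added example, not part of the original post or the ICACLS script above: it assumes the same root path E:\Home Directories and placeholder domain MYDOMAIN, that each top-level folder is named after the user's logon name, and that the reader runs it as an account that can read the ACLs. It reports, for each home folder and its immediate subfolders (where the redirected 'My Documents' lands), the owner, any Deny entries, and explicit non-inherited entries, and prints only the folders that deviate from the expected pattern.

```powershell
# Added diagnostic (not from the original post). Assumes the home folder root
# and MYDOMAIN placeholder from the poster's script, and that each top-level
# folder name equals the user's logon name. Written for PowerShell 2.0+.
param(
    [string]$HomeRoot = 'E:\Home Directories',
    [string]$Domain   = 'MYDOMAIN'
)
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-Subfolders($path) {
    Get-ChildItem -LiteralPath $path | Where-Object { $_.PSIsContainer }
}

# Audit each home folder plus its immediate subfolders (redirected 'My Documents').
$targets = foreach ($hf in Get-Subfolders $HomeRoot) { $hf; Get-Subfolders $hf.FullName }

$report = foreach ($dir in $targets) {
    # Logon name is the first path component below the root.
    $user = $dir.FullName.Substring($HomeRoot.Length).TrimStart('\').Split('\')[0]
    $expected = "$Domain\$user"
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch {
        # An ACL that cannot be read even as admin is itself the symptom described above.
        New-Object PSObject -Property @{ Path=$dir.FullName; User=$user; Owner='<unreadable>';
            Denies=''; Explicit=''; UserHasFull=$false; Note=$_.Exception.Message }
        continue
    }
    # Deny ACEs override Allow ACEs, so they are the first thing to look for.
    $denies   = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    # Non-inherited entries show where inheritance was broken by hand or by a script.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $hasFull  = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $expected -and
        (([int]$_.FileSystemRights -band $full) -eq $full) }).Count -gt 0
    New-Object PSObject -Property @{
        Path        = $dir.FullName
        User        = $user
        Owner       = $acl.Owner
        Denies      = ($denies   | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        Explicit    = ($explicit | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        UserHasFull = $hasFull
        Note        = ''
    }
}

# Show only folders that deviate from the expected pattern (owner = user,
# user has Full Control, no Deny entries) so the odd ones stand out.
$report | Where-Object { $_.Denies -or -not $_.UserHasFull -or $_.Owner -ne "$Domain\$($_.User)" } |
    Format-Table Path, Owner, UserHasFull, Denies, Explicit, Note -AutoSize
```

Comparing the Explicit and Denies columns of a broken folder against a working one usually shows whether the damage comes from a stray Deny, a broken inheritance chain, or a group policy that rewrote the redirected folder's ACL, which decides whether an ICACLS reset of that one tree is enough.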