Windows Server: Home Folder Rights
Back in Windows 2000, when you specified a home folder in the Active Directory Users and Computers MMC, it would create the folder and set the NTFS permissions on that folder. Those permissions gave the Administrators group full rights and the user account full rights. The folder would NOT inherit anything from its parent folder.
In Windows Server 2003, this has changed slightly. The home folder now inherits rights from its parent folder. The dilemma here is that users will need 'read' rights on the main users folder so they can browse to their own home folder. However, because that right is inherited, this would allow everyone to read data in all the user folders. Not good. You can improve this by giving everyone only the 'list folder contents' right instead of read access. To further fix the problem, you can set that right so it is not inherited by child folders. Problem solved.
Here are the default Windows 2003 rights. It inherits from the parent folder:
Go to the parent folder, select the Users group, and click Advanced:
Select the Users group again, click Edit:
Change it from applying to this folder and all sub-folders, to just this folder:
When you are done, you will now see they have special permissions:
Example: You are the IT admin of a school. All of your students' home folders are stored in one share, \\MyServer\Students. You want the students to be able to browse this share and see the folders that exist in it. You want them to be able to open their own folder, but not other students' folders. In addition, you have a group for all of the teachers called Staff. You want the Staff group to be able to go into any student's folder and read/write/modify/delete anything inside it. To make this example happen, all you need to do is give the Staff group full permissions on the main students folder. Those rights will get inherited into each of the students' folders. Since the students aren't members of the Staff group, they will be able to open only their own home folder.
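The same permission layout scripted in PowerShell, as an added example that is not part of the original article: it sets the Users entry on the parent to "This folder only", gives Staff inherited full control, then checks that no home folder still inherits a Users entry. The local path `D:\Students`, the domain name `MYDOMAIN`, and the use of `BUILTIN\Users` as the group shown in the dialogs are assumptions.

```powershell
# Assumed names, not from the article: adjust to your environment.
$Parent = 'D:\Students'    # hypothetical local path behind \\MyServer\Students
$Users  = [System.Security.Principal.NTAccount]'BUILTIN\Users'
$Staff  = [System.Security.Principal.NTAccount]'MYDOMAIN\Staff'   # hypothetical domain group

$acl = Get-Acl -Path $Parent

# Remove the explicit Users entries, including the one that applies to
# "This folder, subfolders and files". Entries the parent itself inherits
# (for example from the drive root) are not touched by PurgeAccessRules.
$acl.PurgeAccessRules($Users)

# Users: list folder contents on the parent only.
# InheritanceFlags 'None' is what the GUI calls "This folder only".
$listOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Users, 'ReadAndExecute', 'None', 'None', 'Allow')
$acl.AddAccessRule($listOnly)

# Staff: full control that flows down into every home folder and file.
$staffFull = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Staff, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($staffFull)

Set-Acl -Path $Parent -AclObject $acl

# Verification: report any home folder that still carries an inherited Users entry.
$folders = Get-ChildItem -Path $Parent | Where-Object { $_.PSIsContainer }
foreach ($dir in $folders) {
    $leak = (Get-Acl -Path $dir.FullName).Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference.Value -eq $Users.Value
    }
    if ($leak) {
        Write-Warning "$($dir.FullName) still inherits: $($leak.FileSystemRights -join '; ')"
    }
}
```

A warning after the run usually means the Users entry comes from above the parent folder, so the parent's own inheritance has to be reviewed as well.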
Last updated: August 20, 2005