Home directory permissions

[Xander]

If I create a new user and add a network location for his/her home directory
under the profile tab, a home directory is automatically created with as
default persmissions the User having full control and the Domain Admins
having full control. No other permissions. My question is, where do the
Domain Admins permissions come from since "Allow inheritable permissions
from parent to propagate to this object" is turned off? I did some searching
already, assuming it probably is a GPO in which this is configured, but I
have not found it so far and I can not imagine this being a default
permission, or is it?

 

[Herb Martin]

If I create a new user and add a network location for his/her home
directory under the profile tab, a home directory is automatically created
with as default persmissions the User having full control and the Domain
Admins having full control. No other permissions. My question is, where do
the Domain Admins permissions come from since "Allow inheritable
permissions from parent to propagate to this object" is turned off? I did
some searching already, assuming it probably is a GPO in which this is
configured, but I have not found it so far and I can not imagine this
being a default permission, or is it?

No it is (as far as I know from way back in NT days) a feature of the
management console which adds the Admins FC for the users area to
allow admins to assist the user.

You can subsequently change this with Cacls.exe (or XCacls.exe) or
Explorer but be careful because doing so incorrectly can make the Home
directory difficult to use.