Home Folder Rights

So, I always forget this stuff, but setting good home folder rights is THE way of automating home folder creation from AD to a share, or of allowing users to create backup folders on basically any share.

Source: TechNet Blog AD Team, plus my own tweaks

1. Turn off inheritance on the folder and copy the permissions. You do this by:

a. Click the Advanced button found on the Security tab.
b. Clear the "Allow inheritable permissions to propagate to this object" check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.

2. Click OK to return to the Security tab. Ensure we have the following permissions set and remove all others:

Administrators: Full Control (This folder, subfolders and files)
System: Full Control (This folder, subfolders and files)
Creator Owner: Full Control (Subfolders and files only)
Authenticated Users: Special (This folder only)

3. Change permissions for Authenticated Users and Creator Owner to match step 2. Now they cannot access other users’ folders but are allowed to create new ones on the top level. You do this by:

a. Click Advanced on the Security tab.
b. Click Authenticated Users and then click Edit.
   On the Applies to dropdown, select This Folder Only and check the following boxes:
   - Traverse Folder / Execute File
   - List Folder / Read Data
   - Read Attributes
   - Read Extended Attributes
   - Create Folder / Append Data
   - Read Permissions
c. Click OK
d. Now click Creator Owner and then click Edit
   On the Applies to dropdown, select Subfolders and Files only and check the following box:
   - Full Control
e. Click OK twice.
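
The same ACL from steps 1 to 3 can be applied in PowerShell. This is an added example, not part of the TechNet source: the path D:\Home, the helper New-HomeRootRule and the $Scopes table are assumptions made for illustration, and it needs PowerShell 5 or later in an elevated session. It drops the inherited entries instead of copying them, since step 2 removes everything except the four listed entries anyway.

```powershell
# Added example: apply the ACL from steps 1-3 to the home-folder root.
# Assumption: D:\Home is a placeholder path; run from an elevated session.
$Root = 'D:\Home'

# Well-known SIDs, so the script does not depend on localized account names.
$Administrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$System         = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$CreatorOwner   = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
$AuthUsers      = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# "Applies to" choices from the dialog as inheritance / propagation flags.
$Scopes = @{
    All          = @('ContainerInherit, ObjectInherit', 'None')         # This folder, subfolders and files
    ChildrenOnly = @('ContainerInherit, ObjectInherit', 'InheritOnly')  # Subfolders and files only
    FolderOnly   = @('None', 'None')                                    # This folder only
}

function New-HomeRootRule($Sid, [string]$Rights, [string]$Scope) {
    $inherit, $propagate = $Scopes[$Scope]
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # step 1: stop inheriting, drop inherited entries
# Step 2: remove every explicit entry that is left, so only the four rules below remain.
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRuleSpecific($rule) }

# Steps 2 and 3: the four entries, with the scopes and rights listed above.
$rules = @(
    (New-HomeRootRule $Administrators 'FullControl' 'All'),
    (New-HomeRootRule $System         'FullControl' 'All'),
    (New-HomeRootRule $CreatorOwner   'FullControl' 'ChildrenOnly'),
    (New-HomeRootRule $AuthUsers      'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions' 'FolderOnly')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Root -AclObject $acl

# Verify: expect exactly four entries, none of them inherited.
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

In the verification output, Authenticated Users should show no inheritance flags at all; if that entry inherits, users can read into each other's folders.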

Good security practice would also be to enable ABE (Access Based Enumeration) on Server 2003 and later. This will “hide” all shares that a user does not have permission to read. I like ABE, you should too. As a side note, it seems that Oracle Solaris is also capable of Windows-compatible ABE on *nix shares, very cool!

Now you are done!