Let me start off by saying this isn't a question about getting home directories to work properly for multiple users. I am looking for some documentation on securing file servers and shares for home directory use. Situation I am dealing with is this:
Our CEO does not like the fact that anybody in the admins group can see her home folder and its contents. I have restricted the Local System account down to read/write permissions so I can back up her directory and removed all of the permissions of Domain Admins down to read/write attributes and read/write/change permission entries on the top (root of the share) directory and below.
My issue mainly is that my understanding of things leads me to think that if I pull Domain Admins off of that directory security I make it harder to manage at the root level and her level and to do anything later I would have to take ownership of the folder or have her walk through adding a proper user or group back in to then give us correct permssions, while not really effectively increasing the security because I can still take ownership and break my way back in if I or anybody in domain admins wanted to.
So, does anybody know of the proper way to secure the server and share? There has to be a way. I have thrown out the idea of EFS on her home directory but there has to be downsides to that I am not aware of it seems. Also talked about RMS (Rights Management Services) but that only works on Office files, not PDF's and such. I have googled and searched bing about this but I am only turning up articles on fixing permissions for general home directory setup, nothing in depth.