- The catalog containing all home users' catalogs does not inherit from the parent volume, but in turn grants full access on all child objects to the local admin group of this server (to allow further administration in critical conditions).
- In addition to that, each inner home catalog has Modify rights only for the corresponding %USERNAME% and Full Control for the Creator Owner.
- Each home catalog is shared separately as %USERNAME%$ with Change or Full Control for only the user himself.
I cannot comment if I don't know what you are actually looking for; however, I do wonder about statement number 2. Only the user has modify rights? But Creator Owner has full control? This seems to tell me that there may be files placed there for them to use, that you want to protect their change permissions on them, or delete subfolders and files, if this is a folder. If my assumption is correct, then in any circumstance where you want to control security on files within a folder, this is a very good move, as the Creator Owner group can help do just that.
It is also a very good idea to prevent permission inheritance when you develop permissions for files that might be overwritten from above. It is also a good idea, most agree, to maintain some administrative control over user files and folders, although (truth be told) an administrator can, of course, take ownership and get back control if it is necessary for administration. So when needs for security are higher (i.e., avoiding casual access to files), you can remove those administrative rights.
This was first published in June 2003
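
The layout from the three statements in the question, applied and then audited with PowerShell and `icacls`. This is an added example, not part of the original question or answer; the path `D:\Home`, the domain `CONTOSO` and the accounts `alice` and `bob` are assumed placeholders.

```powershell
# Added example. $HomeRoot, $Domain and $Users are hypothetical placeholders.
# Run elevated on the file server.
$HomeRoot = 'D:\Home'
$Domain   = 'CONTOSO'
$Users    = 'alice', 'bob'          # constructed sample accounts
$SidType  = [System.Security.Principal.SecurityIdentifier]

# Statement 1: explicit Full Control for local Administrators (S-1-5-32-544),
# inherited by all child objects, then cut inheritance from the volume.
New-Item -ItemType Directory -Path $HomeRoot -Force | Out-Null
icacls $HomeRoot /grant:r '*S-1-5-32-544:(OI)(CI)F' | Out-Null
icacls $HomeRoot /inheritance:r | Out-Null

foreach ($u in $Users) {
    $dir     = Join-Path $HomeRoot $u
    $account = "$Domain\$u"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Statement 2: Modify for the user, Full Control for CREATOR OWNER (S-1-3-0,
    # inherit-only, so it applies to objects the user creates below the folder).
    icacls $dir /grant:r "${account}:(OI)(CI)M" | Out-Null
    icacls $dir /grant:r '*S-1-3-0:(OI)(CI)(IO)F' | Out-Null

    # Statement 3: hidden per-user share, Change for the user only.
    if (-not (Get-SmbShare -Name "$u`$" -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name "$u`$" -Path $dir -ChangeAccess $account | Out-Null
    }

    # Audit: any NTFS trustee other than the three expected ones is drift.
    $userSid  = ([System.Security.Principal.NTAccount]$account).Translate($SidType).Value
    $expected = 'S-1-5-32-544', 'S-1-3-0', $userSid
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        $sid = $ace.IdentityReference.Translate($SidType).Value
        if ($sid -notin $expected) {
            Write-Warning "$dir : unexpected ACE $($ace.IdentityReference) $($ace.FileSystemRights)"
        }
    }
    # Audit: the share should list only the user, with Change.
    Get-SmbShareAccess -Name "$u`$" |
        Where-Object { $_.AccountName -ne $account -or $_.AccessRight -ne 'Change' } |
        ForEach-Object { Write-Warning "$($_.Name): unexpected share ACE $($_.AccountName) $($_.AccessRight)" }
}
```

Effective access over the network is the more restrictive of the share permission and the NTFS ACL, so both are audited for each home folder.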