Removed user from group, user no longer has access to documents even though user is owner of documents

I'm running a Server 2012 Std domain and I'm in the process of rebuilding our file server after we had some pretty serious permission issues. Bad permissions (Everyone had full access to the user documents share) were migrated when we moved to the new server, and then by some strange Monday morning freak-out all users lost access to their documents. I restored from backups, redirected everyone's folders back to the local computer and started to reconfigure the share permissions. I moved our administration group back to the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396, Table 1; the only difference is that instead of creating a new security group for redirection users, I used the Everyone group) to test, and everything went perfectly. The GPO created the users' folders under the root and redirection was good to go. Along with that, other users cannot access other users' documents anymore, which was the intended outcome.

Last night I was looking at security groups and saw that our administration group (back office group: accounting, HR, etc.) was a member of Domain Admins. I removed them from the Domain Admins group and added them to the Administrators group (they do need regular admin access), then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately thought that permissions were broken again and started to get angry, but then realized that all the files are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the Domain Admins group, logged out, logged back in, and the documents are back and accessible by the user. Remove them from the Domain Admins group, log out, log back in, and the documents are inaccessible again. Re-add to the Domain Admins group and back to normal.

Which leads me to now. If the users are part of the Domain Admins group, they have access to their files. If they are removed from the Domain Admins group, they lose access. When they lose access, they are still the owners of the files/folders with full permissions, yet they can't access their documents. Also, just to add, the Domain Admins group has no specified permissions on the files or folders. See screenshots below.

Here is the root share. 

And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.

Any ideas why removing the group from Domain Admins would drop access to their files? They are still the owners of the files and should have full access, but they don't. Is there something I'm not seeing here?

March 27th, 2015 10:25am

Notes:

  • You can use the Effective Access tab to verify if a certain user has access to this item.
  • Removing a user/group from the Domain Admins domain group, and placing them in the Administrators domain group will not grant them Administrative access to member servers.  The Administrators domain group is for the domain controllers only.

In your second screen shot:

  • If your user (M*) is not a member of this server's Administrators group, then they have no access to any files in this folder tree.
  • The user only has Full control to subfolders and files that they create from now on, but they do not have permissions to create new files/folders.
  • You said that when you restored the data, you reset the owner/permissions.  If so, then this user doesn't have access to any files/folders in this directory tree because they aren't the owner of those files.  Even if they are, CREATOR OWNER is only applied to folders, not files.

Suggestions:

  • Remove CREATOR OWNER from the permissions (it's not helpful when working with dedicated "home directories").
  • Add the user (M*) with Modify (or Full Control) to this folder, subfolders and files.

You'll want to do this for each user's private folder.  This is easily scriptable if you have many users.

March 27th, 2015 11:07am
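The reply above says granting each user Modify on their own folder is "easily scriptable". The following is an added example of such a script and is not from the thread or from Microsoft. It assumes a share root of D:\UserData, a domain named CONTOSO, and that each user's folder is named after their sAMAccountName; all three are hypothetical and must be changed to match your environment. Run it elevated on the file server, with -WhatIf first to preview what it would touch.

```powershell
# Added example (not from the original thread): for each per-user folder under the
# share root, grant the matching domain user Modify on this folder, subfolders and
# files, and drop the explicit CREATOR OWNER entry the reply recommends removing.
# Assumptions (hypothetical): root D:\UserData, domain CONTOSO, folder name == sAMAccountName.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = 'D:\UserData',
    [string]$Domain = 'CONTOSO'
)

$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$modify   = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Resolve the account to a SID first so a folder that does not match a real user
    # is skipped instead of failing half-way through an ACL write.
    try {
        $sid = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping $($dir.FullName): cannot resolve $account"
        continue
    }

    $acl = Get-Acl -Path $dir.FullName

    # Collect the explicit CREATOR OWNER entries before removing them; removing while
    # enumerating $acl.Access would modify the collection under the pipeline.
    $creatorOwner = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' -and -not $_.IsInherited })
    foreach ($ace in $creatorOwner) { [void]$acl.RemoveAccessRule($ace) }

    # One explicit Allow:Modify ACE for the user, applied to this folder, subfolders and files.
    $rule = New-Object $ruleType -ArgumentList $sid, $modify, $inherit, $prop, $allow
    $acl.SetAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $account Modify; remove CREATOR OWNER")) {
        Set-Acl -Path $dir.FullName -AclObject $acl

        # Files restored from backup may carry their own explicit ACLs (the "Everyone
        # Full Control" leftovers). Reset the children only (note the \*), so they
        # inherit from the folder just fixed; the folder's own new ACE is kept.
        & icacls.exe "$($dir.FullName)\*" /reset /T /C /Q | Out-Null
    }
}
```

The icacls reset is deliberately scoped to the folder's contents: running `/reset /T` on the folder itself would replace the explicit Modify entry just written with whatever the share root passes down. Check one user's folder and a file inside it with `icacls` afterwards before rolling the script over the whole share.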

Effective Access shows the user has full control of the Desktop folder

I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 

As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files. The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?

I'm not saying you're wrong, I'm just curious why the TechNet article would advise CREATOR OWNER giving Full Control of subfolders and files only if that were not correct. I can add the permissions for the users easily; I just don't see why I need to give explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and folders.

When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.

March 27th, 2015 12:03pm

Effective Access shows the user has full control of the Desktop folder

This is a problem with the Effective Access tab when using CREATOR OWNER.  As you have noticed, the user doesn't really have the access that the tab says it does.  This is because of how CREATOR OWNER works.

CREATOR OWNER is only evaluated when a file/folder is created. If a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.

To see this:

  1. Log on as an administrator and create a file in the Desktop folder in your screenshot.
  2. Examine the permissions of the new file.
  3. You'll see that there is a new entry for the account you logged on with.
  4. CREATOR OWNER is gone.  CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").

In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.

To fix this, you need to grant the users the ability to list the directory contents and create new files/folders.  This corresponds with the suggestion of Table 1 in the document you found.

I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 

No, scary!  This will grant those users administrative permission on your server.  They will be able to see any file anywhere on that server.

If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder.  Like this for Test User:

Notes for above:

  • I set the user's permission to Modify because there is no good reason why the user should change these permissions
  • The owner of this folder is unimportant.  I leave it set to Administrators
  • You can, and I do, remove CREATOR OWNER.  It adds no value in this situation and just causes confusion.

As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files. The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?

If this works as you say, then yes, it should work.  But I don't see the entries for user M*.  Remember, there should be entries for the M* user that are a duplicate of CREATOR OWNER.

I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward.  This does not duplicate the CREATOR OWNER entries as needed.  If this is the case, I consider it a flaw because your permissions do not allow user M* to create files/folders, and group policy shouldn't bypass security.

I'm not saying you're wrong, I'm just curious why the TechNet article would advise CREATOR OWNER giving Full Control of subfolders and files only if that were not correct. I can add the permissions for the users easily; I just don't see why I need to give explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and folders.

When I restored the data, no permissions were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.

A couple things:

  • The article instructed the use of Folder Redirection Users group that had permissions to create files.  Your examples didn't have that.  Because of this, your user could create new files.
  • The article assumes that the directories you are creating will be empty.  Existing files will be unreadable to everyone except Admins.
  • If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
  • One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work.  A benefit, I guess.
  • But I like my users separate and unable to see each other's files -- at all.  This is why I recommend replacing CREATOR OWNER with the specific user.
  • I believe this document is a "how to get it done" document, not necessarily a best practices document.  I see it as a starting point, and that's why I didn't follow it exactly.
  • Lastly, CREATOR OWNER permissions are useful but confusing.  I avoid them unless I have the rare circumstance where they are perfect.


To summarize:

In the user's directory, you need to provide permission to list and create new files/folders, and you need grant the user permission to the existing files.

March 27th, 2015 2:42pm
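The four-step check in the reply above (create a file and a folder under a CREATOR OWNER-protected directory, then compare their ACLs) can be reproduced on a scratch folder without touching the real share. The script below is an added example, not from the thread or from Microsoft; it builds a folder under %TEMP% with a Table 1-style layout (the creating user gets only create/list rights on the folder itself, CREATOR OWNER gets Full Control on subfolders and files only, SYSTEM gets Full Control everywhere), creates one file and one subfolder, and prints each object's ACEs. The folder name, the helper function name and the sample file names are this example's own choices.

```powershell
# Added example (not from the original thread): observe what CREATOR OWNER turns into
# on newly created files and folders. Run from a NON-elevated prompt: an elevated
# token's default owner is BUILTIN\Administrators, so the substituted ACE would name
# that group instead of your account. The scratch folder name is hypothetical.
$lab = Join-Path $env:TEMP ('creator-owner-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $lab | Out-Null

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # current user's SID

# Small helper: build an Allow ACE; strings are coerced to the enum types by New-Object.
function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $lab
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting from %TEMP%, keep nothing
# Layout modelled on Table 1 of the folder-redirection article:
$acl.AddAccessRule((New-Ace $me 'CreateFiles, CreateDirectories, ListDirectory' 'None' 'None'))
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
Set-Acl -Path $lab -AclObject $acl

# Create one file and one folder as the current user.
$file = New-Item -ItemType File      -Path (Join-Path $lab 'note.txt')
$sub  = New-Item -ItemType Directory -Path (Join-Path $lab 'sub')

function Show-Aces([string]$Path) {
    "`n== $Path"
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0,-30} {1,-40} inherited={2,-5} flags={3}' -f $_.IdentityReference,
            $_.FileSystemRights, $_.IsInherited, $_.InheritanceFlags
    }
}

# On the file: an ACE for $me stands where CREATOR OWNER was; CREATOR OWNER itself is absent.
Show-Aces $file.FullName
# On the subfolder: the same ACE for $me, PLUS the CREATOR OWNER ACE carried down
# (inherit-only) so that objects created inside it get the same treatment.
Show-Aces $sub.FullName

# Cleanup: the folder itself only grants $me create/list, but as owner we can still
# change its DACL, so grant Full Control back before deleting the tree.
$acl = Get-Acl -Path $lab
$acl.AddAccessRule((New-Ace $me 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
Set-Acl -Path $lab -AclObject $acl
Remove-Item -Path $lab -Recurse -Force
```

The same layout is also what makes the Effective Access tab misleading on the parent folder: it resolves CREATOR OWNER against the folder's current owner and reports Full Control, while the DACL that is actually evaluated on the folder contains only the create/list ACE. What matters for a user's existing files is the substituted ACE on each file, which is exactly what this script prints.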
