We would like the Help Desk to have the responsibility of creating User Home folders instead of our 2nd level support. The help desk global group is already an Account Operator, so in Active Directory they are able to edit all User Attributes just fine.
The problem is figuring out the minimum level of permissions needed on the File Server to create the home share, without giving them access to everyone's home share.
So if they open AD Users and Computers, open the properties for a user, enter \\home\users\%username% in the Profile tab and then click OK, they get the following error.
The \\home\users\username home folder was not created because you do not have create access on the server. The user account has been updated with the new home folder value but you must create the directory manually after obtaining the required access right.
Right now I have given the Helpdesk group Full Control on the root folder only (no files or subdirectories).
The directory is actually created, but the permissions on the newly created folder only show administrators full control, and no permissions for the configured user account.
It sure sounds like I'd have to make the helpdesk local admins on the file servers, which is what I'd like to avoid. Especially since the file servers are a large cluster hosting much, much more than the entire org's home share structure.
Looks like it's the Share Permissions.
They need to be Full Control as well, instead of just read/write.
I really didn't want to give Full Control, even to the root folder, as it allows them to do more than I really want them to be able to do. But as long as they can't actually open other people's home directories, it should be fine.
You could use a batch script written with CPAU. This tool is basically like "runas" except that there is an option to pass the password for a privileged account in an "encoded" form (i.e. difficult to read, but not encrypted.)
The script would sit in the root of the share and the Helpdesk would have to run the script with a parameter such as "username". The CPAU tool would run the folder creation in an elevated context (maybe a local login with modify permissions on the HomeDirs folder).
And so on. It requires a little bit of thought to line up your ducks with this.
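A sketch of the folder-creation step such a script would perform, added here as an example rather than taken from the answer above or from CPAU itself: it creates one home folder and grants only that user access, so the account it runs under needs Modify on the home root, not local admin. The share root, domain name and ACL layout are assumptions.

```powershell
# Added example, not part of the original thread. Creates a single home folder
# and sets an explicit ACL on it. Assumed values: share root, domain name.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,64}$')]   # reject "\", "/", ".." etc. in the username
    [string]$UserName,

    [string]$HomeRoot = '\\home\users',           # assumed share root from the question
    [string]$Domain   = 'CONTOSO'                 # placeholder domain name
)

$path = Join-Path $HomeRoot $UserName
if (Test-Path $path) { throw "Home folder already exists: $path" }

# Confirm the account resolves in AD before touching the file system
$account = [System.Security.Principal.NTAccount]::new("$Domain\$UserName")
$null = $account.Translate([System.Security.Principal.SecurityIdentifier])

New-Item -ItemType Directory -Path $path | Out-Null

$acl = Get-Acl -Path $path
# Stop inheriting from the root so the Helpdesk's root-folder ACE does not
# flow into the new home folder; only the explicit entries below remain.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($entry in @(
    @{ Id = "$Domain\$UserName";      Rights = 'Modify'      },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $entry.Id, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $path -AclObject $acl
Write-Output "Created $path for $Domain\$UserName"
```

Because the script removes inherited ACEs, the Helpdesk account that created the folder keeps only the rights its ownership grants, which is what keeps it out of other users' home directories.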