
We searched the internet for a long time before writing this long post, but we didn't find any solution to this specific case, even on Microsoft's website.


Long story to understand the context

We started a project with a Windows Server 2016, and it is the first time that we have applied the AGDLP model to configure the shared folders. Everything works fine except the roaming profiles.

For licensing and cost reasons, we can have only 2 virtual machines available with Windows Server: one dedicated to Active Directory, the second one for the shares and applications (no remote desktop access for users, just a piece of software running, and shared folders for documents and roaming profiles). That rules out a 3rd virtual machine to separate the software from the shares (without buying another Windows Server license). There are 2 different companies who can access the client's server: the first one as IT services (us), and the second one to manage a specific piece of software, which they need to install and update on their own. However, we don't want the 3rd company to be able to see the content of the shared folders, even though they need to be members of the server's "Builtin Administrators" group to be able to install the software, and of course without any access to the Active Directory server.


We configured the ACLs of each folder with the security groups (read, modify, full) and assigned the groups to other groups as recommended in the AGDLP model. However, we didn't add "BUILTIN\Administrators" to the access lists for the reasons mentioned above, and for security reasons we didn't add "Domain Admins" either (the Domain Admins group is reserved for administering Active Directory only; everything else has its own group).

Everything works fine except the "Homes" directory, where we have the users' roaming profiles and redirected folders. For security reasons, we would like only the user (Creator Owner) and a specific group named "Homes Administrators" to have access.

This group can access the profiles, BUT we are not able to change the rights of the folders inside, even though we are members of the group that has full rights over the folder and sub-folders. It looks like we need to be a member of "Administrators" (Builtin or domain) to be able to modify them.

Do you have experience with this situation, or do you have any suggestion that could help us move on?

As English is not our main language, we hope this post is clear enough. If not, or if you need more information, please tell us.

Thank you very much for your time and help :-)

SwissTico

0 Answers
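The check a practitioner would run on the "Homes" share described in the post, as an added example that is not part of the original post. Roaming-profile and redirected folders are created by the profile service with inheritance disabled and a DACL that grants only the user and SYSTEM (plus BUILTIN\Administrators when the "Add the Administrators security group to roaming user profile shares" policy is enabled; that policy cannot add a custom group such as "Homes Administrators"). A group granted Full Control on the parent therefore holds nothing on the child folders, which is consistent with the symptom in the post. The script below reports, per user folder, the owner, whether inheritance is protected and whether the delegated group actually holds Full Control there, and includes a repair function that only succeeds where the caller already has Change Permissions or ownership. The share path, domain name and group name are assumptions standing in for the poster's environment.

```powershell
# Added example (not code from the original post): audit the per-user folders
# under the "Homes" share and show where the delegated group's rights stop.
# Path, domain and group name are assumptions for illustration.
$HomesRoot  = 'D:\Shares\Homes'                 # assumption
$AdminGroup = 'CONTOSO\Homes Administrators'    # assumption (domain CONTOSO)

function Get-HomesAclReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Group
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
        } catch {
            # No READ_CONTROL here: the caller cannot even read this DACL,
            # so nothing granted on the parent has reached this folder.
            return [pscustomobject]@{
                Folder              = $_.Name
                Owner               = '<access denied>'
                InheritanceDisabled = $null
                GroupHasFullControl = $false
                FullControlHolders  = ''
            }
        }
        # Principals holding an Allow ACE that covers every Full Control bit.
        $holders = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -band $full) -eq $full } |
            ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Folder              = $_.Name
            Owner               = $acl.Owner
            InheritanceDisabled = $acl.AreAccessRulesProtected
            GroupHasFullControl = (@($holders) -contains $Group)
            FullControlHolders  = (@($holders) -join ', ')
        }
    }
}

function Grant-HomesAdminFullControl {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $Group
    )
    # Succeeds only if the caller holds "Change Permissions" (WRITE_DAC) on
    # $Folder or owns it. On a profile folder created with inheritance
    # disabled, a group that is merely granted rights on the parent has
    # neither, so Set-Acl fails with access denied. The folder then has to be
    # re-owned first by an account holding SeTakeOwnershipPrivilege
    # (Administrators by default) or SeRestorePrivilege (Administrators and
    # Backup Operators by default), e.g. with takeown/icacls /setowner.
    $acl  = Get-Acl -LiteralPath $Folder -ErrorAction Stop
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# Usage: run as a member of the delegated group, not as an administrator,
# so the report reflects what that group can really see and change.
Get-HomesAclReport -Root $HomesRoot -Group $AdminGroup |
    Format-Table Folder, Owner, InheritanceDisabled, GroupHasFullControl, FullControlHolders -AutoSize
```

Rows showing InheritanceDisabled = True and GroupHasFullControl = False are the folders where granting rights on the parent cannot help: the child DACL is self-contained, and only an owner or an account with the privileges named in the comment can rewrite it. Running the report as an administrator hides that, because the privilege check passes regardless of the DACL.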