I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we move to the new server and then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the intended outcome.
Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal.
Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
Here is the root share.
And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?