I do this by logon script under the students OU. Works fine for correcting students as they logon, but not so great for correcting any historic data you may have.

The script runs once to correct the permissions and write a dummy text file to check for in future logons to save the hassle of recorrecting the perms every time.

\\server\share$ would be the name and share of the home folder location
domain\group would be your domain and group name you either want to add or remove.

If exist "\\server\share$\%username%\logon.txt" goto exit

REM Apply correct security settings to students folders
xcacls \\server\share$\%username% /t /c /g %username%:f "domain\administrator group":f "creator owner":f system:f /y

REM remove groups from folders
xcacls \\server\share$\%username% /e /t /r "domain\group"
Date /t >\\server\share$\%username%\logon.txt