Creating home folder, how to do it?

Hey Guys! I am going to be setting up my 2nd ever magic triangle network soon and the first time I did it I wasn't over pleased with some of the permissions going wrong on the home folders for users and groups and so I wondered if someone could give me a few pointers/tips/instructions on the correct method; The network structure is AD > Users OU > sub-ou for each year of students so 2007, 2008, 2009. Withing 2008 (for example) are all the user accounts for students who started in 2008 and there is a user group (called 2008users) that contains all the 2008 users. On the OD server (which is also hosting home folders) I have a share point for each user group 2008, 2009 etc and I have created a group called 2008import which has the AD group 2008user nested inside it.This is where it goes blurry... How should the group folders be created on the Apple server and the user folders within those to make sure (because this was the problem with my last setup) no two users in the same OU group (2008users for example) can seen inside each others home folder but "Administrators" can still read and execute (but not wright). I was using the command line tool "createhomedir" because when setting the home folder location for the user account in AD it would try to make the folder and make a hash of the permissions (so I took away AD Administrator permissions from the share points and made them by hand). How does everyone else do this and what should I be doing? All windows clients are XP SP3 and Apple clients are a mix of 10.4.11 and 10.5.7. Thanks for reading guys any help is appreciated. Regards, James ;)