This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 52%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hello all,
I have "simple" problem and DAC is simple solution for me. I have security group with users that can access certain folder on our FS (servers 2019). But they should be able to access mentioned folder ONLY from ONE or TWO workstations (win10 or server 2019)
Picture above represents NTFS permissions I want...and adding DEVICE claim should do the work. But DEVICE CLAIMS are NOT working. USER CLAIMS work.
1.GPO "kerberos armoring" for domain controllers (all 2016) is in place.
2.GPO "Kerberos client support for claims" is in place for needed workstations (win10)
SG-scanarhiva contains users, SG-PCclaim contains workstations from witch SG-scanarhiva should access folder testCN.
Like i mentioned user claims work. I created new "Claim type" in ADAC and tested it with department atribute. All users having for example "IT" string in department field can access folder. Users without cannot.
When i type "whoami /claims" i cmd i can clearly see claims for particular user.
Problem is whatever combination I try with DEVICE CLAIM, with any attribute (CN, department...etc) folder does not give NTFS access.
But if I test it in "effective access" looks like I should have permissions.
I really don't know how to troubleshoot Device claims... What is the difference between device and user claims?? Can you help me and point me to right direction ??
Additionally, i tried to make device claims based on department, CN and location... (same way like i do for users and for users it works). But with devices, No luck..
And I want't to check device claims by runing: New-Object System.Security.Principal.WindowsIdentity("PC$@keyman .local")
result is:
DeviceClaims : {}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.
Best Regards,
Thank you, If you need any aditional info let me know.
Hi,
I tried to follow the steps in my lab , and it can works well.
For your reference:
https://www.lepide.com/blog/dynamic-access-control-for-file-server-1/
https://www.lepide.com/blog/dynamic-access-control-for-file-server-2/
If there are any difference from what you did, please let me know.
Best Regards,
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Hello,
First of all thank you for your effort to help me.
Actually, I never made "Central access policy". Didn't have any need to create it.
What I did is.... Enabled GPOs, made new "Claim Type" by "attribute" for example "location attribute" (but i tried many others, like cn, department etc..) In "Resource Properties" I enabled "Confidentiality, Department, Folder usage".
And the rest is like in pictures, I added condition to folder ACLs. Done.
Now...biggest question is.... It works for user claims, but why identical procedure is not working with device claims. It should be same.
Did you make it work with device or user ??
Hi,
Here is my test :
In the folder permission entry , only assign the read permission for the authenticated users.
Then add the authenticated users again ,assign the modify permission , add user claim and device claim as following:
If users matches both the condition , then it will have the modify permissions.If not ,or only matches one of the two,it will only have the read permission.
Both the user and device claims work well.
Hello,
I did everything like you did, and more. Problem persists. User Claims work by any attribute, device claims do not work.
Effective access gives me all green but access is denied on folder itself. With user claim it works like a charm.
And all I need one simple device claim by CN attribute and that is all.
If you are part of security group SG-group and you are accessing from PC-withclaim access granted.
Can you make PC claim only by CN atribute, lets say all domain users can modify files if accessing them from PC-A ?? Biggest question now is what is the difference, what can I do wrong if user claims work, ad procedure is identical... ???
Hi,
For a test would you please tell how did you assign the share permission and the NTFS permission?
And how did you assign permission when add the device claims?
Best Regards,
Hi,@Pero
I tested a lot for the device claims.
As you said the user claims works but the device not working even it shows correctly in the effective access .
I would do more research about the issue.
If there are any progress , i would update here!
Thanks for your time and patience!
Best Regards,
Thank you,
I was testing myself...
1.made one "computer claim" by department, added suggestion "IT" and added "IT" to department PC-attribute
If you wish, I can do additional testing...
Any update on issue ?? Any ideas ??
Hi,
Here is my test .
Folder :dac final 2 has the following NTFS permission
And everyone full control on this folder.
Then i add a group dac group (contain user dac1 and user dac 2), give the group modify permission. And add a condition ,a device claims (department=IT) as following:
Then users(dac1 and dac2) have modify permission from the workstation (department=IT)
From the other workstation only have the read permission.