Dynamic access control (DAC): user claims work, device claims do not

Pero 66 Reputation points

Hello all,

I have a "simple" problem and DAC is a simple solution for me. I have a security group with users that can access a certain folder on our file server (Server 2019). But they should be able to access the mentioned folder ONLY from ONE or TWO workstations (Windows 10 or Server 2019).


The picture above represents the NTFS permissions I want... and adding a DEVICE claim should do the work. But DEVICE CLAIMS are NOT working. USER CLAIMS work.

1. The GPO "Kerberos armoring" for domain controllers (all 2016) is in place.

2. The GPO "Kerberos client support for claims" is in place for the needed workstations (Win10).

SG-scanarhiva contains the users, SG-PCclaim contains the workstations from which SG-scanarhiva should access the folder testCN.

Like I mentioned, user claims work. I created a new "Claim type" in ADAC and tested it with the department attribute. All users having, for example, the string "IT" in the department field can access the folder. Users without it cannot.

When I type "whoami /claims" in cmd I can clearly see the claims for a particular user.

The problem is that whatever combination I try with a DEVICE CLAIM, with any attribute (CN, department, etc.), the folder does not give NTFS access.

But if I test it in "Effective Access", it looks like I should have permissions.



I really don't know how to troubleshoot device claims... What is the difference between device and user claims? Can you help me and point me in the right direction?

Additionally, I tried to make device claims based on department, CN and location... (the same way I do for users, and for users it works). But with devices, no luck.

And I wanted to check the device claims by running: New-Object System.Security.Principal.WindowsIdentity("PC$@keyman .local")

The result is:

DeviceClaims : {}
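Device claims are not something the file server can pull on its own: the KDC adds them to the service ticket only when the client performs compound authentication against that service, the service's computer account has to advertise that it supports compound identity, and the workstation object itself has to carry the attribute the claim is sourced from. The script below is an added example (not code from this thread or from Microsoft) that audits those prerequisites from a domain-joined box with the RSAT ActiveDirectory module. The host names FS01 and WS01, the source attribute "department", the use of WinRM for the remote registry read, and the assumption that the client Kerberos policy shows up as the EnableCbacAndArmor value are all assumptions; the bit values for msDS-SupportedEncryptionTypes are the ones documented in MS-KILE section 2.2.7.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Audits the prerequisites a device claim
# depends on. Assumed names: FS01 (file server), WS01 (workstation that should carry
# the claim), "department" (AD attribute the device claim is sourced from).
param(
    [string]$FileServer  = 'FS01',
    [string]$Workstation = 'WS01',
    [string]$SourceAttr  = 'department'
)

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE 2.2.7.
$KerbFlags = [ordered]@{
    FastSupported             = 0x10000  # Kerberos armoring (FAST) supported
    CompoundIdentitySupported = 0x20000  # service wants clients to send compound identity
    ClaimsSupported           = 0x40000  # account may receive claims in its PAC
}

function Get-KerbCapability {
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes', $SourceAttr
    $v = [int]$c.'msDS-SupportedEncryptionTypes'
    $o = [ordered]@{ Computer = $ComputerName; RawValue = ('0x{0:X}' -f $v) }
    foreach ($name in $KerbFlags.Keys) { $o[$name] = (($v -band $KerbFlags[$name]) -ne 0) }
    $o["Attr_$SourceAttr"] = $c.$SourceAttr   # the value the device claim would carry
    [pscustomobject]$o
}

# Assumption: the client policy "Kerberos client support for claims, compound
# authentication and Kerberos armoring" is reflected by EnableCbacAndArmor = 1 here.
function Get-ClientClaimSupport {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
        $val = (Get-ItemProperty -Path $key -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; EnableCbacAndArmor = $val }
    }
}

function Test-DeviceClaimPrereqs {
    $findings = @()
    $fs  = Get-KerbCapability -ComputerName $FileServer
    $ws  = Get-KerbCapability -ComputerName $Workstation
    $cli = Get-ClientClaimSupport -ComputerName $Workstation

    if (-not $fs.CompoundIdentitySupported) {
        $findings += "$FileServer does not advertise compound identity, so clients send user claims only. Apply 'Support compound authentication' (Computer Configuration > Administrative Templates > System > Kerberos) on the file server and reboot it."
    }
    if ($cli.EnableCbacAndArmor -ne 1) {
        $findings += "$Workstation has no claims/compound/armoring client support (EnableCbacAndArmor is not 1); check the client Kerberos policy and run gpupdate."
    }
    if ([string]::IsNullOrEmpty($ws."Attr_$SourceAttr")) {
        $findings += "$Workstation has an empty '$SourceAttr' attribute, so the device claim has no value and the ACE condition can never match."
    }
    [pscustomobject]@{ FileServer = $fs; Workstation = $ws; Client = $cli; Findings = $findings }
}

$r = Test-DeviceClaimPrereqs
$r.FileServer, $r.Workstation, $r.Client | Format-List
if ($r.Findings) { $r.Findings | ForEach-Object { Write-Warning $_ } }
else { 'All device-claim prerequisites look in place.' }
```

A user claim only needs the user's own ticket, which is why the user-side test passes while the device side stays empty; the first warning this script raises is the one to chase first, because without the compound-identity flag on the file server the workstation never includes its device identity in the ticket request at all.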

7 answers

  1. Fan Fan 15,061 Reputation points


    I tried to follow the steps in my lab, and it works well.
    For your reference:
    If there is any difference from what you did, please let me know.
    Best Regards,

  2. Pero 66 Reputation points


    First of all thank you for your effort to help me.

    Actually, I never made a "Central access policy". I didn't have any need to create it.

    What I did is... enabled the GPOs, made a new "Claim Type" by "attribute", for example the "location" attribute (but I tried many others, like cn, department, etc.). In "Resource Properties" I enabled "Confidentiality, Department, Folder usage".

    And the rest is like in the pictures: I added the condition to the folder ACLs. Done.

    Now... the biggest question is... it works for user claims, but why is the identical procedure not working with device claims? It should be the same.

    Did you make it work with device or user claims?


  3. Fan Fan 15,061 Reputation points

    Here is my test:

    1. GPO "Kerberos armoring" for domain controllers (on the Default Domain Controllers Policy)
    2. GPO "Kerberos client support for claims" (on the Default Domain Policy)
      Create user claim
      Create device claim

    In the folder permission entry, only assign the Read permission to Authenticated Users.
    Then add Authenticated Users again, assign the Modify permission, and add a user claim and a device claim as follows:
    If a user matches both conditions, it will have the Modify permission. If not, or if it matches only one of the two, it will only have the Read permission.
    Both the user and device claims work well.
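The layout described in this answer (a plain Read ACE plus a conditional Modify ACE that tests both a user claim and a device claim) is visible in the folder's DACL as SDDL, and reading it back is the quickest way to confirm that the condition was actually written against @Device. rather than @User. The script below is an added example, not code from the thread or from Microsoft: it splits the DACL into ACEs by tracking parenthesis depth (a plain regex cuts nested conditions short) and classifies each conditional ACE. The sample SDDL is constructed for offline use; on a real folder the claim attributes appear by claim ID (e.g. @User.ad://ext/department:...), but the @User. / @Device. prefix the script keys on is the same. The rights masks 0x1200a9 (Read & Execute) and 0x1301bf (Modify) are the standard file-system values.

```powershell
# Added example, not code from the thread. Lists the conditional (XA) ACEs of a
# folder's DACL and reports whether each condition tests user claims, device claims
# or both. Without -Path it parses a constructed sample DACL.
param([string]$Path)

# Constructed sample: Read for Authenticated Users, Modify when both claims are "IT".
$SampleSddl = 'D:(A;OICI;0x1200a9;;;AU)(XA;OICI;0x1301bf;;;AU;((@User.department == "IT") && (@Device.department == "IT")))'

# Split the DACL into ACE strings. Conditional ACEs contain nested parentheses, so
# walk the string with a depth counter instead of matching "(...)" with a regex.
function Split-DaclAces {
    param([string]$Sddl)
    $start = $Sddl.IndexOf('D:')
    if ($start -lt 0) { return @() }
    $i = $start + 2
    while ($i -lt $Sddl.Length -and $Sddl[$i] -ne '(') { $i++ }   # skip DACL flags (P, AI, AR)
    $aces = @(); $depth = 0; $buf = ''
    for (; $i -lt $Sddl.Length; $i++) {
        $ch = $Sddl[$i]
        if ($depth -eq 0 -and $ch -ne '(') { break }               # reached "S:" or end of string
        if ($ch -eq '(') { $depth++ }
        $buf += $ch
        if ($ch -eq ')') {
            $depth--
            if ($depth -eq 0) { $aces += $buf; $buf = '' }
        }
    }
    $aces
}

function Get-ConditionalAce {
    param([string]$Sddl)
    foreach ($ace in Split-DaclAces -Sddl $Sddl) {
        $inner = $ace.Substring(1, $ace.Length - 2)            # drop the outer "(" and ")"
        $f = $inner -split ';', 7                               # type;flags;rights;objguid;inhguid;sid;condition
        $cond = if ($f.Count -ge 7) { $f[6] } else { $null }
        [pscustomobject]@{
            Type              = $f[0]                           # "A" = allow, "XA" = conditional allow
            Rights            = $f[2]
            Trustee           = $f[5]
            Condition         = $cond
            TestsUserClaims   = [bool]($cond -and $cond -match '@User\.')
            TestsDeviceClaims = [bool]($cond -and $cond -match '@Device\.')
        }
    }
}

$sddl = if ($Path) { (Get-Acl -Path $Path).Sddl } else { $SampleSddl }
$aces = @(Get-ConditionalAce -Sddl $sddl)
$aces | Format-Table -AutoSize
if (-not ($aces | Where-Object TestsDeviceClaims)) {
    Write-Warning 'No ACE in this DACL tests a device claim; the condition was written against user claims only (or not at all).'
}
```

Run it with -Path against the folder from the question: if the Modify ACE shows TestsDeviceClaims as True, the ACL side is correct and the failure lies in how the claim reaches the server; if it shows False, the condition was saved as a user claim despite what the editor displayed.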

  4. Pero 66 Reputation points

    Any update on the issue? Any ideas?


  5. Fan Fan 15,061 Reputation points

    Here is my test.
    Folder "dac final 2" has the following NTFS permissions,
    and Everyone has Full Control on this folder.
    Then I add a group, "dac group" (containing user dac1 and user dac2), and give the group the Modify permission, and add a condition, a device claim (department=IT), as follows:
    Then the users (dac1 and dac2) have the Modify permission from the workstation (department=IT).
    From the other workstation they only have the Read permission.
