I have set up DAC and implemented the needed GPOs. User claims are working and I can control access based on those. However, device claims are not. I can use the command:
$claims = $(new-object System.Security.Principal.WindowsIdentity("machine@domain.com"))
$claims
and I see that the machine has a user claim that puts it into the security group I want. However, when I set permissions on a folder to allow access only to a user A from a device with group membership in that group, I get access denied on that folder. I can change that requirement to one of the user claims for user A and things work. Just device claims fail.
I can't find any way to troubleshoot this problem. Not sure what else I could be missing here. Looking for suggestions.
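A diagnostic for the device-claim path, added here as an example and not part of the original post: it checks whether the user's logon token on the client actually carries device claims (not just whether the computer object has claims of its own) and whether the file server's computer account advertises compound authentication support, which the ActiveDirectory module exposes as the CompoundIdentitySupported property. The server name FILESRV01 and the claim type ID ad://ext/MemberOf are placeholder assumptions.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory module
# installed, file server FILESRV01 (placeholder), claim type ad://ext/MemberOf (placeholder).
param(
    [string]$FileServer  = 'FILESRV01',
    [string]$ClaimTypeId = 'ad://ext/MemberOf'
)

# 1. Run this in user A's own interactive session on the domain-joined device.
#    WindowsIdentity.DeviceClaims (.NET 4.5+) lists the device claims that were put
#    into the user's logon token. If this is empty, no device claim can reach the
#    file server, whatever the folder's conditional ACE says.
$id           = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userClaims   = @($id.UserClaims)
$deviceClaims = @($id.DeviceClaims)
Write-Host ("User claims in token   : {0}" -f $userClaims.Count)
Write-Host ("Device claims in token : {0}" -f $deviceClaims.Count)

$match = $deviceClaims | Where-Object { $_.Type -eq $ClaimTypeId }
if ($match) {
    $match | ForEach-Object { Write-Host ("  {0} = {1}" -f $_.Type, $_.Value) }
} else {
    Write-Warning "Device claim '$ClaimTypeId' is not in the user's logon token."
    Write-Warning ("Verify the claim type is enabled and that 'Kerberos client support for claims, " +
                   "compound authentication and Kerberos armoring' applies to this device, then log off/on.")
}

# 2. Device claims travel to a resource only inside a compound (user + device) service
#    ticket, and the KDC builds one only for a service whose computer account advertises
#    support. Check the file server's computer object for that flag.
Import-Module ActiveDirectory
$srv = Get-ADComputer -Identity $FileServer -Properties CompoundIdentitySupported
if ($srv.CompoundIdentitySupported) {
    Write-Host "$FileServer advertises compound authentication support."
} else {
    Write-Warning "$FileServer does not advertise compound authentication; device claims will be absent from its service tickets."
    Write-Warning ("Fix: Set-ADComputer -Identity $FileServer -CompoundIdentitySupported `$true, and confirm the " +
                   "'KDC support for claims, compound authentication and Kerberos armoring' policy on the DCs.")
}
```

After changing either setting, purge cached tickets on the client (klist purge) or log off and back on, because an existing service ticket without device claims is reused until it expires.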