When a non-claims-aware client computer hits a file server that is configured to use DAC, my understanding is that the file server issues a S4USelf kerb request to get claims from AD for the user account. Is there a set amount of time that claims info would exist on the file server? Would this be a standard kerberos ticket lifetime, and if so is there a way to clear a particular users ticket? I'm wondering if a user has an invalid property, say department, gets an access denied when hitting the file server, then corrects their AD account to the proper department, will they have to wait 8 hours to connect that file server again?
Thanks