Just got around to playing with this in a Dev environment. Very interesting stuff. Got it all to work perfectly. Just have one question.
So for my Dev environment I had a test setup where it would allow access to a share based on the "department" attribute in AD. If in "Sales" or "HR", allow. Worked great. Then what I did was modify one of the "Sales" users' department attribute. So they had access before... Then after the change it should have denied them access.

I found in testing (using the effective permissions tab on the file server) that it took about 10 minutes for this to deny the user. That surprised me. It wasn't a change to any of the DAC items (policy, list, etc.), nor was it a Group Policy change. It was a change to the attribute of the user. So where was that being cached, that it took 10 minutes? In my test environment I only have 1 DC.

Also, from what I have read... a Windows 7 client should work with this. So far I've only tested with a 2012 R2 client. Can anyone confirm that?

Thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com