Somewhere between Windows 2012 and 2016, Microsoft added a conditional feature to NTFS permissions, where a given ACE could be limited to only apply if certain claims about the user or device were true.
When the Advanced view of the Permissions Entry dialog refers to these conditions, one of the options you are given the choice of is User is a member of... or Device is a member of....
Does anyone know definitively, when referring to Device is a member of..., is it referring to the server device (i.e. the one on which the file or folder resides) or the client device (i.e. the one from which the end-user attempts to access the file)?
In the contrived example dialog below, is it saying that:
- Everyone has read-access to the folder as long as they access it from a machine in the Domain Computers group?
- Everyone has read-access to the folder as long as the file server on which that folder resides is in the Domain Computers group?
I can see uses for either approach so, in either case, is there an alternative condition I could use (or define via a GPO/Central Access Policy) that infers the other meaning...?
(Aside: I think this is referred to as Dynamic Access Control, but my Google-fu is failing me, and I keep getting info on Azure AD, which is not what I am interested in.)
Device is referring to the client device. https://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx (chapter "Windows 8 Member Computer")
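As an added example (not part of the question or the answer above), the following PowerShell script applies the "Device is a member of..." condition from the dialog as a conditional ACE written in SDDL, then reads the DACL back to confirm the condition is present. The folder path is an assumption, and it assumes the script is run elevated on a domain-joined file server so that the "Domain Computers" name can be resolved to a SID.

```powershell
# Added example, not code from the original question or answer.
# Grants Everyone read access to a folder only when the request arrives from a
# client computer that is a member of Domain Computers. The Device_Member_of
# operator in SDDL is what the "Device is a member of..." option in the
# Advanced permissions dialog produces; it evaluates the *client* device.

$Path = 'C:\Shares\Finance'   # assumed path; change to your folder

# Resolve the domain's Domain Computers group to its SID (assumes a
# domain-joined machine; USERDOMAIN is the domain the session logged on to).
$DomainComputersSid = (New-Object System.Security.Principal.NTAccount(
        "$env:USERDOMAIN\Domain Computers")).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Conditional ACE in SDDL:
#   XA   = ACCESS_ALLOWED_CALLBACK ACE, the ACE type that carries a condition
#   OICI = object-inherit + container-inherit (applies to files and subfolders)
#   FR   = File Read (generic read on files and folders)
#   WD   = Everyone
#   (Device_Member_of {SID(...)}) = the condition on the accessing device
# The DACL below is protected (P), so it replaces inherited entries: Everyone
# gets conditional read, Administrators (BA) and SYSTEM (SY) keep full control.
$Sddl = "D:P" +
        "(XA;OICI;FR;;;WD;(Device_Member_of {SID($DomainComputersSid)}))" +
        "(A;OICI;FA;;;BA)" +
        "(A;OICI;FA;;;SY)"

# Replace only the DACL (Access section) and leave owner/group untouched.
$Acl = Get-Acl -Path $Path
$Acl.SetSecurityDescriptorSddlForm($Sddl,
        [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $Path -AclObject $Acl

# Verify. Get-Acl's .Access view lists the ACE but hides its condition; the
# SDDL string shows the Device_Member_of clause, so check that instead.
$Applied = (Get-Acl -Path $Path).Sddl
if ($Applied -notmatch 'Device_Member_of') {
    throw "Conditional ACE was not applied. DACL is: $Applied"
}
$Applied
```

Two practical points when testing this: the condition can only be satisfied when the client actually presents its device identity to the server, which means a Windows 8 / Server 2012 or later client with Kerberos compound authentication enabled by Group Policy ("Kerberos client support for claims, compound authentication and Kerberos armoring"), and the domain's KDC configured for claims; a client that does not send device information fails the condition and is denied by this ACE. Also, `icacls` and the `.Access` view of `Get-Acl` do not display the condition text, so always confirm conditional entries through the SDDL form as above.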