
There is certain confidential data and we want to make sure that it does not get copied by users and eventually leaked out of the organisation.

For achieving the same, we have defined a restricted Windows machine which a user can access but from which no data can be taken in or out. Users on this machine are supposed to access those sensitive items which are not supposed to be copied.

What I am looking for is to define sub-paths of a network share to be accessible from certain computers only. Like, if userA accesses folderA in the share from Workstation-1, he should get access denied, but if he accesses it from Workstation-2, he should get access.

I am using an AD controlled environment with Windows Server 2016. I had a look at Dynamic Access Control, but don't know if it's possible with it.

--------Update---------
DAC (Dynamic Access Control) seems to be the right way.

I tried it; I was able to construct conditional access on the basis of user attributes/properties. But I am failing to do the same on the basis of device properties (device claims).

Like, if I want to construct conditional access to a resource path on the basis of the device (computer) description, I am able to put the claim for it, but the machine from which I am accessing it is not able to process the claim and just denies access where it is supposed to allow it.

-------Update--------
Finally, giving up on DAC, as most available resources tell you how to deal with user claims, but I hardly find any success stories for device claims.

To achieve the aim of maintaining different user rights for different machines, I have created clones of the shares, which remain in sync via the robocopy utility. Rights assignment has to be done separately for each machine.

Working fine for now. I loved what DAC proposes, but I am unable to implement the same.

Amit
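The device-claim variant of DAC described in the updates, written out as an added PowerShell example (this is not the asker's configuration). The claim name, the folder policy name, the computer name and the description value "RestrictedAccessHost" are assumptions; the prerequisite that stops a device claim from ever reaching the file server is that claims and compound authentication must be enabled on the KDC, on the workstation and on the file server, otherwise the Kerberos ticket carries no device claim and the conditional ACE denies.

```powershell
# Added example, not from the question. Assumed names: claim 'ComputerDescription',
# policy 'Confidential folder policy', computer 'WORKSTATION-2', value 'RestrictedAccessHost'.
Import-Module ActiveDirectory

# 1. Claim type sourced from the computer object's 'description' attribute.
#    AppliesToClasses must contain 'computer'; a user-only claim is never issued as a device claim.
$claim = New-ADClaimType -DisplayName 'ComputerDescription' `
    -SourceAttribute 'description' -AppliesToClasses @('computer') `
    -Enabled $true -PassThru

# 2. Central access rule: Authenticated Users get Modify (0x1301BF) only when the
#    DEVICE claim matches. The SDDL condition references the claim's generated ID,
#    not its display name, and uses the @DEVICE prefix rather than @USER.
$condition = "(@DEVICE.$($claim.ID) == `"RestrictedAccessHost`")"
$sddl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1301BF;;;AU;$condition)"
$rule = New-ADCentralAccessRule -Name 'Confidential - restricted hosts only' `
    -CurrentAcl $sddl -PassThru

# 3. Policy containing the rule. Publish it to the file server through Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy) and then select it on the folder's
#    "Central Policy" tab in Advanced Security Settings.
New-ADCentralAccessPolicy -Name 'Confidential folder policy'
Add-ADCentralAccessPolicyMember -Identity 'Confidential folder policy' -Members $rule

# 4. Tag the machine that is allowed to open the folder; the value must equal the
#    string compared in the condition above.
Set-ADComputer -Identity 'WORKSTATION-2' -Description 'RestrictedAccessHost'

# 5. Prerequisites (Group Policy, Administrative Templates > System), without which the
#    claim is silently absent from the ticket and the rule denies:
#    - Domain controllers, KDC node: "KDC support for claims, compound authentication and
#      Kerberos armoring" = Supported (or higher)
#    - Workstation AND file server, Kerberos node: "Kerberos client support for claims,
#      compound authentication and Kerberos armoring" = Enabled
#    - File server, Kerberos node: "Support compound authentication" = Always
#    Afterwards renew tickets on the workstation (klist purge, or reboot) so the PAC
#    carries the device claim; a ticket issued before the change will still be denied.
```

To confirm that the claim actually reaches the server, test with Effective Access on the folder, choosing both the user and the device, before trusting the result from a real logon.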