We have an AD level of 2012R2, DCs running 2012R2 of course, and we have a clustered File Server (3 FS nodes running 2012R2).
We enabled 2 policies:
- KDC support for claims
- Kerberos support for claims
We created 1 claim type in ADAC (for example "Division", source property) and filled this property for all IT AD accounts with our value "IT".
On the FS we made a shared folder ITDivision:
- set permissions: Domain Users can Modify if User.Division equals "IT"
So on Windows 8 IT users can access files on this share, and on Windows 7 they can't =\ . We know from many presentations about Dynamic Access Control that the File Server must enroll user claims if the client does not support these claims (Service-for-User-To-Self).
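An added diagnostic, not code from the original post, that checks on one File Server node the three pieces this setup depends on: the conditional ACE on the folder, the claim type in AD, and the node's own Kerberos client claims support, which the Service-for-User-To-Self lookup for claim-less (Windows 7) clients relies on. The local folder path and the registry key the policy writes are assumptions; the ActiveDirectory module (RSAT) must be installed on the node.

```powershell
# Added diagnostic (not part of the original post). Run in an elevated
# PowerShell on one File Server node, logged on as a user who holds the claim.
param(
    [string]$Folder    = 'D:\Shares\ITDivision',  # assumption: local path behind the share
    [string]$ClaimName = 'Division'               # claim type display name from the post
)

# 1. Claim-based permissions are stored as conditional ACEs, which SDDL
#    renders as "XA" entries ending in a parenthesised condition.
$sddl = (Get-Acl -Path $Folder).Sddl
$xa   = [regex]::Matches($sddl, '\(XA;.*?\)\)')
if ($xa.Count -eq 0) {
    Write-Warning "No conditional (XA) ACE on $Folder - the ACL is not claim-based."
} else {
    $xa | ForEach-Object { "Conditional ACE: $($_.Value)" }
    # User claims appear in the condition as @USER.ad://ext/<ClaimName>:<id>
    if ($sddl -notmatch "ad://ext/$ClaimName") {
        Write-Warning "No conditional ACE references the '$ClaimName' claim."
    }
}

# 2. The claim type must exist in AD and be enabled, or the KDC never issues it.
Import-Module ActiveDirectory
$claim = Get-ADClaimType -Filter "DisplayName -eq '$ClaimName'"
if (-not $claim) {
    Write-Warning "Claim type '$ClaimName' not found in AD."
} elseif (-not $claim.Enabled) {
    Write-Warning "Claim type '$ClaimName' exists but is disabled."
} else {
    "Claim type $($claim.ID) is sourced from attribute '$($claim.SourceAttribute)'"
}

# 3. For clients that send no claims (Windows 7), the file server asks the KDC
#    for the user's claims itself (S4U2Self). That only works when the server's
#    own Kerberos client claims support is on. Assumption: the "Kerberos support
#    for claims" policy writes EnableCbacAndArmor under this key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableCbacAndArmor
if ($val -ne 1) {
    Write-Warning "Kerberos client support for claims is not enabled on this node ($key)."
} else {
    'Kerberos client support for claims is enabled on this node.'
}

# 4. List the claims the KDC placed in the current logon token; for an IT
#    account the Division claim should appear here.
whoami /claims
```

If step 4 shows no claims even for an IT account logged on at the node, the problem is upstream of the share (claim type or KDC policy), not in the conditional ACE.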