I am attaching the summary from the service, and then the Enforcement profile page.
For the configuration in question, DNEWSOME is the user's LDAP ID (EAD LDAP). So that one is explicitly allowed, while the rest (anyone else in the EAD LDAP) are denied by the second rule.
We then authenticate against the local database (where we have the superusers - the ones that have access to everything). The local database also includes some of the individual campus folks (legacy that I hope to get rid of in the near future). So the legacy users are denied, while the rest of the local database is allowed (the last line).
The "DenyProfile" is basically an empty profile that has no devices, so forcing the users to be put into that profile denies them access to the device.
Let me know if you need any other screen shots.
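The post above describes a first-match enforcement policy: one named LDAP user allowed, the rest of the LDAP source denied, legacy local-database accounts denied, and the remaining local-database users allowed, with an empty "DenyProfile" as the deny outcome. The following is an added illustration, not the poster's configuration or any vendor's policy engine: it models that rule order in plain Python so the evaluation can be checked against sample requests, and it also shows why the order of the first two rules matters (if the LDAP-wide deny came first, the explicit allow would never be reached). The usernames `campus_legacy1`, `campus_legacy2`, `superadmin`, the source names `EAD_LDAP` and `LOCAL_DB`, and the profile name `AllowProfile` are constructed placeholders; only `DNEWSOME` and `DenyProfile` come from the post.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Profile names: "DenyProfile" is from the post (an empty profile with no
# devices); "AllowProfile" is a constructed placeholder for the allow outcome.
DENY_PROFILE = "DenyProfile"
ALLOW_PROFILE = "AllowProfile"

# Constructed sample of the legacy campus accounts that live in the local
# database and should be denied until they are cleaned up.
LEGACY_LOCAL_USERS = frozenset({"campus_legacy1", "campus_legacy2"})


@dataclass(frozen=True)
class AuthRequest:
    username: str
    auth_source: str  # "EAD_LDAP" or "LOCAL_DB" (constructed source names)


@dataclass(frozen=True)
class Rule:
    description: str
    matches: Callable[[AuthRequest], bool]
    profile: str


# Rule order as described in the post: first match wins.
POLICY: List[Rule] = [
    Rule("explicitly allowed EAD LDAP user",
         lambda r: r.auth_source == "EAD_LDAP" and r.username == "DNEWSOME",
         ALLOW_PROFILE),
    Rule("anyone else in EAD LDAP",
         lambda r: r.auth_source == "EAD_LDAP",
         DENY_PROFILE),
    Rule("legacy campus users in the local database",
         lambda r: r.auth_source == "LOCAL_DB" and r.username in LEGACY_LOCAL_USERS,
         DENY_PROFILE),
    Rule("remaining local database users (superusers)",
         lambda r: r.auth_source == "LOCAL_DB",
         ALLOW_PROFILE),
]


def evaluate(request: AuthRequest, policy: List[Rule] = POLICY,
             default: str = DENY_PROFILE) -> Tuple[str, str]:
    """Return (profile, reason) for the first matching rule.

    Falls back to the deny profile when nothing matches, so an unexpected
    authentication source never produces an allow by accident.
    """
    for rule in policy:
        if rule.matches(request):
            return rule.profile, rule.description
    return default, "no rule matched (default deny)"


def misordered_policy() -> List[Rule]:
    """The same rules with the LDAP-wide deny placed before the explicit allow.

    Used to demonstrate that first-match ordering is what makes the explicit
    allow effective; with this order DNEWSOME is shadowed by the blanket deny.
    """
    return [POLICY[1], POLICY[0], POLICY[2], POLICY[3]]


if __name__ == "__main__":
    samples = [
        AuthRequest("DNEWSOME", "EAD_LDAP"),
        AuthRequest("someone_else", "EAD_LDAP"),
        AuthRequest("campus_legacy1", "LOCAL_DB"),
        AuthRequest("superadmin", "LOCAL_DB"),
        AuthRequest("unknown", "RADIUS_GUEST"),  # constructed unexpected source
    ]
    for req in samples:
        profile, why = evaluate(req)
        print(f"{req.auth_source:>12} {req.username:<16} -> {profile:<13} ({why})")
    print("misordered:", evaluate(AuthRequest("DNEWSOME", "EAD_LDAP"), misordered_policy()))
```

Running the block prints one line per sample request; the last line shows the explicit allow being lost when the blanket LDAP deny is evaluated first, which is the ordering mistake worth checking for whenever a rule is added above an existing one.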