We have a 25Mb connection going over a 10Gb link on a 3850-48P.  We currently have it shaped to 25Mb with a nested QoS Policy:

class-map match-any QOS-EF-OUT
 description QOS EF Queue
  match  dscp af41  af42  ef 

class-map match-any QOS-VOIP-CONTROL-OUT
 description QOS VOIP Control Queue
  match ip dscp cs3 
  match ip dscp af31 

policy-map QOS-OUTBOUND
 class QOS-EF-OUT
    priority percent 30
 class QOS-VOIP-CONTROL-OUT
    bandwidth percent 5
 class class-default

policy-map SHAPE-25MBPS
 class class-default
    shape average 25000000
   service-policy QOS-OUTBOUND

We are having an issue where some of our security guards are monitoring the cameras at this remote site in a higher quality than they should chewing up all of the bandwidth.  We want to limit the security network to 10Mb across this link but still keep the QOS policy and the rest of the traffic shaped to 25Mb.  Best I could figure was to add a class map matching an ACL for the network and adding that class to the policy-map:

class-map match-any SECURITY
   match  access-group 150

class-map match-any QOS-EF-OUT
 description QOS EF Queue
  match  dscp af41  af42  ef 

class-map match-any QOS-VOIP-CONTROL-OUT
 description QOS VOIP Control Queue
  match ip dscp cs3 
  match ip dscp af31 

policy-map QOS-OUTBOUND
 class QOS-EF-OUT
    priority percent 30
 class QOS-VOIP-CONTROL-OUT
    bandwidth percent 5
 class class-default

policy-map SHAPE-25MBPS
 class SECURITY
    shape average 10m
 class class-default
    shape average 25m
   service-policy QOS-OUTBOUND

This gives me an error - "Hierarchical Policy must have child under all user defined classes for wired ports" - so I tried adding the QOS-OUTBOUND policy under the class SECURITY as well and get this - "Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence based classification!!!".  I've tried various different combinations of this moving the shapers and policy maps, classes in and out of each group and keep getting these errors.