- Install Ansible on Windows - Thu, Jul 20 2023
- Use Azure Bastion as a jump host for RDP and SSH - Tue, Apr 18 2023
- Azure Virtual Desktop: Getting started - Fri, Apr 14 2023
Today we’re going to continue our deep-dive study into the new Dynamic Access Control (DAC) feature in Windows Server 2012. I’ve structured the deep-dive into four separate blog posts, with this one being the second.
The Scenario
The following figure graphically illustrates the simple, real-world scenario upon which we base our study of DAC:
Our Dynamic Access Control scenario
We have three computers that comprise our test network:
- DCNUGGET: Windows Server 2012 domain controller
- MEMNUGGET: Windows Server 2012 file server that will host DAC-protected shared resources
- CLINUGGET: Windows 8 client computer
We’re going to apply a DAC access policy to a shared folder named CORPDOCS that is hosted on MEMNUGGET. We’ll then create user claims
In Part 2 of this series, we configured the CORPDOCS shared folder on MEMNUGGET that holds the target resources in question. We also created the two user claims for user location and department.
We now need to turn our attention to the shared folder metadata properties (also called taxonomic “tags”) that are relevant for our situation.
Creating Resource Properties
In DAC terminology resource properties correspond to meaningful classifications, or tags, that we can apply to our file servers’ shared resources. To get started, open the Active Directory Administrative center from your administrative workstation or domain controller, click the Dynamic Access Control node, right-click Resource Properties, and select New > Resource Property.
NOTE: A reference resource property is a resource property that is explicitly linked to an existing claim type with suggested values. We can address this special case in a separate blog post; let me know in the comments if you are interested.
Dynamic Access Control elements
In this example, we need to create two resource properties that will be used with our CORPDOCS shared folder:
- Campus (our fictional organization has two campuses: Nashville and Syracuse)
- Classification (we’ll create two file classification levels: Public and Confidential)
Take a look at the following screenshot and I will walk you through the creation of the Campus resource property:
Defining a new resource property
- Provide a friendly name for your new resource property.
- Each resource property can be associated with one of a number of different data types. Let’s choose Single-valued choice because only one option from a predescribed list will be relevant for the CORPDOCS folder
- Click Add to add an entry for our two campuses: Nashville and Syracuse. This dialog box is shown in the following screenshot
Defining a suggested value for a resource property
Once you’ve defined resource properties for both Campus and Classification, you can verify their existence in the Resource Properties list. Observe that Microsoft gives us several pre-built resource properties that we can leverage; to enable one, right-click the property and select Enable. For performance and manageability reasons, all of the built-in resource properties are disabled by default.
Managing resource properties
Creating and deploying the Resource Property List
In DAC, the Resource Property List (RPL) is the deployable unit to our file servers. We can create any number of RPLs and deploy them selectively to our domain file servers.
Let’s do this! In the Dynamic Access Control node in ADAC, right-click Resource Property Lists and select New > Resource Property List.
Defining a new Resource Property List
- Provide a meaningful name to your RPL. Feel free to document the purpose of the RPL in the Description field as well.
- Click Add to associate our previously created resource properties to the new RPL. The Select Resource Properties dialog box is shown in the following screenshot.
Adding our resource properties to our resource property list
Believe it or not, we are still not finished. We now need to deploy our RPL to our domain file servers. To do this, we need to open an administrative PowerShell session and issue the following cmdlet:
Update-FSRMClassificationPropertyDefinition
We are now ready to shift our attention from our domain controller to our Windows Server 2012 file server, MEMNUGGET, to classify the CORPDOCS folder.
Classifying our target folder
When we examine the properties of the CORPDOCS shared folder, we see a new tab called Classification. Let’s go there now.
Tagging a shared folder
The tagging process is pretty straightforward. We can simply select each resource property and then select a value from the choices that we set earlier in Dynamic Access Control. Pretty cool, eh?
NOTE: Windows Server 2012 provides us with methods for deploying automatic file classification so we administrators don’t need to “touch” each file share separately. I am more than happy to delve into that subject in another blog post.
Conclusion
By now we have configured our user claims and tagged the target folder with meaningful classifications. The next step in this process is to create a Central Access Policy that will actually create the access rule that ties together claims and resource properties. We’ll cover that topic in the next installment of this series.
