In the last post of my Dynamic Access Control (DAC) series I explained how to configure user user claims. Today we classify shared folders for DAC based upon a simple, real-world scenario.

Today we’re going to continue our deep-dive study into the new Dynamic Access Control (DAC) feature in Windows Server 2012. I’ve structured the deep-dive into four separate blog posts, with this one being the second.

The Scenario ^

The following figure graphically illustrates the simple, real-world scenario upon which we base our study of DAC:

Our Dynamic Access Control scenario

Our Dynamic Access Control scenario

We have three computers that comprise our test network:

  • DCNUGGET: Windows Server 2012 domain controller
  • MEMNUGGET: Windows Server 2012 file server that will host DAC-protected shared resources
  • CLINUGGET: Windows 8 client computer

We’re going to apply a DAC access policy to a shared folder named CORPDOCS that is hosted on MEMNUGGET. We’ll then create user claims

In Part 2 of this series, we configured the CORPDOCS shared folder on MEMNUGGET that holds the target resources in question. We also created the two user claims for user location and department.

We now need to turn our attention to the shared folder metadata properties (also called taxonomic “tags”) that are relevant for our situation.

Creating Resource Properties ^

In DAC terminology resource properties correspond to meaningful classifications, or tags, that we can apply to our file servers’ shared resources. To get started, open the Active Directory Administrative center from your administrative workstation or domain controller, click the Dynamic Access Control node, right-click Resource Properties, and select New > Resource Property.

NOTE: A reference resource property is a resource property that is explicitly linked to an existing claim type with suggested values. We can address this special case in a separate blog post; let me know in the comments if you are interested.

Dynamic Access Control elements

Dynamic Access Control elements

In this example, we need to create two resource properties that will be used with our CORPDOCS shared folder:

  • Campus (our fictional organization has two campuses: Nashville and Syracuse)
  • Classification (we’ll create two file classification levels: Public and Confidential)

Take a look at the following screenshot and I will walk you through the creation of the Campus resource property:

Defining a new resource property

Defining a new resource property

  1. Provide a friendly name for your new resource property.
  2. Each resource property can be associated with one of a number of different data types. Let’s choose Single-valued choice because only one option from a predescribed list will be relevant for the CORPDOCS folder
  3. Click Add to add an entry for our two campuses: Nashville and Syracuse. This dialog box is shown in the following screenshot

Defining a suggested value for a resource property

 Defining a suggested value for a resource property

Once you’ve defined resource properties for both Campus and Classification, you can verify their existence in the Resource Properties list. Observe that Microsoft gives us several pre-built resource properties that we can leverage; to enable one, right-click the property and select Enable. For performance and manageability reasons, all of the built-in resource properties are disabled by default.

Managing resource properties

Managing resource properties

Creating and deploying the Resource Property List ^

In DAC, the Resource Property List (RPL) is the deployable unit to our file servers. We can create any number of RPLs and deploy them selectively to our domain file servers.

Let’s do this! In the Dynamic Access Control node in ADAC, right-click Resource Property Lists and select New > Resource Property List.

Defining a new Resource Property List

Defining a new Resource Property List

  1. Provide a meaningful name to your RPL. Feel free to document the purpose of the RPL in the Description field as well.
  2. Click Add to associate our previously created resource properties to the new RPL. The Select Resource Properties dialog box is shown in the following screenshot.

Adding our resource properties to our resource property list

Adding our resource properties to our resource property list

Believe it or not, we are still not finished. We now need to deploy our RPL to our domain file servers. To do this, we need to open an administrative PowerShell session and issue the following cmdlet:

Update-FSRMClassificationPropertyDefinition

We are now ready to shift our attention from our domain controller to our Windows Server 2012 file server, MEMNUGGET, to classify the CORPDOCS folder.

Classifying our target folder ^

When we examine the properties of the CORPDOCS shared folder, we see a new tab called Classification. Let’s go there now.

Tagging a shared folder

Tagging a shared folder

The tagging process is pretty straightforward. We can simply select each resource property and then select a value from the choices that we set earlier in Dynamic Access Control. Pretty cool, eh?

NOTE: Windows Server 2012 provides us with methods for deploying automatic file classification so we administrators don’t need to “touch” each file share separately. I am more than happy to delve into that subject in another blog post.

Conclusion ^

By now we have configured our user claims and tagged the target folder with meaningful classifications. The next step in this process is to create a Central Access Policy that will actually create the access rule that ties together claims and resource properties. We’ll cover that topic in the next installment of this series.

0
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account