Files typically have attributes like author, last saved, company, owner, etc. File Classification allows you to supplement those attributes with additional information that may be industry or organization specific based on classifications you perform manually or automatically.
Before I continue, all of the examples that follow are based on Windows Server 2012. File Classification has been greatly improved in Server 2012. Many of the features discussed below like which users can classify files, the UI in Explorer, and automatic classification aren't available in Server 2008 R2.
Classifying files
In the FSRM administrative tool, go to the Classification Management area. Expand Classification Management and click on Classification Properties.
Classification Management in FSRM
Set a Name, Description, and Property type. Property types can be Yes/No, Date/Time, Numbers, Multiple Choice Lists, Ordered Lists, Single Choice, String, and Multi-String. In the example here, I've used Social Security Number since that is a very common piece of data companies in the US consider sensitive and want to identify.
Create a Local Classification Property
If you examine any file’s properties on the file server from Windows Server 2012 or Windows 8, you’ll see there is a new Classification tab that includes the File Classifications that we’ve created.
Classification tab
Now that we’ve created a file classification, we can configure the classification to be applied to files automatically via a schedule or on an ongoing basis. In the FSRM administrative tool, go to Classification Rules under the Classification Management Area, and click on Create Classification Rule.
Classification Rules in FSRM
In the General tab, set a Rule name and ensure that Enabled is checked.
Create Classification Rule
In the Scope tab, set the type of data and folders that will be scanned.
Scope tab
In the Classification tab, set the Classification method to Content Classifier. In Property, choose the classification and set the value. In Parameters, click Configure. In the Classification Parameters, you'll have to set the logic that will be used for finding information inside files. In the case of our example, Social Security Numbers always follow the pattern 3 numbers, 2 numbers, 4 numbers. In addition to using regular expressions, you can also use a string value (both case-sensitive and case-insensitive).
Classification Method – Classification Parameters
In the Evaluation Type tab, determine whether files should be re-evaluated or whether they should be evaluated only once. Also determine whether you want to overwrite or keep old values and click OK.
Evaluation Type
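The same property and rule can be created from PowerShell with the FSRM cmdlets in Windows Server 2012. This is an added example, not part of the original article; the property name, rule name, folder path and test strings are assumptions, and the pattern is checked against constructed samples before any rule is created.

```powershell
# Added example: $propName, $scope, the rule name and the sample strings are
# hypothetical values chosen for illustration.
$propName = 'ContainsSSN'
$scope    = @('D:\Shares\HR')

# 3 digits, 2 digits, 4 digits, as described above. The lookarounds stop the
# pattern from matching inside longer digit runs and skip values that are never
# issued (area 000, 666 or 9xx; group 00; serial 0000). The content classifier
# takes .NET regular expression syntax, so [regex] can test the same pattern.
$ssnRegex = '(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)'

# Constructed test strings mapped to the expected match result.
$samples = [ordered]@{
    'SSN: 123-45-6789'        = $true
    'Order 1123-45-67890'     = $false   # embedded in a longer number
    'Test value 000-12-3456'  = $false   # area 000 is never issued
    'Placeholder 987-65-4321' = $false   # 9xx areas are never issued
}
foreach ($text in $samples.Keys) {
    if ([regex]::IsMatch($text, $ssnRegex) -ne $samples[$text]) {
        throw "Pattern gave an unexpected result for '$text'"
    }
}

# Classification property (Yes/No type), as created under Classification Properties.
New-FsrmClassificationPropertyDefinition -Name $propName -Type YesNo `
    -Description 'File content matches a US Social Security Number pattern'

# Classification rule covering the General, Scope, Classification and
# Evaluation Type tabs. Rules are enabled unless -Disabled is passed.
$rule = @{
    Name                     = 'Find SSNs'
    Property                 = $propName
    PropertyValue            = '1'                   # Yes
    Namespace                = $scope
    ClassificationMechanism  = 'Content Classifier'
    ContentRegularExpression = @($ssnRegex)
    ReevaluateProperty       = 'Overwrite'           # re-evaluate, replace old values
}
New-FsrmClassificationRule @rule

# Run classification once now instead of waiting for the schedule.
Start-FsrmClassification
```

Testing the pattern against known-good and known-bad strings first keeps order numbers and similar digit runs from being tagged as sensitive on the initial pass.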
You may have also noticed the option, Configure Classification Schedule in the Classification Rules area. This is the same configuration screen that we briefly covered back in Part 2 of this series. If you're updating your classification rules, now may be a good time to revisit these settings.
If you're planning on automatically classifying files, your business needs are going to dictate how often you need the process to run. An initial pass over a large data set can take quite some time... so definitely set the schedule to run during off hours and set the limit.
Automatic Classification
Classifying folders
Three different properties can be set for folders: Access-Denied Assistance Message, Folder Owner Email, and Folder Usage. These can all be set in the FSRM administrative tool under Classification Management > Classification Properties > Set Folder Management Properties.
Access-Denied Assistance Message allows you to configure what an end user sees when he/she is denied access to a file or folder. Rather than getting a generic 'access denied' message, the user will get a dialog box that IT can configure with whatever information you believe they should see. The downside is that this particular feature requires Windows Server 2012/Windows 8.
Set Folder Management Properties
The Folder Owner Email property is also something that can come in very handy. In most organizations, IT has to seek approval from the data owner to grant access to things like file shares. Setting this property allows you to present the user with the owner's email address so that they can seek access approval before contacting IT. This feature also requires Windows 8/Server 2012.
Folder Owner Email property
The Folder Usage property is used when running classification and file management tasks. Folders can be classified as Application Files, Backup & Archival Files, Group Files, and User Files. This allows you to run different classification rules against different types of files, which enables you to eliminate areas like archives or software shares from your file classification schedules since those files, most likely, don't need to be scanned.
Folder Usage property
Pretty thorough coverage
Excellent write up :), thank you so very much.
Thanks Kyle, this is an amazing explanation. Better than any other source I came across for this topic.
Cool, but if I run the report for a second time it shows nothing. Only changes (new files) are reported. How can I get my report to show all results, including older ones?
On server 2016 in a 2016 domain btw
@Paul, If you use Storage Reports Management (in the tree above Classification Management in FSRM ) to schedule a report based on the classification property that you have defined it will report on all files, including previously detected ones.