The first article in this series (link here) introduced the DAC functionality in Windows Server 2012. The second article of the series (link here) explained the initial steps of a DAC implementation project. There, detailed step-by-step demonstrations explained how to configure Active Directory, enable support for Kerberos armoring, create user and device claims and implement file classifications.


This article continues the series using a hands-on approach to explain how DAC is deployed and show how it works. The following tasks are demonstrated in detail to unpack the completion of the project.

Task 1: Configure central access rules.

Task 2: Configure central access policies.

Task 3: Apply the central access policies to the file servers.

Task 4: Validate the DAC configuration.

Task 5: Configure access-denied assistance.

Task 6: Request access remediation.

For this lab, three computers are being used in the domain name lanztek.com. The computer names and roles are as follows:

  • DC-DNS1 – Windows Server 2012 R2 domain controller and DNS server
  • FileServer1 – Windows Server 2012 R2 file server, member of the lanztek.com domain
  • Win8A – Windows 8.1 client in the lanztek.com domain

Task 1. Configure central access rules.

  1. In the DC-DNS1 domain controller, in the Active Directory Administrative Center, from the Navigation pane, click Dynamic Access Control, and then double-click Central Access Rules.

  2. From the Tasks pane, click New, and then click Central Access Rule.

  3. In the Create Central Access Rule window, type Validate Department in the Name field, and make sure that the Protection for accidental deletion option is checked.
  4. In the Target Resources section, click Edit.
  5. In the Central Access Rule dialog box, click Add a condition.
  6. By using the values in the drop-down boxes, set a condition as follows: Resource – Department – Equals – Value – Sales, and then click OK.
  7. Scroll down to the Permissions section, and click Use following permissions as current permissions.
  8. In the Permissions section, click Edit.
  9. In the Advanced Security Settings for Permissions window, remove permission for Administrators by selecting permission entry for Administrators and clicking Remove.
  10. In the Advanced Security Settings for Permissions window, click Add.
  11. In the Permission Entry for Permissions window, click Select a principal.
  12. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click Check Names, and then click OK.
  13. In the Permission Entry for Permissions window, in the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes. Click Add a condition.
  14. In the Permission Entry for Permissions window, click the Group drop-down list box, and then click LanzTek Department.
  15. Click the Value drop-down list box, and then click Resource. In the last drop-down list box, click Department. Verify that you have this expression as a result: User – LanzTek Department – Equals – Resource – Department. Click OK three times.
  16. In the Active Directory Administrative Center, with Central Access Rules selected, from the Tasks pane, click New, and then click Central Access Rule.
  17. For the name of the rule, input Confidential Reports and ensure that the Protection for accidental deletion option is checked. In the Target Resources section, click Edit.
  18. In the Central Access Rule window, click Add a condition.
  19. By using the values in the drop-down boxes, set a condition on the Confidentiality resource property, and in the last drop-down list box, click High. Verify that you have this expression as a result: Resource – Confidentiality – Equals – Value – High. Click OK.
  20. In the Permissions section, click Use following permissions as current permissions. Then click Edit.
  21. In the Advanced Security Settings for Permissions window, remove permission for Administrators by selecting the permission entry for Administrators and clicking Remove.
  22. In the Advanced Security Settings for Permissions window, click Add.
  23. In Permission Entry for Permissions, click Select a principal.
  24. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click Check Names, and then click OK.
  25. In Permission Entry for Permissions, in the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes. Click Add a condition.
  26. Set the first condition to: User – Group – Member of each – Value – Managers. It is possible that Managers is not in the last drop-down list. In that case, click Add items. Then in the Select User, Computer, Service Account, or Group window, type Managers, click Check Names, select Managers, and then click OK twice.

  27. To add a second condition, click Add a condition and set the following: Device – Group – Member of each – Value – MgrComputers. Click OK three times. Again, it is possible that MgrComputers is not in the last drop-down list. In that case, click Add items. Then in the Select Computer or Group window, type MgrComputers, click Check Names, and then click OK.

Task 2. Configure central access policies.

    1. On DC-DNS1, in the Active Directory Administrative Center, click Dynamic Access Control, and then double-click Central Access Policies.
    2. In the Tasks pane, click New, and then click Central Access Policy.
    3. In the Name field, type Protect Confidential Reports, and then click Add.
    4. In the Add Central Access Rules window, select the Confidential Reports rule, and then click >>.
    5. Verify that the Confidential Reports rule is on the right side and click OK twice.
    6. In the Tasks pane, click New, and then click Central Access Policy.
    7. In the Name field, type Department Validation, and then click Add.
    8. Click the Validate Department rule, then click >>.
    9. Verify that the Validate Department rule is on the right side and click OK twice.
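The same two rules and two policies from Tasks 1 and 2 can be created from PowerShell on DC-DNS1 with the ActiveDirectory module. This is an added example, not code from the original article; it assumes the resource property IDs are Department and Confidentiality and uses a placeholder for the ID of the user claim type that appears as "LanzTek Department" in the UI (look it up with Get-ADClaimType before running).

```powershell
# Added example: central access rules and policies via the ActiveDirectory module.
# ASSUMPTION: replace the placeholder below with the real claim type ID from Get-ADClaimType.
Import-Module ActiveDirectory
$deptClaimId = 'ad://ext/Department'   # placeholder ID for the "LanzTek Department" claim

# Conditional ACEs carry SIDs, not names, so resolve the two groups used in the rules.
$mgrSid  = (Get-ADGroup -Identity 'Managers').SID.Value
$mgrComp = (Get-ADGroup -Identity 'MgrComputers').SID.Value

# 0x1301bf is the Modify access mask (it already includes Read & Execute, Read and Write).
# Rule 1: resources whose Department is Sales; Authenticated Users get Modify only when the
# user's department claim equals the resource's Department property. The Administrators
# entry removed in step 9 is simply absent; only the owner-rights ACE (OW) remains.
$validateAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)' +
    '(XA;;0x1301bf;;;AU;(@USER.' + $deptClaimId + ' == @RESOURCE.Department))'
New-ADCentralAccessRule -Name 'Validate Department' `
    -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.Department == "Sales")' `
    -CurrentAcl $validateAcl

# Rule 2: resources classified Confidentiality = High; both conditions must hold
# ("Member of each" in the UI): user in Managers AND device in MgrComputers.
$confAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)' +
    "(XA;;0x1301bf;;;AU;(Member_of {SID($mgrSid)} && Device_Member_of {SID($mgrComp)}))"
New-ADCentralAccessRule -Name 'Confidential Reports' `
    -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.Confidentiality == "High")' `
    -CurrentAcl $confAcl

# Policies are containers for rules; each policy here wraps one rule, as in Task 2.
New-ADCentralAccessPolicy -Name 'Protect Confidential Reports'
Add-ADCentralAccessPolicyMember -Identity 'Protect Confidential Reports' -Members 'Confidential Reports'
New-ADCentralAccessPolicy -Name 'Department Validation'
Add-ADCentralAccessPolicyMember -Identity 'Department Validation' -Members 'Validate Department'

# Review the result before publishing the policies through Group Policy (Task 3).
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```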

Task 3. Apply the central access policies to the file servers.

      1. On DC-DNS1, in Server Manager, click Tools, and then click Group Policy Management.
      2. In the Group Policy Management Console, expand Forest: Lanztek.com, expand Domains, expand Lanztek.com, right-click DAC-Computers, and then click Create a GPO in this domain, and Link it here.

      3. Type LanzTek DAC Policy, and then click OK.
      4. Click on the DAC-Computers OU, right-click LanzTek DAC Policy, and then click Edit.

      5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand File System, right-click Central Access Policy, and then click Manage Central Access Policies.

      6. In the Central Access Policies Configuration window, press and hold the Ctrl button and click both Department Validation and Protect Confidential Reports, click Add, and then click OK. Close the Group Policy Management Editor and the Group Policy Management Console.
      7. On FILESERVER1, open a command prompt, type gpupdate /force, and then press Enter. Wait to see confirmation that both the computer and the user policies were updated successfully.
      8. On FILESERVER1, on the taskbar, click the File Explorer icon. In File Explorer, browse to Drive C, right-click the Reports folder, and then click Properties. In the Properties dialog box, click the Security tab, and then click Advanced.
      9. In the Advanced Security Settings for Reports window, click the Central Policy tab, and then click Change.
      10. From the drop-down list box, select Protect Confidential Reports, and ensure that in the Applies to drop-down menu, “This folder, subfolders and files” is selected. Then click OK twice.
      11. Right-click the Sales folder and then click Properties. In the Sales Properties dialog box, click the Security tab, and then click Advanced. In the Advanced Security Settings for Sales window, click the Central Policy tab, and then click Change.
      12. In the drop-down list box, click Department Validation, and verify that in the Applies to drop-down menu, “This folder, subfolders and files” is selected. Then click OK twice.

Now that the central access policies have been configured and applied to the file server, the next task will be to access file resources to validate our configuration.

Task 4. Validate the DAC configuration.

      1. Sign in on WIN8A with the domain credentials of Rosa Lopez. Click the Desktop tile, and then on the taskbar, click the File Explorer icon. In the File Explorer address bar, type \\FILESERVER1\Sales, and then press Enter.
      2. Rosa Lopez is a member of the Sales department (a user claim provided by the domain controller), so verify that she can access this folder and open the documents inside. After confirming that the DAC policy is being applied correctly, sign out.

      3. Sign in to WIN8A with the domain credentials of John Smith. Click the Desktop tile, and then on the taskbar, click the File Explorer icon. In the File Explorer address bar, type \\FILESERVER1\Reports.
      4. Verify that user John Smith has access to the Reports folder and can open the files classified as confidential. John Smith needs to use an authorized device to access these files, in this case the WIN8A client.
      5. Log in to FILESERVER1 with your domain administrator credentials. In the File Explorer window, navigate to C:\Sales, right-click it and select Properties. In the Sales Properties dialog box, click the Security tab, click Advanced, click Effective Access and then click Select a user.

      6. In the Select User, Computer, Service Account, or Group window, type User3, click Check Names, and then click OK.
      7. Click View effective access, and then review the results. The User3 account does not have access to this folder. This is because the folder is protected with a Dynamic Access Control policy that requires one more condition to be fulfilled. See the “Access limited by” column in the results below.
      8. Click Include a user claim, and then from the drop-down list, select LanzTek Department. In the Enter value here text box, type Sales. Click View effective access. Adding this user claim (LanzTek Department = Sales) would allow User3 limited access to the Sales folder.

Preamble to access-denied assistance configuration

This feature is available on Windows 8 and Windows Server 2012. It allows administrators to customize access-denied messages and to enable users to request access, reducing the number of help desk calls when users are denied access to resources.

Using access-denied assistance with DAC may improve the productivity of file server administrators, because the access requests they receive from users are often caused by incorrect resource properties or by problems with user or device claims. Having that information in the request allows administrators to quickly adjust policies and fix user or device attributes.

Typically, you will rely on Group Policy to enable access-denied assistance; however, it is possible to use the File Server Resource Manager to configure customized access-denied assistance messages on individual file servers.

Task 5: Configure access-denied assistance

      1. On DC-DNS1, in Server Manager, click Tools, and then click Group Policy Management. In the Group Policy Management Console, expand Forest: lanztek.com, expand Domains, expand lanztek.com, and then click Group Policy objects. Right-click LanzTek DAC Policy, and then click Edit.
      2. Under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Access-Denied Assistance. In the details pane, double-click Customize message for Access Denied errors.
      3. In the Customize Message for Access Denied errors window, click Enabled. In the Display the following message to users who are denied access text box, type “Current permission policy does not allow you to access this resource. Please request access from your manager or supervisor”. Select the Enable users to request assistance check box, and then click OK.
      4. In the details pane of the Group Policy Management Editor, double-click Enable access-denied assistance on client for all file types, click Enabled, and then click OK.
      5. Close the Group Policy Management Editor and the Group Policy Management Console. Switch to FILESERVER1, and open a command prompt. At the command prompt, type gpupdate /force, and then press Enter. Wait to see confirmation that both the computer and the user policies updated successfully.
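The File Server Resource Manager alternative mentioned above, as an added example that is not part of the original article: it configures the same message and request option on a single file server. It assumes the FSRM role service is installed on FILESERVER1 and that the FileServerResourceManager PowerShell module is available there.

```powershell
# Added example: per-server access-denied assistance through FSRM (ASSUMPTION: the
# File Server Resource Manager role service is installed on this file server).
Import-Module FileServerResourceManager

# Same message as the Group Policy setting in Task 5; AllowRequests gives users the
# "Request assistance" option, and the request is mailed to the folder owner.
# Including user and device claims in the request is what lets an administrator see
# which claim or resource property is missing without a follow-up call.
Set-FsrmAdrSetting -Event AccessDenied `
    -Enabled $true `
    -DisplayMessage 'Current permission policy does not allow you to access this resource. Please request access from your manager or supervisor' `
    -AllowRequests $true `
    -MailToOwner $true `
    -IncludeUserClaims $true `
    -IncludeDeviceClaims $true

# Confirm what is now in effect on this server.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, AllowRequests, MailToOwner, IncludeUserClaims, IncludeDeviceClaims, DisplayMessage
```

Note that where the Group Policy setting from Task 5 applies to the same server, the domain policy governs; use the FSRM setting for servers that are not in the DAC-Computers OU or need a different message.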

Task 6: Request access remediation

  1. Sign in to WIN8A with the User3 domain credentials. Click the Desktop tile, and then on the taskbar, click the File Explorer icon. In the File Explorer address bar, type \\FILESERVER1\Sales, and then press Enter.
  2. User3 is denied access to the folder, but the option to request assistance pops up. Click Request assistance.

  3. The Request Assistance window allows the user to send a message requesting access to the resource.

Closing remarks

Dynamic Access Control (DAC) is a new claims-based authorization functionality introduced in Windows Server 2012. This article demonstrates how conditional statements are created in the central access rules and how the central access rules become part of the central access policies. It shows how to apply the central access policies to the file servers. After applying the central access policies, user and computer accounts are used to validate the Dynamic Access Control authorization process to ensure that it works as expected.