Dynamic Access Control: Scenario Overview

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In Windows Server 2012 , you can apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.

  • Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.

  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.

  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

The Dynamic Access Control feature set is based on infrastructure investments that can be used further by partners and line-of-business applications, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:

  • A new authorization and audit engine for Windows that can process conditional expressions and central policies.

  • Kerberos authentication support for user claims and device claims.

  • Improvements to the File Classification Infrastructure (FCI).

  • RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.

In this scenario

The following scenarios and guidance are included as part of this content set:

Dynamic Access Control Content Roadmap

Scenario Evaluate Plan Deploy Operate
Scenario: Central Access Policy

Creating Central access policies for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These polices are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory, therefore making it easier to manage and deploy.

Deploying Claims Across Forests

In Windows Server 2012 , the AD DS maintains a 'claims dictionary' in each forest and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios where a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

Dynamic Access Control: Scenario Overview

Deploy Claims Across Forests

Plan: A Central Access Policy Deployment

- Process to map a business request to a central access policy
- Delegating of administration for Dynamic Access Control
- Exception Mechanisms for Planning Central Access Policies

Best Practices for Using User Claims

- Choosing the right configuration to enable claims in your user domain
- Operations to enable user claims
- Considerations for using user claims in the file server discretionary ACLs without using Central Access Policies

Using Device Claims and Device Security Groups

- Considerations for using static device claims
- Operations to enable device claims

Tools for Deployment


Deploy a Central Access Policy (Demonstration Steps)

Deploy Claims Across Forests (Demonstration Steps)

- Modeling a central access policy
Scenario: File Access Auditing

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies; thereby, they prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

Scenario: File Access Auditing Plan for File Access Auditing Deploy Security Auditing with Central Audit Policies (Demonstration Steps) - Monitor the Central Access Policies that Apply on a File Server
- Monitor the Central Access Policies Associated with Files and Folders
- Monitor the Resource Attributes on Files and Folders
- Monitor Claim Types
- Monitor User and Device Claims During Sign-in
- Monitor Central Access Policy and Rule Definitions
- Monitor Resource Attribute Definitions
- Monitor the Use of Removable Storage Devices.
Scenario: Access-Denied Assistance

Today, when users try to access a remote file on the file server, the only indication that they would get is that access is denied. This generates requests to helpdesk or IT administrators that need to figure out what the issue is and often the administrators have a hard time getting the appropriate context from users which makes it harder to resolve the issue.
In Windows Server 2012 , the goal is to try and help the information worker and business owner of the data to deal with the access denied issue before IT gets involved and when IT gets involved, provide all the right information for a quick resolution. One of the challenges in achieving this goal is that there is no central way to deal with access denied and every application deals with it differently and thus in Windows Server 2012 , one of the goals is to improve the access-denied experience for Windows Explorer.

Scenario: Access-Denied Assistance Plan for Access-Denied Assistance

- Determine the access-denied assistance model
- Determine who should handle access requests
- Customize the access-denied assistance message
- Plan for exceptions
- Determine how access-denied assistance is deployed

Deploy Access-Denied Assistance (Demonstration Steps)
Scenario: Classification-Based Encryption for Office Documents

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as HIPAA or Payment Card Industry Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons to encrypt sensitive business information. However, encrypting information is expensive, and it might impair business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their information.
To support this scenario, Windows Server 2012 provides the ability to automatically encrypt sensitive Windows Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Server (AD RMS) protection for sensitive documents a few seconds after the file is identified as being a sensitive file on the file server.

Scenario: Classification-Based Encryption for Office Documents Plan to deploy for classification-based encryption of documents Deploy Encryption of Office Files (Demonstration Steps)
Scenario: Get Insight into Your Data by Using Classification

Reliance on data and storage resources has continued to grow in importance for most organizations. IT administrators face the growing challenge of overseeing larger and more complex storage infrastructures while simultaneously being tasked with the responsibility to ensure total cost of ownership is maintained at reasonable levels. Managing storage resources is not just about the volume or availability of data anymore, but also about the enforcement of company policies and knowing how storage is consumed to enable efficient utilization and compliance to mitigate risk. File Classification Infrastructure provides insight into your data by automating classification processes so that you can manage your data more effectively. The following classification methods are available with File Classification Infrastructure: manual, programmatically, and automatic. This scenario focuses on the automatic file classification method.

Scenario: Get Insight into Your Data by Using Classification Plan for Automatic File Classification Deploy Automatic File Classification (Demonstration Steps)
Scenario: Implement Retention of Information on File Servers

A retention period is the amount of time that a document should be kept before it is expired. Depending on the organization, the retention period can be different. You can classify files in a folder as having a short, medium, or long-term retention period and then assign the timeframe for each period. You may want to keep a file indefinitely by putting it on legal hold.
File Classification Infrastructure and File Server Resource Manager uses file management tasks and file classification to apply retention periods for a set of files. You can assign a retention period on a folder and then use a file management task to configure how long an assigned retention period is to last. When the files in the folder are about to expire, the owner of the file gets a notification email. You can also classify a file as being on legal hold so that the file management task will not expire the file.

Scenario: Implement Retention of Information on File Servers Plan for Retention of Information on File Servers Deploy Implementing Retention of Information on File Servers (Demonstration Steps)


Dynamic Access Control is not supported on ReFS (Resilient File System).

See also

Content type References
Product evaluation - Dynamic Access Control Reviewers Guide
- Dynamic Access Control Developer Guidance
Planning - Planning a Central Access Policy Deployment
- Plan for File Access Auditing
Deployment - Active Directory Deployment
- File and Storage Services Deployment
Operations Dynamic Access Control PowerShell Reference

|Community resources|Directory Services Forum|