Microsoft Dynamic Access Control (Part 4 – Rules and Policies)

April 28, 2014 By Eric Shanks

We’ve discussed Initial configuration steps, Claims, and Resource Properties and we’re starting to see the power of Microsoft’s Dynamic Access Control, but we need a better way to manage these and that’s why we’ve come to “Rules and Policies”.

A Central Access Rule can be used to take claims, such as users in a department, and match them up with permissions on a file or folder with specific resource properties.  This is where the real power comes into play because now we don’t have to go through and map these for each individual file.  We’re setting a general policy for the entire organization all at once.

Create a Central Access Rule

We again go into the Active Directory Administrative Center (ADAC) and this time add a new Central Access Rule.

I’ve given my rule a very descriptive name like “CentralAccessRule01”.

We map target resources.  Here we can use the resource property that we created in part 3 of this series where we label some resources as “UberSecret”.

This screen shows how we added the target resource.

Lastly, we configure the permissions so that anyone in the “Goalies” security group has read and execute permissions as long as their department also equals IT.

Create Access Policy

The Central Access Rule has been created but it isn’t available to be deployed anywhere yet.  To get the rule ready to be deployed we need a Central Access Policy.

Again, from the ADAC we now create a new Central Access Policy and give it a name.

Give the Policy a name and then add a central access rule that you’ve already created to this new Central Access Policy.  Notice that a Central Access Policy may contain one to many different central access rules.

Choose the central access rule created earlier and move it to the right side using the double arrows.

Rules have been created, and added to a policy.  Now that we’re on the subject of policies, we can now add this Central Access Policy through Group Policy.  (I know, a lot of policies right?)

In your Group Policy Management Editor, create a new GPO or modify an existing GPO.  This Group Policy should be placed on an Organizational Unit that houses your File Servers.

Navigate to:  Computer Configuration\Policies\Windows Settings\Security Settings\File System\Central Access Policy.

Here you will right click and choose new.

Any Central Access Policies that you’ve created will now be available for you to add to the GPO.

Policies are in effect on the domain.  One more step.

Assign Policy to Folder

Central access policies will be available for use on any folders where the server is bound by the GPO created earlier.  If you look at the security properties on one of your file servers you should now see a new tab for Central Policy.  (If you don’t see this tab, try running GPUpdate /force from a command line and try again.)

From this screen, you only need to select the policy that matches your goals and all of the configuration is now done.  Any resources in that folder that have resource properties should have the proper permissions set.

NOTE:  Be sure that the File System Permissions still allow access to the users.  File System permissions are checked first, and then Central Access Policies are checked second.  If a user is missing file system permissions, they don’t have access.
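
The rule, policy, and folder assignment above can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not from the original post; the claim type and resource property display names, the "Exists" target condition, the extra owner/administrator/SYSTEM entries, the policy name, and the folder path are all assumptions to adjust for your environment.

```powershell
# Added example: scripted equivalent of the ADAC and folder steps above.
# Run the AD part where the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Assumed display names: adjust to what was created in parts 2 and 3.
$deptClaim  = Get-ADClaimType        -Filter 'DisplayName -eq "department"'
$secretProp = Get-ADResourceProperty -Filter 'DisplayName -eq "UberSecret"'
$goaliesSid = (Get-ADGroup -Identity 'Goalies').SID.Value
if (-not $deptClaim -or -not $secretProp) {
    throw 'Claim type or resource property not found.'
}

# Target resources: anything carrying the UberSecret resource property.
# "Exists" is an assumption; compare against a value if your property needs it.
$resourceCondition = "(Exists @RESOURCE.$($secretProp.Name))"

# Permissions as SDDL. 0x1200a9 = Read & Execute, granted to Goalies only
# when the user's department claim equals IT (conditional ACE, type XA).
# The OWNER RIGHTS / Administrators / SYSTEM entries are assumed here so
# administrators keep access; the post only describes the Goalies entry.
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
              "(XA;;0x1200a9;;;$goaliesSid;(@USER.$($deptClaim.Name) == `"IT`"))"

New-ADCentralAccessRule -Name 'CentralAccessRule01' `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# The policy is the deployable container; it can hold several rules.
$policyName = 'UberSecretPolicy'          # hypothetical policy name
New-ADCentralAccessPolicy -Name $policyName
Add-ADCentralAccessPolicyMember -Identity $policyName `
    -Members 'CentralAccessRule01'

# Publishing the policy through the GPO is done in the Group Policy
# Management Editor, as described in the post.

# On the file server, in an elevated session, after the GPO has applied:
gpupdate /force
$folder = 'D:\Shares\UberSecret'          # hypothetical folder path
$acl    = Get-Acl -Path $folder
Set-Acl -Path $folder -AclObject $acl -CentralAccessPolicy $policyName
```

The folder's existing NTFS ACL is written back unchanged, so it must already grant the Goalies group access for the policy to have any effect.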

Results

I ran a quick test with a new user named Corey Crawford.  He is a member of the “Goalies” security group, and he is also in the IT Department.  (What, like you can’t be a goalie and an IT guy at the same time?)

As you can see from his whoami info and bginfo, he does have access to my folder.

We can also look at the permissions from the folder itself.  Look in the Effective Access Tab and we can see the permissions Mr. Crawford is granted.

Alternatively, we see that Mr. Kane is not a member of the Goalies Security Group so therefore he does not have access.

 Dynamic Access Control Series

Initial Configuration Steps for Microsoft Dynamic Access Control- Part 1

Claims – Part 2

Resource Properties – Part 3

Access Rules and Policies Part 4

File Server Resource Manager Auto Classification – Part 5