Microsoft Dynamic Access Control (Part 1)
April 28, 2014Microsoft Dynamic Access Control is a new way to deploy access rules to your file shares. For many moons now, System Administrators have had a tedious task of managing tens, hundreds, or thousands of security groups to control how files are accessed.
Groups of users have always needed to maintain different sets of security rules to prevent people from accessing confidential files. Human Resources obviously doesn’t want people outside their department to have access to personnel files, separate office locations may not want to share data with other offices in the same domain, and countries or cities might have different restrictions about sharing files with each other.
Typically administrators would add users to many security groups to manage the permissions but was a tedious task prone to errors and even worse, what would happen if someone moved or changed roles. Usually this required removing and then adding different roles, often leading to mistakes. Dynamic Access Control is a method that uses properties to determine access instead of just security groups.
Dynamic Access Control (DAC) Prerequisites
Before you get too far into configuring DAC, you should make sure the prerequisites are available:
- A Windows Server 2012 File Server
- At least one Windows Server 2012 domain controller accessible by the Windows client in the user’s domain
- A Windows 8 client (only needed if using device claims)
As well as the software requirements that are needed, there are also a few policies that should created before the guts of the configuration is done.
Kerberos Authentication needs to be enabled on the domain controllers. Yes, I would think this was enabled by default, but it isn’t, so turn it on!
Create the GPO, attach it to the Domain Controllers OU and in the settings, look for “Computer ConfigurationPoliciesAdministrative TemplatesSystemKDC”
The setting should be “KDC support for claims, compound authentication and Kerberos armoring”; change this setting to enabled and supported.
Next, On the Windows Server 2012 File Server, be sure to install the File Server Resource Management (FSRM) feature either by going through the Server Manager and adding the role, or using powershell by running the following command:
Install-WindowsFeature –Name FS-Resource-Manager –IncludeManagementTools
Once the FSRM feature is installed, you should be ready to start claims which are discussed in part 2.
Dynamic Access Control Series
Initial Configuration Steps for Microsoft Dynamic Access Control- Part 1
Access Rules and Policies Part 4
Thank you very much for this great explanation about Dynamic Access Control.
You make this little perplexing topic easy to understand.
I read some other articles but only this one brings light in the dark.