Microsoft Dynamic Access Control (Part 4 – Rules and Policies)
April 28, 2014
We’ve discussed Initial configuration steps, Claims, and Resource Properties and we’re starting to see the power of Microsoft’s Dynamic Access Control, but we need a better way to manage these and that’s why we’ve come to “Rules and Policies”.
A Central Access Rule takes claims, such as the department a user belongs to, and matches them against permissions on a file or folder that carries specific resource properties. This is where the real power comes into play, because we no longer have to map these permissions for each individual file. We set one general policy for the entire organization all at once.
Create a Central Access Rule
We again go into the Active Directory Administration Center and this time add a new Central Access Rule.
I’ve given my rule a very descriptive name like “CentralAccessRule01”.
We map target resources. Here we can use the resource property that we created in part 3 of this series where we label some resources as “UberSecret”.
This screen shows how we added the target resource.
Lastly, we configure the permissions so that anyone in the “Goalies” security group has read and execute permissions as long as their department also equals IT.
Create Access Policy
The Central Access Rule has been created but it isn’t available to be deployed anywhere yet. To get the rule ready to be deployed we need a Central Access Policy.
Again, from the ADAC we now create a new Central Access Policy and give it a name.
Give the Policy a name and then add a central access rule that you’ve already created to this new Central Access Policy. Notice that a Central Access Policy may contain one or many central access rules.
Choose the central access rule created earlier and move it to the right side using the double arrows.
Rules have been created and added to a policy. Now that we’re on the subject of policies, we can add this Central Access Policy through Group Policy. (I know, a lot of policies, right?)
In your Group Policy Management Editor, create a new GPO or modify an existing GPO. This Group Policy should be placed on an Organizational Unit that houses your File Servers.
Navigate to: Computer Configuration\Policies\Windows Settings\Security Settings\File System\Central Access Policy.
Here you will right click and choose new.
Any Central Access Policies that you’ve created will now be available for you to add to the GPO.
Policies are in effect on the domain. One more step.
Assign Policy to Folder
Central access policies will be available for use on any folders on servers bound by the GPO created earlier. If you look at the security properties of a folder on one of your file servers, you should now see a new tab for Central Policy. (If you don’t see this tab, try running GPUpdate /force from a command line and try again.)
From this screen, you only need to select the policy that matches your goals and all of the configuration is now done. Any resources in that folder that have resource properties should have the proper permissions set.
NOTE: Be sure that the File System Permissions still allow access to the users. File System permissions are checked first, and then Central Access Policies are checked second. If a user is missing file system permissions, they don’t have access.
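The same rule, policy and folder assignment steps driven from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module is available, that the Department claim type and the resource property from part 3 have the display names "Department" and "Classification" (with "UberSecret" as the value), that the AD cmdlets expose the SDDL identifier as an `ID` property, and a share path of `D:\Shares\Secret`; the GPO link itself is still done in the Group Policy Management Editor as described above.

```powershell
# Run on a DC or RSAT host with the ActiveDirectory module.
Import-Module ActiveDirectory

# The claim and resource-property IDs (ad://ext/...:<suffix>) are forest-specific,
# so look them up by display name instead of hard-coding them. (Assumed names.)
$deptClaim = (Get-ADClaimType -Filter { DisplayName -eq "Department" }).ID
$classProp = (Get-ADResourceProperty -Filter { DisplayName -eq "Classification" }).ID
$goalieSid = (Get-ADGroup -Identity "Goalies").SID.Value

# Target resources: anything whose Classification property is set to UberSecret.
$resourceCondition = "(@RESOURCE.$classProp Any_of {`"UberSecret`"})"

# Permissions: Read & Execute (0x1200a9) for Goalies, but only while the user's
# Department claim equals IT. The leading ACEs keep owner/admins/SYSTEM at full control.
$currentAcl = ('O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;{0};(@USER.{1} == "IT"))') -f $goalieSid, $deptClaim

New-ADCentralAccessRule -Name "CentralAccessRule01" `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# A rule only becomes deployable once it is a member of a Central Access Policy.
New-ADCentralAccessPolicy -Name "CentralAccessPolicy01"
Add-ADCentralAccessPolicyMember -Identity "CentralAccessPolicy01" -Members "CentralAccessRule01"

# --- On the file server, after the GPO from the post has applied (gpupdate /force) ---
$share = "D:\Shares\Secret"    # assumed path
$acl   = Get-Acl -Path $share
$rx    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# The CAP is an additional gate, not a replacement: if the NTFS ACL does not grant
# Goalies Read & Execute, the central rule never gets a chance to allow access.
$ntfsGrantsRx = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\Goalies" -and
    $_.AccessControlType -eq "Allow" -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
if (-not $ntfsGrantsRx) {
    throw "NTFS ACL on $share does not grant Goalies Read & Execute; fix that first."
}

# Bind the folder to the central policy (the Central Policy tab in the GUI does the same).
Set-Acl -Path $share -AclObject $acl -CentralAccessPolicy "CentralAccessPolicy01"
```

The NTFS check before `Set-Acl` is the scripted form of the note above: a user who is denied by the file system ACL is denied regardless of what the Central Access Policy says.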
I ran a quick test with a new user named Corey Crawford. He is a member of the “Goalies” security group, and he is also in the IT Department. (What, like you can’t be a goalie and an IT guy at the same time?)
As you can see from his whoami info and bginfo, he does have access to my folder.
We can also look at the permissions from the folder itself. Look in the Effective Access Tab and we can see the permissions Mr. Crawford is granted.
Conversely, we see that Mr. Kane is not a member of the Goalies security group, so he does not have access.