Microsoft Dynamic Access Control (Part 5 – Auto Classification)

April 28, 2014 By Eric Shanks

In the first four parts of the Dynamic Access Control Series we covered Initial Configurations, Claims, Resource Properties, and Rules and Policies. These are working great in our environment, but we still have to go through and manage the classification tags. Wouldn’t it be easier to have some files automatically tagged with a certain resource classification?

Enter File Server Resource Manager to the rescue!

Classification Rules

From within File Server Resource Manager (FSRM) go to Classification Rules and choose to “Create Classification Rule…”



As usual, give the rule a name and a description.



Select what kind of files or folders the rule will be run on.  In my example we’re only looking at User files.  I’ve also limited the classification rule to run on the “ClassifiedFiles” folder, but you could select entire drives if you’d prefer.



Choose a classification method. In my example I’ve used a content classifier, which looks at the actual data inside of a file, but you could also use a PowerShell script or folder classifier.

In the properties, I’ve selected the Hollow-Classified resource property that we created in part 3 of this series.



Then we configure the parameters. This is the logic behind the classification. In my example, I’m looking for any files that have the string “Private” in them two times. In a corporate file store this might not work, but a suitable expression could be found to fit almost any situation.




The last step of the configuration is to set an evaluation type. This is a way to handle any files that already have a classification. What should happen to those files? Should you overwrite their classification, add to their classifications or do nothing?



Once the classification rule is configured, you can either set up a schedule, or run the classification process any time from the FSRM console.
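
The same rule built with the FileServerResourceManager PowerShell module, as an added example that is not from the original post. The rule name, the folder path, the case-insensitive string match, the Overwrite evaluation type and the weekly schedule are assumptions; the article itself names only the Hollow-Classified property, the ClassifiedFiles folder, the UberSecret value and the two-occurrence “Private” match.

```powershell
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

# --- Assumptions for this example (not values taken from the article) ---
$ruleName    = 'Auto-classify Private documents'   # hypothetical rule name
$scopePath   = 'D:\Shares\ClassifiedFiles'         # placeholder path to the ClassifiedFiles folder
$propDisplay = 'Hollow-Classified'                 # resource property created in part 3
$propValue   = 'UberSecret'                        # assumed to be the value's internal name

# Resource properties published from AD can carry a generated internal name,
# so resolve it from the display name instead of guessing it.
$prop = @(Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.DisplayName -eq $propDisplay -or $_.Name -eq $propDisplay })
if ($prop.Count -ne 1) {
    throw "Expected exactly one property named '$propDisplay'; found $($prop.Count)."
}

$ruleArgs = @{
    Name                    = $ruleName
    Description             = 'Tag files that contain "Private" at least twice'
    Namespace               = @($scopePath)
    ClassificationMechanism = 'Content Classifier'
    # StringEx = case-insensitive string match; Min = minimum occurrences.
    Parameters              = @('StringEx=Min=2;Expr=Private')
    Property                = $prop[0].Name
    PropertyValue           = $propValue
    # Evaluation type: Never = keep an existing value, Overwrite = replace it,
    # Aggregate = add to it. Overwrite is an assumption here.
    ReevaluateProperty      = 'Overwrite'
}

# Create the rule only if it is not already there, so the script can be re-run.
if (-not (Get-FsrmClassificationRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule @ruleArgs | Out-Null
}

# Either schedule classification (weekly, Sunday 02:00 in this example) ...
$task = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
Set-FsrmClassification -Schedule $task

# ... or start it now and wait up to 10 minutes for it to finish.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification -Timeout 600
Get-FsrmClassification    # inspect the classification job configuration and state
```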




Run the Classification Rules

Here I’ve created a file with the word “Private” in it three times.  This file should get reclassified as UberSecret.



The classification process runs and spits out a report. It looks like one file was affected.


I look at the test .txt file that we used and it has a classification listed now.




Microsoft Dynamic Access Control has many moving parts that can all be used in concert to ease the burden of managing files and folders. It is well worth the initial setup time to eliminate the constant updates to file permissions that come with day-to-day IT routines. Plan it out and use the automation, and this could be a wonderful set of tools.


Microsoft Dynamic Access Control Series

Initial Configuration Steps for Microsoft Dynamic Access Control – Part 1

Claims – Part 2

Resource Properties – Part 3

Access Rules and Policies – Part 4

File Server Resource Manager Auto Classification – Part 5