Information About DAC or Dynamic Access Control
Dynamic Access Control relies on file classification (descriptive metadata about files) together with user and device attributes. Through DAC, you configure access to files based on the user's Active Directory attributes and the file's content. DAC will become an important part of any Windows enterprise for a number of reasons. The most obvious benefit to Active Directory admins is that it implements security without using security groups. As a result, I've spent a great amount of time exploring DAC, and I'll explain what you need to know to start implementing it.
In this post, we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, which can be managed through the Active Directory Administrative Center (ADAC) to help organizations meet data compliance requirements.
- Note: Before configuring Dynamic Access Control you need to install File Server Resource Manager (FSRM). To install File Server Resource Manager, follow these steps:
Step 1. Install File Server Resource Manager
1. In Server Manager, from the Manage menu, select Add Roles And Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.
2. Click Next to open the Select Installation Type page.
3. Leave the Role-Based Or Feature-Based Installation option selected and click Next. The Select Destination Server page opens.
4. On the Select Server Roles page, expand File And Storage Services, then expand File And iSCSI Services and select File Server Resource Manager. Click Next a couple of times and then click Install. In most cases, installing FSRM does not require a server restart.
Step 2. Configure Claim Types
In this step, we will configure claim types for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating dynamic access control: in our case, the user's department and country.
1. In Server Manager, from the Tools menu, select Active Directory Administrative Center. You can use Active Directory Administrative Center to configure user and device claim types. Right-click Claim Types, click New, and then select Claim Type.
2. In the Source Attribute section, select the attribute you want to use as the basis of the claim type. You can also specify whether you want this claim type to be issued for a user, for the computer (device), or both. When selected, click OK.
3. Repeat for the department attribute with the following suggested values (HR, Finance, Operations).
4. Select Department, then click OK.
Step 3. Configure Resource Properties for Files
In DAC terminology, resource properties correspond to meaningful classifications, or tags, that we can apply to our file servers' shared resources. To get started, open Active Directory Administrative Center from your administrative workstation or domain controller and click the Dynamic Access Control node.
1. Click Resource Properties. Here you can select existing resource properties or create new ones; I have selected Company and Department. Select Company, then click Properties.
2. On the Company page, click Add. The Add a Suggested Value dialog opens; in Value, type Marvel, and type the same for the display name. Then click OK. Once added, on the Resource Properties page, click Enable.
3. Right-click Department and click Enable.
Step 4. Add Resource Properties to the Global Resource Property List
After you enable your desired resource properties, you have to add them to a resource property list before they can be applied to objects. Begin by selecting the Resource Property Lists container in Active Directory Administrative Center. One predefined list is available, named Global Resource Property List; use it if you want the same classification to be available for all objects.
1. To add the resource properties you have enabled, right-click the list, then click New, Resource Property List.
2. In the Select Resource Properties dialog box that opens, add the desired resource properties that you have enabled, and click OK.
Step 5. Create New Central Access Rule
A Central Access Rule is similar to an ACL in that it describes which conditions must be met for access to be granted to a resource.
1. To create a new Central Access Rule, in Active Directory Administrative Center, select Tree View in the console tree and then select Central Access Rules.
2. In the task pane, click New and then click Central Access Rule.
3. In the Name text box, type the name you want to give the rule.
4. In the Target Resources section, click Edit, and in the Central Access Rule dialog box add the conditions that match the target resources for which you want to define access. For example, if your goal is to define access permissions for resources that have been configured with a Department property, add the two conditions you configured.
5. In the Permissions section of the Create Central Access Rule page, select Use Following Permissions As Current Permissions and then click Edit. Click Add to open the Permission Entry dialog box.
6. Near the top of the dialog box, click Select A Principal. A principal is another name for a user or group account. To configure DAC, you normally want to select Authenticated Users as the principal.
7. In the middle of the dialog box, beneath Basic Permissions, select the permissions that you want to assign to users who match the conditions in your rule.
8. Near the bottom of the dialog box, add conditions that match the users for whom you want to define access.
Remember that an authenticated user who does not match these conditions will be completely denied access (with the exception of the file owner).
9. Click OK three times to finish and return to Active Directory Administrative Center.
Step 6. Create Central Access Policy
In the console tree of Active Directory Administrative Center, click Central Access Policies. In the task pane, click New and then click Central Access Policy.
1. In the Name text box, type the name you want to assign to the policy.
2. Under Member Central Access Rules, click Add, then add the desired central access rules you have created, and click OK twice to return to Active Directory Administrative Center.
Step 7. Enabling Kerberos Support for Claim-Based Access Control Using GPO
We use Group Policy to make the CAP available to our domain file server(s). Whether you create a new GPO or edit an existing one is completely up to you. In a nutshell, we need to configure the following Group Policy elements.
1. In Server Manager, from the Tools menu, click Group Policy Management.
2. In the Group Policy Management Console, create or edit a Group Policy Object (GPO) linked to the domain. Right-click it and click Edit.
3. In the Group Policy Management Editor, go to Computer Configuration/Windows Settings/Security Settings/File System and click Central Access Policy.
4. Right-click and click Manage Central Access Policies, add the available central access policies, and then click OK.
5. In the Group Policy Management Console, create or edit a Group Policy Object (GPO) linked to the Domain Controllers organizational unit (OU), and then enable the following setting: Computer Configuration/Policies/Administrative Templates/System/KDC/KDC Support For Claims, Compound Authentication And Kerberos Armoring. Within the policy setting dialog box, select Enabled and click OK.
Step 8. Testing DAC with Effective Access
Our final step in this process is to test user access to the Super-Hero shared folder.
After you complete the previous step, the resource properties you chose above appear on the Classification tab of every file and folder on that file server. First select the Company value, then select the Department value, and then click Apply.
Then, in Advanced Security Settings, on the Central Policy tab, change "No Central Access Policy" to "CAP", the policy we defined. Click Change to view the available central access policies that can be applied to this object.
Add one user.
You can test whether everything worked by using the Effective Access tab.
That was all about how to configure Dynamic Access Control in Windows Server 2016. I hope you found this article useful. Please ask your questions and give us your suggestions and opinions about what articles we should write. If you faced any problem, tell us in the comments below; we are waiting for your suggestions. Please let me know in the comments of this post if you'd like me to develop a full tutorial for Dynamic Access Control deployment.
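The same Steps 1 through 7 scripted with PowerShell, as an added example that is not code from the original post. It assumes the ActiveDirectory and GroupPolicy modules on a domain controller; the claim ID ad://ext/department, the rule and policy names, the "Finance" match value and the KDC registry value names are assumptions to check against your own forest.

```powershell
# Added example (not from the original post): the DAC setup the post walks
# through in the ADAC GUI, scripted. Run elevated on a domain controller.
# Assumptions: claim ID 'ad://ext/department', rule/policy names, the
# 'Finance' match value, and the KDC registry value names under the DC GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Step 1 (run on the file server, not the DC): install FSRM.
# Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# Step 2: a user claim type sourced from the 'department' attribute, with
# the suggested values the post lists (HR, Finance, Operations).
$deptValues = 'HR', 'Finance', 'Operations' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ department")
}
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/department' -SuggestedValues $deptValues

# Step 3: enable the predefined Company and Department resource properties
# and add 'Marvel' as a suggested value for Company.
$marvel = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Marvel', 'Marvel', 'Marvel')
$props = Get-ADResourceProperty -Filter 'DisplayName -eq "Company" -or DisplayName -eq "Department"'
$props | Set-ADResourceProperty -Enabled $true
$props | Where-Object DisplayName -eq 'Company' | Set-ADResourceProperty -SuggestedValues $marvel

# Step 4: publish both properties through the Global Resource Property List.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $props

# Step 5: central access rule. Target: resources tagged Department=Finance.
# SDDL: owner and admins get full control; Authenticated Users get
# read/execute (0x1200a9) only when their Department claim is Finance.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/department Any_of {"Finance"}))'
New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"})' `
    -CurrentAcl $acl -ProtectedFromAccidentalDeletion $true

# Step 6: a central access policy that carries the rule.
New-ADCentralAccessPolicy -Name 'Super-Hero CAP'
Add-ADCentralAccessPolicyMember -Identity 'Super-Hero CAP' -Members 'Finance Documents Rule'

# Step 7: KDC support for claims on the domain controllers' GPO (registry
# values behind the KDC.admx setting; assumed, verify in your ADMX). Pushing
# the CAP to file servers (File System > Central Access Policy) stays a
# Group Policy Management Editor task, as in the post.
$kdc = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdc `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdc `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1   # 1 = Supported
```

After a gpupdate on the file server, Update-FsrmClassificationPropertyDefinition pulls the enabled resource properties down so they show on the Classification tab, and Get-ADCentralAccessPolicy -Filter * confirms what was created in AD.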