Exploring Dynamic Access Control Part 1 – Getting Started

This is the first post in a series of 4 covering Dynamic Access Control.

In this post I am going to be looking at the Dynamic Access Control features of Windows Server 2012 and Windows 8.

Dynamic Access Control is a way for you to secure your resources (such as files and folders) without having to manage groups or user lists.

The main idea here is that a user's access rules are based upon Claims from their Active Directory properties. This makes it much easier to manage which users can and which users cannot access a specific resource.

For example, if I have a directory which contains Engineering specific documents, and only members of the Engineering department should be able to view those. Previously I would have either had to find an existing group (or groups) which relate to this department, or create and manage my own.

As 'department' is an attribute within Active Directory, it would be useful if I could specify that only users with a 'department' value of 'Engineering' have access to the resource in question. This is exactly what Dynamic Access Control allows us to do.

DAC also makes managing permissions much easier. As an example, if we have 10 different departments across 5 different countries, we may have upwards of 50 different groups to manage. Instead, by using DAC to set permissions using the 'department' and 'country' Active Directory properties, we can reduce the number of groups we are managing to zero.


Let's look at a simple example of just applying this idea to a directory:

In the security tab of a folders properties, everything looks the same as before:

However, clicking advanced and we see something new:

This is where we can start to create our "Conditions" for permissions on specific "Principals" (types of user).

By default folders and files inherit from their parent directory, but you can customize them by clicking the Disable inheritance button at the bottom of this dialog.

Now we can start to define our rules. As before I just want users who are in the Engineering department to be able to read items in this directory.

Clicking on the Users Principal, and clicking edit opens up a permissions dialog:

Here we can set the explicit permissions to grant users, but also allows us edit the conditions. Above I have added the condition that the Users department equals Engineering.

We also have the ability to combine conditions using And/Or grouping:

This makes the conditions and rules very powerful and customizable.

We can use the Effective Access Tab to test out our new permissions for a given user, and what the effective changes are if we give them additional claims which they may not already have:

However we are not restricted to just Users here, we also have the ability to allow and deny permissions based on the device used as well. This is could be useful for highly sensitive data, e.g. we only want the legal department's data accessed by approved devices within the legal department.

The next post will look at Classification of resources, and how we can automate tasks to run over those resources.


Posts in this series:

Part 1 - Getting Started

Part 2 - Classification

Part 3 - Properties And Claims

Part 4 - Central Access Rules

Skip to main content