Deploying and Configuring Central Access Policy for Dynamic Access Control

In Part 4 of this blog series on Dynamic Access Control we discussed how to configure Claim Types in order to be able to use user claims in Central Access Rules. In Part 3 of the series we discussed how to configure Windows Server 2012 Central Access Rules. In this, the final post of the series, we’ll discuss how Central Access Rules can be deployed across the enterprise using Central Access Policy.

Windows Server 2012 Central Access Policies allow administrators to deploy a number of Central Access Rules to servers across the enterprise. The rules are then applied to one or more folders on those servers. A Central Access Policy is simply a collection of Central Access Rules. Once defined, a Central Access Policy can be applied to Windows Server 2012 file servers using Group Policy. A Central Access Policy object contains a list of associated Central Access Rule objects, and that list is managed the same way you manage group membership in AD: Central Access Rules can be added to or removed from the Central Access Policy. Like group membership, Central Access Rule membership is a linked value, which means one Central Access Rule can be a member of multiple Central Access Policies.

To create a Central Access Policy:

1. Start the Active Directory Administrative Center.
2. Click Dynamic Access Control in the navigation pane.  Then double-click Central Access Policies in the management list.
3. In the Tasks pane, click New and then select Central Access Policy.
4. Enter the Name and Description of the Central Access Policy.
5. Select or clear the Protect from accidental deletion check box.
6. Click Add in the Member Central Access Rules section to add Central Access Rules to the Central Access Policy’s membership list. Or, select one or more Central Access Rule objects in the membership list and click Remove to remove them from the membership list.
7. Click OK to finalize the policy.

Once the policy has been created, it can be activated in two steps.  The first step is to deploy the Central Access Policy to file servers.  The second step is to deploy the policy to one or more folders on the server.

Step 1 – Deploying the DAC Policy to file servers

Group Policy is used to deploy the Central Access Policy. Windows 8 and Windows Server 2012 added a “Central Access Policy” object under the Windows Settings\Security Settings\File System folder in Group Policy. You use this object to add one or more policies to the GPO (as can be seen in the screenshot below). Once the Group Policy object is defined, it can be linked to a scope (domain, OU, server, etc.) using standard Group Policy procedures.

Screenshot: Group Policy Definition

Step 2 – Deploying Central Access Policy to folders

Once Group Policy has deployed the policy to the server(s) you can go into Windows Explorer and select the folders to which you want to apply the policy.  Follow these steps.

1. Start Windows Explorer.
2. Navigate to the file folder to which you want to apply Central Access Policy.
3. Right-click the file folder and select Properties.
4. In the folder’s property dialog box, select Security and then Advanced.
5. Click the Central Policy tab in the Advanced Security Settings editor. Note: this tab only appears if the file server has received a Group Policy object that contains one or more Central Access Policies.
6. Select Change to enable the Central Access Policy list.
7. Select the Central Access Policy to apply to this folder from the list of Central Access Policies. After you select it, a list of the Central Access Rules that are members of the selected Central Access Policy appears below the Central Access Policy list.
8. Click OK to apply the Central Access Policy to the folder.
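The same two-step procedure can be scripted. The following is an added example, not code from the original post: it uses the ActiveDirectory module cmdlets for creating the policy and its membership list, then `Set-Acl -CentralAccessPolicy` on the file server for Step 2. The policy, rule and folder names are hypothetical placeholders; the Central Access Rules are assumed to exist already (see Part 3), and Step 2 assumes the GPO from Step 1 has been linked and applied to that server.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) for the policy section and PowerShell 3.0+ on a Windows Server
# 2012 file server for the folder section. All names below are hypothetical.
Import-Module ActiveDirectory

$policyName = 'Finance Documents Policy'                       # hypothetical
$ruleNames  = @('Finance Read Rule', 'Finance Modify Rule')    # hypothetical, created in Part 3

# --- Create the Central Access Policy (ADAC steps 1-5) ---
$cap = New-ADCentralAccessPolicy -Name $policyName `
    -Description 'Central Access Rules for finance department shares' `
    -ProtectedFromAccidentalDeletion $true -PassThru

# --- Add rules to the membership list (ADAC step 6) ---
# Membership is a linked value: the same rule may also belong to other policies.
$rules = foreach ($r in $ruleNames) { Get-ADCentralAccessRule -Identity $r }
Add-ADCentralAccessPolicyMember -Identity $cap -Members $rules
# To drop a rule later: Remove-ADCentralAccessPolicyMember -Identity $cap -Members 'Finance Modify Rule'

# Read the membership back so the deployed policy can be audited before use
$cap = Get-ADCentralAccessPolicy -Identity $policyName -Properties Members
$memberNames = foreach ($dn in $cap.Members) { (Get-ADCentralAccessRule -Identity $dn).Name }
if (Compare-Object $memberNames $ruleNames) {
    throw "Membership of '$policyName' does not match the expected rule list"
}

# --- Step 2: apply the policy to a folder (run on the file server) ---
# The GPO from Step 1 must already have delivered the policy to this server;
# refresh computer policy first, otherwise the policy is not selectable.
gpupdate /target:computer /force | Out-Null
$folder = 'D:\Shares\Finance'                                  # hypothetical
Set-Acl -Path $folder -CentralAccessPolicy $policyName

# Verify: Get-Acl exposes the applied policy through CentralAccessPolicyName
$acl = Get-Acl -Path $folder
if ($acl.CentralAccessPolicyName -ne $policyName) {
    throw "Central Access Policy was not applied to $folder"
}
$acl | Select-Object Path, CentralAccessPolicyId, CentralAccessPolicyName
```

`Set-Acl -ClearCentralAccessPolicy -Path $folder` removes the policy from the folder again; the NTFS DACL on the folder is left unchanged in both directions, since the Central Access Policy is evaluated in addition to it.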

For more information on how Central Access Policy can be used with Microsoft SharePoint, see the “Applying Windows Server 2012 DAC to SharePoint” blog post.
