Active Directory: configuring dynamic access control – DAC

Windows Server 2012R2  Windows Server 2016  Windows Server 2019

In this tutorial, I will walk you through dynamic access control, which is available on Windows Server in an Active Directory environment.

Before getting to the heart of the matter, here is a short introduction to Dynamic Access Control, also called DAC.

DAC adds a further layer of control on top of NTFS access rights, which extends the criteria those rights can be based on. Here are some examples:

  • Rights based on a classification (the subject of this tutorial)
  • Rights depending on the computer
  • Rights based on an Active Directory attribute

To configure dynamic access control, the File Server Resource Manager (FSRM) role must be installed on the file server, and you need to be comfortable with file classification.

Rules are created in the ADAC (Active Directory Administrative Center) console.

Outline of the tutorial: to illustrate dynamic access control, we will add a Yes/No classification to files that contain the word “DSI”; in dynamic access control, this classification is a resource property. We will then create a central access rule that sets the access rights so that only users in the GRP_USERS_IT group can access files whose File Tag DSI classification is set to Yes. Finally, we will create a central access policy and publish it by GPO so that it can be applied.
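Once the objects described above exist, a read-only check like the following confirms that they are wired together as intended: each rule attached to a central access policy is reported with whether its target condition references the resource property and whether its permissions mention the group. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory PowerShell module (RSAT) is available and that the resource property's display name is exactly "File Tag DSI".

```powershell
# Added example: read-only audit of the DAC objects built in this tutorial.
# Assumption: run with the ActiveDirectory module on a DC or an RSAT host.
Import-Module ActiveDirectory

$propDisplayName = 'File Tag DSI'   # resource property display name (assumed)
$groupName       = 'GRP_USERS_IT'   # group the central access rule should authorize

# The resource property must exist and be enabled before a rule can target it.
$prop = Get-ADResourceProperty -Filter "DisplayName -eq '$propDisplayName'"
if (-not $prop) { throw "Resource property '$propDisplayName' not found." }
$prop | Format-List DisplayName, Name, Enabled, ResourcePropertyValueType

# In the rule's SDDL, a non-built-in group appears as its SID string.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Walk every central access policy and the rules attached to it.
$report = foreach ($policy in Get-ADCentralAccessPolicy -Filter *) {
    foreach ($ruleDn in $policy.Members) {
        $rule = Get-ADCentralAccessRule -Identity $ruleDn
        [pscustomobject]@{
            Policy            = $policy.Name
            Rule              = $rule.Name
            # True when the target condition references the resource property ID.
            TargetsProperty   = $rule.ResourceCondition -like "*$($prop.Name)*"
            # True when the rule's permissions mention the group's SID.
            MentionsGroup     = $rule.CurrentAcl -like "*$groupSid*"
            ResourceCondition = $rule.ResourceCondition
            CurrentAcl        = $rule.CurrentAcl
        }
    }
}
$report | Format-List
```

A rule that shows `TargetsProperty` or `MentionsGroup` as `False` is worth reopening in ADAC before the policy is published by GPO.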

It is also possible to use claims based on the AD attributes of computers and users. To keep dynamic access control easy to follow, that subject will be covered in another tutorial.

