Active Directory: configuring dynamic access control – DAC

Windows Server 2012R2  Windows Server 2016  Windows Server 2019

In this tutorial, I suggest you discover the dynamic access control available on Windows Server in an Active Directory environment.

Before getting to the heart of the matter, I will introduce you to dynamic access control also called DAC (Dynamic Access Control).

DAC adds additional control over NTFS access rights which allows rights to be extended. Here are some examples :

  • Right according to a classification (subject of the tutorial)
  • Right depending on the computer
  • Entitlement based on an Active Directory attribute

To configure dynamic access control, the File Server Resource Manager (FSRM) role must be installed on the file server and “master” the classification of files.

Rules creation is done through the ADAC console.

Course of the tutorial: to illustrate dynamic access control, we will add a classification (Yes / No) to the file which contains the word “DSI”, in dynamic access control it is a resource property. Then we will create a central access rule where we will configure the access rights by authorizing only the users of the GRP_USERS_IT group to be able to access files that have the File Tag DSI classification set to yes, to finish we will create a Policy of central access that we will publish by GPO in order to be able to apply it.

It is also possible to use claims based on AD attributes of computers and users. In order to facilitate the understanding of dynamic access control, this subject will be discussed in another tutorial.





Related Posts


Active directory: Delete a child domain

In the article Active directory: setting up a child domain where I explain how to configure a child domain in an Active Directory environment, I will explain here how to delete a child domain. As a re

Create an Active Directory environment in PowerShell

Table Of ContentsIntroductionPrerequisitesInstalling the AD DS roleCreating the Active Directory domaincomplements Introduction In this tutorial, we will see how to create an Active Directory environm

Active directory: How to set up a child domain

In this tutorial, we will see how to put a child domain in an Active Directory tree. A child domain is a subdomain of one of the component domains in your Active Directory forest. Subdomain segmentati