Active Directory: configuring dynamic access control – DAC

Applies to: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Creating the central access rule

In this part, we will create the central access rule, which lets you grant access rights according to a resource property and the user's group membership.

As a reminder, we will only allow users in the GRP_USERS_IT group to access files with the File Tag DSI property set to Yes.

Return to the ADAC console and, in the Dynamic Access Control container, open the Central Access Rules 1 container.

In the Tasks section, click New 1, then Central access rule 2.

Enter the name 1 of the central access rule, then click the Modify button 2 in the Target resources section.

A window opens in which you configure the conditions that determine which resources the rule applies to. Click Add a condition 1.

Configure the resource condition. In the example below, the property created previously is compared to the value Yes 1. Once the condition is configured, click OK 2.

Several conditions can be combined; their scope depends on the operator used (OR or AND). To start with, I advise keeping the conditions simple.

In the Target resources section, you can now see the condition(s) under which the central access rule applies 1. We will now configure the access rights on the resource: click the Modify 2 button in the Permissions section.

The following step is optional but recommended: select the Administrators group 1 and click Remove 2.

Removing the Administrators group prevents the rule from applying to this group.

We will now configure who the rule applies to: click the Add button 1.

In the Permission Entry for Permissions window, in the first part, click Select a principal 1.

Select the Domain Users group 1 and click OK 2.

If necessary, adjust the Basic permissions. We will now add a condition to limit access to users who are members of the GRP_USERS_IT group: in the bottom section, click Add a condition 1.

Configure the condition expression as in the screenshot below 1 and click Add items 2.

Select the group 1 to which the permissions will apply and click OK 2.

The condition is configured 1; click OK 2 to validate the permission entry.

The permissions are configured and the condition is visible 1; click Apply 2, then OK 3.

Select Use the following permissions as current permissions 1 and click OK 2 to create the central access rule.

If you instead leave Use the following permissions as proposed permissions selected, so that you can audit the effect first, the rule grants nothing yet: to apply the permissions later, reopen the rule and, in the Permissions section, click the Apply proposal button.

The central access rule is created 1.
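The same rule can be created from PowerShell with the ActiveDirectory module, which is useful for reproducing it on several domains or reviewing it in change control. This is an added example, not code from the original article; it assumes the resource property created earlier has the ID File_Tag_DSI_MS (check with Get-ADResourceProperty) and that the GRP_USERS_IT group exists.

```powershell
# Added example: scripted equivalent of the ADAC steps above.
# Assumptions: resource property ID is File_Tag_DSI_MS, group GRP_USERS_IT exists.
Import-Module ActiveDirectory

$ruleName = 'CAR - DSI files'

# Verify the resource property ID before building the condition (IDs are
# generated from the display name when the property is created).
$prop = Get-ADResourceProperty -Filter "DisplayName -eq 'File Tag DSI'"
if (-not $prop) { throw "Resource property 'File Tag DSI' not found" }
$propId = $prop.ID   # expected: File_Tag_DSI_MS

# Target resources: the rule applies only to files tagged File Tag DSI = Yes.
$resourceCondition = "(@RESOURCE.$propId == `"Yes`")"

# Permissions: Domain Users (SDDL alias DU) get Read & Execute (0x1200a9),
# but only when the user is a member of GRP_USERS_IT. Administrators (BA)
# are deliberately left out, matching the optional removal step.
$groupSid = (Get-ADGroup -Identity 'GRP_USERS_IT').SID.Value
$acl = "O:SYG:SYD:AR(XA;;0x1200a9;;;DU;(Member_of {SID($groupSid)}))"

# Option 1: apply immediately ("Use the following permissions as current permissions").
New-ADCentralAccessRule -Name $ruleName `
    -ResourceCondition $resourceCondition `
    -CurrentAcl $acl

# Option 2: stage the rule for auditing first ("proposed permissions"), then
# promote it later once the audit results look right.
# New-ADCentralAccessRule -Name $ruleName -ResourceCondition $resourceCondition -ProposedAcl $acl
# Set-ADCentralAccessRule -Identity $ruleName -CurrentAcl $acl

# Review what was created.
Get-ADCentralAccessRule -Identity $ruleName |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```

The rule still has to be added to a central access policy and published via Group Policy before it affects any file server, exactly as with the rule created in ADAC.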