Microsoft DAC 2012

When you know Dynamic Access Control, you know how to take command of your organization’s data for security and control. This book is a practical tutorial that will make you proficient in the main functions and extensions.

(For more resources related to this topic, see here.)

Microsoft DAC 2012 Architecture

Dynamic Access Control is not just a single feature, but an end-to-end file server solution based on the following features in Windows Server 2012:

  • Windows authorization and audit engine supporting expression-based access control
  • Kerberos Version 5 support for user and device claims
  • File classification infrastructure that support claims
  • RMS support that can be extended for further file types from third-party vendors
  • API to extend the solution with custom classification and audit tools

Building blocks

The Dynamic Access Control solution can be logically divided into the following main components to get a better, granular overview:

  • Infrastructure requirements
  • User and device claims
  • Expression-based ACEs
  • Classification enhancements
  • Central access and audit policies
  • Access-denied assistance

You need to get a quick overview of the most important facts of Dynamic Access Control. We will start the overview with the infrastructure requirements.

Infrastructure requirements

For basic deployment of Dynamic Access Control, you do not need to put in a big effort. To use claims for authorization and auditing, there is only a need for the following components:

A Claim is something that Active Directory states about a specific object (user or computer). A Claim may include the user, a unique Security Identifier (SID), department classification of a file or other attributes of a file, user, or computer.

  • At least one Windows 2012, or a newer, domain controller
  • Configure DAC objects, which are:
    • Claim Types
    • Central Access Rules
    • Central Access Policies
  • Administering with Active Directory Administrative Center (ADAC) or Remote Server Administration Tools (RSAT) for installed on Windows 8/ Windows Server 2012 or newer

  • Group policy to deploy Central Access Policies to your file servers
  • Group policy to enable the KDC support for claims
  • Group policy to enable the Kerberos client support for claims
  • All the file servers that use DAC must be 2012 or newer
  • Windows 8 or newer client computers must be part of that domain (only required when using device claims)
  • AD RMS role enabled and configured if you want to use automatic encryption
  • The following figure shows the basic deployment and configuration that needs to be done
  • You need to enable claims support on domain controllers and clients (disabled by default)
  • DAC stores all configurations in the Active Directory configuration partition
  • Group policies are used to configure DAC on file servers and clients
  • The File Server Resource Manager (FSRM) brings up many features such as File Server Classification Infrastructure (FCI)
  • Dynamic Access Control also works over organization boundaries with Claims Transformation Policies (CTP)

However, what's happens if you don't use Windows 8 clients?

For non-Windows 8 / Windows Server 2012, such as XP, Vista or Windows 7, the user doesn't need to worry about claims. In that case, the 2012-based file server will query the Active Directory services and forward the claims request to get information about the claims the user or the machine provides.

As you can see in the previous figure, DAC works between different Active Directory Forests (Active Directory instance of an organization), and Claims Transformation Policies will provide the functionality to translate the claims definitions between two or more organizations. To prepare for this scenario, you need to establish a Forest Trust between the Active Directory Forests and the Domain Function Level (DFL), which in both the Forest Root domains must be Windows 2012 or higher. Right now, this is a challenge but also a necessary requirement. There is no need for Claim Transformation Rules inside a Forest., This works fine out of the box because Dynamic Access Control objects are stored in the configuration part of the Active Directory and the whole Forest knows the relevant information.

User and device claims

Traditionally, you may have secured access to files by using NTFS file permissions and security groups. With this configuration, we were restricted to making policy decisions based on the user's group membership and the number of groups will explode. Therefore, if we wanted to include the device to control access, there was no chance to do this in an earlier version of the Windows Server. Another limitation was the requirement for folder or file access based on a certificate. Before Windows 2012 Dynamic Access Control, there was no way for the built-in functionality to include devices or certificates. DAC now integrates claims into Windows Authentication so that we can use Active Directory attributes from users and computers to control access to our information stored on file servers such as a location, department, or project.

DAC will only be used as complementary technology and is not a replacement for security groups.

The following figure shows the new combinations you can use for authorization:

This opens new ways of giving permissions on files and folders, such as:

Allow | Read, Write | If (@User.Department == @File.Department) AND (@Device.Managed == True)

There is no development knowledge required to implement a Dynamic Access Control solution.


In this article we saw the benefits and the main components of DAC. We saw the Microsoft DAC 2012 as an end-to-end file server solution, which provides a better granular overview of the file servers.

Resources for Article:

Further resources on this subject:

Books to Consider

comments powered by Disqus