Category Archives: Dynamic Access Control

#RutechEd: Answering the questions, part II

At last, two remaining questions to be answered.

1) One of the attendees of the hands-on lab on Dynamic Access Control had read that a normal user (without administrative permissions) can classify files and folders. However, he hadn’t managed to make it work. Here is what I tried and what I understood:

i. No user can change classification via Explorer remotely (or at least I failed to achieve this).

ii. Any user who has full permissions on the files can edit classification locally, e.g. from a TS session.

As far as I can understand, the “non-administrative user can edit it” part was related to the automated toolkits, which no longer need to be run under an administrative account.

2) And the last question was: can we use Orchestrator to manage classifications?

I asked one of my friends, who specializes in Orchestrator, and here is what he answered:

“i. Orchestrator can do everything that you can do in any other fashion with, say, PoSh.

ii. I bet there is a more standard way to do it.

iii. It’s definitely better to use the Data Classification Toolkit: Orchestrator will be a bottleneck if we have many files.”

So, the answer is “yes, but definitely not the best tool”.
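As an added example (my own code, not from the post, the Data Classification Toolkit or Orchestrator), here is the PoSh route for one file on the file server itself: a user with write access to the file reads and sets its classification through the FSRM classification COM API, and lists the alternate data streams that travel with it. It assumes File Server Resource Manager is installed on the server, that the property name used (“Department”) is already defined, and that the paths and function names are placeholders of mine.

```powershell
# Added example, not part of the original post. Assumes FSRM is installed and
# the classification property (hypothetical "Department") already exists.
# Function names are my own; the COM ProgID and methods are those of
# IFsrmClassificationManager.

function Get-FileClassification {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $mgr  = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
    # Second argument is FsrmGetFilePropertyOptions; 0 = default behaviour
    foreach ($p in $mgr.EnumFileProperties($full, 0)) {
        [pscustomobject]@{ File = $full; Name = $p.Name; Value = $p.Value }
    }
}

function Set-FileClassification {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    $mgr  = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
    # Stores the value in the file's classification metadata, which is kept
    # with the file rather than in a central database.
    $mgr.SetFileProperty($full, $Name, $Value)
    # Read it back so the caller sees what was actually persisted
    Get-FileClassification -Path $full | Where-Object { $_.Name -eq $Name }
}

# Alternate data streams on the file besides the default ':$DATA' stream
# (requires PowerShell 3.0 or later for the -Stream parameter).
function Get-ExtraStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Usage from a local session on the file server (constructed sample values):
# Set-FileClassification -Path 'D:\Shares\Finance\report.docx' -Name 'Department' -Value 'Finance'
# Get-FileClassification -Path 'D:\Shares\Finance\report.docx'
# Get-ExtraStreams       -Path 'D:\Shares\Finance\report.docx'
```

Run this locally on the server (console or a TS session); the call fails with an access error if the caller lacks write permission on the file, which is the behaviour observed above.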

#RuTeched: answering the questions. Does Dynamic Access Control work over replication?

As I said previously, my labs were a success, but I wasn’t able to answer some questions and promised to answer them later. The time has come for the first of them. One of the visitors told me that he had had a case where some file attributes wouldn’t replicate over DFSR, and asked me whether DAC has the same problem. I could certainly experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “maybe”, for that matter. It wouldn’t explain why. As I’m not great with replication, I had to beg for help and, luckily, I knew where to get it: the AskDS blog.

In no time I received the answer. The short one is: “everything will be ok with your files”. The long one I will just cite here:

“Let me clarify some aspects of your question as I answer each part.

When enabling Dynamic Access Control on files and folders there are multiple aspects to consider that are stored on the files and folders.

Resource Properties

– Resource Properties are defined in AD and used as a template to stamp additional metadata on a file or folder that can be used during an authorization decision. That information is stored in an alternate data stream on the file or folder. This would replicate with the file, the same as the security descriptor.

Security Descriptor

The security descriptor replicates with the file or folder. Therefore, any conditional expression would replicate in the security descriptor.

All of this occurs outside of Dynamic Access Control – it is a result of replicating the file throughout the topology, for example if using DFSR. Central Access Policy has nothing to do with these results.

Central Access Policy

Central Access Policy is a way to distribute permissions without writing them directly to the DACL of a security descriptor. So, when a Central Access Policy is deployed to a server, the administrator must then link the policy to a folder on the file system. This linking is accomplished by inserting a special ACE in the auditing portion of the security descriptor that informs Windows that the file/folder is protected by a Central Access Policy. The permissions in the Central Access Policy are then combined with Share and NTFS permissions to create an effective permission.

If a file/folder is replicated to a server that does not have the Central Access Policy deployed to it, then the Central Access Policy is not valid on that server. The permissions would not apply.”

Thanks, guys. You’re the best ;)