Dynamic Access Control: Scenario Overview


Applies To: Windows Server 2012

In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.

  • Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.

  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.

  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

The Dynamic Access Control feature set is based on infrastructure investments that can be used further by partners and line-of-business applications, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:

  • A new authorization and audit engine for Windows that can process conditional expressions and central policies.

  • Kerberos authentication support for user claims and device claims.

  • Improvements to the File Classification Infrastructure (FCI).

  • RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.

In this scenario

The following scenarios and guidance are included as part of this content set:

Dynamic Access Control Content Roadmap






Scenario: Central Access Policy

Creating Central access policies for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These polices are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory, therefore making it easier to manage and deploy.

Deploying Claims Across Forests

In Windows Server 2012, the AD DS maintains a ‘claims dictionary’ in each forest and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios where a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

Dynamic Access Control: scenario overview

Deploy Claims Across Forests

Plan for a Central Access Policy Deployment

Best Practices for Using User Claims

Using Device Claims and Device Security Groups

Tools for Deployment

Deploy a Central Access Policy (Demonstration Steps)

Deploy Claims Across Forests (Demonstration Steps) 

  • Modeling a central access policy

Scenario: File Access Auditing 

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies; thereby, they prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

Scenario: File Access Auditing

Plan for File Access Auditing

Deploy Security Auditing with Central Audit Policies (Demonstration Steps)

Scenario: Access-Denied Assistance

Today, when users try to access a remote file on the file server, the only indication that they would get is that access is denied. This generates requests to helpdesk or IT administrators that need to figure out what the issue is and often the administrators have a hard time getting the appropriate context from users which makes it harder to resolve the issue.
In Windows Server 2012, the goal is to try and help the information worker and business owner of the data to deal with the access denied issue before IT gets involved and when IT gets involved, provide all the right information for a quick resolution. One of the challenges in achieving this goal is that there is no central way to deal with access denied and every application deals with it differently and thus in Windows Server 2012, one of the goals is to improve the access-denied experience for Windows Explorer.

Scenario: Access-Denied Assistance

Plan for Access-Denied Assistance

Deploy Access-Denied Assistance (Demonstration Steps)

Scenario: Classification-Based Encryption for Office Documents

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as HIPAA or Payment Card Industry Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons to encrypt sensitive business information. However, encrypting information is expensive, and it might impair business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their information.
To support this scenario, Windows Server 2012 provides the ability to automatically encrypt sensitive Windows Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Server (AD RMS) protection for sensitive documents a few seconds after the file is identified as being a sensitive file on the file server.

Scenario: Classification-Based Encryption for Office Documents

Planning Considerations for Encryption of Office Documents

Deploy Encryption of Office Files (Demonstration Steps)

Scenario: Get Insight into Your Data by Using Classification

Reliance on data and storage resources has continued to grow in importance for most organizations. IT administrators face the growing challenge of overseeing larger and more complex storage infrastructures while simultaneously being tasked with the responsibility to ensure total cost of ownership is maintained at reasonable levels. Managing storage resources is not just about the volume or availability of data anymore, but also about the enforcement of company policies and knowing how storage is consumed to enable efficient utilization and compliance to mitigate risk. File Classification Infrastructure provides insight into your data by automating classification processes so that you can manage your data more effectively. The following classification methods are available with File Classification Infrastructure: manual, programmatically, and automatic. This scenario focuses on the automatic file classification method.

Scenario: Get Insight into Your Data by Using Classification

Plan for Automatic File Classification

Deploy Automatic File Classification (Demonstration Steps)

Scenario: Implement Retention of Information on File Servers

A retention period is the amount of time that a document should be kept before it is expired. Depending on the organization, the retention period can be different. You can classify files in a folder as having a short, medium, or long-term retention period and then assign the timeframe for each period. You may want to keep a file indefinitely by putting it on legal hold.
File Classification Infrastructure and File Server Resource Manager uses file management tasks and file classification to apply retention periods for a set of files. You can assign a retention period on a folder and then use a file management task to configure how long an assigned retention period is to last. When the files in the folder are about to expire, the owner of the file gets a notification email. You can also classify a file as being on legal hold so that the file management task will not expire the file.

Scenario: Implement Retention of Information on File Servers

Plan for Retention of Information on File Servers

Deploy Implementing Retention of Information on File Servers (Demonstration Steps)


Dynamic Access Control is not supported on ReFS (Resilient File System).

See also

Content type


Product evaluation




Dynamic Access Control PowerShell Reference

Tools and settings

Data Classification Toolkit

Community resources

Directory Services Forum