Deploy Automatic File Classification (Demonstration Steps)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains how to enable resource properties in Active Directory, create classification rules on the file server, and then assign values to the resource properties for files on the file server. For this example, the following classification rules are created:

  • A content classification rule that searches a set of files for the string 'Contoso Confidential.' If the string is found in a file, the Impact resource property is set to High on the file.

  • A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.


Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Step 1: Create resource property definitions

The Impact and Personally Identifiable Information resource properties are enabled so that File Classification Infrastructure can use these resource properties to tag the files that are scanned on a network shared folder.

Do this step using Windows PowerShell

To create resource property definitions

  1. On the domain controller, sign in to the server as a member of the Domain Admins security group.

  2. Open Active Directory Administrative Center. In Server Manager, click Tools, and then click Active Directory Administrative Center.

  3. Expand Dynamic Access Control, and then click Resource Properties.

  4. Right-click Impact, and then click Enable.

  5. Right-click Personally Identifiable Information, and then click Enable.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADResourceProperty -Enabled:$true -Identity:'CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com'
Set-ADResourceProperty -Enabled:$true -Identity:'CN=PII_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com'

Step 2: Create a string content classification rule

A string content classification rule scans a file for a specific string. If the string is found, the value of a resource property can be configured. In this example, we will scan each file on a network shared folder and look for the string 'Contoso Confidential.' If the string is found, the associated file is classified as having high business impact.

Do this step using Windows PowerShell

To create a string content classification rule

  1. Log on to the file server as a member of the Administrators security group.

  2. From the Windows PowerShell command prompt, type Update-FsrmClassificationPropertyDefinition and then press ENTER. This synchronizes the property definitions created on the domain controller to the file server.

  3. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.

  4. Expand Classification Management, right-click Classification Rules, and then click Configure Classification Schedule.

  5. Select the Enable fixed schedule check box, select the Allow continuous classification for new files check box, choose a day of the week to run the classification, and then click OK.

  6. Right-click Classification Rules, and then click Create Classification Rule.

  7. On the General tab, in the Rule name box, type a rule name such as Contoso Confidential.

  8. On the Scope tab, click Add, and choose the folders that should be included in this rule, such as D:\Finance Documents.

    Note

    You can also choose a dynamic name space for the scope. For more information about dynamic name spaces for classification rules, see What's New in File Server Resource Manager in Windows Server 2012.

  9. On the Classification tab, configure the following:

    • In the Choose a method to assign a property to files box, ensure that Content Classifier is selected.

    • In the Choose a property to assign to files box, click Impact.

    • In the Specify a value box, click High.

  10. Under the Parameters heading, click Configure.

  11. In the Expression Type column, select String.

  12. In the Expression column, type Contoso Confidential, and then click OK.

  13. On the Evaluation Type tab, select the Re-evaluate existing property values check box, click Overwrite the existing value, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

$date = Get-Date
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5,1,6,0) -RunDuration 0;$AutomaticClassificationScheduledTask
Set-FsrmClassification -Continuous -schedule $AutomaticClassificationScheduledTask
New-FSRMClassificationRule -Name 'Contoso Confidential' -Property "Impact_MS" -PropertyValue "3000" -Namespace @('D:\Finance Documents') -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Contoso Confidential") -ReevaluateProperty Overwrite

Step 3: Create a regular expression content classification rule

A regular expression classification rule scans a file for a pattern that matches the regular expression. If a string that matches the regular expression is found, the value of a resource property can be configured. In this example, we will scan each file on a network shared folder and look for a string that matches the pattern of a social security number (XXX-XX-XXXX). If the pattern is found, the associated file is classified as having personally identifiable information.

Do this step using Windows PowerShell

To create a regular expression content classification rule

  1. Sign in to the file server as a member of the Administrators security group.

  2. From the Windows PowerShell command prompt, type Update-FsrmClassificationPropertyDefinition, and then press ENTER. This synchronizes the property definitions that are created on the domain controller to the file server.

  3. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.

  4. Right-click Classification Rules, and then click Create Classification Rule.

  5. On the General tab, in the Rule name box, type a name for the classification rule, such as PII Rule.

  6. On the Scope tab, click Add, and then choose the folders that should be included in this rule, such as D:\Finance Documents.

  7. On the Classification tab, configure the following:

    • In the Choose a method to assign a property to files box, ensure that Content Classifier is selected.

    • In the Choose a property to assign to files box, click Personally Identifiable Information.

    • In the Specify a value box, click High.

  8. Under the Parameters heading, click Configure.

  9. In the Expression Type column, select Regular expression.

  10. In the Expression column, type ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

  11. In the Minimum Occurrences column, type 10, and then click OK.

  12. On the Evaluation Type tab, select the Re-evaluate existing property values check box, click Overwrite the existing value, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-FSRMClassificationRule -Name "PII Rule" -Property "PII_MS" -PropertyValue "5000" -Namespace @('D:\Finance Documents') -ClassificationMechanism "Content Classifier" -Parameters @("RegularExpressionEx=Min=10;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$") -ReevaluateProperty Overwrite
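
The Step 3 pattern can be exercised against known values before the rule is deployed. The following PowerShell is an added example, not part of the original topic: the function names, the sample values and the one-candidate-per-line counting are assumptions. Each candidate is tested as a whole string because this page does not say how the classifier applies the ^ and $ anchors within file content.

```powershell
# Added example (not from the original topic). The pattern is copied from the
# Step 3 rule; function names and sample values are constructed for illustration.
$pattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'
$regex   = [regex]$pattern

function Test-SsnCandidate {
    param([string]$Value)
    # ^ and $ require the whole string to be the number.
    return $regex.IsMatch($Value)
}

function Measure-SsnLines {
    # Assumption: one candidate per line. Counts matching lines against a minimum,
    # mirroring the rule's Minimum Occurrences value of 10.
    param([string[]]$Lines, [int]$Minimum = 10)
    $hits = @($Lines | Where-Object { Test-SsnCandidate -Value $_.Trim() })
    [pscustomobject]@{
        MatchingLines = $hits.Count
        Minimum       = $Minimum
        MeetsMinimum  = ($hits.Count -ge $Minimum)
    }
}

# Constructed candidates with the result the pattern should give for each.
$cases = [ordered]@{
    '123-45-6789'      = $true   # hyphen separators
    '123 45 6789'      = $true   # space separators
    '123456789'        = $true   # no separators
    '123-45 6789'      = $false  # mixed separators: \3 must repeat the first one
    '000-12-3456'      = $false  # rejected by (?!000)
    '123-00-4567'      = $false  # rejected by (?!00)
    '123-45-0000'      = $false  # rejected by (?!0000)
    '812-34-5678'      = $false  # first digit must be 0-7
    'SSN: 123-45-6789' = $false  # surrounding text defeats the anchors
}
foreach ($case in $cases.GetEnumerator()) {
    $actual = Test-SsnCandidate -Value $case.Key
    if ($actual -ne $case.Value) { throw "Unexpected result for '$($case.Key)'" }
    '{0,-18} match={1}' -f $case.Key, $actual
}

# Constructed file content: ten valid values, one per line, plus a noise line.
$sample = @(1..10 | ForEach-Object { '123-45-{0:D4}' -f (6000 + $_) }) + 'no numbers here'
Measure-SsnLines -Lines $sample          # all eleven lines
Measure-SsnLines -Lines $sample[0..8]    # only the first nine values
```

Running the same checks against a few representative documents from the scoped folder shows whether their layout produces enough matches to reach the rule's minimum.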

Step 4: Verify that the files are classified correctly

You can verify that the files are properly classified by viewing the properties of a file that was created in the folder specified in the classification rules.

To verify that the files are classified correctly

  1. On the file server, run the classification rules by using File Server Resource Manager.

    1. Click Classification Management, right-click Classification Rules, and then click Run Classification With All Rules Now.

    2. Click the Wait for classification to complete option, and then click OK.

    3. Close the Automatic Classification Report.

    4. You can do this by using Windows PowerShell with the following command: Start-FSRMClassification -RunDuration 0 -Confirm:$false

  2. Navigate to the folder that was specified in the classification rules, such as D:\Finance Documents.

  3. Right-click a file in that folder, and then click Properties.

  4. Click the Classification tab, and verify that the file is classified correctly.
