Deploy a Central Access Policy (Demonstration Steps)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In this scenario, the finance department security operations team is working with central information security to specify the need for a central access policy so that they can protect archived finance information stored on file servers. The archived finance information from each country can be accessed as read-only by finance employees from the same country. A central finance admin group can access the finance information from all countries.

Deploying a central access policy includes the following phases:

| Phase | Description |
|---|---|
| Plan: Identify the need for policy and the configuration required for deployment | Identify the need for a policy and the configuration required for deployment. |
| Implement: Configure the components and policy | Configure the components and policy. |
| Deploy the central access policy | Deploy the policy. |
| Maintain: Change and stage the policy | Policy changes and staging. |

Set up a test environment

Before you begin, you need to set up a lab to test this scenario. The steps for setting up the lab are explained in detail in Appendix B: Setting Up the Test Environment.

Plan: Identify the need for policy and the configuration required for deployment

This section provides the high-level series of steps that aid in the planning phase of your deployment.

| Step | Example |
|---|---|
| 1.1 Business determines that a central access policy is needed | To protect finance information that is stored on file servers, the finance department security operations team is working with central information security to specify the need for a central access policy. |
| 1.2 Express the access policy | Finance documents should only be read by members of the Finance department. Members of the Finance department should only access documents in their own country. Only Finance Administrators should have write access. An exception will be allowed for members of the FinanceException group; this group will have Read access. |
| 1.3 Express the access policy in Windows Server 2012 constructs | Targeting: Resource.Department Contains Finance. Access rules: Allow Read if User.Country=Resource.Country AND User.department = Resource.Department; Allow Full Control if User.MemberOf(FinanceAdmin). Exception: Allow Read if User.MemberOf(FinanceException). |
| 1.4 Determine the file properties required for the policy | Tag files with: Department, Country. |
| 1.5 Determine the claim types and groups required for the policy | Claim types: Country, Department. User groups: FinanceAdmin, FinanceException. |
| 1.6 Determine the servers on which to apply this policy | Apply the policy on all finance file servers. |

Implement: Configure the components and policy

This section presents an example that deploys a central access policy for finance documents.

| No. | Step | Example |
|---|---|---|
| 2.1 | Create claim types | Create the following claim types: Department, Country. |
| 2.2 | Create resource properties | Create and enable the following resource properties: Department, Country. |
| 2.3 | Configure a central access rule | Create a Finance Documents rule that includes the policy determined in the previous section. |
| 2.4 | Configure a central access policy (CAP) | Create a CAP called Finance Policy and add the Finance Documents rule to that CAP. |
| 2.5 | Target the central access policy to the file servers | Publish the Finance Policy CAP to the file servers. |
| 2.6 | Enable KDC Support for claims, compound authentication and Kerberos armoring | Enable KDC Support for claims, compound authentication and Kerberos armoring for contoso.com. |

In the following procedure, you create two claim types: Country and Department.

To create claim types

  1. Open Server DC1 in Hyper-V Manager and log on as contoso\administrator, with the password pass@word1.

  2. Open Active Directory Administrative Center.

  3. Click the Tree View icon, expand Dynamic Access Control, and then select Claim Types.

    Right-click Claim Types, click New, and then click Claim Type.

    Tip

    You can also open a Create Claim Type: window from the Tasks pane. On the Tasks pane, click New, and then click Claim Type.

  4. In the Source Attribute list, scroll down the list of attributes, and click department. This should populate the Display name field with department. Click OK.

  5. In the Tasks pane, click New, and then click Claim Type.

  6. In the Source Attribute list, scroll down the list of attributes, and then click the c attribute (Country-Name). In the Display name field, type country.

  7. In the Suggested Values section, select The following values are suggested:, and then click Add.

  8. In the Value and Display name fields, type US, and then click OK.

  9. Repeat the above step. In the Add a suggested value dialog box, type JP in the Value and Display name fields, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADClaimType country -SourceAttribute c -SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US","US","")), (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP","JP","")))  
New-ADClaimType department -SourceAttribute department  

Tip

You can use the Windows PowerShell History Viewer in Active Directory Administrative Center to look up the Windows PowerShell cmdlets for each procedure you perform in Active Directory Administrative Center. For more information, see Windows PowerShell History Viewer.

The next step is to create resource properties. In the following procedure you create a resource property that is automatically added to the Global Resource Properties list on the domain controller, so that it is available to the file server.

To create and enable pre-created resource properties

  1. In the left pane of Active Directory Administrative Center, click Tree View. Expand Dynamic Access Control, and then select Resource Properties.

  2. Right-click Resource Properties, click New, and then click Reference Resource Property.

    Tip

    You can also choose a resource property from the Tasks pane. Click New, and then click Reference Resource Property.

  3. In Select a claim type to share its suggested values list, click country.

  4. In the Display name field, type country, and then click OK.

  5. Double-click the Resource Properties list, and scroll down to the Department resource property. Right-click it, and then click Enable. This will enable the built-in Department resource property.

  6. In the Resource Properties list on the navigation pane of the Active Directory Administrative Center, you will now have two enabled resource properties:

    • Country

    • Department

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADResourceProperty Country -IsSecured $true -ResourcePropertyValueType MS-DS-MultivaluedChoice -SharesValuesWith country  
Set-ADResourceProperty Department_MS -Enabled $true  
Add-ADResourcePropertyListMember "Global Resource Property List" -Members Country  
Add-ADResourcePropertyListMember "Global Resource Property List" -Members Department_MS  

The next step is to create central access rules that define who can access resources. In this scenario the business rules are:

  • Finance documents can be read only by members of the Finance department.

  • Members of the Finance department can access only documents in their own country.

  • Only Finance Administrators can have Write access.

  • We will allow an exception for members of the FinanceException group. This group will have Read access.

  • The administrator and document owner will still have full access.

Or, to express the rules with Windows Server 2012 constructs:

Targeting: Resource.Department Contains Finance

Access Rules:

  • Allow Read User.Country=Resource.Country AND User.department = Resource.Department

  • Allow Full control User.MemberOf(FinanceAdmin)

  • Allow Read User.MemberOf(FinanceException)

To create a central access rule

  1. In the left pane of the Active Directory Administrative Center, click Tree View, select Dynamic Access Control, and then click Central Access Rules.

  2. Right-click Central Access Rules, click New, and then click Central Access Rule.

  3. In the Name field, type Finance Documents Rule.

  4. In the Target Resources section, click Edit, and in the Central Access Rule dialog box, click Add a condition. Add the following condition:
    [Resource] [Department] [Equals] [Value] [Finance], and then click OK.

  5. In the Permissions section, select Use following permissions as current permissions, click Edit, and in the Advanced Security Settings for Permissions dialog box, click Add.

    Note

    The Use the following permissions as proposed permissions option lets you create the policy in staging. For more information on how to do this, refer to the Maintain: Change and stage the policy section in this topic.

  6. In the Permission Entry for Permissions dialog box, click Select a principal, type Authenticated Users, and then click OK.

  7. In the Permission Entry for Permissions dialog box, click Add a condition, and add the following conditions:
    [User] [country] [Any of] [Resource] [country]
    Click Add a condition.
    [And]
    Click [User] [Department] [Any of] [Resource] [Department]. Set the Permissions to Read.

  8. Click OK, and then click Add. Click Select a principal, type FinanceAdmin, and then click OK.

  9. Select the Modify, Read and Execute, Read, and Write permissions, and then click OK.

  10. Click Add, click Select a principal, type FinanceException, and then click OK. Select the permissions to be Read and Read and Execute.

  11. Click OK three times to finish and return to Active Directory Administrative Center.

    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

$countryClaimType = Get-ADClaimType country
$departmentClaimType = Get-ADClaimType department
$countryResourceProperty = Get-ADResourceProperty Country
$departmentResourceProperty = Get-ADResourceProperty Department
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1787166779-1215870801-2157059049-1113)(A;;0x1301bf;;;S-1-5-21-1787166779-1215870801-2157059049-1112)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"
$resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"
New-ADCentralAccessRule "Finance Documents Rule" -CurrentAcl $currentAcl -ResourceCondition $resourceCondition

Important

In the above cmdlet example, the security identifiers (SIDs) for the group FinanceAdmin and the users are determined at creation time and will be different in your environment. For example, the provided SID value (S-1-5-21-1787166779-1215870801-2157059049-1113) for the FinanceAdmins needs to be replaced with the actual SID for the FinanceAdmin group that you would need to create in your deployment. You can use Windows PowerShell to look up the SID value of this group, assign that value to a variable, and then use the variable here. For more information, see Windows PowerShell Tip: Working with SIDs.

You should now have a central access rule that allows people to access documents from the same country and the same department. The rule allows the FinanceAdmin group to edit the documents, and it allows the FinanceException group to read the documents. This rule targets only documents classified as Finance.
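The Important note above is the caveat a practitioner should act on: the SIDs embedded in the SDDL string are lab-specific, and a rule created with a stale SID silently grants nothing (or the wrong thing). The following script is an added example, not code from the original page, that looks the SIDs up by group name, builds the same Finance Documents Rule from them, and then reads the rule back to confirm that the conditional ACE and the resource condition were actually stored. It assumes the FinanceAdmin and FinanceException groups and the country/department claim types and Country/Department resource properties already exist as created in the preceding steps; the function names are my own.

```powershell
# Added example: build the "Finance Documents Rule" from looked-up SIDs instead of
# hard-coded lab values, then verify what Active Directory actually stored.
Import-Module ActiveDirectory

function New-FinanceDocumentsRuleSddl {
    # Resolve SIDs at run time so the script is portable between deployments.
    $financeAdminSid     = (Get-ADGroup -Identity 'FinanceAdmin').SID.Value
    $financeExceptionSid = (Get-ADGroup -Identity 'FinanceException').SID.Value

    # Use the stored names of the claim types and resource properties, as the page's cmdlets do.
    $countryClaim    = (Get-ADClaimType -Identity 'country').Name
    $departmentClaim = (Get-ADClaimType -Identity 'department').Name
    $countryProp     = (Get-ADResourceProperty -Identity 'Country').Name
    $departmentProp  = (Get-ADResourceProperty -Identity 'Department').Name

    # Conditional ACE: Authenticated Users get Read only when both claims match the file's tags.
    $condition = "((@USER.$countryClaim Any_of @RESOURCE.$countryProp) && " +
                 "(@USER.$departmentClaim Any_of @RESOURCE.$departmentProp))"

    # Access masks used by the page's own SDDL: 0x1301bf = Modify, 0x1200a9 = Read and Execute.
    # FinanceAdmin gets Modify (GUI step 9); FinanceException gets Read (GUI step 10).
    return "O:SYG:SYD:AR" +
           "(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
           "(A;;0x1301bf;;;$financeAdminSid)" +
           "(A;;0x1200a9;;;$financeExceptionSid)" +
           "(XA;;0x1200a9;;;AU;$condition)"
}

function Confirm-FinanceDocumentsRule {
    param([string]$RuleName = 'Finance Documents Rule')
    $rule = Get-ADCentralAccessRule -Identity $RuleName
    # The XA ace and the resource condition are what enforce the business rule; if either is
    # missing the rule degrades to plain group ACEs or applies to every file on the server.
    [pscustomobject]@{
        Rule              = $rule.Name
        HasConditionalAce = [bool]($rule.CurrentAcl -match '\(XA;;')
        TargetsFinance    = [bool]($rule.ResourceCondition -match 'Contains \{"Finance"\}')
    }
}

$sddl = New-FinanceDocumentsRuleSddl
$resourceCondition = '(@RESOURCE.Department Contains {"Finance"})'
New-ADCentralAccessRule -Name 'Finance Documents Rule' -CurrentAcl $sddl -ResourceCondition $resourceCondition
Confirm-FinanceDocumentsRule
```

Both HasConditionalAce and TargetsFinance should report True; a False in either column means the rule will not behave as the business rules above require.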

To add a central access rule to a central access policy

  1. In the left pane of the Active Directory Administrative Center, click Dynamic Access Control, and then click Central Access Policies.

  2. In the Tasks pane, click New, and then click Central Access Policy.

  3. In Create Central Access Policy:, type Finance Policy in the Name box.

  4. In Member central access rules, click Add.

  5. Double-click the Finance Documents Rule to add it to the Add the following central access rules list, and then click OK.

  6. Click OK to finish. You should now have a central access policy named Finance Policy.

    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    New-ADCentralAccessPolicy "Finance Policy"
    Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Member "Finance Documents Rule"


To apply the central access policy across file servers by using Group Policy

  1. On the Start screen, in the Search box, type Group Policy Management. Double-click Group Policy Management.

    Tip

    If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.

    Tip

    In your production environment, you should create a File Server Organizational Unit (OU) and add all the file servers to which you want to apply this policy to this OU. You can then create a group policy and add this OU to that policy.

  2. In this step, you edit the group policy object you created in the Build the domain controller section of the Test Environment to include the central access policy that you created. In the Group Policy Management Editor, navigate to and select the organizational unit in the domain (contoso.com in this example): Group Policy Management, Forest: contoso.com, Domains, contoso.com, Contoso, FileServerOU.

  3. Right-click FlexibleAccessGPO, and then click Edit.

  4. In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.

  5. Expand File System, right-click Central Access Policy, and then click Manage Central access policies.

  6. In the Central Access Policies Configuration dialog box, add Finance Policy, and then click OK.

  7. Scroll down to Advanced Audit Policy Configuration, and expand it.

  8. Expand Audit Policies, and select Object Access.

  9. Double-click Audit Central Access Policy Staging. Select all three check boxes, and then click OK. This step allows the system to receive audit events related to Central Access Staging Policies.

  10. Double-click Audit File System Properties. Select all three check boxes, and then click OK.

  11. Close the Group Policy Management Editor. You have now included the central access policy in the Group Policy.

For a domain's domain controllers to provide claims or device authorization data, the domain controllers need to be configured to support dynamic access control.

To enable support for claims and compound authentication for contoso.com

  1. Open Group Policy Management, click contoso.com, and then click Domain Controllers.

  2. Right-click Default Domain Controllers Policy, and then click Edit.

  3. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.

  4. Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)

  5. Close Group Policy Management.

  6. Open a command prompt and type gpupdate /force.
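The page gives no Windows PowerShell equivalent for the KDC procedure, so the following is an added example, not from the original page, that sets the same Group Policy setting in the Default Domain Controllers Policy and reads it back. It assumes, based on the KDC.admx template, that the GUI setting is backed by the registry values EnableCbacAndArmor and CbacAndArmorLevel under the Policies\System\KDC\Parameters key named below; check that mapping against your own ADMX copy before relying on it, and the function names are my own.

```powershell
# Added example: script the "KDC support for claims, compound authentication and
# Kerberos armoring" setting in the Default Domain Controllers Policy and verify it.
Import-Module GroupPolicy

# Assumed registry backing of the GPO setting (from the KDC.admx template).
$kdcKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$gpoName = 'Default Domain Controllers Policy'

function Enable-KdcClaimsSupport {
    param([string]$GpoName = $gpoName, [string]$Key = $kdcKey)
    # EnableCbacAndArmor = 1 turns the setting on. CbacAndArmorLevel = 1 is "Supported",
    # the level the walkthrough selects (0 = Not supported, 2 = Always provide claims,
    # 3 = Fail unarmored authentication requests).
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1 | Out-Null
}

function Test-KdcClaimsSupport {
    param([string]$GpoName = $gpoName, [string]$Key = $kdcKey)
    # Read the values back from the GPO rather than trusting that the Set call succeeded.
    $enabled = (Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'EnableCbacAndArmor').Value
    $level   = (Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'CbacAndArmorLevel').Value
    [pscustomobject]@{
        Enabled   = ($enabled -eq 1)
        Level     = $level
        # Claims are only issued for levels 1 and above.
        Supported = ($enabled -eq 1 -and $level -ge 1)
    }
}

Enable-KdcClaimsSupport
Test-KdcClaimsSupport
```

The setting only reaches the KDC after Group Policy refreshes on the domain controllers, which is why the procedure ends with gpupdate /force.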

Deploy the central access policy

| Step | Example |
|---|---|
| 3.1 Assign the CAP to the appropriate shared folders on the file server. | Assign the central access policy to the appropriate shared folder on the file server. |
| 3.2 Verify that access is appropriately configured. | Check the access for users from different countries and departments. |

In this step you will assign the central access policy to a file server. You will log on to a file server that is receiving the central access policy that you created in the previous steps and assign the policy to a shared folder.

To assign a central access policy to a file server

  1. In Hyper-V Manager, connect to server FILE1. Log on to the server by using contoso\administrator with the password pass@word1.

  2. Open an elevated command prompt and type: gpupdate /force. This ensures that your Group Policy changes take effect on your server.

  3. You also need to refresh the Global Resource Properties from Active Directory. Open an elevated Windows PowerShell window and type Update-FSRMClassificationPropertyDefinition. Press ENTER, and then close Windows PowerShell.

    Tip

    You can also refresh the Global Resource Properties by logging on to the file server. To refresh the Global Resource Properties from the file server, do the following:

    1. Log on to File Server FILE1 as contoso\administrator, using the password pass@word1.
    2. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.
    3. In the File Server Resource Manager, click File Classification Management, right-click Classification Properties, and then click Refresh.

  4. Open Windows Explorer, and in the left pane, click drive D. Right-click the Finance Documents folder, and click Properties.

  5. Click the Classification tab, click Country, and then select US in the Value field.

  6. Click Department, select Finance in the Value field, and then click Apply.

    Note

    Remember that the central access policy was configured to target files for the Department of Finance. The previous steps mark all documents in the folder with the Country and Department attributes.

  7. Click the Security tab, and then click Advanced. Click the Central Policy tab.

  8. Click Change, select Finance Policy from the drop-down menu, and then click Apply. You can see the Finance Documents Rule listed in the policy. Expand the item to view all of the permissions that you set when you created the rule in Active Directory.

  9. Click OK to return to Windows Explorer.

In the next step, you ensure that access is appropriately configured. User accounts need to have the appropriate Department attribute set (set this using Active Directory Administrative Center). The simplest way to view the effective results of the new policy is to use the Effective Access tab in Windows Explorer. The Effective Access tab shows the access rights for a given user account.

To examine the access for various users

  1. In Hyper-V Manager, connect to server FILE1. Log on to the server by using contoso\administrator. Navigate to D:\ in Windows Explorer. Right-click the Finance Documents folder, and then click Properties.

  2. Click the Security tab, click Advanced, and then click the Effective Access tab.

  3. To examine the permissions for a user, click Select a user, type the user's name, and then click View effective access to see the effective access rights. For example:

    • Myriam Delesalle (MDelesalle) is in the Finance department and should have Read access to the folder.

    • Miles Reid (MReid) is a member of the FinanceAdmin group and should have Modify access to the folder.

    • Esther Valle (EValle) is not in the Finance department; however, she is a member of the FinanceException group and should have Read access.

    • Maira Wenzel (MWenzel) is not in the Finance department and is not a member of either the FinanceAdmin or FinanceException group. She should not have any access to the folder.

    Notice the last column, named Access limited by, in the Effective Access window. This column tells you which gates are affecting the person's permissions. In this case, the Share and NTFS permissions allow all users Full Control. However, the central access policy restricts access based on the rules you configured earlier.
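The Effective Access tab checks one account at a time, and the outcome depends on attributes that the page says must be set but does not show. The following is an added example, not from the original page, that reads back the attributes the rule depends on (country, department, group membership) for the four test accounts and predicts the result of the Finance Documents Rule for the folder tagged Country = US and Department = Finance in the steps above. It assumes the Appendix B lab users and groups exist; the prediction mirrors the rule's allow ACEs in script and is a consistency check, not a query of the file server's authorization decision, and the function name is my own.

```powershell
# Added example: verify the attributes behind the claims and predict the rule outcome
# for the users named in the walkthrough, so a wrong prediction points at the attribute to fix.
Import-Module ActiveDirectory

# Tags applied to D:\Finance Documents in the deployment steps.
$folderCountry    = 'US'
$folderDepartment = 'Finance'

function Get-PredictedFinanceAccess {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        # Country is the 'c' attribute the country claim is sourced from; Department feeds
        # the department claim. Neither claim is issued if the attribute is empty.
        $user   = Get-ADUser -Identity $sam -Properties Country, Department, MemberOf
        $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

        # Allow ACEs are additive: the most permissive matching grant wins; no match means no access.
        # Any_of against a single-valued claim reduces to an equality comparison here.
        $access = 'None'
        if (($user.Country -eq $folderCountry) -and ($user.Department -eq $folderDepartment)) {
            $access = 'Read'          # conditional ACE for Authenticated Users
        }
        if ($groups -contains 'FinanceException') { $access = 'Read' }    # exception group
        if ($groups -contains 'FinanceAdmin')     { $access = 'Modify' }  # admin group

        [pscustomobject]@{
            User       = $sam
            Country    = $user.Country
            Department = $user.Department
            Groups     = ($groups -join ',')
            Predicted  = $access
        }
    }
}

# Expected from the walkthrough: MDelesalle Read, MReid Modify, EValle Read, MWenzel None.
Get-PredictedFinanceAccess -SamAccountName 'MDelesalle', 'MReid', 'EValle', 'MWenzel' |
    Format-Table -AutoSize
```

Compare the Predicted column with the Effective Access tab; a mismatch usually means a missing Country or Department attribute, or a Kerberos ticket issued before claims support was enabled.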

維護:變更與階段原則Maintain: Change and stage the policy

數字Number 步驟Step 範例Example
4.14.1 設定為戶端裝置宣告Configure Device Claims for Clients 若要讓裝置宣告的群組原則設定的設定Set the group policy setting to enable device claims
4.24.2 讓裝置理賠要求。Enable a claim for devices. 讓裝置的國家/地區宣告類型。Enable the country claim type for devices.
4.34.3 加入現有的中央存取規則修改您想要執行的原則。Add a staging policy to the existing central access rule that you would like to modify. 修改財經文件以新增原則臨時規則。Modify the Finance Documents Rule to add a staging policy.
4.44.4 檢視臨時原則的結果。View the results of the staging policy. 檢查 Ester Velle 權限。Check for Ester Velle's permissions.

若要設定群組原則設定可讓宣告的裝置To set up group policy setting to enable claims for devices

  1. 登入 DC1,群組原則管理開放,按一下contoso.com,按一下 [預設網域原則,以滑鼠右鍵按一下,然後選取編輯Log on to DC1, open Group Policy Management, click contoso.com, click Default Domain Policy, right-click and select Edit.

  2. 在群組原則編輯器] 管理視窗中,瀏覽至電腦設定原則系統管理範本]系統KerberosIn the Group Policy Management Editor window, navigate to Computer Configuration, Policies, Administrative Templates, System, Kerberos.

  3. 選取 [ Kerberos client 支援宣告、複合驗證以及 Kerberos 保護 \,按一下 [支援Select Kerberos client support for claims, compound authentication and Kerberos armoring and click Enable.

若要讓裝置宣告To enable a claim for devices

  1. 為 contoso\Administrator,密碼,在開放伺服器 DC1 HYPER-V 管理員和登入pass@word1Open Server DC1 in Hyper-V Manager and log on as contoso\Administrator, with the password pass@word1.

  2. 工具功能表上,開放 Active Directory 管理中心。From the Tools menu, open Active Directory Administrative Center.

  3. 按一下樹檢視,展開 [動態存取控制,按兩下 [取得類型,按兩下國家/地區取得。Click Tree View, expand Dynamic Access Control, double-click Claim Types, and double-click the country claim.

  4. 適用於下列類別發出宣告這種類型的,請選取電腦核取方塊。In Claims of this type can be issued for the following classes, select the Computer check box. 按一下[確定]Click OK.
    同時使用者電腦現在選取核取方塊。Both the User and Computer check boxes should now be selected. 國家/地區宣告現在可以搭配使用者除了裝置。The country claim can now be used with devices in addition to users.

下一個步驟是建立臨時的原則。The next step is to create a staging policy rule. 臨時原則用於監視它讓您的新的原則項目效果。Staging policies can be used to monitor the effects of a new policy entry before you enable it. 在下列步驟中,您將會建立臨時的原則項目及監視會影響您的共用資料夾。In the following step, you will create a staging policy entry and monitor the effect on your shared folder.

To create a staging policy rule and add it to the central access policy

  1. Open server DC1 in Hyper-V Manager and log on as contoso\Administrator with the password pass@word1.

  2. Open Active Directory Administrative Center.

  3. Click Tree View, expand Dynamic Access Control, and then select Central Access Rules.

  4. Right-click Finance Documents Rule, and then click Properties.

  5. In the Proposed Permissions section, select the Enable permission staging configuration check box, click Edit, and then click Add. In the Permission Entry for Proposed Permissions window, click the Select a principal link, type Authenticated Users, and then click OK.

  6. Click the Add a condition link and add the following condition:
     [User] [country] [Any of] [Resource] [Country]

  7. Click Add a condition again, and add the following condition:
     [And]
     [Device] [country] [Any of] [Resource] [Country]

  8. Click Add a condition again, and add the following condition:
     [And]
     [User] [Group] [Member of any] [Value] (FinanceException)

  9. To set the FinanceException group, click Add items, and in the Select User, Computer, Service Account, or Group window, type FinanceException.

  10. Under Permissions, select Full Control, and then click OK.

  11. In the Advanced Security Settings for Proposed Permissions window, select the existing FinanceException entry and click Remove. This leaves the conditional Authenticated Users entry you just created as the only way FinanceException members are granted access in the proposed permissions.

  12. Click OK twice to finish.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet performs the same function as the preceding procedure. Enter the cmdlet on a single line, even though it may appear word-wrapped across several lines here because of formatting constraints.

```powershell
# Identity, ProposedAcl and Server are the values recorded in the test lab;
# substitute the distinguished name of your rule, your SDDL and your domain controller.
Set-ADCentralAccessRule -Identity: "CN=FinanceDocumentsRule,CN=CentralAccessRules,CN=ClaimsConfiguration,CN=Configuration,DC=Contoso.com" -ProposedAcl: "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;S-1-21=1426421603-1057776020-1604)" -Server: "WIN-2R92NN8VKFP.Contoso.com"
```

Note

In the cmdlet example above, the Server value reflects the server in the test lab environment. You can use the Windows PowerShell History Viewer in Active Directory Administrative Center to look up the Windows PowerShell cmdlets for each procedure you perform there. For more information, see Windows PowerShell History Viewer.

With this proposed permission set, members of the FinanceException group have Full Control of files from their own country only when they access them from a device in the same country as the document. While the rule is staged, an audit entry is written to the file server's Security log whenever someone from the Finance department accesses a file and the proposed permissions would produce a different result than the current ones. The proposed permissions are not enforced until the rule is promoted from staging.
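The staged rule can also be inspected, and later promoted, from PowerShell. The following is an added example and is not code from the original page. It assumes the ActiveDirectory module is available on DC1 and that the rule's display name is Finance Documents Rule; the CurrentAcl and ProposedAcl properties of the rule hold the enforced and the staged permissions as SDDL strings, and the conditions built in the GUI appear as callback (XA) access-control entries whose condition is carried as opaque data.

```powershell
# Added example: decode the current and proposed ACLs of a staged central access rule,
# then (guarded by -WhatIf) promote the proposed ACL so that it becomes enforced.
# Assumptions: ActiveDirectory module present; rule display name "Finance Documents Rule".
Import-Module ActiveDirectory

$rule = Get-ADCentralAccessRule -Filter "Name -eq 'Finance Documents Rule'" `
    -Properties CurrentAcl, ProposedAcl
if (-not $rule) { throw 'Finance Documents Rule was not found.' }

function Show-RuleAcl {
    param([string]$Label, [string]$Sddl)
    Write-Output "== $Label =="
    if ([string]::IsNullOrEmpty($Sddl)) { Write-Output '(none)'; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        # Callback ACEs carry the claim-based condition ([User]/[Device]/[Resource] country,
        # group membership) as opaque data; plain ACEs are unconditional grants.
        $kind = if ($ace.IsCallback) { 'conditional' } else { 'unconditional' }
        Write-Output ('{0,-22} {1,-35} mask=0x{2:x8} {3}' -f $ace.AceType, $who, $ace.AccessMask, $kind)
    }
}

Show-RuleAcl 'Current (enforced)' $rule.CurrentAcl
Show-RuleAcl 'Proposed (staged, audit only)' $rule.ProposedAcl

# Promote from staging: the proposed ACL becomes the current ACL. Review the 4818 audit
# events first, run with -WhatIf, and only then drop -WhatIf.
Set-ADCentralAccessRule -Identity $rule -CurrentAcl $rule.ProposedAcl -WhatIf
```

After promotion the central access policy must be republished to the file servers in the usual way (a Group Policy refresh on FILE1) before the change takes effect there.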

In the next procedure, you verify the results of the staging policy by accessing the shared folder with a user account whose permissions come from the current rule. Esther Valle (EValle) is a member of FinanceException, and she currently has Read rights. Under the staging policy, EValle should not have any rights.

To verify the results of the staging policy

  1. Connect to the file server FILE1 in Hyper-V Manager and log on as contoso\administrator with the password pass@word1.

  2. Open a Command Prompt window and type gpupdate /force. This ensures that your Group Policy changes take effect on the server.

  3. In Hyper-V Manager, connect to the virtual machine CLIENT1. Log off the user who is currently logged on and restart CLIENT1, so that the computer obtains fresh Kerberos tickets that carry the device claim. Then log on to the computer as contoso\EValle with the password pass@word1.

  4. Double-click the desktop shortcut to \\FILE1\Finance Documents. EValle should still have access to the files, because the current rule is still the one being enforced. Switch back to FILE1.

  5. Open Event Viewer from the shortcut on the desktop. Expand Windows Logs, and then select Security. Open the entries with Event ID 4818 under the Central Access Policy Staging task category. You will see that EValle was allowed access; however, according to the staging policy, the user would have been denied access.
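Instead of reading the events one by one in Event Viewer, you can pull the staging audit events from FILE1's Security log and summarize them. The following is an added example, not code from the original page. It runs in an elevated PowerShell session on FILE1 (reading the Security log requires administrative rights) and assumes the Central Access Policy Staging audit subcategory is enabled as it is in the test lab; the event data fields are parsed generically, and only the standard object-access fields SubjectDomainName, SubjectUserName and ObjectName are referenced by name.

```powershell
# Added example: summarize Event ID 4818 (proposed central access policy does not grant the
# same access as the current policy) from the local Security log.
# Assumptions: run elevated on FILE1; "Central Access Policy Staging" auditing is enabled.

# Confirm the audit subcategory is on; without it, 4818 is never written.
auditpol /get /subcategory:"Central Access Policy Staging"

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4818 events found: access the share as EValle again, or check the audit policy.'
    return
}

$events | ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        # First line of the rendered message states the mismatch between current and proposed results.
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

An entry for contoso\EValle against a path under the Finance Documents share is the evidence that the staged rule would change her access; no entries at all usually means either the audit subcategory is off or the staged and current permissions agree for every access that was attempted.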

Next steps

If you have a central server management system such as System Center Operations Manager, you can also configure monitoring for these events. This lets administrators observe the effects of central access policies before enforcing them.