How to Set Up Windows Server 2016 Dynamic Access Control

Dynamic Access Control (DAC) is an authorization framework, introduced in Windows Server 2012 and included in Windows Server 2016, that lets administrators apply access control policies based on user attributes, device attributes and data classification, rather than relying solely on group membership and NTFS or share permissions. With DAC you can express policies such as “allow access only from managed devices” or “restrict sensitive finance documents to users whose Department attribute is Finance”, enforced from contextual properties carried in the Kerberos ticket rather than from static group assignments alone. DAC layers on top of NTFS and share permissions: a user still needs those rights, and a Central Access Policy can only narrow the result, never widen it.

Core Components of Dynamic Access Control

DAC consists of several interrelated components. Claims are statements about a user or device that are included in their Kerberos authentication ticket. A user claim might state their department, clearance level, or job title. A device claim might state whether the device is domain-joined or managed. Claim Types are defined in Active Directory and map to user or computer attributes. Resource Properties are labels that can be applied to files and folders to classify data (e.g., Confidentiality = High, Department = Finance). Central Access Rules define the conditions under which specific claims or resource properties allow or deny access. Central Access Policies bundle multiple rules and are applied to file servers via Group Policy.

Prerequisites

DAC needs the Active Directory schema at the Windows Server 2012 level and at least one domain controller running Windows Server 2012 or later; only Server 2012 or later DCs issue claims, so clients must be able to reach one. The stricter KDC options described below (Always provide claims, Fail unarmored authentication requests) additionally require the Windows Server 2012 domain functional level. File servers hosting the protected data must run Windows Server 2012 or later, with the File Server Resource Manager (FSRM) role installed if you want classification and access-denied assistance. Clients must run Windows 8 or later to present device claims (compound authentication). Active Directory Administrative Center (ADAC) and the ActiveDirectory PowerShell module are the management tools for DAC objects. Kerberos armoring, the Windows implementation of Flexible Authentication Secure Tunneling (FAST, RFC 6113), must be enabled via Group Policy for device claims. No DAC-specific firewall rules are required beyond normal domain traffic between clients, file servers and DCs: TCP/UDP 88 (Kerberos), 389 (LDAP), 636 (LDAPS) and the rest of the usual Active Directory port set.

Enabling Kerberos Armoring

Kerberos armoring (FAST) wraps the client’s AS and TGS exchanges in a tunnel keyed from the computer account’s own TGT. That protects pre-authentication data from offline attack and lets the KDC bind the device identity to the user’s request, which is what compound authentication and therefore device claims rely on. Enable it via Group Policy on the Domain Controllers and on the Kerberos clients (workstations and member servers):

# On Domain Controllers GPO:
Computer Configuration > Administrative Templates > System > KDC > KDC support for claims, compound authentication and Kerberos armoring
Set to: Enabled > Supported

# On Client Computers GPO:
Computer Configuration > Administrative Templates > System > Kerberos > Kerberos client support for claims, compound authentication and Kerberos armoring
Set to: Enabled

Enabling Dynamic Access Control Support on Domain Controllers

This is the same KDC setting used in the previous step. Enabled with Supported already lets Domain Controllers return claims and accept armored requests, and is the usual choice. The two stricter options change behaviour rather than add support: Always provide claims makes the KDC include claims in every ticket even when the client did not ask for them, and Fail unarmored authentication requests rejects any AS request that is not armored. Both require every DC in the domain to run Windows Server 2012 or later and the domain functional level to be Windows Server 2012, and the latter locks out any client that cannot armor. Use them only once every client in the domain is known to be DAC-aware:

Computer Configuration > Administrative Templates > System > KDC > KDC support for claims, compound authentication and Kerberos armoring
Set value to: Enabled > Always provide claims (or Fail unarmored authentication requests)
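Before touching Group Policy it is worth confirming that the forest, the DCs and the policy state actually meet the prerequisites above. The following script is an added example and not code from the original article; it runs from a domain-joined admin host with the RSAT ActiveDirectory module. The registry locations it reads for the two GPO settings are an assumption about where those settings land (check against gpresult /h on your build); everything else uses documented cmdlets.

```powershell
# Added example, not from the original article: pre-flight checks for a DAC rollout.
Import-Module ActiveDirectory

function Test-DacPrerequisites {
    $domain  = Get-ADDomain
    $schema  = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain

    [pscustomobject]@{
        DomainMode       = $domain.DomainMode
        # objectVersion 56 = Server 2012 schema, 69 = 2012 R2, 87 = 2016
        SchemaVersion    = $schema.objectVersion
        SchemaIs2012Plus = ([int]$schema.objectVersion -ge 56)
        # Only needed for 'Always provide claims' / 'Fail unarmored authentication requests'
        DflIs2012Plus    = ([int]$domain.DomainMode -ge $minMode)
        # DCs on this list cannot issue claims or armor at all
        Pre2012DCs       = @(Get-ADDomainController -Filter * |
                             Where-Object { $_.OperatingSystem -notmatch '2012|2016|2019|2022' } |
                             Select-Object -ExpandProperty Name)
    }
}

function Get-DacPolicyState {
    # ASSUMED registry locations of the KDC (DC side) and Kerberos (client side) GPO settings
    $kdc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC' -ErrorAction SilentlyContinue
    $krb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KdcEnableCbacAndArmor    = $kdc.EnableCbacAndArmor   # 1 when the KDC policy is Enabled
        KdcCbacAndArmorLevel     = $kdc.CbacAndArmorLevel    # 1 Supported, 2 Always provide claims, 3 Fail unarmored
        ClientEnableCbacAndArmor = $krb.EnableCbacAndArmor   # 1 when the client policy is Enabled
    }
}

Test-DacPrerequisites
Get-DacPolicyState

# On a Windows 8 or later client, after gpupdate /force and a fresh logon (claims are
# placed in the TGT at logon), the claims the KDC issued are listed by:
#   whoami /claims
```

Run Get-DacPolicyState on a DC and on a workstation separately; the KDC values are only meaningful on a DC. An empty whoami /claims output after a fresh logon usually means the client hit a pre-2012 DC or the client-side policy has not applied yet.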

Creating Claim Types

Claim types are defined in Active Directory using Active Directory Administrative Center. Open ADAC (dsac.exe), navigate to Dynamic Access Control > Claim Types, and click New > Claim Type in the Tasks pane. Select the source attribute from Active Directory (e.g., department, title, or a custom attribute). Configure the display name, description, and suggested values. Click OK to create the claim type.

Using PowerShell to create a claim type:

# User claim sourced from the department attribute. Unless -ID is given, AD generates
# an ID of the form ad://ext/Department:<hex>; that ID, not the display name, is what
# access conditions reference.
New-ADClaimType -AppliesToClasses @("User") -DisplayName "Department" -SourceAttribute "department" -SuggestedValues @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance","Finance",""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("IT","Information Technology",""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR","Human Resources","")
)

Creating Resource Properties

Resource properties are classification tags applied to files and folders. In ADAC, navigate to Dynamic Access Control > Resource Properties. Windows ships a set of built-in, disabled properties (Confidentiality, Department, Impact and others, with IDs ending in _MS); enable the ones you want by right-clicking each and selecting Enable, or create your own. The example below creates a custom Confidentiality property with the values Low, Medium and High and adds it to the Global Resource Property List, which is the list file servers download. As with claim types, the ID rather than the display name is what resource conditions and FSRM refer to; ADAC shows it in the property’s details.

# Custom single-valued choice property; -IsSecured makes it usable in access conditions
New-ADResourceProperty -DisplayName "Confidentiality" -IsSecured $true -ResourcePropertyValueType MS-DS-SingleValuedChoice -SuggestedValues @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low","Low Confidentiality",""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Medium","Medium Confidentiality",""),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High","High Confidentiality","")
)
# File servers only see properties that are on the Global Resource Property List
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Confidentiality"

Applying Resource Properties to Files

Resource properties are not pushed to file servers by Group Policy (only Central Access Policies travel that way): a Server 2012 or later file server with FSRM pulls the Global Resource Property List from Active Directory. Once it has done so, administrators can classify files and folders manually from the Classification tab in File Explorer, or use File Classification Infrastructure (FCI) in File Server Resource Manager to classify automatically based on content. The classification is stored with the file and is what Central Access Rules test in their resource conditions. To refresh the property list and classify a file manually from PowerShell:

# Refresh FSRM's local copy of the resource properties from the Global
# Resource Property List in Active Directory
Update-FsrmClassificationPropertyDefinition

# FSRM and the file system use the property ID (Name), not the display name; list them
Get-FsrmClassificationPropertyDefinition | Select-Object Name, DisplayName

# Manually classify one file through the FSRM classification COM API, the same
# interface behind the Classification tab in File Explorer. Use Confidentiality_MS
# for the built-in property or the ID of your custom one.
$mgr = New-Object -ComObject Fsrm.FsrmClassificationManager
$mgr.SetFileProperty("C:\FinanceDocs\budget2024.xlsx", "Confidentiality_MS", "High")
$mgr.GetFileProperty("C:\FinanceDocs\budget2024.xlsx", "Confidentiality_MS", 0).Value
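Manual tagging does not scale, so the practical route is an FCI rule that stamps the property from file content. The following is an added example and not part of the original article. It assumes the FSRM role on the file server, the Confidentiality resource property created above (looked up by display name rather than hard-coded, because FSRM addresses properties by the ID AD assigned), and a constructed path D:\Finance; the marker regular expression is a placeholder for your own labelling convention.

```powershell
# Added example, not from the original article: automatic classification with FCI.
Import-Module FileServerResourceManager

# Pull the current Global Resource Property List from AD into FSRM
Update-FsrmClassificationPropertyDefinition

# FSRM addresses a property by ID (e.g. Confidentiality_MS for the built-in one),
# so resolve the display name to the ID instead of guessing it
$propName = (Get-FsrmClassificationPropertyDefinition |
             Where-Object { $_.DisplayName -eq 'Confidentiality' } |
             Select-Object -First 1).Name

# Any file under D:\Finance whose text contains the word CONFIDENTIAL becomes High.
# Overwrite means a later run can correct an earlier (or manual) value.
New-FsrmClassificationRule -Name 'Finance: CONFIDENTIAL marker => High' `
    -Namespace @('D:\Finance') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('(?i)\bCONFIDENTIAL\b') `
    -Property $propName -PropertyValue 'High' `
    -ReevaluateProperty Overwrite

# Run classification now instead of waiting for the scheduled task;
# Get-FsrmClassification reports progress while it runs
Start-FsrmClassification

# Read back what FCI stamped on one (constructed) file through the COM API
$mgr  = New-Object -ComObject Fsrm.FsrmClassificationManager
$prop = $mgr.GetFileProperty('D:\Finance\budget2024.xlsx', $propName, 0)
'{0} = {1}' -f $prop.Name, $prop.Value
```

Keep the rule’s namespace narrow and the regular expression anchored: a loose content match over a whole volume is slow, and a false positive on a widely shared template silently locks that file down to the Finance rule.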

Creating Central Access Rules

Central Access Rules define who can access what, based on claims and resource properties. In ADAC, navigate to Dynamic Access Control > Central Access Rules and create a new rule. Target Resources is a resource condition that selects which classified data the rule applies to (e.g., Confidentiality = High); a rule left at All Resources applies to everything the policy covers. The Permissions section holds a conditional ACL in two slots: current permissions, which are enforced, and proposed permissions, which are only evaluated and audited (staging). Click Edit and use the condition builder to combine user claims, device claims and group memberships with AND/OR logic.

Example condition expression: grant Read access if User.Department equals “Finance” AND the device is a member of the Managed Devices group. Device group membership is available through compound authentication without defining anything extra; a claim such as Device.IsManaged would first have to be defined as a device claim type bound to a computer attribute.

Creating and Deploying Central Access Policies

Central Access Policies are collections of Central Access Rules deployed to file servers through Group Policy. In ADAC, navigate to Dynamic Access Control > Central Access Policies and create a new policy. Add the relevant Central Access Rules. Then deploy the policy via Group Policy:

Computer Configuration > Windows Settings > Security Settings > File System > Central Access Policy

Right-click Central Access Policy, select Manage Central Access Policies, and add your policy to the file server’s list. Link the GPO to the OU that contains the file servers and run gpupdate /force on each file server; the policy must have arrived before it can be selected on a folder.

Applying a Central Access Policy to a Folder

On the file server, right-click the target folder, select Properties, navigate to the Security tab, and click Advanced. In the Advanced Security Settings dialog, click the Central Policy tab, select your Central Access Policy, and click OK. The policy is now active for that folder and will enforce the claims-based conditions defined in the associated rules.
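The rule, policy and deployment steps above can be driven end to end from PowerShell, which also avoids the usual mistake of typing a claim or property ID by hand. The script below is an added example and not code from the original article. It assumes the Department claim type and Confidentiality resource property created earlier, a security group named Managed Devices (a constructed name) that managed workstations belong to, and the folder D:\Finance on the file server; device group membership stands in for the “managed device” idea because it needs no extra device claim type. The ACL is staged in proposed permissions first, which is the audit-only mode the best practices call for.

```powershell
# Added example, not from the original article: rule and policy built from the IDs
# AD assigned, staged first, then promoted to enforced permissions.
Import-Module ActiveDirectory

$deptClaim   = Get-ADClaimType        -Filter { DisplayName -eq 'Department' }
$confProp    = Get-ADResourceProperty -Filter { DisplayName -eq 'Confidentiality' }
$managedDevs = Get-ADGroup 'Managed Devices'    # constructed group name

# Conditional-ACE SDDL. Claim IDs look like ad://ext/Department:88d0d9c4c2cbd3d2 and
# resource property IDs like Confidentiality_MS, so both are read from the objects.
# 0x1200a9 = Read & Execute; AU = Authenticated Users; OW/BA/SY keep owner, admins and
# SYSTEM at Full Control so nobody locks themselves out.
$condition = "(@USER.$($deptClaim.ID) == `"Finance`") && (Device_Member_of {SID($($managedDevs.SID.Value))})"
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;($condition))"

# Stage: -ProposedAcl is evaluated and audited but never enforced
$rule = New-ADCentralAccessRule -Name 'Finance High-Confidentiality Read' `
    -ResourceCondition "(@RESOURCE.$($confProp.ID) == `"High`")" `
    -ProposedAcl $acl -PassThru

$policy = New-ADCentralAccessPolicy -Name 'Finance Data Policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule
Get-ADCentralAccessPolicy -Identity $policy -Properties Members

# On the file server, once the GPO carrying the policy has applied:
#   gpupdate /force
#   auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
# then select the policy on the folder's Advanced Security Settings > Central Policy tab
# (no cmdlet exists for that step). Event ID 4818 in the Security log records every
# access where the proposed ACL would have decided differently from the current one;
# if none appear, also enable Global Object Access Auditing for the file system.
# When the staging events match expectations, promote the ACL to enforced:
Set-ADCentralAccessRule -Identity $rule -CurrentAcl $acl
```

The resource condition and the ACL condition are evaluated separately: the former decides whether the rule applies to a file at all, the latter who gets through once it does. Keep the built-in OW/BA/SY entries in every rule you write; a conditional ACL with only the claims ACE denies administrators along with everyone else.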

Testing with Access-Denied Assistance

DAC works with Access-Denied Assistance (also called access-denied remediation), which shows users a meaningful message when they are denied access and optionally lets them request access by e-mail to the folder owner or an administrator. It is an FSRM feature of the Server 2012 or later file server and needs that role installed. Two Group Policy settings are involved, both under:

Computer Configuration > Administrative Templates > System > Access-Denied Assistance

On the file servers, enable Customize message for Access Denied errors, provide a helpful message with contact information and, if you want request mail, tick Enable users to request assistance. On the clients, enable Enable access-denied assistance on client for all file types; without it the client shows the generic dialog. Because the message can include the user’s and device’s claims, it doubles as a troubleshooting aid during the pilot.
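The same server-side settings can be applied and verified with the FSRM module instead of the GPO, which is handy for a single pilot file server. This is an added example and not from the original article; the message text, SMTP host and mailbox addresses are constructed values.

```powershell
# Added example, not from the original article: Access-Denied Assistance via FSRM.
Import-Module FileServerResourceManager

# Mail settings FSRM needs before it can send access requests (constructed values)
Set-FsrmSetting -SmtpServer 'smtp.corp.example' `
    -FromEmailAddress 'fsrm@corp.example' `
    -AdminEmailAddress 'fsadmins@corp.example'

# Message shown on access denied; claims are appended so the help desk can see
# which Department value and device the request actually carried
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'You do not have access to this Finance share. Access is granted by the Department attribute on your account and requires a managed device. Use Request assistance and the share owner will be notified.' `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true `
    -IncludeUserClaims $true -IncludeDeviceClaims $true -EventLog $true

# Read back the effective configuration
Get-FsrmAdrSetting -Event AccessDenied
```

The client-side setting still has to come from Group Policy; FSRM only controls what the server returns. If requests never arrive, test the SMTP settings with Send-FsrmTestEmail before suspecting the policy.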

Best Practices

Start with a pilot on non-sensitive data before applying DAC to production shares. Use proposed permissions (staging) first, with the Audit Central Access Policy Staging subcategory enabled, so that event ID 4818 tells you where the proposed ACL would decide differently from the current one without blocking anyone. Automate classification with File Server Resource Manager to reduce manual tagging. Treat the source attributes of your claim types as security-sensitive: once access is decided by department or title, whoever can write that attribute in Active Directory can grant access, so restrict write permission on those attributes to the HR feed or a small delegated group and audit changes to them. Keep claims aligned with well-maintained attributes, since stale or wrong values lead to wrong access decisions, and remember that claims are issued at logon, so an attribute change takes effect only after the user obtains a new ticket. Test access scenarios after any change to user attributes or Central Access Policies, using the Effective Access tab with user and device claims included. Document claim types, resource properties and policies with clear descriptions in ADAC.

Dynamic Access Control is the most flexible authorization framework built into Windows Server 2016. When properly implemented it enforces data governance automatically, so sensitive information is reachable only by the right people from the right devices, on any Windows Server 2012 or later file server in the domain.