How to Configure Dynamic Access Control on Windows Server 2012 R2

Dynamic Access Control (DAC) is a claims-based access control framework introduced in Windows Server 2012 that extends the traditional permissions model with user and device claims, central access policies, and expression-based access rules. Rather than relying solely on group membership to determine access, DAC allows access decisions to be based on attributes of the user (such as department, clearance level, or employment status), attributes of the computer being used, and attributes of the resource being accessed. This guide covers the components of DAC and walks through a practical configuration on Windows Server 2012 R2.

Prerequisites

Dynamic Access Control requires the following:

The domain functional level must be Windows Server 2012 or higher. The file server must be running Windows Server 2012 or Windows Server 2012 R2. Client machines must be running Windows 8 or later for device claims to function. Group Policy must be configured to enable the Kerberos armoring feature (FAST) and to enable claims support on DCs and clients. The Active Directory module and Group Policy module must be available.

Import-Module ActiveDirectory
Import-Module GroupPolicy

Step 1 — Enable Kerberos Armoring (FAST)

Kerberos FAST (Flexible Authentication Secure Tunneling) is required for device claims to be included in Kerberos tickets. Enable it via Group Policy:

# Create a GPO for DAC requirements
New-GPO -Name "DAC-KerberosArmoring" -Domain "contoso.com"
New-GPLink -Name "DAC-KerberosArmoring" -Target "DC=contoso,DC=com" -LinkEnabled Yes

In the GPO, navigate to Computer Configuration > Administrative Templates > System > KDC > KDC support for claims, compound authentication and Kerberos armoring — set to Enabled. Also configure Computer Configuration > Administrative Templates > System > Kerberos > Kerberos client support for claims, compound authentication and Kerberos armoring — set to Enabled on client machines.

Step 2 — Create Claim Types

Claim types define which user or computer attributes can be used as claims. In the Active Directory Administrative Center, navigate to Dynamic Access Control > Claim Types, or use PowerShell:

# Create a user claim type based on the department attribute.
# -ID fixes the claim ID that rule conditions reference (@USER.ad://ext/Department);
# without it AD generates an ID with a random suffix that has to be looked up with
# Get-ADClaimType before it can be used in an ACL.
New-ADClaimType `
    -AppliesToClasses @("User") `
    -DisplayName "Department" `
    -ID "ad://ext/Department" `
    -SourceAttribute "department" `
    -RestrictValues $false

# Create a user claim type for security clearance (custom extensionAttribute)
New-ADClaimType `
    -AppliesToClasses @("User") `
    -DisplayName "SecurityClearance" `
    -ID "ad://ext/SecurityClearance" `
    -SourceAttribute "extensionAttribute1" `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Public","Public",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Confidential","Confidential",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Secret","Secret","")
    )

# Create a device (computer) claim type
New-ADClaimType `
    -AppliesToClasses @("Computer") `
    -DisplayName "ManagedDevice" `
    -ID "ad://ext/ManagedDevice" `
    -SourceAttribute "extensionAttribute2"

Step 3 — Create Resource Properties

Resource properties define attributes that can be applied to files and folders, enabling the access rules to match against file classification:

# Enable the built-in Confidentiality resource property (display name "Confidentiality",
# object name and ID Confidentiality_MS)
$prop = Get-ADResourceProperty -Identity "Confidentiality_MS"
Set-ADResourceProperty -Identity $prop -Enabled $true

# Create a custom resource property
New-ADResourceProperty `
    -DisplayName "ProjectCode" `
    -IsSecured $true `
    -ResourcePropertyValueType MS-DS-MultivaluedChoice `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("PRJ-FIN","Finance Project",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("PRJ-HR","HR Project",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("PRJ-IT","IT Project","")
    )

Step 4 — Create Resource Property Lists

Resource property lists are published to file servers via Group Policy. File Server Resource Manager (FSRM) uses these lists for file classification:

# Add properties to the Global Resource Property List (the list that Group Policy
# publishes to file servers). Membership is managed with Add-ADResourcePropertyListMember;
# Set-ADResourcePropertyList -Add expects attribute/value hashtables, not property objects.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Confidentiality_MS","ProjectCode"

Step 5 — Create Central Access Rules

Central Access Rules define the conditions under which access is granted or denied to resources based on claims and resource properties:

# Create a Central Access Rule for Finance documents.
# Both expressions use SDDL conditional syntax: resource properties are referenced as
# @RESOURCE.<ID>, user claims as @USER.<claim ID> and device claims as @DEVICE.<claim ID>.
# The built-in Confidentiality property has the ID Confidentiality_MS and stores its
# ordered values Low/Moderate/High as 1000/2000/3000.
# The claim IDs below assume the Step 2 claim types were created with
# -ID "ad://ext/Department" and -ID "ad://ext/ManagedDevice"; otherwise read the
# generated IDs with Get-ADClaimType and substitute them.
New-ADCentralAccessRule `
    -Name "Finance-Confidential-Rule" `
    -ResourceCondition "(@RESOURCE.Confidentiality_MS == 3000)" `
    -CurrentAcl "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == `"Finance`" && @DEVICE.ad://ext/ManagedDevice == `"True`"))" `
    -Description "Allow access to confidential finance documents only from managed Finance dept devices"

Step 6 — Create Central Access Policies

Central Access Policies group one or more Central Access Rules and are published via Group Policy to file servers:

# Create a Central Access Policy
New-ADCentralAccessPolicy `
    -Name "Finance-Access-Policy" `
    -Description "Central access policy for Finance department resources"

# Add the rule to the policy
Add-ADCentralAccessPolicyMember `
    -Identity "Finance-Access-Policy" `
    -Members "Finance-Confidential-Rule"

Step 7 — Publish via Group Policy

Publish the Central Access Policy to file servers through Group Policy:

# Create GPO and link to file server OU
New-GPO -Name "DAC-FileServer-Policy"
New-GPLink -Name "DAC-FileServer-Policy" `
    -Target "OU=FileServers,OU=Contoso,DC=contoso,DC=com"

In the GPO, navigate to Computer Configuration > Windows Settings > Security Settings > File System > Central Access Policy and add “Finance-Access-Policy.” This distributes the policy to all file servers in the target OU.

Step 8 — Apply Classification to Files

On the file server, use File Server Resource Manager (FSRM) to classify files, then apply the Central Access Policy to the folders it should govern through their security descriptor:

# Install FSRM on the file server
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# Pull the resource property definitions published through Group Policy into FSRM
Update-FsrmClassificationPropertyDefinition

# Classify the folder tree as Confidentiality = High (Confidentiality_MS stores High
# as 3000) with a folder classification rule, then run the classification
$folder = "D:\Finance\Shares\Confidential"
New-FsrmClassificationRule -Name "Finance-Confidential" -Namespace @($folder) `
    -ClassificationMechanism "Folder Classifier" `
    -Property "Confidentiality_MS" -PropertyValue "3000"
Start-FsrmClassification

# Apply the Central Access Policy to the folder. The CAP is identified by its policy SID
# (S-1-17-... authority), read from AD rather than hard-coded, and is attached through a
# scoped-policy (SP) ACE in the folder's SACL. Reading and writing the SACL needs an
# elevated session, and this replaces any audit entries already on the folder (merge them
# first if the folder is audited). The GUI equivalent is the Central Policy tab in the
# folder's Advanced Security Settings.
$capSID = (Get-ADCentralAccessPolicy -Identity "Finance-Access-Policy").PolicyID
$acl = Get-Acl -Path $folder -Audit
$acl.SetSecurityDescriptorSddlForm("S:(SP;OICI;;;;$capSID)", "Audit")
Set-Acl -Path $folder -AclObject $acl
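
Before a rule is tightened in production it can be staged: a proposed ACL is evaluated next to the current one on every access, the current ACL still decides, and each divergence is audited as Security event 4818. The script below is an added example, not code from the original guide; it assumes the rule name used above, the claim type IDs ad://ext/Department and ad://ext/SecurityClearance from Step 2, and an elevated session on the file server with the AD PowerShell module available.

```powershell
# Added example: stage a stricter Finance rule and review the staging audit results.
# Assumes claim type IDs ad://ext/Department and ad://ext/SecurityClearance (Step 2).

# Proposed ACL = current ACL plus a Secret clearance requirement. Access is still decided
# by the current ACL; the proposed ACL is only evaluated for comparison.
$currentAcl  = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
               "(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == `"Finance`"))"
$proposedAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
               "(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == `"Finance`" && " +
               "@USER.ad://ext/SecurityClearance == `"Secret`"))"
Set-ADCentralAccessRule -Identity "Finance-Confidential-Rule" `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# On the file server (elevated): refresh the published policy and enable staging audits.
# Event 4818 is written whenever the proposed policy would grant different access than
# the current policy for a real access request.
gpupdate /target:computer /force
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

function Get-CapStagingMismatch {
    # Returns one object per 4818 event with its EventData fields flattened, so the
    # principal, object and policy involved can be reviewed before enforcement.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4818; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $fields = [ordered]@{ TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Review the mismatches; once none remain unexplained, promote the proposed ACL:
Get-CapStagingMismatch | Format-List
# Set-ADCentralAccessRule -Identity "Finance-Confidential-Rule" -CurrentAcl $proposedAcl
```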

Verifying Dynamic Access Control

# Verify claim types
Get-ADClaimType -Filter * | Select-Object DisplayName, SourceAttribute, AppliesToClasses

# Verify resource properties
Get-ADResourceProperty -Filter * | Select-Object DisplayName, IsSecured, Enabled

# Verify central access policies
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Description

# Check claims and effective access: run whoami /claims in the user's session on a
# DAC-enabled client to list the claims carried in the current token. The Effective Access
# tab in a folder's Advanced Security Settings evaluates the Central Access Policy for a
# chosen user, device and set of claim values without touching the data.
whoami /claims
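
A mistyped or auto-generated claim ID in a rule's ACL is a common reason a Central Access Rule never matches, so the rule definitions are worth checking against the claim types and resource properties that actually exist. The function below is an added example, not code from the original guide; it assumes the AD PowerShell module with read access to the Dynamic Access Control containers, and that a policy's Members property lists its rules by distinguished name or name.

```powershell
# Added example: verify that every claim and resource property referenced by the
# Central Access Rules exists in AD, and flag rules that belong to no policy.
# A rule whose condition references an unknown ID never evaluates true, so the allow
# clause silently never applies; this makes that visible during review.
function Test-CentralAccessRuleReferences {
    $claimIds      = @(Get-ADClaimType -Filter * | ForEach-Object { $_.ID })
    $propertyIds   = @(Get-ADResourceProperty -Filter * | ForEach-Object { $_.ID })
    # Assumption: Members holds the rules' DNs (names are checked too, to be safe)
    $policyMembers = @(Get-ADCentralAccessPolicy -Filter * | ForEach-Object { $_.Members })

    foreach ($rule in Get-ADCentralAccessRule -Filter *) {
        # Gather @USER./@DEVICE. and @RESOURCE. references from all three expressions
        $text = "$($rule.CurrentAcl) $($rule.ProposedAcl) $($rule.ResourceCondition)"
        $claimRefs    = [regex]::Matches($text, '@(?:USER|DEVICE)\.(ad://ext/[^\s()=!<>]+)') |
                        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        $resourceRefs = [regex]::Matches($text, '@RESOURCE\.([A-Za-z0-9_]+)') |
                        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

        [pscustomobject]@{
            Rule             = $rule.Name
            UnknownClaims    = @($claimRefs    | Where-Object { $claimIds    -notcontains $_ })
            UnknownResources = @($resourceRefs | Where-Object { $propertyIds -notcontains $_ })
            InAnyPolicy      = ($policyMembers -contains $rule.DistinguishedName) -or
                               ($policyMembers -contains $rule.Name)
            Staged           = [bool]$rule.ProposedAcl
        }
    }
}

# Rules with non-empty UnknownClaims/UnknownResources, or InAnyPolicy = False, need attention
Test-CentralAccessRuleReferences | Format-Table -AutoSize
```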

Summary

Dynamic Access Control on Windows Server 2012 R2 provides a powerful, attribute-based access control system that extends traditional ACLs with claims about users, devices, and resources. The configuration workflow involves enabling Kerberos armoring, defining claim types, creating resource properties, building central access rules and policies, and publishing them via Group Policy. DAC is particularly valuable for organisations that need fine-grained access control based on classification labels or user attributes beyond simple group membership. The ability to stage access policies before enforcement allows safe testing of complex access rules before production deployment.