How to Configure Dynamic Access Control with Claims on Windows Server 2012 R2

Dynamic Access Control (DAC) is a data governance feature introduced in Windows Server 2012 that extends traditional Windows ACLs with claim-based access policies. Rather than managing file permissions purely through user and group membership, DAC allows file access decisions to be based on user attributes (department, clearance level, country) and device attributes (whether the device is compliant, domain-joined, or has specific software). This creates a flexible, auditable, and centrally managed access control layer on top of NTFS. This guide walks through a complete DAC deployment on Windows Server 2012 R2.

Prerequisites

– Windows Server 2012 R2 Domain Controllers (Domain Functional Level 2012 or higher)
– Windows Server 2012 R2 file server as the resource server
– Active Directory with user attributes populated (department, country, etc.)
– Group Policy Management Console access
– Familiarity with File Classification Infrastructure (FCI), used to tag files and folders with resource properties
– Kerberos armoring (FAST) enabled in the environment for full DAC support

Step 1: Enable Kerberos Claims Support

DAC requires Kerberos to carry user claims. Enable this via Group Policy on Domain Controllers and client computers:

Import-Module GroupPolicy

# Create a GPO to enable Kerberos claims on Domain Controllers
$dcGPO = New-GPO -Name "DC - Enable Kerberos Claims"
New-GPLink -Name "DC - Enable Kerberos Claims" `
    -Target "OU=Domain Controllers,DC=corp,DC=local" -LinkEnabled Yes

# The following registry values are what the GPMC policy writes:
# Computer Configuration > Administrative Templates >
# System > KDC > "KDC support for claims, compound authentication, and Kerberos armoring"
# Set to: Enabled, with option "Supported"
$kdcKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"
$dcGPO | Set-GPRegistryValue -Key $kdcKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
# CbacAndArmorLevel 1 corresponds to the "Supported" option of that policy
$dcGPO | Set-GPRegistryValue -Key $kdcKey `
    -ValueName "CbacAndArmorLevel" -Type DWord -Value 1

# Enable on client computers too
# Computer Configuration > Administrative Templates >
# System > Kerberos > "Kerberos client support for claims, compound authentication, and Kerberos armoring"
$clientGPO = New-GPO -Name "Computers - Enable Kerberos Claims"
$clientGPO | Set-GPRegistryValue `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
    -ValueName "EnableCbacAndArmor" `
    -Type DWord -Value 1
# Link the client GPO to the OU holding the client computers (the OU name here is an assumption; adjust it)
New-GPLink -Name "Computers - Enable Kerberos Claims" `
    -Target "OU=Workstations,DC=corp,DC=local" -LinkEnabled Yes

# Refresh policy on the DCs and clients
gpupdate /force

Step 2: Create Claim Types in Active Directory

Claim types define which AD attributes are used in access policies. Create them using Active Directory Administrative Center or PowerShell:

Import-Module ActiveDirectory

# Create a user claim type based on the 'department' AD attribute.
# The -ID is the name that conditional expressions reference (@USER.ad://ext/Department in Step 4).
# Without it, AD generates an ID with a random suffix (ad://ext/Department:<hex>) and the rules would not match.
New-ADClaimType -AppliesToClasses User `
    -DisplayName "Department" `
    -ID "ad://ext/Department" `
    -SourceAttribute department `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance","Finance",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR","Human Resources",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("IT","Information Technology",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Legal","Legal",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Engineering","Engineering","")
    )

# Create a user claim type for clearance level, mapped to an existing unused attribute
# (a comment after a backtick would break the line continuation, so it lives here instead)
New-ADClaimType -AppliesToClasses User `
    -DisplayName "ClearanceLevel" `
    -ID "ad://ext/ClearanceLevel" `
    -SourceAttribute extensionAttribute1 `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Public","Public",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Internal","Internal",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Confidential","Confidential",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Restricted","Restricted","")
    )

# Create a device claim type (device must be domain-joined and compliant);
# the msDS-IsCompliant attribute is populated by MDM
New-ADClaimType -AppliesToClasses Computer `
    -DisplayName "IsCompliantDevice" `
    -ID "ad://ext/IsCompliantDevice" `
    -SourceAttribute msDS-IsCompliant

# Verify claim types (the ID column is what the Central Access Rules reference)
Get-ADClaimType | Select-Object DisplayName, ID, AppliesToClasses, SourceAttribute | Format-Table -AutoSize
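A claim is only issued when the source attribute actually holds a value, and a rule written against the suggested values never matches a user whose attribute holds something else (for example "Accounting" where the rule expects "Finance"). The pre-flight check below is an added example and not part of the original guide; it reports, per claim type defined above, how many users would receive no claim and which attribute values in use are outside the suggested list. The OU path and the `$claimSources` mapping are assumptions taken from the claim types created in this step.

```powershell
Import-Module ActiveDirectory

# Claim types from the step above, mapped to the AD attribute each one reads from (assumed mapping)
$claimSources = @{
    'Department'     = 'department'
    'ClearanceLevel' = 'extensionAttribute1'
}

function Get-ClaimAttributeCoverage {
    param(
        # Assumed OU; point this at the container holding the users who will access the file servers
        [string]$SearchBase = 'OU=Users,DC=corp,DC=local',
        [hashtable]$Sources = $claimSources
    )
    $attrs = @($Sources.Values)
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs)

    foreach ($claim in $Sources.Keys) {
        $attr = $Sources[$claim]

        # Users with an empty source attribute receive no claim at all and fail every rule built on it
        $missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.$attr) })

        # Values present in AD but absent from the claim type's suggested values: the claim is still
        # issued, but no rule written against the suggested list will match it
        $ct = Get-ADClaimType -Filter "DisplayName -eq '$claim'" -Properties SuggestedValues
        $allowed = @($ct.SuggestedValues | ForEach-Object { $_.Value })
        $unexpected = @($users | ForEach-Object { $_.$attr } |
            Where-Object { $_ -and ($allowed -notcontains $_) } |
            Sort-Object -Unique)

        [pscustomobject]@{
            ClaimType        = $claim
            SourceAttribute  = $attr
            UsersChecked     = $users.Count
            MissingValue     = $missing.Count
            SampleMissing    = (($missing | Select-Object -First 5).SamAccountName) -join ', '
            UnexpectedValues = $unexpected -join ', '
        }
    }
}

Get-ClaimAttributeCoverage | Format-Table -AutoSize
```

Run this on a domain member with the ActiveDirectory module before deploying rules; a non-zero MissingValue column means those users will be denied by every claim-based rule regardless of what the rule says. On a client, `whoami /claims` (run as the user after a fresh logon) shows the claims that were actually placed in the Kerberos ticket, which is the fastest way to confirm Step 1 and Step 2 together.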

Step 3: Create Resource Properties

Resource Properties define the classification labels that can be applied to files and folders. These are the resource-side equivalent of user claims:

# Create resource properties for data classification.
# An explicit -ID keeps the name used in resource conditions (@RESOURCE.Confidentiality, @RESOURCE.Department)
# stable; when omitted, AD derives the ID from the display name.
# Note: Windows Server 2012 ships pre-defined (disabled) resource properties whose display names include
# "Department" and "Confidentiality". If New-ADResourceProperty reports that the display name already
# exists, enable the built-in one instead and reference its ID in the rules, e.g.
#   Set-ADResourceProperty -Identity "Department_MS" -Enabled $true   # then use @RESOURCE.Department_MS
New-ADResourceProperty -DisplayName "Confidentiality" `
    -ID "Confidentiality" `
    -IsSecured $true `
    -ResourcePropertyValueType MS-DS-MultivaluedChoice `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Public","Public","Public information"),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Internal","Internal","Internal use only"),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Confidential","Confidential","Confidential data"),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HighlyConfidential","Highly Confidential","Most sensitive data")
    )

New-ADResourceProperty -DisplayName "Department" `
    -ID "Department" `
    -IsSecured $true `
    -ResourcePropertyValueType MS-DS-MultivaluedChoice `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance","Finance",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR","Human Resources",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("IT","IT",""),
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Legal","Legal","")
    )

# Add resource properties to the Global Resource Property List, which file servers download
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Confidentiality","Department"

# Verify
Get-ADResourcePropertyList -Identity "Global Resource Property List" |
    Select-Object -ExpandProperty Members

Step 4: Create Central Access Rules and Policies

Central Access Rules define the conditions under which access is granted or denied. A Central Access Policy groups rules and is deployed to file servers via Group Policy:

# Create a Central Access Rule: Finance data accessible only to Finance department employees
New-ADCentralAccessRule -Name "Finance Data Access Rule" `
    -Description "Allow access to Finance-classified data only to Finance department users" `
    -CurrentAcl "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of {`"Finance`"}))" `
    -ResourceCondition "(@RESOURCE.Department Contains {`"Finance`"})"

# Create a Central Access Rule for Confidential data — requires domain-joined compliant device
New-ADCentralAccessRule -Name "Confidential Data Access Rule" `
    -Description "Confidential files: user must have Confidential clearance AND be on a compliant device" `
    -CurrentAcl "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/ClearanceLevel Any_of {`"Confidential`",`"Restricted`"} && @DEVICE.ad://ext/IsCompliantDevice == `"true`"))" `
    -ResourceCondition "(@RESOURCE.Confidentiality Contains {`"Confidential`"})"

# Create the Central Access Policy that groups these rules
New-ADCentralAccessPolicy -Name "Corporate Data Policy" `
    -Description "Corporate data access policy based on classification and user attributes"

Add-ADCentralAccessPolicyMember -Identity "Corporate Data Policy" `
    -Members "Finance Data Access Rule","Confidential Data Access Rule"

# Verify
Get-ADCentralAccessPolicy | Format-Table Name, Description
Get-ADCentralAccessRule | Format-Table Name

Step 5: Deploy the Central Access Policy via Group Policy

Deploy the Central Access Policy to file servers by applying it through Group Policy:

Import-Module GroupPolicy

# Create and link a GPO for file server DAC policy
$dacGPO = New-GPO -Name "FileServer - Dynamic Access Control Policy"
New-GPLink -Name "FileServer - Dynamic Access Control Policy" `
    -Target "OU=FileServers,DC=corp,DC=local" -LinkEnabled Yes

# Configure the Central Access Policies setting in the GPO
# This applies the policy to the file system security model
# Path: Computer Configuration > Windows Settings > Security Settings >
#       File System > Central Access Policy
# Add "Corporate Data Policy" to the list

# Stage the policy first (audit-only) before enforcing it: put the conditional ACL in each rule's
# Proposed ACL while the Current ACL stays permissive. Staging shows what WOULD be denied
# (Security event 4818, see Step 7) without actually denying anything.
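Staging in DAC is a property of each Central Access Rule: the rule carries a Current ACL that is enforced and an optional Proposed ACL that is only evaluated for auditing, and every access where the two disagree is logged as Security event 4818 (once the "Central Policy Staging" subcategory from Step 7 is enabled). The workflow below is an added example, not code from the original guide: it validates a conditional SDDL string with the operating system's own parser before handing it to AD, stages the Finance rule with a permissive Current ACL, and later promotes the Proposed ACL to Current. The permissive baseline ACL is constructed for this example; the rule name and conditional expression are the ones from Step 4.

```powershell
Import-Module ActiveDirectory

# Permissive baseline used as the *current* ACL while the conditional ACL is only proposed.
# Constructed for this example: full control to owner, Administrators and SYSTEM, read/execute to
# Authenticated Users, i.e. no tighter than ordinary NTFS permissions on the share.
$baselineAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)'

# The conditional ACL we eventually want to enforce (same expression as the Finance rule in Step 4)
$financeAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of {"Finance"}))'

function Test-SddlString {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor hands the string to the Win32 SDDL parser, which understands
    # conditional (XA) ACEs on Windows 8 / Server 2012 and later. A malformed string throws
    # here, on the admin workstation, instead of failing inside the AD cmdlet.
    try {
        [void](New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl))
        return $true
    } catch {
        Write-Warning "Invalid SDDL: $($_.Exception.Message)"
        return $false
    }
}

function Set-RuleStaging {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$ProposedAcl,
        [string]$CurrentAcl = $baselineAcl
    )
    if (-not (Test-SddlString $ProposedAcl)) { throw "Refusing to stage rule '$RuleName': bad SDDL" }
    # CurrentAcl is what is enforced now; ProposedAcl is only evaluated for audit event 4818
    Set-ADCentralAccessRule -Identity $RuleName -CurrentAcl $CurrentAcl -ProposedAcl $ProposedAcl
}

function Publish-ProposedAcl {
    param([Parameter(Mandatory)][string]$RuleName)
    $rule = Get-ADCentralAccessRule -Identity $RuleName -Properties CurrentAcl, ProposedAcl
    if (-not $rule.ProposedAcl) { throw "Rule '$RuleName' has no proposed ACL to promote" }
    # Promote: the proposed ACL becomes the enforced one. Current and Proposed are now identical,
    # so staging events stop until a new proposal is set.
    Set-ADCentralAccessRule -Identity $RuleName -CurrentAcl $rule.ProposedAcl
}

# Stage the Finance rule; file servers pick the change up at the next policy refresh
Set-RuleStaging -RuleName 'Finance Data Access Rule' -ProposedAcl $financeAcl

# After reviewing 4818 events for an agreed period with no unexpected denials:
# Publish-ProposedAcl -RuleName 'Finance Data Access Rule'
```

The split between the two functions is deliberate: staging and enforcing are separate change-control steps, and nothing in the staging function can tighten what users can do today. Review the 4818 events (Step 7) per user and folder before calling the publish function.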

Step 6: Apply Classification and Test Access

# On the file server: refresh Group Policy so the Central Access Policy becomes available
gpupdate /force

# View the current NTFS permissions on the folder
icacls "D:\FileShare\Finance"

# Set file classification through FCI (File Classification Infrastructure).
# FSRM must be installed (Install-WindowsFeature FS-Resource-Manager). Pull the AD resource
# properties down to this server, then write the Confidentiality value on the folder through the
# FSRM classification manager COM interface. The local property name is the resource property's
# ID in AD (check Get-FsrmClassificationPropertyDefinition if unsure).
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition
$fsrm = New-Object -ComObject Fsrm.FsrmClassificationManager
$fsrm.SetFileProperty("D:\FileShare\Finance\Q4Reports", "Confidentiality", "Confidential")
# Read the value back
$fsrm.GetFileProperty("D:\FileShare\Finance\Q4Reports", "Confidentiality", 0).Value

# Apply the Central Access Policy to the folder: folder Properties > Security > Advanced >
# Central Policy tab, choose "Corporate Data Policy". The assignment is stored in the folder's
# SACL as a scoped-policy ACE (type SP, SID prefix S-1-17-); reading the ACL with -Audit
# shows it in the SDDL string:
(Get-Acl -Path "D:\FileShare\Finance" -Audit).Sddl

# Verify DAC with the effective access tool
# In the folder's Advanced Security Settings: "Effective Access" tab, add a user + device to see computed access
# Check the attribute that feeds the user's claim:
$user = Get-ADUser "jsmith" -Properties department
Write-Host "User department: $($user.department)"
# On a client, logged on as that user, list the claims actually issued in the Kerberos ticket:
whoami /claims

# Test access by logging in as a Finance user and attempting access
# Non-Finance users should be denied access to Finance-classified folders

Step 7: Configure DAC Audit Policy

# Enable DAC object access auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable

# View DAC audit events (Event ID 4818 = Proposed Central Access Policy does not grant same access)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 4818
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message | Format-Table -Wrap

# Event ID 4656 with Central Policy information shows actual denies
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 4656
} -MaxEvents 20 | Where-Object { $_.Message -like "*CentralPolicy*" } |
    Format-Table TimeCreated, Message -Wrap
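Reading 4818 events one message at a time does not scale once a staged policy has been live for a week, and the useful question is "which user on which folder would the proposed policy deny, and how often". The function below is an added example, not part of the original guide: it pulls the 4818 events from the Security log, flattens each event's XML EventData into a hashtable so the fields can be addressed by name, and aggregates by object and user. The field names SubjectUserName, SubjectDomainName, ObjectName and ProcessName are assumed to be present in the 4818 EventData (they are the standard object-access fields); confirm them against one of your own events with `(Get-WinEvent ...).ToXml()`.

```powershell
function Get-StagedPolicyDenials {
    param([int]$Hours = 24)

    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches, which here
    # simply means "no staging differences in the window"
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4818
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # Flatten EventData <Data Name="...">value</Data> pairs into a hashtable, whatever the field set
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = $data['SubjectUserName']    # assumed field names; verify against your events
            Domain      = $data['SubjectDomainName']
            Object      = $data['ObjectName']
            Process     = $data['ProcessName']
        }
    }
}

# Summarise a week of staging: one row per (folder, user) pair, most frequent first
Get-StagedPolicyDenials -Hours 168 |
    Group-Object Object, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Rows that name a user who legitimately needs the data point at a missing or mistyped attribute value (Step 2) or a folder classified with the wrong resource property (Step 6); fix those before promoting the Proposed ACL. A row for a user who should not have access is the staged policy doing its job.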

Verification

# Verify complete DAC deployment
Write-Host "=== Dynamic Access Control Verification ===" -ForegroundColor Cyan

Write-Host "Claim Types:"
Get-ADClaimType | Select-Object DisplayName, AppliesToClasses | Format-Table

Write-Host "Resource Properties:"
Get-ADResourceProperty | Select-Object DisplayName, IsSecured | Format-Table

Write-Host "Central Access Rules:"
Get-ADCentralAccessRule | Select-Object Name | Format-Table

Write-Host "Central Access Policies:"
Get-ADCentralAccessPolicy | Format-Table Name

Write-Host "Kerberos Claims support (DCs):"
Get-GPRegistryValue -Name "DC - Enable Kerberos Claims" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters" `
    -ValueName "EnableCbacAndArmor"

Summary

Dynamic Access Control on Windows Server 2012 R2 transforms file access management from a static, group-membership-only model to a dynamic, attribute-based system. By defining user claim types mapped to AD attributes, creating resource properties for file classification, building Central Access Rules that combine user and resource conditions, deploying policies via Group Policy, and enabling audit logging, you gain fine-grained, policy-driven control over who can access what data. The staged enforcement mode allows safe testing before enforcement, and audit events provide a clear trail of access decisions. DAC is particularly valuable for organizations with regulatory requirements around data access governance.