This article is Part 26 in a series of articles on the “Top 31 Favorite Features in Windows Server 2012” with my fellow IT Pro Technical Evangelists. Be sure to follow them on Twitter and check out their blogs this month for the other parts of this series:

The full list of 31 things can be found here:


big-dataData continues to grow at an exponential pace in our businesses and our analysis show that over 80% of this data still resides on file servers. Often it is challenging to take your business needs and match them up to Windows security and authorization to set the access to this data. Windows Server 2012 tries to help address these challenges by introducing a new feature called Dynamic Access Control. This feature was originally named “claim-based access control,” but was renamed to Dynamic Access Control because the new access control system does much more than just claims.

In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you can add tags to your data in file servers.
  • Control access to files by applying automatic policies that use central access policies. For example, you could define who can access health information within the organization.
  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain credit card numbers.
  • Access Denied Assistance. For example, when a user receives an access denied dialog it provides a way to request access from a data owner. See the dialogs below.

image Click to Enlarge

image Click to Enlarge

  • Setting conditional access to files and folders. This is immediately available on a Windows Server 2012 File Server and enables you to setup access to files based on then need to belong to a list of AD groups or have an  AD attribute such as Department or Country for access.

image Click to Enlarge

There are several Windows components that make this high-level capability work. AD was updated to comprehend claims. NTFS was updated to be able to use regular expressions in the file system ACLs in addition to security principals such as users and groups. File Server Resource Manager automates setting classifications on files. ADAC was updated to give administrators a nice GUI to manage their file access policies.

For a good solid hands on understanding of Dynamic Access Control try the hands on Virtual Lab on the Microsoft web site. In just 20 minutes you can have the hands on experience you need!

Technet Windows Server 2012 Virtual Labs
The lab at the bottom of this list is:
Using Dynamic Access Control to Automatically and Centrally Secure Data
In this lab, you will explore Dynamic Access Control in Windows Server 2012. You will learn how to create Central Access Policies, explore the new Access Denied Remediation features, as well as learn how to use the audit capabilities built into Dynamic Access Control.