MCSA Lab Scenario - A.

Datum Corp – Part 5 Erfan Taheri

Scenario
You are working as an administrator at A. Datum Corporation. The company has a wide and
complex file server infrastructure. It manages access control to folder shares by using NTFS file
system ACLs, but in some cases, that approach does not provide the desired results.
Most of the files that departments use are stored in shared folders dedicated to specific
departments, but confidential documents sometimes appear in other shared folders. Only
members of the Research team should be able to access Research team folders, and only
Executive department managers should be able to access highly confidential documents.
The Security department also is concerned that managers are accessing files by using their home
computers, which might not be highly secure. Therefore, you must create a plan for securing
documents regardless of where they are located, and you must ensure that documents can be
accessed only from authorized computers. Authorized computers for managers are members of
the security group ManagersWks.
The Support department reports that a high number of calls are generated by users who cannot
access resources. You must implement a feature that helps users understand error messages
better and will enable them to request access automatically.
Many users use personal devices such as tablets and laptops to work from home and while at
work. You have to provide them with an efficient way to synchronize business data on all the
devices that they use.
LAB Setup

Virtual Machines: Lon-DC1.Adatum.local, SRV1.Adatum.local, SRV2.Adatum.local, CL1.Adatum.local, CL2.Adatum.local
Username: Adatum\Administrator
Password: Pa$$w0rd

Lon-DC1.Adatum.local is a promoted, writable domain controller for the London domain Adatum.local.
CL1.Adatum.local and CL2.Adatum.local are Windows 8.1 clients.

Exercise 1: Preparing for DAC Deployment


To address the requirements from the lab scenario, you decide to implement DAC technology.
The first step in implementing DAC is to configure the claims for the users and devices that
access the files. In this exercise, you will review the default claims, and create new claims based
on department and computer group attributes. You also will configure the Resource Property
lists and the Resource Property definitions. You will do this and then use the resource properties
to classify files.

Task 1: Prepare AD DS for DAC deployment


1. On LON-DC1, in Server Manager, open Active Directory Domains and Trusts console.
2. Raise the domain and forest functional level to Windows Server 2012.
3. On LON-DC1, in Server Manager, open Active Directory Users and Computers.
4. Create a new Organizational Unit named DAC-Protected.
5. Move the LON-SVR1 and LON-CL1 computer objects into the DAC-Protected OU.
6. On LON-DC1, from Server Manager, open the Group Policy Management Console.
7. Edit the Default Domain Controllers Policy GPO.
8. In the Group Policy Management Editor, under Computer Configuration, expand Policies,
expand Administrative Templates, expand System, and then click KDC.
9. Enable the KDC support for claims, compound authentication and Kerberos armoring policy
setting.
10. In the Options section, click Always provide claims.
11. On LON-DC1, refresh Group Policy.
12. Open Active Directory Users and Computers, and in the Users container, create a security
group named ManagersWKS.
13. Add LON-CL1 to the ManagersWKS group.
14. Verify that user Aidan Delaney is a member of Managers department, and that Allie Bellew is
the member of the Research department. Department entries should be filled in for the
appropriate Organization attribute in each user profile. After you verify these values, click Cancel
and don’t make any changes.
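The same preparation can be scripted from an elevated Windows PowerShell prompt on LON-DC1. The block below is an added example, not part of the lab, and assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed and that Aidan and Allie are the sAMAccountNames of the two users named in step 14. The registry value names for the KDC policy are taken from the KDC ADMX template and should be verified in the Group Policy Management Editor after the script runs.

```powershell
# Added example (not part of the lab): Task 1 from an elevated PowerShell prompt on LON-DC1.
# Assumes the ActiveDirectory and GroupPolicy modules and the object names used in the lab text.
Import-Module ActiveDirectory, GroupPolicy

# Steps 1-2: DAC needs the Windows Server 2012 forest and domain functional levels
Set-ADForestMode -Identity 'Adatum.local' -ForestMode Windows2012Forest -Confirm:$false
Set-ADDomainMode -Identity 'Adatum.local' -DomainMode Windows2012Domain -Confirm:$false

# Steps 3-5: the OU that the DAC Policy GPO will later be linked to, and the two computers it scopes
$domainDN = (Get-ADDomain -Identity 'Adatum.local').DistinguishedName
$ou = New-ADOrganizationalUnit -Name 'DAC-Protected' -Path $domainDN -PassThru
foreach ($computer in 'LON-SVR1', 'LON-CL1') {
    Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ou.DistinguishedName
}

# Steps 6-10: "KDC support for claims, compound authentication and Kerberos armoring" in the
# Default Domain Controllers Policy. The editor stores this setting as registry values; the value
# names and the mapping level 2 = "Always provide claims" come from the KDC ADMX template and are
# an assumption to confirm in the editor afterwards.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 2

# Step 11: refresh Group Policy on the DC so the KDC picks the setting up
gpupdate /force

# Steps 12-13: the device group that the device claim condition will reference later
New-ADGroup -Name 'ManagersWKS' -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
Add-ADGroupMember -Identity 'ManagersWKS' -Members (Get-ADComputer -Identity 'LON-CL1')

# Step 14: read-only check of the attribute the user claim will be sourced from.
# 'Aidan' and 'Allie' are assumed to be the sAMAccountNames (the lab signs in as Adatum\Aidan and Adatum\Allie).
foreach ($user in 'Aidan', 'Allie') {
    Get-ADUser -Identity $user -Properties department | Select-Object Name, department
}
```

The last loop only reads the department attribute; if it is empty for either user, the claim created in Task 2 will be empty for that user too, and the access rules in Exercise 2 will deny them regardless of group membership.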
Task 2: Configure user and device claims
1. On LON-DC1, open the Active Directory Administrative Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access
Control.
3. Open the Claim Types container, and then create a new claim type for users and computers by
using the following settings:
• Source Attribute: department
• Display name: Company Department
• Suggested values: Managers, Research
4. In the Active Directory Administrative Center, in the Tasks pane, click New, and then click
Claim Type.
5. Create a new claim type for computers by using the following settings:
• Source Attribute: description
• Display name: description
Task 3: Configure resource properties and resource property lists
1. In the Active Directory Administrative Center, click Dynamic Access Control, and then open the
Resource Properties container.
2. Enable the Department and Confidentiality Resource properties.
3. Open Properties for the Department property.
4. Add Research as a suggested value.
5. Open the Global Resource Property List, ensure that Department and Confidentiality are
included in the list, and then click Cancel.
6. Close the Active Directory Administrative Center.
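Tasks 2 and 3 map onto the claim and resource property cmdlets of the ActiveDirectory module. The following block is an added example rather than lab content; it gives the Company Department claim type an explicit ID (ad://ext/CompanyDepartment) so that central access rules written later can reference it by name, and it assumes the built-in resource properties carry their usual object IDs Department_MS and Confidentiality_MS.

```powershell
# Added example (not part of the lab): Tasks 2 and 3 with the ActiveDirectory module on LON-DC1.
# The claim ID 'ad://ext/CompanyDepartment' is chosen here; omit -ID to let AD DS generate one.
Import-Module ActiveDirectory

# Suggested values are ADSuggestedValueEntry objects built as (Value, DisplayName, Description)
function New-SuggestedValue([string]$Value) {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($Value, $Value, "$Value department")
}

# Task 2, step 3: one claim type sourced from 'department', issued for both users and computers
New-ADClaimType -DisplayName 'Company Department' -ID 'ad://ext/CompanyDepartment' `
    -SourceAttribute 'department' -AppliesToClasses 'user', 'computer' `
    -SuggestedValues @((New-SuggestedValue 'Managers'), (New-SuggestedValue 'Research'))

# Task 2, step 5: a computer-only claim sourced from 'description'
New-ADClaimType -DisplayName 'description' -SourceAttribute 'description' -AppliesToClasses 'computer'

# Task 3, steps 1-2: enable the built-in resource properties (object IDs carry the _MS suffix)
'Department_MS', 'Confidentiality_MS' | ForEach-Object { Set-ADResourceProperty -Identity $_ -Enabled $true }

# Task 3, steps 3-4: append Research to Department's suggested values. -SuggestedValues replaces
# the whole list, so the existing entries are read first and Research is added to them.
$dept = Get-ADResourceProperty -Identity 'Department_MS' -Properties SuggestedValues
Set-ADResourceProperty -Identity 'Department_MS' `
    -SuggestedValues ($dept.SuggestedValues + (New-SuggestedValue 'Research'))

# Task 3, step 5: confirm both properties are members of the Global Resource Property List
# (the list that file servers download); add any that are missing
$list = Get-ADResourcePropertyList -Identity 'Global Resource Property List'
foreach ($id in 'Department_MS', 'Confidentiality_MS') {
    $dn = (Get-ADResourceProperty -Identity $id).DistinguishedName
    if ($list.Members -notcontains $dn) { Add-ADResourcePropertyListMember -Identity $list -Members $id }
}
Get-ADResourcePropertyList -Identity 'Global Resource Property List' | Select-Object -ExpandProperty Members
```

Only properties in the Global Resource Property List reach File Server Resource Manager on LON-SVR1, which is why step 5 checks the list before Task 4 refreshes the classification properties.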
Task 4: Implement file classifications
1. On LON-SVR1, open the File Server Resource Manager.
2. Refresh Classification Properties, and then verify that Confidentiality and Department
properties are listed.
3. Create a classification rule with following values:
• Name: Set Confidentiality
• Scope: C:\Docs
• Classification method: Content Classifier
• Property: Confidentiality
• Value: High
• Classification Parameters: String “secret”
• Evaluation Type: Re-evaluate existing property values, and then click Overwrite the existing
value
4. Run the classification rule.
5. Open a File Explorer window, browse to the C:\Docs folder, and then open the Properties
window for files Doc1.txt, Doc2.txt, and Doc3.txt.
6. Verify values for Confidentiality. Doc1.txt and Doc2.txt should have confidentiality set to High.
Task 5: Assign a property to the Research folder
1. On LON-SVR1, open File Explorer.
2. Browse to C:\Research, and open its properties.
3. On the Classification tab, set the Department value to Research.
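Tasks 4 and 5 can be done with the FileServerResourceManager module on LON-SVR1. This block is an added example, not lab content; it assumes the FSRM role service is installed and that C:\Docs and C:\Research exist with the Doc1.txt to Doc3.txt files the lab refers to.

```powershell
# Added example (not part of the lab): Tasks 4 and 5 with the FileServerResourceManager module on LON-SVR1.
Import-Module FileServerResourceManager

# Task 4, step 2: pull the resource property definitions from AD DS and check the two used here
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.Name -in 'Confidentiality_MS', 'Department_MS' } |
    Select-Object Name, DisplayName, PossibleValue

# Step 3: the Content Classifier rule. -ContentString matches the plain string "secret";
# Overwrite re-evaluates files that already carry a value, as the Evaluation Type bullet asks.
New-FsrmClassificationRule -Name 'Set Confidentiality' -Namespace @('C:\Docs') `
    -Property 'Confidentiality_MS' -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' -ContentString @('secret') `
    -ReevaluateProperty Overwrite

# Step 4: run the classification now and block until it finishes
Start-FsrmClassification
Wait-FsrmClassification

# Steps 5-6: the value itself is read on each file's Classification tab in File Explorer. For plain
# files FSRM keeps classification data in an alternate data stream, so listing streams shows which
# of the three files were touched by the rule (Doc1.txt and Doc2.txt are expected; Doc3.txt is not).
Get-Item -Path 'C:\Docs\Doc1.txt', 'C:\Docs\Doc2.txt', 'C:\Docs\Doc3.txt' -Stream * |
    Select-Object FileName, Stream, Length

# Task 5: assign Department = Research to the folder itself (a folder management property)
Set-FsrmMgmtProperty -Namespace 'C:\Research' -Name 'Department_MS' -Value 'Research'
Get-FsrmMgmtProperty -Namespace 'C:\Research'
```

The folder property set in Task 5 is what the Department Match rule in Exercise 2 compares the user's claim against, so a typo in the value (anything other than Research) silently denies the whole Research team.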

Exercise 2: Implementing DAC


The next step in implementing DAC is to configure the central access rules and policies that link
claims and property definitions. You will configure rules for DAC to address the requirements
from the lab scenario. After you configure DAC rules and policies, you will apply the policy to a
file server.
Task 1: Configure central access rules
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. Click Dynamic Access Control, and then open the Central Access Rules container.
3. Create a new central access rule with the following values:
• Name: Department Match
• Target Resource: use condition Resource-Department-Equals-Value-Research
• Current Permissions:
o Remove Administrators
o Add Authenticated Users
o Modify, with condition User-Company Department-Equals-Resource-Department
4. Create another central access rule with the following values:
• Name: Access Confidential Docs
• Target Resource: use condition Resource-Confidentiality-Equals-Value-High
• Current Permissions:
o Remove Administrators
o Add Authenticated Users
o Modify, and set the first condition to: User-Company Department-Equals-Value-Managers
o Permissions: Set the second condition to: Device-Group-Member of each-Value-ManagersWKS
Policy Management console.
5. Create new GPO named DAC Policy, and in the Adatum.com domain, link it to the DAC-
Protected OU.
6. Edit the DAC Policy, browse to Computer Configuration /Policies/Windows Settings/Security
Settings/File System, and then right-click Central Access Policy.
7. Click Manage Central Access Policies, click both Department Match and Protect confidential
docs, click Add, and then click OK.
8. Close the Group Policy Management Editor and the Group Policy Management Console.
9. On LON-SVR1, use Windows PowerShell to refresh Group Policy on LON-SVR1.
10. Open File Explorer, and then browse to the C:\Docs folder.
11. Apply the Protect confidential docs central policy to the C:\Docs folder.
12. Browse to the C:\Research folder.
13. Apply the Department Match central policy to the C:\Research folder.
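The two central access rules and the policies that carry them can also be created with the ActiveDirectory module, which makes the conditional ACEs explicit as SDDL. The block below is an added example, not part of the lab. It assumes the Company Department claim type has the ID ad://ext/CompanyDepartment (look it up with Get-ADClaimType -Filter * if it was generated automatically), that the ManagersWKS group exists, and that the two central access policies are named as steps 7, 11 and 13 refer to them, since the page does not show the step that creates them. Step 7 (choosing the policies in the GPO) and steps 10 to 13 (applying a policy to a folder) have no cmdlet equivalent and stay in the consoles.

```powershell
# Added example (not part of the lab): Exercise 2, Task 1 on LON-DC1 with the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$claim  = 'ad://ext/CompanyDepartment'                   # assumed ID of the 'Company Department' claim type
$wksSid = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
$modify = '0x1301bf'                                     # the NTFS "Modify" access mask in SDDL form

# Permissions are expressed as SDDL. The default rule ACL grants Owner Rights, Administrators and
# SYSTEM full control; step 3 removes Administrators, so only OW and SY remain. XA is a conditional
# (callback) allow ACE; the expression after the trustee is the condition that must hold.
$base = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)'

# Step 3: Authenticated Users get Modify when the user's department equals the resource's department
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl ($base + "(XA;;$modify;;;AU;(@USER.$claim == @RESOURCE.Department_MS))")

# Step 4: both conditions must hold: a Managers user AND a device that is a member of ManagersWKS
$cond = "((@USER.$claim == `"Managers`") && (Device_Member_of {SID($wksSid)}))"
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl ($base + "(XA;;$modify;;;AU;$cond)")

# Policies that wrap the rules, named as steps 7, 11 and 13 reference them (assumed pairing)
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'

# Steps 5-6: the GPO and its link to the DAC-Protected OU. Step 7 (Manage Central Access Policies)
# is done in the Group Policy Management Editor.
$domainDN = (Get-ADDomain).DistinguishedName
New-GPO -Name 'DAC Policy' | New-GPLink -Target "OU=DAC-Protected,$domainDN"

# Step 9: refresh Group Policy on the file server from the DC
Invoke-GPUpdate -Computer 'LON-SVR1' -RandomDelayInMinutes 0 -Force

# Steps 10-13 are done in File Explorer (Security > Advanced > Central Policy). The chosen policy is
# recorded as a scoped-policy ACE in the folder's SACL, so on LON-SVR1 this shows whether one is set
# (the SP ACE type is assumed to be the marker to look for).
(Get-Acl -Path 'C:\Docs' -Audit).Sddl -match '\(SP;'
```

Note the difference between the two rules: Department Match compares a user claim with a resource property, so it needs no group at all, while Access Confidential Docs joins a user claim with a device group condition, which is what makes the same user fail from LON-CL2 in Exercise 3.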

Exercise 3: Validating and Remediating DAC


To ensure that the DAC settings are configured correctly, you will test various scenarios for users
to access files. You will try approved users and devices, and unapproved users and devices. You
also will validate the access-remediation configuration.
Task 1: Access file resources as an approved user
1. Start LON-CL1 and LON-CL2 virtual machines.
2. Sign in to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
3. Try to open documents inside the \\LON-SVR1\Research folder.
4. Sign out of LON-CL1.
5. Sign in to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
6. Try to open files inside the \\LON-SVR1\Docs folder.
7. Sign out of LON-CL1.
Task 2: Access file resources as an unapproved user
1. Sign in to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
2. Open the \\LON-SVR1\Docs folder. Try to open files Doc1.txt and Doc2.txt.
3. Sign out of LON-CL2.
4. Sign in to LON-CL2 as Adatum\April with the password Pa$$w0rd.
5. Open \\LON-SVR1\Docs folder, and then try to open Doc3.txt file. You should be able to open
that document.
6. While still signed in as April, try to open the \\LON-SVR1\Research folder. You should be
unable to access the folder.
7. Sign out of LON-CL2.
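The manual checks in Tasks 1 and 2 can be repeated with a small script run in each sign-in session. This is an added example, not part of the lab; it assumes the share names used above and reports, per path, whether the current user on the current device can list or read it. The expected outcomes are the ones the lab text gives: Allie on LON-CL1 lists Research, Aidan on LON-CL1 reads Doc1.txt and Doc2.txt, Aidan on LON-CL2 (a device outside ManagersWKS) is denied those two files, and April reads Doc3.txt but is denied the Research folder.

```powershell
# Added example (not part of the lab): access check for Exercise 3, Tasks 1 and 2.
# Run it in each session on LON-CL1 and LON-CL2; it never changes anything on the server.
function Test-DacAccess {
    param(
        [string[]]$Path = @('\\LON-SVR1\Research',
                            '\\LON-SVR1\Docs\Doc1.txt',
                            '\\LON-SVR1\Docs\Doc2.txt',
                            '\\LON-SVR1\Docs\Doc3.txt')
    )
    foreach ($p in $Path) {
        try {
            if ($p -like '*.txt') {
                $null = Get-Content -Path $p -ErrorAction Stop      # read the file
                $result = 'readable'
            } else {
                $null = Get-ChildItem -Path $p -ErrorAction Stop    # list the folder
                $result = 'listed'
            }
        } catch [System.UnauthorizedAccessException] {
            $result = 'access denied'                               # the DAC deny shows up here
        } catch {
            $result = "error: $($_.Exception.Message)"              # anything else (offline share, typo)
        }
        [pscustomobject]@{
            User   = "$env:USERDOMAIN\$env:USERNAME"
            Device = $env:COMPUTERNAME
            Path   = $p
            Result = $result
        }
    }
}

# The claims the KDC placed in this session's token; Company Department should be listed for the
# user, and on a ManagersWKS member the device claims appear as well
whoami /claims

Test-DacAccess | Format-Table -AutoSize
```

If a result is "access denied" where the lab expects success, check the token first: a missing Company Department claim usually means the department attribute is empty or the client signed in before the KDC policy from Exercise 1 took effect.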
Task 3: Evaluate user access with DAC
1. On LON-SVR1, open the Properties for the C:\Research folder.
2. Open the Advanced options for Security, and then click Effective Access.
3. Click select a user, and in the Select User, Computer, Service Account, or Group window, type
April, click Check Names, and then click OK.
4. Click View effective access, and then review the results. The user should not have access to
this folder.
5. Click Include a user claim, and then in the drop-down list box, click Company Department.
6. In the Value text box, type Research, and then click View Effective access. The user should now
have access.
7. Close all open windows.
Task 4: Configure access-denied remediation
1. On LON-DC1, open the Group Policy Management Console, and then browse to Group Policy
objects.
2. Edit the DAC Policy.
3. Under the Computer Configuration node, browse to Policies\Administrative Templates\System, and
then click Access-Denied Assistance.
4. In the details pane, double-click Customize Message for Access Denied errors.
5. In the Customize Message for Access Denied errors window, click Enabled.
6. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
7. Select the Enable users to request assistance check box, and then click OK.
8. Double-click Enable access-denied assistance on client for all file types, enable it, and then
click OK.
9. Close the Group Policy Management Editor and the Group Policy Management Console.
10. Switch to LON-SVR1, and then refresh Group Policy.
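The same two policy settings can be written into the DAC Policy GPO with Set-GPRegistryValue. The block below is an added example, not part of the lab. Both settings are registry-based; the key and value names used here are the ones the Access-Denied Assistance ADMX templates write and are an assumption to confirm in the Group Policy Management Editor after running it.

```powershell
# Added example (not part of the lab): Task 4 through the GroupPolicy module on LON-DC1.
# Assumed registry locations (verify against the ADMX templates in the editor):
#   Customize Message for Access Denied errors
#       -> HKLM\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied
#   Enable access-denied assistance on client for all file types
#       -> HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
Import-Module GroupPolicy

$gpo = 'DAC Policy'
$adr = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied'

# Steps 4-7: enable the message, set its text, and allow users to request assistance
Set-GPRegistryValue -Name $gpo -Key $adr -ValueName 'Enabled' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $adr -ValueName 'ErrorMessage' -Type String `
    -Value 'You are denied access because of permission policy. Please request access.'
Set-GPRegistryValue -Name $gpo -Key $adr -ValueName 'AllowEmailRequests' -Type DWord -Value 1

# Step 8: client-side setting so Explorer shows the assistance dialog for every file type
Set-GPRegistryValue -Name $gpo -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer' `
    -ValueName 'EnableShellExecuteFileStreamCheck' -Type DWord -Value 1

# Step 10: refresh Group Policy on the file server, then read back the effective FSRM setting there
Invoke-GPUpdate -Computer 'LON-SVR1' -RandomDelayInMinutes 0 -Force
Invoke-Command -ComputerName 'LON-SVR1' -ScriptBlock {
    Get-FsrmAdrSetting -Event AccessDenied
}
```

The last call is the useful check: Get-FsrmAdrSetting on LON-SVR1 shows the message and request options the server will actually send back to clients, so a GPO that did not apply (wrong OU link, policy refresh not run) is visible before Task 5 is attempted from LON-CL1.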
Task 5: Request access remediation
1. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. Try to access the \\LON-SVR1\Research folder.
3. Request assistance when prompted. Review the options for sending a message, and then click
Close.
4. Sign out of LON-CL1.
