Chapter 5. Managing Users and Data with Dynamic Access Control
Without question, the one major new capability that you will have to get to know at some time or another—and no matter how big or small the infrastructure—is Dynamic Access Control (DAC).
DAC provides rich, centralized control over data and user permissions through various mechanisms, including expression-based access conditions (i.e., if x condition is met, then access is granted), centralized access policies, and centralized auditing.
The reason DAC is so significant is because it reduces many of the pain points that arise when you’re trying to deploy, manage, and keep the reins on permissions throughout a Windows forest or domain. Managing Windows permissions, as many of us know, can easily spiral out of control.
Permissions, in general, have been managed through NTFS, Active Directory, and the use of groups. In many cases, a user who is not a member of a particular group needs access to a file in a shared folder belonging to that group. What often ends up happening in such cases is that unnecessary groups are created. NTFS permissions get sloppy in parent and child folders, and keeping track of which users have access to what data becomes an auditing nightmare. Not only do you face group membership bloat when access permission management gets out of control, but you also encounter the issue of security token overload. As a company grows and more users (employees) are added, very often the number of groups increases. ...
Get Windows Server 2012: Up and Running now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.