Implementing Secure Shared File Access


1 Implementing Secure Shared File Access
Presentation: 90 minutes
Lab: 110 minutes

After completing this module, students will be able to:
Describe Dynamic Access Control (DAC).
Implement DAC components.
Implement DAC for access control.
Implement access-denied assistance.
Implement and manage Work Folders.
Implement Workplace Join.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_11.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations.
Practice performing the labs.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself, so that you understand how they work and the concepts that each covers. This enables you to provide meaningful hints to students who find themselves stuck during a lab, and it also helps guide your lecture to ensure that you cover the concepts that the labs cover.

Module 11: Implementing Secure Shared File Access

2 Module Overview
11: Implementing Secure Shared File Access
Implementing Workplace Join

This module covers two technologies that are probably new to most of the students. Be sure to spend enough time explaining both of them. Also, ensure that you make a clear distinction between these technologies and some older technologies that have a similar purpose.

3 Lesson 1: Overview of DAC
Requirements for DAC Implementation

This lesson is very important: students need to understand what DAC really is. Make sure that you spend enough time explaining claims and resource properties, and describing what has changed in the Kerberos version 5 protocol.

4 Limitations of Current Access Management Methods
NTFS file system permissions and ACLs provide access control that is based on a user's SID or group membership SID
AD RMS provides greater protection for documents by controlling how applications use them, and also works with user or group SIDs
NTFS file system permissions cannot use AND between conditions
In NTFS file system permissions, you cannot build your own conditions for access control

Discuss the current limitations of NTFS file system-based permissions. Emphasize that NTFS file system permissions depend only on security identifiers (SIDs) and cannot use any expressions for access control, nor can you combine more than one access control entry at the same time. For example, you cannot use AND between conditions.

5 What Is DAC?
DAC in Windows Server 2012 is a new access control mechanism for file system resources.
DAC uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries
DAC is designed for four scenarios:
Central access policy for managing access to files
Auditing for compliance and analysis
Protecting sensitive information
Access-denied remediation

Define DAC and explain the main differences between DAC and older access management methods. Describe scenarios when DAC can be used.

6 What Are Claims?
A claim is something that AD DS states about a specific object
In the DAC infrastructure, claims are defined by using specific attributes from a user or device
In Windows Server 2012, the authorization mechanism is extended to support conditional expressions that include claims
In Windows Server 2012, you can create:
User claims
Device claims

It is very important that students understand what a claim is. If they are familiar with Active Directory Federation Services (AD FS), you can remind them of claims being used in federation scenarios. Emphasize that in the context of DAC, claims are used to expose certain attributes that you want to use in conditional expressions when managing access to resources.

7 What Are Resource Properties?
Resource Properties define attributes of the resource that you want to use
Resource Properties are grouped in Resource Property lists
When creating a Resource Property, you can specify the property type and the allowed or suggested values

Define Resource Property objects. Explain that resource properties are similar to claims for user objects, as they also define some attributes of the resource, which can be used in a conditional expression.

8 Accessing Resources with DAC
Diagram: a claim type definition in AD DS (Claim type, Display name, Source, Suggested values, Value type). The AD DS admin enables the domain to issue claims. The user attempts to log on and receives a Kerberos ticket from AD DS; the NT access token for Contoso\Alice now carries both the user's groups and the claim Title=SDE, and is presented to the file server.

It is very important that you explain what has changed with the Kerberos protocol in the context of claims and access management. Make sure that you remind students what content was in the access token before, and how it works now.

9 Requirements for DAC Implementation
To implement DAC, you need to have:
Windows Server 2012 or newer with the FSRM
Updated AD DS schema, or at least one Windows Server 2012 domain controller
Windows 8 or newer on clients to use device claims
Enabled support for DAC in AD DS (default domain controllers GPO)

Discuss the requirements for enabling DAC. Make sure that you emphasize that a pure Windows Server 2012 operating system environment is not required for DAC to work. Mention that Windows 8 or newer is necessary if you want to use device claims in conditional expressions.

10 Lesson 2: Implementing DAC Components
Demonstration: Configuring Classification Rules

After you introduce the main concepts of DAC covered in the previous lesson, you need to explain how to configure the building blocks for DAC. This lesson leads students step-by-step in configuring these DAC components.

11 Creating and Managing Claims
Use the Active Directory Administrative Center to create attribute-based claims
Use the Active Directory module for Windows PowerShell to create certificate-based claims
Claims are stored within the configuration partition in AD DS
Attributes are used to source values for claims
Make sure that you configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer

Explain how to create claims and what types of claims students can create. Also, be sure that you emphasize the importance of having user and device attributes populated with proper values in Active Directory Domain Services (AD DS).

12 Creating and Managing Resource Properties and Resource Property Lists
Resource Properties describe resources that you protect with DAC
Several Resource Properties are already predefined in Windows Server 2012
All predefined Resource Properties are disabled
When creating a new Resource Property, you have to set its name and value type
In Windows Server 2012 R2, you also can create Reference Resource Properties
Resource Properties are grouped in Resource Property Lists

Explain how to create and manage new and existing resource properties. Explain once more the purpose of Resource Properties. Also, mention reference resource properties specific to Windows Server 2012 R2.

13 Creating and Managing Access Control Rules
A central access rule contains one or multiple criteria that the Windows operating system uses when evaluating access
You create and configure central access rules in the Active Directory Administrative Center
To create a new central access rule you should:
Provide a name and description for the rule
Configure the target resources
Configure permissions

Central Access Rules are the main component of DAC. Make sure you explain that this is the place where you actually define the scope of work for DAC, and also the place where you define the conditional expressions used to protect resources.

14 Creating and Managing Access Policies
Central access policies enable you to manage and deploy consistent authorization throughout an organization
The main component of a central access policy is a central access rule
Central access policies act as a security net that an organization applies across its servers
Group Policy is used to deploy a central access policy
Manually apply the policies to all Windows Server file servers

Explain how you build central access policies. Make sure that students understand that a Central Access Policy serves as a method to apply one or more Central Access Rules to file servers. Also, explain that you use Group Policy to publish the Central Access Policy, but that you must assign it to a specific server manually.

15 Demonstration: Configuring Claims, Resource Properties, and Rules
In this demonstration, you will learn how to configure claims, resource properties, and access rules

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
Note: Before you begin this demonstration, you must perform all the steps from Task 1: Preparing AD DS for DAC deployment, which is in Exercise 1 of the Lab.

Demonstration Steps
On LON-DC1, in Server Manager, click Tools and then open Active Directory Administrative Center.
In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control, and then double-click Claim Types.
In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
In the Create Claim Type window, in the Source Attribute section, select department.
In the Display name text box, type Company Department.
Select both the User and Computer check boxes, and then click OK.
In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim Type.
In the Create Claim Type window, in the Source Attribute section, click description.
Clear the User check box, select the Computer check box, and then click OK.
In the Active Directory Administrative Center, click Dynamic Access Control.
In the central pane, double-click Resource Properties.
In the Resource Properties list, right-click Department, and then click Enable.
In the Resource Properties list, right-click Confidentiality, and then click Enable.
Double-click Department.
Scroll down to the Suggested Values section, and then click Add.
(More notes on the next slide)

16 11: Implementing Secure Shared File Access
In the Add a suggested value window, in both the Value and Display name text boxes, type Research, and then click OK two times.
Click Dynamic Access Control, and then double-click Resource Property Lists.
In the central pane, double-click Global Resource Property List, ensure that both Department and Confidentiality display, and then click Cancel. If they do not display, click Add, add these two properties, and then click OK.
In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control, and then double-click Central Access Rules.
In the Tasks pane, click New, and then click Central Access Rule.
In the Create Central Access Rule dialog box, in the Name field, type Department Match.
In the Target Resources section, click Edit.
In the Central Access Rule dialog box, click Add a condition.
Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
In the Permissions section, click Use following permissions as current permissions.
In the Permissions section, click Edit.
Remove permission for Administrators.
In Advanced Security Settings for Permissions, click Add.
In Permission Entry for Permissions, click Select a principal.
In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click Check Names, and then click OK.
In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
Click the Group drop-down list box, and then click Company Department.
(More notes on the next slide)

17 11: Implementing Secure Shared File Access
Click the Value drop-down list box, and then click Resource.
In the last drop-down list box, click Department, and then click OK three times.
Note: You should have this expression as a result: User-Company Department-Equals-Resource-Department.
In the Tasks pane, click New, and then click Central Access Rule.
For the name of the rule, type Access Confidential Docs.
In the Target Resources section, click Edit.
In the Central Access Rule window, click Add a condition.
In the last drop-down list box, click High, and then click OK.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.
In the Permissions section, click Use following permissions as current permissions.
In the Permissions section, click Edit.
Remove permission for Administrators.
In Advanced Security Settings for Permissions, click Add.
In the Permission Entry for Permissions, click Select a principal.
In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click Check Names, and then click OK.
In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a condition.
(More notes on the next slide)

18 11: Implementing Secure Shared File Access
Note: If you cannot find Managers in the last drop-down list box, click Add items. Then in the Select User, Computer, Service Account, or Group window, type Managers, click Check Names, and then click OK.
Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click OK three times.
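The same DAC components that slides 11 to 14 describe and that the demonstration above builds by clicking through Active Directory Administrative Center can be built with the ActiveDirectory module. The following is an added example, not part of the 10969A course materials: it creates the two claim types, enables and lists the Department and Confidentiality resource properties, creates the Department Match and Access Confidential Docs rules with the same conditions, and wraps them in the central access policies that the slide 24 demonstration creates. The claim type IDs (ad://ext/CompanyDepartment, ad://ext/ComputerDescription) are chosen here; Department_MS and Confidentiality_MS are the IDs of the predefined Department and Confidentiality resource properties.

```powershell
# Added example (not course code): DAC building blocks via the ActiveDirectory module.
# Run as a Domain Admin on a domain controller (LON-DC1 in the course) or from RSAT.
# Assumptions: claim type IDs below are chosen here; Managers and ManagersWKS exist.
Import-Module ActiveDirectory

# 1. Claim types. "Company Department" applies to users and computers and is sourced
#    from the 'department' attribute; the second claim is computer-only.
New-ADClaimType -DisplayName 'Company Department' -SourceAttribute department `
    -AppliesToClasses @('user', 'computer') -ID 'ad://ext/CompanyDepartment' -Enabled $true
New-ADClaimType -DisplayName 'Computer Description' -SourceAttribute description `
    -AppliesToClasses @('computer') -ID 'ad://ext/ComputerDescription' -Enabled $true

# 2. Resource properties: enable the predefined ones, append "Research" to the
#    suggested values of Department, and publish both in the Global Resource
#    Property List that file servers download.
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Set-ADResourceProperty -Identity Confidentiality_MS -Enabled $true
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'Research', 'Research', 'Research department files')
$dept = Get-ADResourceProperty -Identity Department_MS
Set-ADResourceProperty -Identity Department_MS -SuggestedValues (@($dept.SuggestedValues) + $research)
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members Department_MS, Confidentiality_MS

# 3. Central access rules. The ACL is SDDL with conditional (XA) ACEs; 0x1301bf is the
#    Modify access mask. As in the demonstration, Administrators (BA) is removed and
#    Authenticated Users (AU) gets Modify only when the condition holds.
$modify = '0x1301bf'
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl ('O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)' +
        "(XA;;$modify;;;AU;(@USER.ad://ext/CompanyDepartment == @RESOURCE.Department_MS))")

# Group conditions reference SIDs, so resolve the two groups first.
$mgrSid = (Get-ADGroup -Identity 'Managers').SID.Value
$wksSid = (Get-ADGroup -Identity 'ManagersWKS').SID.Value
New-ADCentralAccessRule -Name 'Access Confidential Docs' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl ('O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;SY)' +
        "(XA;;$modify;;;AU;((Member_of {SID($mgrSid)}) && (Device_Member_of {SID($wksSid)})))")

# 4. Central access policies, one rule each, as in the slide 24 demonstration.
New-ADCentralAccessPolicy -Name 'Protect confidential docs'
Add-ADCentralAccessPolicyMember -Identity 'Protect confidential docs' -Members 'Access Confidential Docs'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Check: both policies exist and carry the expected rule.
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```

Publishing the policies to file servers and assigning them to the Docs and Research folders is still done with Group Policy and the folder's Central Policy tab, as in the demonstrations that follow.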

19 Implementing and Managing File Classifications
Resource Property definitions are defined in AD DS
Resource Property definitions can be used during file classifications
File classifications can be run automatically

Explain what the File Classification Infrastructure (FCI) is and how it works. Also, be sure to put it in the context of DAC, and explain how file classification can help extend DAC functionality.

20 Demonstration: Configuring Classification Rules
In this demonstration, you will learn how to classify files by using a file classification mechanism

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
You must have completed the previous demonstration successfully before starting this one.

Demonstration Steps
On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
In File Server Resource Manager, expand Classification Management.
Select and then right-click Classification Properties, and then click Refresh.
Verify that the Confidentiality and Department properties are listed.
Click Classification Rules.
In the Actions pane, click Create Classification Rule.
In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
Click the Scope tab, and then click Add.
In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click OK.
Click the Classification tab, make sure that the following settings are set, and then click Configure:
Classification method: Content Classifier
Property: Confidentiality
Value: High
In the Classification Parameters dialog box, click the Regular expression drop-down list box, and then click String.
In the Expression field, which is next to the word String, type secret, and then click OK.
Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the existing value, and then click OK.
(More notes on the next slide)

21 11: Implementing Secure Shared File Access
In File Server Resource Manager, in the Actions pane, click Run Classification With All Rules Now.
Click Wait for classification to complete, and then click OK.
After the classification is complete, you will be presented with a report. Verify that two files were classified. You can confirm this in the Report Totals section.
Close the report.
On the taskbar, click the File Explorer icon.
In the File Explorer window, expand Local Disk (C:), and then click the Docs folder.
In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab.
Verify that Confidentiality is set to High.
Repeat the Properties check for Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt have the word "secret" in their content.
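The classification rule above can also be created and run from PowerShell on the file server, which is the practical way to script it for many servers. The following is an added example, not course code: it uses the FileServerResourceManager module that the FSRM role installs, creates the same content-based rule on C:\Docs, runs it, and reads the resulting property value back per file. The three sample files are constructed here so the example can be run on a lab server; Confidentiality_MS is the name (ID) of the AD DS Confidentiality resource property, which is what the cmdlets take rather than the display name shown in the console.

```powershell
# Added example (not course code): "Set Confidentiality" as an FSRM PowerShell rule.
# Run elevated on the file server (LON-SVR1 in the course) after the resource
# properties were enabled in AD DS. Cmdlet names are from the FileServerResourceManager module.
Import-Module FileServerResourceManager

# Constructed sample data: two files contain the word "secret", one does not.
New-Item -ItemType Directory -Path 'C:\Docs' -Force | Out-Null
Set-Content -Path 'C:\Docs\Doc1.txt' -Value 'Project plan - secret, do not distribute'
Set-Content -Path 'C:\Docs\Doc2.txt' -Value 'Budget figures (secret)'
Set-Content -Path 'C:\Docs\Doc3.txt' -Value 'Cafeteria menu for next week'

# Same as "Refresh" on Classification Properties: pull the resource property
# definitions from AD DS so Confidentiality_MS is known to this server.
Update-FsrmClassificationPropertyDefinition

# Content classifier: if the string "secret" appears in the file, set
# Confidentiality_MS = High, overwriting any existing value (the demo's
# "Re-evaluate existing property values / Overwrite the existing value").
New-FsrmClassificationRule -Name 'Set Confidentiality' `
    -Namespace @('C:\Docs') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('secret') `
    -Property 'Confidentiality_MS' -PropertyValue 'High' `
    -ReevaluateProperty Overwrite

# "Run Classification With All Rules Now", then wait for the run to finish.
Start-FsrmClassification -Confirm:$false
while ((Get-FsrmClassification).Status -eq 'Running') { Start-Sleep -Seconds 5 }

# Check: Doc1 and Doc2 should report High, Doc3 no value.
foreach ($name in 'Doc1.txt', 'Doc2.txt', 'Doc3.txt') {
    $value = Get-FsrmClassificationPropertyValue -Path "C:\Docs\$name" `
        -Name 'Confidentiality_MS' -ErrorAction SilentlyContinue
    if ($value) { "$name : Confidentiality = $($value.Value)" }
    else        { "$name : Confidentiality = <none>" }
}
```

Because the rule is scoped to the Docs folder and re-evaluates on every run, a file whose content later loses the word "secret" is not automatically downgraded by this rule; a second rule or a scheduled re-classification with a different evaluation type is needed for that.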

22 Lesson 3: Implementing DAC for Access Control
Demonstration: Evaluating and Managing DAC

23 Planning Central Access Policies for File Servers
When planning deployment of central access policies, you should:
Identify the resources that you want to protect
Define the authorization policies
Translate the authorization policies that you require into expressions
Identify attributes for access filtering

Discuss DAC policy planning.

24 Demonstration: Creating and Deploying Central Access Policies
In this demonstration, your instructor will show you how to create and deploy a central access policy

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
To perform this demonstration, you must have completed the previous demonstrations successfully.

Demonstration Steps
On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then double-click Central Access Policies.
In the Tasks pane, click New, and then click Central Access Policy.
In the Name field, type Protect confidential docs, and then click Add.
Click the Access Confidential Docs rule, click >>, and then click OK twice.
In the Name field, type Department Match, and then click Add.
Click the Department Match rule, click >>, and then click OK twice.
Close the Active Directory Administrative Center.
On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
In the Group Policy Management Console, under Domains, expand Adatum.com, right-click Test, and then click Create a GPO in this domain, and link it here.
Type DAC Policy, and then click OK.
Right-click DAC Policy, and then click Edit.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand File System, right-click Central Access Policy, and then click Manage Central Access Policies.
Press and hold the Ctrl key and click both Department Match and Protect confidential docs, click Add, and then click OK.
(More notes on the next slide)

25 11: Implementing Secure Shared File Access
Close the Group Policy Management Editor and the Group Policy Management Console.
On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
Close Windows PowerShell.
On the taskbar, click the File Explorer icon.
In File Explorer, browse to Local Disk (C:), right-click the Docs folder, and then click Properties.
In the Properties dialog box, click the Security tab, and then click Advanced.
In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click Change.
In the drop-down list box, select Protect confidential docs, and then click OK twice.
Right-click the Research folder, and then click Properties.
In the Advanced Security Settings for Research window, click the Central Policy tab, and then click Change.
In the drop-down list box, click Department Match, and then click OK twice.

26 How Does Access Check Work When DAC Is in Use?
Diagram: the share security descriptor holds the share permissions. The file/folder security descriptor holds the NTFS file system permissions and a central access policy reference; the central access policy definition and its central access rules are cached locally from Active Directory (in the local registry). The access control decision is the result of three checks:
Access check – Share permissions, if applicable
Access check – File permissions
Access check – Every matching central access rule in the central access policy

Explain how DAC works when it is combined with Share and NTFS file system permissions.

27 Managing and Monitoring DAC
DAC allows you to test a central access policy update by staging it
Windows Server 2012 staging:
Is implemented by deploying proposed permissions
Compares the proposed permissions against the current permissions
Causes audit-log events to appear in the security log on the file server

Diagram (partially recoverable): the current central access policy for high-impact data applies where the resource property equals High and allows Full Control; the staging policy applies to the same resources but allows Full Control only if an additional condition (AND ... = High) is also met.

Explain staging policies and how they work. Make sure that students understand the effects of changing access control policies and rules.

28 Demonstration: Evaluating and Managing DAC
In this demonstration, you will learn how to evaluate and manage DAC

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
To perform this demonstration, you must have completed the previous demonstrations successfully.

Demonstration Steps
On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
Right-click DAC Policy, and then click Edit.
In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.
Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
Double-click Audit File System, select all three check boxes, and then click OK.
Close the Group Policy Management Editor and the Group Policy Management Console.
On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative Center.
In the navigation pane, click Dynamic Access Control.
Double-click Central Access Rules, right-click Department Match, and then click Properties.
Scroll down to the Proposed Permissions section, click Enable permission staging configuration, and then click Edit.
Click Authenticated Users, and then click Edit.
Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.
Click OK twice to close all windows.
(More notes on the next slide)

29 11: Implementing Secure Shared File Access
Switch to LON-SVR1.
On the taskbar, click the Windows PowerShell icon.
At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
Close Windows PowerShell.
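Staging (slide 27) is only useful if someone reads the audit events it produces. After the proposed condition above is in place and users access the Research folder, the file server logs Security event 4818 ("Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy") for every access where the proposed and current rules disagree, provided Audit Central Access Policy Staging is enabled as in the demonstration. The following added example, not course code, collects those events on the file server and flattens each one's event data so the user, object and process involved can be reviewed before the proposed permissions are made current. The time window and event cap are chosen here.

```powershell
# Added example (not course code): review central access policy staging results.
# Run elevated on the file server (LON-SVR1 in the course). Event 4818 is logged
# only when "Audit Central Access Policy Staging" is enabled via Group Policy.
function Get-DacStagingDifferences {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),   # assumption: last 24 hours
        [int]$MaxEvents = 200                          # assumption: cap per query
    )
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4818
            StartTime = $Since
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData section (SubjectUserName, ObjectName, ProcessName, ...)
        # into one object per event, without assuming a fixed field list.
        $xml   = [xml]$e.ToXml()
        $props = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

# Usage: list differences, then summarise which files would be affected.
$diffs = Get-DacStagingDifferences
$diffs | Format-List
$diffs | Where-Object { $_.PSObject.Properties['ObjectName'] } |
    Group-Object ObjectName | Sort-Object Count -Descending |
    Select-Object Count, Name
```

No 4818 events after a round of user testing means the proposed permissions grant exactly the same access as the current ones for the accesses that occurred; it does not prove equivalence for accesses that were never attempted.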

30 Lesson 4: Implementing Access Denied Assistance
Demonstration: Implementing Access Denied Assistance

31 What Is Access Denied Assistance?
Diagram (File Server, User, Data Owner):
On the file server: specify troubleshooting text for access denied; specify owners for the share or folder
Access attempt: the user is denied access and sees the troubleshooting text or device-state troubleshooting; the user can request access via email
Data owner or helpdesk: the owner receives the user's request; uses the effective permissions UI to decide appropriate actions; can forward the request to an IT admin

Explain the purpose of Access Denied Assistance. Make sure that students understand what the benefits of this feature are.

32 Configuring Access Denied Assistance
When implementing Access Denied Assistance:
Define messages that users will receive when they attempt to access resources
Determine whether users should be able to send a request for access
Determine recipients for the access-request messages
Consider target operating systems
Use Group Policy to enable and configure Access Denied Assistance
Decide about the method for remediation

Explain what you should plan for and consider when implementing Access Denied Assistance.

33 Demonstration: Implementing Access Denied Assistance
In this demonstration, your instructor will show you how to configure and implement Access Denied Assistance

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
To perform this demonstration, you must have completed the previous demonstrations successfully.

Demonstration Steps
On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
Right-click DAC Policy, and then click Edit.
Under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Access-Denied Assistance.
In the details pane, double-click Customize Message for Access Denied errors.
In the Customize Message for Access Denied errors window, click Enabled.
In the Display the following message to users who are denied access text box, type You are denied access because of permission policy. Please request access.
Select the Enable users to request assistance check box.
Review other options, but do not make any changes, and then click OK.
In the details pane of the Group Policy Management Editor, double-click Enable access-denied assistance on client for all file types.
Click Enabled, and then click OK.
Close the Group Policy Management Editor and the Group Policy Management Console.
Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
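The same server-side settings can be applied and, more usefully, verified on a single file server with the FileServerResourceManager cmdlets. The following added example, not course code, sets the message from the demonstration, allows access requests routed to the folder owner, and reads the effective configuration back. The SMTP server and addresses are constructed placeholders: without an SMTP server configured in FSRM, the "request assistance" mail cannot be sent even though the message is displayed. Where the Group Policy setting from the demonstration is also applied, it takes precedence over this local configuration, so pick one mechanism per server.

```powershell
# Added example (not course code): Access Denied Assistance on the file server itself.
# Run elevated on the file server (LON-SVR1 in the course).
Import-Module FileServerResourceManager

# Mail settings FSRM uses when a user clicks "Request assistance" (placeholders).
Set-FsrmSetting -SmtpServer 'smtp.adatum.com' `
    -FromEmailAddress 'fsrm@adatum.com' `
    -AdminEmailAddress 'fileserver-admins@adatum.com'

# Same message as the demonstration; requests go to the folder owner and copy the admin
# address above; user and device claims are included so the owner can see why DAC denied access.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'You are denied access because of permission policy. Please request access.' `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true `
    -IncludeUserClaims $true -IncludeDeviceClaims $true

# Check: the effective AccessDenied configuration and the SMTP server it will use.
Get-FsrmAdrSetting -Event AccessDenied
Get-FsrmSetting | Select-Object SmtpServer, FromEmailAddress, AdminEmailAddress
```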

34 Lesson 5: Implementing and Managing Work Folders
Demonstration: Implementing Work Folders

35 What Are Work Folders?
Work Folders enable users to access business data securely at any location and on any device
Work Folders are managed by administrators
Currently supported on Windows 8.1 devices, and support also is planned for iOS-based devices

Explain what Work Folders technology is and what issues are solved by implementing Work Folders. Use the table provided to compare Work Folders with other similar technologies. Discuss with students other technologies they have used to achieve similar results.

36 Configuring Work Folders
To use Work Folders, you should:
Have at least one Windows Server 2012 R2 file server
Have at least one Windows Server 2012 R2 domain controller
Install the Work Folders functionality on the file server
Provision a share where users' data will be stored
Run the New Sync Share Wizard to create the Work Folders structure
Configure clients to use Work Folders by using Group Policy or manually

Discuss the requirements and procedures needed to use Work Folders.

37 Demonstration: Implementing Work Folders
In this demonstration, you will learn how to implement Work Folders

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1, 10969A-LON-DC2, and 10969A-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
Note: To perform this demonstration, you must first perform Tasks 1 and 2, "Installing Work Folders functionality" and "Provisioning a share for Work Folders," which are in Exercise 4 of the Lab. After you are done with the demonstration, you can revert all virtual machines to their initial snapshot.

Demonstration Steps
On LON-SVR2, in Server Manager, click File and Storage Services, and then click Work Folders.
In the WORK FOLDERS tile, click Tasks, and then click New Sync Share…
In the New Sync Share Wizard, on the Before you begin page, click Next.
On the Select the server and path page, click Select by file share, ensure that WF-Share is highlighted, and then click Next.
On the Specify the structure for user folders page, accept the default selection (User alias), and then click Next.
On the Enter the sync share name page, accept the default, and then click Next.
On the Grant sync access to groups page, note the default selection to disable inherited permissions and grant users exclusive access, and then click Add.
In the Select User or Group dialog box, in Enter the object names to select, type WFsync, click Check Names, and then click OK.
On the Grant sync access to groups page, click Next.
On the Specify device policies page, note the selections, accept the default selection, and then click Next.
On the Confirm selections page, click Create.
On the View results page, click Close.
Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
(More notes on the next slide)

38 11: Implementing Secure Shared File Access
Open Server Manager, click Tools, and then click Group Policy Management.
Expand Forest: Adatum.com, expand Domains, expand Adatum.com, click Group Policy Objects, right-click the Group Policy Objects container, and then click New.
In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
Right-click Work Folders GPO, and then click Edit.
In the Group Policy Management Editor, expand User Configuration, Policies, Administrative Templates, Windows Components, and then click Work Folders.
Double-click Specify Work Folders settings in the details pane.
In the Specify Work Folders settings dialog box, click Enabled.
In the Work Folders URL text box, type and then select Force automatic setup.
Click OK to close the Specify Work Folders settings dialog box, and then close the Group Policy Management Editor.
In the Group Policy Management Console, right-click the Adatum.com domain object, and then select Link an Existing GPO…
In the Select GPO window, select Work Folders GPO, and then click OK.
Close the Group Policy Management Console.
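The sync share that the wizard creates in the demonstration can be created with the SyncShare module on the file server, which also makes the device policies explicit instead of accepted as wizard defaults. The following added example is not course code: it assumes C:\WF-Share is the local path behind the WF-Share file share and that Adatum\WFsync is the group granted sync access; the two device policies (encrypt Work Folders on the device, require a lock screen password and automatic lock) are the protections that matter when the data lands on user-owned devices.

```powershell
# Added example (not course code): create and verify the Work Folders sync share.
# Run elevated on the Work Folders server (LON-SVR2 in the course) after the
# Work Folders role service is installed and C:\WF-Share exists and is shared.
Import-Module SyncShare

# One folder per user, named by user alias (the wizard's default "User alias" structure).
# Inherited permissions are disabled by default so each user gets exclusive access to
# their own folder, matching the wizard's "Grant sync access to groups" note.
New-SyncShare -Name 'WF-Share' -Path 'C:\WF-Share' `
    -User 'Adatum\WFsync' `
    -UserFolderName '%username%' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Check: the share exists with both device policies enforced.
$share = Get-SyncShare -Name 'WF-Share'
$share | Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock
if (-not ($share.RequireEncryption -and $share.RequirePasswordAutoLock)) {
    Write-Warning 'Device policies are not fully enforced on WF-Share.'
}

# Per-user sync state once clients have connected (constructed user name).
Get-SyncUserStatus -User 'Adatum\Alice' -SyncShare 'WF-Share' -ErrorAction SilentlyContinue
```

Clients still need the Work Folders URL from Group Policy, as in the steps above; the server-side share alone does not make any device start synchronising.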

39 Lesson 6: Implementing Workplace Join
Registering and Enrolling Devices

40 Scenarios for Using Workplace Join
The BYOD concept allows users to use their private devices to do their work
Connecting non-domain, non-managed devices to company networks and resources can pose a security risk
A technology is needed to provide users with flexibility while maintaining security
Windows Server 2012 R2 provides the Workplace Join technology

Discuss scenarios where Workplace Join technology is appropriate.

41 How Workplace Join Works
- Workplace Joined devices become known devices in AD DS.
- Known devices store a subset of their attributes in AD DS.
- The Device Registration Service (DRS) provisions a device object in AD DS and issues a certificate to known devices.
- Users on known devices get a single sign-on (SSO) experience.
- Windows Server 2012 R2 with the AD FS role service is required.
- The Windows 8.1 client operating system and iOS-based devices are supported.
- DRS can be published externally by using Web Application Proxy.

Instructor note: Explain how Workplace Join works, and what the difference is between Workplace Join and domain join. Define Device Registration Service (DRS) and explain how it works.

42 Configuring Workplace Join
To enable Workplace Join, you need to:
- Create the appropriate Group Managed Service Account (gMSA)
- Install and configure the AD FS role service
- Enable DRS
- Enable device authentication in AD FS
- Install an SSL certificate on the federation server
- Create the appropriate records in your DNS

Instructor note: Discuss the steps you need to perform to enable Workplace Join technology.
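The six steps above map onto a short sequence of cmdlets. The script below is an added example for this page, not part of the course or of Microsoft's documentation, and it assumes a federation service name of adfs.adatum.com, a gMSA named fsgmsa, the adatum.com UPN suffix, and a server certificate already present in the local machine store; adjust those names for your forest.

```powershell
# Added example: server-side Workplace Join (DRS) setup on Windows Server 2012 R2.
# Assumed names: adfs.adatum.com, Adatum\fsgmsa$, UPN suffix adatum.com. Not course code.
# Run as an account that is a domain admin (and enterprise admin for the DRS preparation step).
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module ADFS

$fsName    = "adfs.adatum.com"
$upnSuffix = "adatum.com"

# 1. gMSA for the AD FS service. The KDS root key is created once per forest;
#    -EffectiveImmediately is fine in a lab, in production wait for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name fsgmsa -DNSHostName $fsName `
    -ServicePrincipalNames "http/$fsName"

# 2. AD FS role service (Install-WindowsFeature ADFS-Federation first) and the SSL
#    certificate. For DRS the certificate must also carry a Subject Alternative Name
#    of enterpriseregistration.<UPN suffix> for every suffix in use.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fsName" } | Select-Object -First 1
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -GroupServiceAccountIdentifier "Adatum\fsgmsa$"

# 3. Prepare AD DS for DRS (creates the Device Registration Configuration container
#    and grants the service account the rights it needs), then enable DRS in AD FS.
Initialize-ADDeviceRegistration -ServiceAccountName "Adatum\fsgmsa$"
Enable-AdfsDeviceRegistration

# 4. Device authentication in AD FS, which is what lets the device certificate
#    issued by DRS be used as an authentication factor.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 5. DNS: clients discover DRS by resolving enterpriseregistration.<UPN suffix>,
#    so publish a CNAME to the federation service for each suffix.
Add-DnsServerResourceRecordCName -ZoneName $upnSuffix `
    -Name "enterpriseregistration" -HostNameAlias $fsName

# Verification
Get-AdfsDeviceRegistration
Resolve-DnsName "enterpriseregistration.$upnSuffix" -Type CNAME
```

If the federation service is published through Web Application Proxy, the same enterpriseregistration name must resolve on the Internet to the proxy, and the proxy must pass through the DRS endpoint; otherwise external devices fail at the DNS step before they ever see the certificate.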

43 Registering and Enrolling Devices
To enroll a device in the Workplace Join process, ensure the following:
- The device trusts the certificate on the federation server.
- The device can access at least one certificate revocation list (CRL) distribution point.
- The enterpriseregistration DNS record is reachable by the device that is being Workplace Joined.
- On Windows 8.1, use the Workplace option (PC settings > Network > Workplace).
- On iOS-based devices, use web-based enrollment with profile installation.

Instructor note: Discuss the steps and requirements for Workplace Join from a client's perspective.
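The first three requirements (trusted certificate, reachable CRL distribution point, resolvable enterpriseregistration record) are the ones that break most enrollments, and each can be tested from the device before a user tries the Workplace option. This script is an added example for this page, not course material; it assumes the adatum.com UPN suffix and performs the same chain validation with online revocation checking that the enrollment client relies on.

```powershell
# Added example: pre-enrollment checks for Workplace Join, run on the Windows 8.1 device.
# Assumed UPN suffix: adatum.com. Not course code.
$upnSuffix = "adatum.com"
$drsHost   = "enterpriseregistration.$upnSuffix"

# 1. DNS: enterpriseregistration.<suffix> must resolve (normally a CNAME to the federation service)
$dns = Resolve-DnsName $drsHost -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$drsHost does not resolve; fix DNS before enrolling"; return }

# 2. TLS: open a connection on 443 and fetch the certificate exactly as the device sees it.
#    The callback accepts anything here only so we can inspect the chain ourselves below.
$tcp = New-Object System.Net.Sockets.TcpClient($drsHost, 443)
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($drsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()

# 3. Chain build with online revocation checking: fails if the root is not trusted by this
#    device or if no CRL distribution point in the chain is reachable from here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "Online"
$chain.ChainPolicy.RevocationFlag = "ExcludeRoot"
$trusted = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 4. The certificate must name the enterpriseregistration host, not only the federation service
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$san    = if ($sanExt) { $sanExt.Format($true) } else { "" }

[pscustomobject][ordered]@{
    DrsHost        = $drsHost
    Resolves       = $true
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    Expires        = $cert.NotAfter
    ChainTrusted   = $trusted
    SanIncludesDrs = ($san -match [regex]::Escape($drsHost))
}
```

A device that is on the Internet must be able to reach the CRL distribution point listed in the certificate, which rules out an internal-only PKI unless the CRL is also published externally; the ChainStatus warnings printed by the script show that condition as RevocationStatusUnknown or OfflineRevocation.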

44 Lab: Implementing Secure File Access
Exercise 1: Preparing for DAC Deployment
To address the requirements from the lab scenario, you decided to implement DAC technology. The first step in implementing DAC is to configure the claims for the users and devices that access the files. In this exercise, you will review the default claims and create new claims based on department and computer group attributes. You also will configure the Resource Property lists and the Resource Property definitions, and then use the resource properties to classify files.

Exercise 2: Implementing DAC
The next step in implementing DAC is to configure the Central Access Rules and policies that link claims and property definitions. You will configure rules for DAC to address the requirements from the lab scenario. After you configure DAC rules and policies, you will apply the policy to a file server.

Exercise 3: Validating and Remediating DAC
To ensure that the DAC settings are configured correctly, you will test various scenarios for users to access files. You will use effective access testing to evaluate the effects of Dynamic Access Control. You also will validate the access-remediation configuration.

Exercise 4: Implementing Work Folders
To address the requirements for allowing employees to use their own devices to access and synchronize company data, you decide to implement Work Folders for a limited number of users.

Logon Information
Virtual machines: 10969A-LON-DC1, 10969A-LON-DC2, 10969A-LON-SVR1, 10969A-LON-SVR2, 10969A-LON-CL1, 10969A-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 110 minutes

45 Lab Scenario
You are working as an administrator at A. Datum Corporation. The company has a wide and complex file server infrastructure. It manages access control to folder shares by using NTFS file system ACLs, but in some cases that approach does not provide the desired results. Most of the files used by departments are stored in shared folders dedicated to specific departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents.

The Security department also is concerned that managers are accessing files by using their home computers, which might not be highly secure. Therefore, you must create a plan for securing documents regardless of where they are located, and you must ensure that documents can be accessed from authorized computers only. Authorized computers for managers are members of the security group ManagersWks.

The Support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better and enables them to request access automatically.

Quite a few users use personal devices such as tablets and laptops to work from home and at work. You have to provide them with an efficient way to synchronize business data on all the devices that they use.
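Exercises 1 and 2 build the claims, resource properties, central access rule and central access policy through Active Directory Administrative Center. The following PowerShell is an added example of the same AD DS objects for this page, not the lab's own steps, and it assumes the Adatum.com domain, a "Research" value in the department attribute, the ManagersWks computer group from the scenario, and the built-in Department_MS resource property; the SDDL it produces is the form Active Directory Administrative Center writes for a user-claim condition combined with a device group condition.

```powershell
# Added example: DAC objects for the Research requirement in the lab scenario. Not lab code.
# Assumed: domain Adatum.com, department attribute value "Research", group ManagersWks.
Import-Module ActiveDirectory

# Exercise 1 - user claim type sourced from the department attribute. -PassThru returns the
# object so the generated claim ID (ad://ext/Department:<suffix>) can be used in the rule.
$deptClaim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -AppliesToClasses user -PassThru

# Resource property used to classify files, enabled and added to the global list so that
# the File Server Resource Manager on the file server can see it.
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members Department_MS

# Exercise 2 - central access rule. Scope: files classified Department = Research.
# Permission: read/execute (0x1200a9) for Authenticated Users only when the user's
# Department claim is Research AND the device is a member of ManagersWks.
$mgrWks = Get-ADGroup ManagersWks
$userCondition   = "(@USER.$($deptClaim.ID) == `"Research`")"
$deviceCondition = "(Device_Member_of {SID($($mgrWks.SID.Value))})"
$condition       = "($userCondition && $deviceCondition)"

$currentAcl = "O:SYG:SYD:AR" +
              "(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
              "(XA;;0x1200a9;;;AU;$condition)"

New-ADCentralAccessRule -Name "Research Documents" `
    -CurrentAcl $currentAcl `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")'

New-ADCentralAccessPolicy -Name "Adatum Research Policy"
Add-ADCentralAccessPolicyMember -Identity "Adatum Research Policy" -Members "Research Documents"

# Review what will be pushed to file servers
Get-ADCentralAccessRule -Identity "Research Documents" |
    Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Identity "Adatum Research Policy" | Format-List Name, Members
```

The policy reaches a file server through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy), after which it must be selected on the folder's Advanced Security Settings; run gpupdate /force on the file server before testing, and use the Effective Access tab with both a user and a device specified, since a user who satisfies the claim condition from a computer outside ManagersWks is correctly denied by this rule.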

46 Lab Review
Question: How do file classifications enhance the usage of DAC?
Answer: By using file classifications, you can set attributes on files automatically, and then use these attributes in conditional expressions when implementing DAC.

Question: Can you implement DAC without a Central Access Policy?
Answer: Yes, you can set conditional expressions directly on resources.

47 Module Review and Takeaways
Contents: Review Questions; Tools; Best Practice; Common Issues and Troubleshooting Tips

Review Questions
Question: What is a claim?
Answer: A claim is information that AD DS states about an object, which usually is a user or a computer.

Question: What is the purpose of a Central Access Policy?
Answer: Central access policies enable administrators to create policies that apply to one or more file servers in an organization. Central access policies contain one or more Central Access Rules. Each rule contains settings that determine applicability and permissions.

Question: What is the BYOD concept?
Answer: BYOD is the policy of permitting employees to bring personal devices, such as laptops, tablets, and smart phones, to the workplace, and allowing employees to use those devices to access privileged company information and applications.

Tools
Tool | Use | Location
Active Directory Administrative Center | Administering and creating claims, resource properties, rules, and policies | Administrative Tools
Group Policy Management Console (GPMC) | Managing Group Policy | Administrative Tools
Group Policy Management Editor | Editing GPOs | GPMC

48 Module Review and Takeaways (continued)
Best Practice:
- Use central access policies instead of configuring conditional expressions on resources.
- Enable Access Denied Assistance settings.
- Always test changes that you have made to Central Access Rules and central access policies before implementing them.
- Use file classifications to assign properties to files.
- Use Work Folders to synchronize business data across devices.
- Use Workplace Join in Bring Your Own Device (BYOD) scenarios.

Common Issues and Troubleshooting Tips
Issue | Troubleshooting Tip
Claims are not populated with the appropriate values. | Verify that the correct attribute is selected for the claim. In addition, check that the attribute value for the specific object is populated.
A conditional expression does not allow access. | Verify that the expression is well defined. In addition, use the Effective Access tab to troubleshoot the problem.
