
Windows Server 2012: Up and Running by Samara Lynn


Chapter 5. Managing Users and Data with Dynamic Access Control

Without question, the one major new capability that you will have to get to know sooner or later, no matter how big or small your infrastructure, is Dynamic Access Control (DAC).

DAC provides rich, centralized control over data and user permissions through various mechanisms, including expression-based access conditions (i.e., if x condition is met, then access is granted), centralized access policies, and centralized auditing.

DAC is significant because it reduces many of the pain points that arise when you’re trying to deploy, manage, and keep the reins on permissions throughout a Windows forest or domain. Managing Windows permissions, as many of us know, can easily spiral out of control.

Permissions, in general, have been managed through NTFS, Active Directory, and the use of groups. In many cases, a user who is not a member of a particular group needs access to a file in a shared folder belonging to that group. What often ends up happening in such cases is that unnecessary groups are created. NTFS permissions get sloppy in parent and child folders, and keeping track of which users have access to what data becomes an auditing nightmare. Not only do you face group membership bloat when access permission management gets out of control, but you also encounter the issue of security token overload. As a company grows and more users (employees) are added, very often the number of groups increases. ...
