Windows 2012 - Central Access Policy Manual Classification

In my lab environment I am practicing using Windows 2012 Central Access Policies.

I am able to get automatic classification to work but not manual.

Here is what I have done.
- The claim type: country is enabled
- Resource Property for County is set and suggested values of US and Canada

On my lab server when I right click on a folder and select classification I get the following message:

"There are no properties defined in the system and no properties were found in the selected files"...
compdigit44 Asked:

Mike Kline Commented:
On the file server, go to a PowerShell console and type

Update-FsrmClassificationPropertyDefinition

http://technet.microsoft.com/en-us/library/jj900657.aspx

Thanks

Mike
compdigit44 Author Commented:
Thanks!!!!

For the suggested values for a claim, should the suggested value be listed under the Claims-Type or Resource-Property?
Mike Kline Commented:
It can be in either; if using it for a file server like you are doing, it would be under resource property.

For those not working in 2012: for this, comp added US and Canada under suggested values for resource properties.

Thanks

Mike

compdigit44 Author Commented:
Thanks..

I just find it a bit confusing that you can list suggested values under the claim-type and resource properties. But if I am understanding you correctly, if you want to use DAC for file shares you should place the suggested values under the resource properties. When would you place suggested values under claim type? Maybe when using AD FS??
Mike Kline Commented:
I think the confusing aspect is why the adoption rate hasn't been higher and people are just used to NTFS permissions as we have used these for so long.

You could use claim type if you want the claims for the users.  For example if you type

whoami /claims it will not be populated without claim types being defined

You also have to set the GP for "Support for CBAC and Kerberos armoring"

Do you mind if I use this question for a few blog entries...you are one of the first learning about DAC so nice work!

Thanks

Mike
compdigit44 Author Commented:
Thanks for your reply. I am actually studying for my MCSE 2012 upgrade exam and have set up a lab environment so I can actually work hands-on on what I am studying.

I am still a bit confused about when you would apply the "suggested values" to resource properties vs. Claim-type..

Would you mind explaining this further?

Feel free to post this question on your blog!!!! ;-)
Mike Kline Commented:
They are for different things, the resource property is for the folders/files, claims are for the user objects for example.
compdigit44 Author Commented:
For example you would specify suggested values in claims-type for: ADFS????
Mike Kline Commented:
That I'm not sure for ADFS...don't want to blow smoke and make up an answer.  I look at it more of using it inside DAC not in conjunction with ADFS.

Thanks

Mike
compdigit44 Author Commented:
Still confused on this but I believe you are trying to convey the following:

If you want to use a DAC to control file share access they added Suggested Values to the Resource Property list.

What is the difference between the different resource property types in DAC?
Mike Kline Commented:
There are two resource property types: Resource and Reference Resource.  From the DAC guide

Resource Property object
A Resource Property is a complete instance of a Resource Property in which any suggested values defined for the object are stored in the msDS-ClaimPossibleValues attribute of that object.

Reference Resource Property object
Reference Resource Property objects differ from Resource Property objects in that they do not store their own suggested values. Reference resource properties use the suggested values of a claim type object referenced by a distinguished name stored in the msDS-ClaimSharesPossibleValuesWith attribute of reference Resource Property object.  The benefit of using referenced Resource Property objects over Resource Property objects is to guarantee that an expression similar to user.PII == resource.PII is comparable, which reduces the manual maintenance of data consistency.

So the claim types you defined appear when you create a new reference resource property.

Thanks

Mike
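
The steps discussed in this thread (suggested values on a claim type, a reference resource property that shares them, and the Update-FsrmClassificationPropertyDefinition refresh on the file server), put together as an added example that is not from either poster. The display name Country, the source attribute c and the value descriptions are assumptions for a lab domain.

```powershell
# Added example, not from the thread. Names and values are lab assumptions.
# Part 1: run where the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Suggested values are defined once, on the claim type (value, display name, description).
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "US", "United States")
$ca = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Canada", "Canada", "Canada")

# User claim type sourced from the AD 'c' (country) attribute (assumed source attribute).
New-ADClaimType -DisplayName "Country" -SourceAttribute c -SuggestedValues $us, $ca

# Reference resource property: it stores no values of its own and points at the
# claim type instead, so user.Country and resource.Country stay comparable.
$rp = New-ADResourceProperty -DisplayName "Country" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-MultivaluedChoice `
    -SharesValuesWith "Country" -PassThru

# File servers only pick up properties that are members of a resource property list.
Add-ADResourcePropertyListMember "Global Resource Property List" -Members $rp

# Check the link the DAC guide describes: the DN of the claim type should be
# stored in msDS-ClaimSharesPossibleValuesWith on the resource property.
Get-ADResourceProperty -Filter 'DisplayName -eq "Country"' `
    -Properties msDS-ClaimSharesPossibleValuesWith |
    Select-Object DisplayName, Enabled, msDS-ClaimSharesPossibleValuesWith

# Part 2: run on the file server (File Server Resource Manager role installed).
# Without this refresh the Classification tab reports that no properties are defined.
Update-FsrmClassificationPropertyDefinition

# Confirm the property reached the file server before classifying folders manually.
Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.DisplayName -eq "Country" } |
    Select-Object Name, DisplayName, Type
```

If the last command returns nothing, check that the resource property is enabled and is a member of the list before re-running the refresh.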
compdigit44 Author Commented:
So a Reference Resource Property object pulls its suggested values from the Claim-type directly, so the Reference Resource Property object could be used for DAC on file share or any other type of claims aware app then, correct???????