Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic outlines the steps to build a hands-on lab to test Dynamic Access Control. The instructions are meant to be followed sequentially because there are many components that have dependencies.

Prerequisites

Hardware and software requirements

Requirements for setting up the test lab:

A host server running Windows Server 2008 R2 with SP1 and Hyper-V

A copy of the Windows Server 2012 ISO

A copy of the Windows 8 ISO

Microsoft Office 2010

A server running Microsoft Exchange Server 2003 or later

You need to build the following virtual machines to test the Dynamic Access Control scenarios:

DC1 (domain controller)

DC2 (domain controller)

FILE1 (file server and Active Directory Rights Management Services)

SRV1 (POP3 and SMTP server)

CLIENT1 (client computer with Microsoft Outlook)

The passwords for the virtual machines should be as follows:

BUILTIN\Administrator: pass@word1

Contoso\Administrator: pass@word1

All other accounts: pass@word1

Build the test lab virtual machines

Install the Hyper-V role

You need to install the Hyper-V role on a computer running Windows Server 2008 R2 with SP1.

To install the Hyper-V role

Click Start, and then click Server Manager.

In the Roles Summary area of the Server Manager main window, click Add Roles.

On the Select Server Roles page, click Hyper-V.

On the Create Virtual Networks page, click one or more network adapters if you want to make their network connection available to virtual machines.

On the Confirm Installation Selections page, click Install.

The computer must be restarted to complete the installation. Click Close to finish the wizard, and then click Yes to restart the computer.

After you restart the computer, sign in with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click Close to finish the wizard.

Create an internal virtual network

Now you will create an internal virtual network called ID_AD_Network.

To create a virtual network

Open Hyper-V Manager.

From the Actions menu, click Virtual Network Manager.

Under Create virtual network, select Internal.

Click Add. The New Virtual Network page appears.

Type ID_AD_Network as the name for the new network. Review the other properties and modify them if necessary.

Click OK to create the virtual network and close Virtual Network Manager, or click Apply to create the virtual network and continue using Virtual Network Manager.

Build the domain controller

Build a virtual machine to be used as the domain controller (DC1). Install the virtual machine using the Windows Server 2012 ISO, and name it DC1.

To install Active Directory Domain Services

Connect the virtual machine to the ID_AD_Network. Sign in to DC1 as Administrator with the password pass@word1.

In Server Manager, click Manage, and then click Add Roles and Features.

On the Before you begin page, click Next.

On the Select installation type page, click Role-based or Feature-based Install, and then click Next.

On the Select destination server page, click Next.

On the Select server roles page, click Active Directory Domain Services. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

On the Select features page, click Next.

On the Active Directory Domain Services page, review the information, and then click Next.

On the Confirm installation selections page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

On the Results page, verify that the installation succeeded, and click Close. In Server Manager, click the warning icon with an exclamation mark in the top right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

On the Deployment Configuration page, click Add a new forest, type the name of the root domain, contoso.com, and then click Next.

On the Domain Controller Options page, select the domain and forest functional levels as Windows Server 2012, specify the DSRM password pass@word1, and then click Next.

On the DNS Options page, click Next.

On the Additional Options page, click Next.

On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and then click Next.

On the Review Options page, confirm your selections, and then click Next.

On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click Install.

On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

Restart the server to complete the AD DS installation. (By default, this happens automatically.)

Create the following users by using Active Directory Administrative Center.

Create users and groups on DC1

Sign in to contoso.com as Administrator. Launch Active Directory Administrative Center.

Create the following security groups:

Group Name          Email Address
FinanceAdmin        financeadmin@contoso.com
FinanceException    financeexception@contoso.com

Create the following organizational unit (OU):

OU Name         Computers
FileServerOU    FILE1

To create a Group Policy Object

Hover the cursor on the upper right corner of the screen and click the search icon. In the Search box, type group policy management, and click Group Policy Management.

Expand Forest: contoso.com, and then expand Domains, navigate to contoso.com, expand (contoso.com), and then select FileServerOU. Right-click FileServerOU, and then click Create a GPO in this domain, and Link it here.

Type a descriptive name for the GPO, such as FlexibleAccessGPO, and then click OK.

To enable Dynamic Access Control for contoso.com

Open the Group Policy Management Console, click contoso.com, and then double-click Domain Controllers.

Right-click Default Domain Controllers Policy, and select Edit.

In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.

Double-click KDC support for claims, compound authentication, and Kerberos armoring and select the option next to Enabled. You must enable this setting to use Central Access Policies.

Open an elevated command prompt, and run the following command:

gpupdate /force

Build the file server and AD RMS server (FILE1)

Build a virtual machine with the name FILE1 from the Windows Server 2012 ISO.

Connect the virtual machine to the ID_AD_Network.

Join the virtual machine to the contoso.com domain, and then sign in to FILE1 as contoso\administrator using the password pass@word1.

Install File Services Resource Manager

To install the File Services role and the File Server Resource Manager

In Server Manager, click Add Roles and Features.

On the Before you begin page, click Next.

On the Select installation type page, click Next.

On the Select destination server page, click Next.

On the Select Server Roles page, expand File and Storage Services, select the check box next to File and iSCSI Services, expand, and select File Server Resource Manager.

In the Add Roles and Features Wizard, click Add Features, and then click Next.

On the Select features page, click Next.

On the Confirm installation selections page, click Install.

On the Installation progress page, click Close.

Install the Microsoft Office Filter Packs on the file server

You should install the Microsoft Office Filter Packs on Windows Server 2012 to enable IFilters for a wider array of Office files than are provided by default. Windows Server 2012 does not have any IFilters for Microsoft Office files installed by default, and the file classification infrastructure uses IFilters to perform content analysis.

To download and install the IFilters, see Microsoft Office 2010 Filter Packs.

Configure email notifications on FILE1

When you create quotas and file screens, you have the option of sending email notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. If you want to routinely notify certain administrators of quota and file screening events, you can configure one or more default recipients. To send these notifications, you must specify the SMTP server to be used for forwarding the email messages.

To configure email options in File Server Resource Manager

Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.

In the File Server Resource Manager interface, right-click File Server Resource Manager, and then click Configure options. The File Server Resource Manager Options dialog box opens.

On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP address of the SMTP server that will forward email notifications.

If you want to routinely notify certain administrators of quota or file screening events, under Default administrator recipients, type each email address such as fileadmin@domain, and use semicolons to separate multiple accounts.

Create groups on FILE1

To create security groups on FILE1

Sign in to FILE1 as contoso\administrator, with the password: pass@word1.

Add NT AUTHORITY\Authenticated Users to the WinRMRemoteWMIUsers__ group.

Create files and folders on FILE1

Create a new NTFS volume on FILE1 and then create the following folder: D:\Finance Documents.

Create the following files with the details specified:

Finance Memo.docx: Add some finance related text in the document. For example, "The business rules about who can access finance documents have changed. Finance documents are now only accessed by members of the FinanceExpert group. No other departments or groups have access." You need to evaluate the impact of this change before implementing it in the environment. Ensure that this document has CONTOSO CONFIDENTIAL as the footer on every page.

Request for Approval to Hire.docx: Create a form in this document that collects applicant information. You must have the following fields in the document: Applicant Name, Social Security number, Job Title, Proposed Salary, Starting Date, Supervisor name, Department. Add an additional section in the document that has a form for Supervisor Signature, Approved Salary, Confirmation of Offer, and Status of Offer. Make the document rights-management enabled.

Word Document1.docx: Add some test content to this document.

Word Document2.docx: Add test content to this document.

Workbook1.xlsx

Workbook2.xlsx

Create a folder on the desktop called Regular Expressions. Create a text document under the folder called RegEx-SSN. Type the following content in the file, and then save and close the file:

^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

Share the folder D:\Finance Documents as Finance Documents and allow everyone to have Read and Write access to the share.
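
The following is an added example, not part of the original lab, that exercises the RegEx-SSN pattern with plain .NET matching so you can see which strings it accepts before using it for classification. The helper name Test-SsnPattern and every sample value are constructed for illustration.

```powershell
# Added example: run the RegEx-SSN pattern against constructed strings.
# None of the sample values are real Social Security numbers.
$ssnPattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'

function Test-SsnPattern {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Value)
    foreach ($v in $Value) {
        $m = [regex]::Match($v, $ssnPattern)
        [pscustomobject]@{
            Input     = $v
            IsMatch   = $m.Success
            # Group 3 captures the separator after the area number; the \3
            # backreference requires the same separator before the serial.
            Separator = if ($m.Success) { "[$($m.Groups[3].Value)]" } else { '' }
        }
    }
}

$samples = @(
    '123-45-6789'        # hyphen separators
    '123 45 6789'        # space separators
    '123456789'          # no separator
    '123-45 6789'        # mixed separators (exercises the \3 backreference)
    '000-45-6789'        # area number 000 (exercises (?!000))
    '123-00-6789'        # group number 00 (exercises (?!00))
    '123-45-0000'        # serial number 0000 (exercises (?!0000))
    '823-45-6789'        # leading digit outside 0-7
    'SSN: 123-45-6789'   # surrounding text (exercises the ^ and $ anchors)
)

Test-SsnPattern -Value $samples | Format-Table -AutoSize
```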


Install Active Directory Rights Management Services

Add the Active Directory Rights Management Services (AD RMS) and all required features through Server Manager. Choose all the defaults.

To install Active Directory Rights Management Services

Sign in to FILE1 as CONTOSO\Administrator or as a member of the Domain Admins group.

Important

In order to install the AD RMS server role the installer account (in this case, CONTOSO\Administrator) will have to be given membership in both the local Administrators group on the server computer where AD RMS is to be installed as well as membership in the Enterprise Admins group in Active Directory.

In Server Manager, click Add Roles and Features. The Add Roles and Features Wizard appears.

On the Before you Begin screen, click Next.

On the Select Installation Type screen, click Role/Feature Based Install, and then click Next.

On the Select Server Targets screen, click Next.

On the Select Server Roles screen, select the box next to Active Directory Rights Management Services, and then click Next.

In the Add features that are required for Active Directory Rights Management Services? dialog box, click Add Features.

On the Select Server Roles screen, click Next.

On the Select Features to Install screen, click Next.

On the Active Directory Rights Management Services screen, click Next.

On the Select Role Services screen, click Next.

On the Web Server Role (IIS) screen, click Next.

On the Select Role Services screen, click Next.

On the Confirm Installation Selections screen, click Install.

After the installation has completed, on the Installation Progress screen, click Perform additional configuration. The AD RMS Configuration Wizard appears.

On the AD RMS screen, click Next.

On the AD RMS Cluster screen, select Create a new AD RMS root cluster and then click Next.

On the Configuration Database screen, click Use Windows Internal Database on this server, and then click Next.

Note

Using the Windows Internal Database is recommended for test environments only because it does not support more than one server in the AD RMS cluster. Production deployments should use a separate database server.

On the Service Account screen, in Domain User Account, click Specify and then specify the user name (contoso\rms), and Password (pass@word1) and click OK, and then click Next.

On the Cryptographic Mode screen, click Cryptographic Mode 2.

On the Cluster Key Storage screen, click Next.

On the Cluster Key Password screen, in the Password and Confirm password boxes, type pass@word1, and then click Next.

On the Cluster Web Site screen, make sure that Default Web Site is selected, and then click Next.

On the Cluster Address screen, select the Use an unencrypted connection option, in the Fully Qualified Domain Name box, type FILE1.contoso.com, and then click Next.

On the Licensor Certificate Name screen, accept the default name (FILE1) in the text box and click Next.

On the SCP Registration screen, select Register SCP now, and then click Next.

On the Confirmation screen, click Install.

On the Results screen, click Close, and then click Close on the Installation Progress screen. When complete, log off and log on as contoso\rms using the password provided (pass@word1).

Launch the AD RMS console and navigate to Rights Policy Templates.

To open the AD RMS console, in Server Manager, click Local Server in the console tree, then click Tools, and then click Active Directory Rights Management Services.

Click the Create Distributed Rights Policy template located on the right panel, click Add, and select the following information:

Language: US English

Name: Contoso Finance Admin Only

Description: Contoso Finance Admin Only

Click Add, and then click Next.

Under the Users and Rights section, click Users and rights, click Add, type financeadmin@contoso.com, and click OK.

Select Full Control, and leave Grant owner (author) full control right with no expiration selected.

Click through the remaining tabs with no changes, and then click Finish. Sign in as CONTOSO\Administrator.

Browse to the folder, C:\inetpub\wwwroot\_wmcs\certification, select the ServerCertification.asmx file, and add Authenticated Users to have Read and Write permissions to the file.

Open Windows PowerShell and run Get-FsrmRmsTemplate. Verify that you are able to see the RMS template you created in the previous steps in this procedure with this command.


Important

If you want your file servers to immediately update so you can test them, you need to do the following:

On the file server, FILE1, open an elevated command prompt, and run the following commands:

gpupdate /force
NLTEST /SC_RESET:contoso.com

Optionally, instead of using the Add Roles and Features Wizard in Server Manager, you can use Windows PowerShell to install and configure the AD RMS server role as shown in the following procedure.

To install and configure an AD RMS cluster in Windows Server 2012 using Windows PowerShell

Log on as CONTOSO\Administrator with the password: pass@word1.

Important

In order to install the AD RMS server role the installer account (in this case, CONTOSO\Administrator) will have to be given membership in both the local Administrators group on the server computer where AD RMS is to be installed as well as membership in the Enterprise Admins group in Active Directory.

On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

To use Server Manager cmdlets to install the AD RMS server role, type:

Add-WindowsFeature ADRMS -IncludeAllSubFeature -IncludeManagementTools

Create the Windows PowerShell drive to represent the AD RMS server you are installing.

For example, to create a Windows PowerShell drive named RC to install and configure the first server in an AD RMS root cluster, type:

Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster

Set properties on objects in the drive namespace that represent required configuration settings.

For example, to set the AD RMS service account, at the Windows PowerShell command prompt, type:

$svcacct = Get-Credential

When the Windows security dialog box appears, type the AD RMS service account domain user name CONTOSO\RMS and the assigned password.

Next, to assign the AD RMS service account to the AD RMS cluster settings, type the following:

Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcacct

Next, to set the AD RMS server to use the Windows Internal Database, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

Next, to securely store the cluster key password in a variable, at the Windows PowerShell command prompt, type:

$password = Read-Host -AsSecureString -Prompt "Password:"

Type the cluster key password, and then press the ENTER key.

Next, to assign the password to your AD RMS installation, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $password

Next, to set the AD RMS cluster address, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "http://file1.contoso.com:80"

Next, to assign the SLC name for your AD RMS installation, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path RC:\ -Name SLCName -Value "FILE1"

Next, to set the service connection point (SCP) for the AD RMS cluster, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true

Run the Install-ADRMS cmdlet. In addition to installing the AD RMS server role and configuring the server, this cmdlet also installs other features required by AD RMS if necessary.

For example, to change to the Windows PowerShell drive named RC and install and configure AD RMS, type:

Set-Location RC:\
Install-ADRMS -Path .

Type "Y" when the cmdlet prompts you to confirm you want to start the installation.

Log out as CONTOSO\Administrator and log on as CONTOSO\RMS using the provided password ("pass@word1").

Important

In order to manage the AD RMS server the account you are logged on to and using to manage the server (in this case, CONTOSO\RMS) will have to be given membership in both the local Administrators group on the AD RMS server computer as well as membership in the Enterprise Admins group in Active Directory.

On the Server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

Create the Windows PowerShell drive to represent the AD RMS server you are configuring.

For example, to create a Windows PowerShell drive named RC to configure the AD RMS root cluster, type:

Import-Module ADRMSAdmin
New-PSDrive -PSProvider ADRMSAdmin -Name RC -Root http://localhost -Force -Scope Global

To create a new rights template for the Contoso finance admin and assign it user rights with full control in your AD RMS installation, at the Windows PowerShell command prompt, type:

New-Item -Path RC:\RightsPolicyTemplate -LocaleName en-us -DisplayName "Contoso Finance Admin Only" -Description "Contoso Finance Admin Only" -UserGroup financeadmin@contoso.com -Right ("FullControl")

To verify that you can see the new rights template for the Contoso finance admin, at the Windows PowerShell command prompt, type:

Get-FsrmRmsTemplate

Review the output of this cmdlet to confirm the RMS template you created in the previous step is present.

Build the mail server (SRV1)

SRV1 is the SMTP/POP3 mail server. You need to set it up so that you can send email notifications as part of the Access-Denied assistance scenario.

Configure Microsoft Exchange Server on this computer. For more information, see How to Install Exchange Server.

Build the client virtual machine (CLIENT1)

To build the client virtual machine

Connect the CLIENT1 to the ID_AD_Network.

Install Microsoft Office 2010.

Sign in as Contoso\Administrator, and use the following information to configure Microsoft Outlook.

Your name: File Administrator

Email address: fileadmin@contoso.com

Account type: POP3

Incoming mail server: Static IP address of SRV1

Outgoing mail server: Static IP address of SRV1

User name: fileadmin@contoso.com

Remember password: Select

Create a shortcut to Outlook on the contoso\administrator desktop.

Open Outlook and address all the "first time launched" messages.

Delete any test messages that were generated.

Create a new shortcut on the desktop for all users on the client virtual machine that points to \\FILE1\Finance Documents.

Reboot as needed.

Enable Access-Denied assistance on the client virtual machine

Open Registry Editor, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer.

Set EnableShellExecuteFileStreamCheck to 1.

Value: DWORD

Lab setup for deploying claims across forests scenario

Build a virtual machine for DC2

Build a virtual machine from the Windows Server 2012 ISO.

Create the virtual machine name as DC2.

Connect the virtual machine to the ID_AD_Network.

Important

Joining virtual machines to a domain and deploying claim types across forests require that the virtual machines be able to resolve the FQDNs of the relevant domains. You may have to manually configure the DNS settings on the virtual machines to accomplish this. For more information, see Configuring a virtual network.

All the virtual machine images (servers and clients) must be reconfigured to use a static IP version 4 (IPv4) address and Domain Name System (DNS) client settings. For more information, see Configure a DNS Client for Static IP Address.

Set up a new forest called adatum.com

To install Active Directory Domain Services

Connect the virtual machine to the ID_AD_Network. Sign in to DC2 as Administrator with the password Pass@word1.

In Server Manager, click Manage, and then click Add Roles and Features.

On the Before you begin page, click Next.

On the Select Installation Type page, click Role-based or Feature-based Install, and then click Next.

On the Select destination server page, click Select a server from the server pool, click the names of the server where you want to install Active Directory Domain Services (AD DS), and then click Next.

On the Select Server Roles page, click Active Directory Domain Services. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

On the Select Features page, click Next.

On the AD DS page, review the information, and then click Next.

On the Confirmation page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

On the Results page, verify that the installation succeeded, and then click the warning icon with an exclamation mark in the top right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

Important

If you close the installation wizard at this point rather than click Promote this server to a domain controller, you can continue the AD DS installation by clicking Tasks in Server Manager.

On the Deployment Configuration page, click Add a new forest, type the name of the root domain, adatum.com, and then click Next.

On the Domain Controller Options page, select the domain and forest functional levels as Windows Server 2012, specify the DSRM password pass@word1, and then click Next.

On the DNS Options page, click Next.

On the Additional Options page, click Next.

On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and then click Next.

On the Review Options page, confirm your selections, and then click Next.

On the Prerequisites Check page, confirm that the prerequisites validation is completed, and then click Install.

On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

Restart the server to complete the AD DS installation. (By default, this happens automatically.)

Important

To ensure that the network is configured properly, after you have set up both the forests, you must do the following:

Sign in to adatum.com as adatum\administrator. Open a Command Prompt window, type nslookup contoso.com, and then press ENTER.

Sign in to contoso.com as contoso\administrator. Open a Command Prompt window, type nslookup adatum.com, and then press ENTER.

If these commands execute without errors, the forests can communicate with each other. For more information on nslookup errors, see the troubleshooting section in the topic Using NSlookup.exe


Set contoso.com as a trusting forest to adatum.com

In this step, you create a trust relationship between the Adatum Corporation site and the Contoso, Ltd. site.

To set Contoso as a trusting forest to Adatum

Sign in to DC2 as administrator. On the Start screen, type domain.msc.

In the console tree, right-click adatum.com, and then click Properties.

On the Trusts tab, click New Trust, and then click Next.

On the Trust Name page, type contoso.com, in the Domain Name System (DNS) name field, and then click Next.

On the Trust Type page, click Forest Trust, and then click Next.

On the Direction of Trust page, click Two-way.

On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

Continue to follow the instructions in the wizard.

Create additional users in the Adatum forest

Create the user Jeff Low with the password pass@word1, and assign the company attribute with the value Adatum.

To create a user with the Company attribute

Open an elevated command prompt in Windows PowerShell, and paste the following code:

New-ADUser `
-SamAccountName jlow `
-Name "Jeff Low" `
-UserPrincipalName jlow@adatum.com `
-AccountPassword (ConvertTo-SecureString -AsPlainText "pass@word1" -Force) `
-Enabled $true `
-PasswordNeverExpires $true `
-Path "CN=Users,DC=adatum,DC=com" `
-Company Adatum

Create the Company claim type on adatum.com

To create a claim type by using Windows PowerShell

Sign in to adatum.com as an administrator.

Open an elevated command prompt in Windows PowerShell, and type the following code:

New-ADClaimType `
-AppliesToClasses:@("user") `
-Description:"Company" `
-DisplayName:"Company" `
-ID:"ad://ext/Company:ContosoAdatum" `
-IsSingleValued:$true `
-Server:"adatum.com" `
-SourceAttribute:Company `
-SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contoso", "Contoso", "")), (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Adatum", "Adatum", "")))

Enable the Company resource property on contoso.com

To enable the Company resource property on contoso.com

Sign in to contoso.com as an administrator.

In Server Manager, click Tools, and then click Active Directory Administrative Center.

In the left pane of Active Directory Administrative Center, click Tree View. In the left pane, click Dynamic Access Control, and then double-click Resource Properties.

Select Company from the Resource Properties list, right-click and select Properties. In the Suggested Values section, click Add to add the suggested values: Contoso and Adatum, and then click OK twice.

Select Company from the Resource Properties list, right-click and select Enable.

Enable Dynamic Access Control on adatum.com

To enable Dynamic Access Control for adatum.com

Sign in to adatum.com as an administrator.

Open the Group Policy Management Console, click adatum.com, and then double-click Domain Controllers.

Right-click Default Domain Controllers Policy, and select Edit.

In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.

Double-click KDC support for claims, compound authentication, and Kerberos armoring and select the option next to Enabled. You must enable this setting to use Central Access Policies.

Open an elevated command prompt, and run the following command:

gpupdate /force

Create the Company claim type on contoso.com

To create a claim type by using Windows PowerShell

Sign in to contoso.com as an administrator.

Open an elevated command prompt in Windows PowerShell, then type the following code:

New-ADClaimType `
-SourceTransformPolicy `
-DisplayName "Company" `
-ID "ad://ext/Company:ContosoAdatum" `
-IsSingleValued $true `
-ValueType "string"

Create the central access rule

To create a central access rule

In the left pane of Active Directory Administrative Center, click Tree View. In the left pane, click Dynamic Access Control, and then click Central Access Rules.

Right-click Central Access Rules, click New, and then Central Access Rule.

In the Name field, type AdatumEmployeeAccessRule.

In the Permissions section, select the Use following permissions as current permissions option, click Edit, and then click Add. Click the Select a principal link, type Authenticated Users, and then click OK.

In the Permission Entry for Permissions dialog box, click Add a condition, and enter the following conditions: <User> <Company> <Equals> <Value> <Adatum>. Permissions should be Modify, Read and Execute, Read, Write.

Click OK.

Click OK three times to finish and return to Active Directory Administrative Center.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADCentralAccessRule `
    -CurrentAcl:"O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1301bf;;;AU;(@USER.ad://ext/Company:ContosoAdatum == `"Adatum`"))" `
    -Name:"AdatumEmployeeAccessRule" `
    -ProposedAcl:$null `
    -ProtectedFromAccidentalDeletion:$true `
    -Server:"contoso.com"
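
To show what the -CurrentAcl string of the central access rule above grants, the following Python example (added here, not part of the original lab or of any Microsoft tooling) splits the SDDL into ACEs, decodes the access mask of the conditional ACE, and evaluates its condition against a user's claims. The function names and sample users are constructed for the illustration, SIDs are matched by their SDDL alias only, and only the condition form used on this page is evaluated, by exact string match.

```python
import re
# SDDL from the New-ADCentralAccessRule command above, PowerShell escapes removed.
CURRENT_ACL = ('O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)'
               '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Company:ContosoAdatum == "Adatum"))')
CLAIM = "ad://ext/Company:ContosoAdatum"
FILE_RIGHTS = {  # file access-mask bits (winnt.h)
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute", 0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "Delete", 0x020000: "ReadControl",
    0x040000: "WriteDAC", 0x080000: "WriteOwner", 0x100000: "Synchronize"}
COND = re.compile(r'^\(@USER\.(?P<claim>\S+)\s*==\s*"(?P<value>[^"]*)"\)$')

def split_aces(sddl):
    """Return the bodies of the top-level (...) ACEs in the D: section, honouring nesting."""
    dacl = sddl.split("D:", 1)[1]
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(dacl):
        if ch == "(":
            depth += 1
            start = i + 1 if depth == 1 else start
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dacl[start:i])
    return aces

def parse_ace(body):
    """Split type;flags;rights;object;inherit_object;sid[;condition] into a dict."""
    ace_type, _flags, rights, _obj, _inh, rest = body.split(";", 5)
    sid, _, cond = rest.partition(";")
    mask = 0x1F01FF if rights == "FA" else int(rights, 16)  # FA = FILE_ALL_ACCESS
    return {"type": ace_type, "sid": sid, "mask": mask, "condition": cond or None}

def granted_mask(sddl, user_sids, user_claims):
    """OR masks of allow ACEs (A, XA) matching the user; assumption: only @USER.<claim> == literal."""
    mask = 0
    for ace in map(parse_ace, split_aces(sddl)):
        m = COND.match(ace["condition"] or "")
        cond_ok = not ace["condition"] or bool(m and user_claims.get(m["claim"]) == m["value"])
        if ace["type"] in ("A", "XA") and ace["sid"] in user_sids and cond_ok:
            mask |= ace["mask"]
    return mask

def rights_names(mask):
    return [name for bit, name in FILE_RIGHTS.items() if mask & bit]

if __name__ == "__main__":
    for company in ("Adatum", "Contoso"):  # constructed sample users
        print(company, rights_names(granted_mask(CURRENT_ACL, {"AU"}, {CLAIM: company})))
```

The mask 0x1301bf is full control minus DeleteChild, WriteDAC and WriteOwner, which is the Modify permission set selected in the procedure; an authenticated user whose Company claim is not Adatum gets nothing from this rule.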

Create the central access policy

To create a central access policy

Sign in to contoso.com as an administrator.

Open an elevated command prompt in Windows PowerShell, and then paste the following code:

New-ADCentralAccessPolicy "Adatum Only Access Policy"
Add-ADCentralAccessPolicyMember "Adatum Only Access Policy" `
    -Member "AdatumEmployeeAccessRule"

Publish the new policy through Group Policy

To apply the central access policy across file servers through Group Policy

On the Start screen, type Administrative Tools, and in the Search bar, click Settings. In the Settings results, click Administrative Tools. Open the Group Policy Management Console from the Administrative Tools folder.


Tip

If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.


Right-click the contoso.com domain, and then click Create a GPO in this domain and Link it here.

Type a descriptive name for the GPO, such as AdatumAccessGPO, and then click OK.

To apply the central access policy to the file server through Group Policy

On the Start screen, type Group Policy Management in the Search box. Open Group Policy Management from the Administrative Tools folder.


Tip

If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.


Navigate to and select Contoso as follows: Group Policy Management\Forest: contoso.com\Domains\contoso.com.

Right-click the AdatumAccessGPO policy, and select Edit.

In Group Policy Management Editor, click Computer Configuration, expand Policies, expand Windows Settings, and then click Security Settings.

Expand File System, right-click Central Access Policy, and then click Manage Central access policies.

In the Central Access Policies Configuration dialog box, click Add, select Adatum Only Access Policy, and then click OK.

Close the Group Policy Management Editor. You have now added the central access policy to Group Policy.

Create the Earnings folder on the file server

Create a new NTFS volume on FILE1, and create the following folder: D:\Earnings.


Set classification and apply the central access policy on the Earnings folder

To assign the central access policy on the file server

In Hyper-V Manager, connect to server FILE1. Sign in to the server by using Contoso\Administrator, with the password pass
word1
.

Open an elevated command prompt and type: gpupdate /force. This ensures that your Group Policy changes take effect on your server.

You also need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell, type Update-FSRMClassificationpropertyDefinition, and then press ENTER. Close Windows PowerShell.

Open Windows Explorer, and navigate to D:\EARNINGS. Right-click the Earnings folder, and click Properties.

Click the Classification tab. Select Company, and then select Adatum in the Value field.

Click Change, select Adatum Only Access Policy from the drop-down menu, and then click Apply.

Click the Security tab, click Advanced, and then click the Central Policy tab. You should see the AdatumEmployeeAccessRule listed. You can expand the item to view all of the permissions that you set when you created the rule in Active Directory.