In Active Directory we can define user and device claim types, which are the building blocks of Dynamic Access Control (DAC) in a Windows domain.
DAC was introduced in Windows Server 2012. It lets administrators express authorization to file server resources as conditional logic over user claims, device claims and resource properties, rather than only as static ACLs of groups. This is powerful: a user's effective permissions follow changes to attributes of the user object or of the device they log on from, without anyone editing the ACL.
About Dynamic Access Control
Within a domain, DAC lets us define access control permissions from rules we create that combine the sensitivity of a resource, the job or role of the user, and the configuration of the device being used to reach the resource. A good example is a user being granted different levels of access depending on how they connect: a lower level when connecting remotely from a laptop, and a higher level from their office workstation.
As the name suggests, DAC lets a user's permissions change dynamically without an administrator touching group memberships or ACLs, because the decision is re-evaluated from the claims carried in the user's Kerberos ticket. DAC needs at least one domain controller running Windows Server 2012 or later and is supported on Windows 8 and Windows Server 2012 and above. Claims are not issued by default: the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting must be enabled on the domain controllers, and the matching "Kerberos client support for claims, compound authentication and Kerberos armoring" setting on the clients and file servers.
Now let’s discuss the different claim types that we’ll be dealing with here.
User Claims: Assertions about a user, each derived from an Active Directory attribute of the user object and placed into the user's Kerberos ticket by the KDC at logon.
Device Claims: More commonly called computer claims, these are the same idea applied to the computer object the user logs on from. Device claims only reach a file server when compound authentication is enabled (the Kerberos client and KDC Group Policy settings mentioned above), since the device's identity has to be carried alongside the user's.
Keep in mind that these claims are based on the schema attributes available in AD. If the attribute you need doesn't exist, the schema can be extended to add it. The names on the schema side aren't always obvious, so I suggest using this table of mappings between user interface fields and schema attributes. For example, it shows that 'l' is Locality-Name, the attribute that holds a town or city.
For instance, a user might have a location claim with the value US, and a computer might have a device claim stating that its location is also US. A central access rule can then say that users located in the US may access a resource only from devices located in the US, by comparing the user's claim with the device's claim in the rule's condition. If we change the location attribute on the user object in AD, the condition no longer holds and the user loses access. One caveat: claims are issued into the Kerberos ticket at logon, so the change takes effect when the user (or, for device claims, the computer) next obtains a ticket, not at the moment the attribute is edited. Running whoami /claims on the client shows which claims the current token actually carries.
Configure User and Device Claim Types
First open Active Directory Administrative Center. This can be done through Server Manager > Tools > Active Directory Administrative Center, or by running dsac.exe from PowerShell or a command prompt. Select Dynamic Access Control from the menu on the left, followed by Claim Types.
From here we can select New from the menu on the right to create a new claim type. This opens the Create Claim Type window.
From here we choose the attribute the claim is based on. In the "Select an AD attribute to base this claim type on" search box, enter 'l'; as mentioned above, this is Locality-Name. Next give the claim type a display name; I've named this one "City". The check boxes then control whether the claim can be issued for users or for computers; as this is a user claim, User has been ticked. Optionally, the claim type can be given a list of suggested values, which are offered to anyone later writing rules against it.
Finally select OK to create the claim type. We should now see it listed under the list of claim types.
We have now created a user claim type based on the Locality-Name attribute. A device claim type is configured the same way, ticking the Computer check box instead of (or as well as) User.
To recap, user and device claim types are configured in Active Directory Administrative Center on Windows Server 2016 under Dynamic Access Control > Claim Types, then New > Claim Type.
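The same claim type created from PowerShell instead of the ADAC dialog, followed by the same-location rule sketched in the claims overview above. This is an added example and not part of the original walkthrough: it uses the ActiveDirectory module cmdlets (New-ADClaimType, Get-ADClaimType, New-ADCentralAccessRule, New-ADCentralAccessPolicy, Add-ADCentralAccessPolicyMember) and assumes a Windows Server 2012 or later domain controller, an account with Domain Admin rights, a test user 'alice', a test computer 'WS01', and the display name 'City'. The user, computer, city values and rule and policy names are all made up for the example.

```powershell
# Added example: claim type and same-city rule via the ActiveDirectory module.
# Run on a Windows Server 2012+ domain controller (or a host with RSAT) as a
# Domain Admin. User 'alice', computer 'WS01', the city names and the rule and
# policy names are assumptions for this example, not values from the article.
Import-Module ActiveDirectory

# Suggested values, as in the "Suggested values" list of the ADAC dialog.
# Constructor arguments are (Value, DisplayName, Description).
$suggested = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('London',   'London',   'London office')
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('New York', 'New York', 'New York office')
)

# One claim type sourced from Locality-Name ('l'), issuable for both users and
# computers; this is the same as ticking both User and Computer in ADAC.
$city = New-ADClaimType -DisplayName 'City' -SourceAttribute 'l' `
    -AppliesToClasses 'user', 'computer' -SuggestedValues $suggested -PassThru

# Check it landed. ADAC lists the same object under Dynamic Access Control > Claim Types.
Get-ADClaimType -Filter 'DisplayName -eq "City"' |
    Format-List DisplayName, ID, SourceAttribute, AppliesToClasses, Enabled

# Populate the attribute the claim reads. Until these are set, no City claim is issued.
Set-ADUser     -Identity 'alice' -Replace @{ l = 'London' }
Set-ADComputer -Identity 'WS01'  -Replace @{ l = 'London' }

# Central access rule: Authenticated Users get read and execute (0x1200a9) only when
# the user's City claim equals the City claim of the device they logged on from.
# Conditional ACEs refer to a claim by the claim type's ID, so build the condition
# from $city.ID rather than from the display name.
$condition = "(@USER.$($city.ID) == @DEVICE.$($city.ID))"
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        "(XA;;0x1200a9;;;AU;$condition)"

$rule = New-ADCentralAccessRule -Name 'Same city as device' -CurrentAcl $sddl -PassThru

# Wrap the rule in a policy. The policy still has to be published to file servers
# through Group Policy and then applied to a folder before it takes effect.
$policy = New-ADCentralAccessPolicy -Name 'Same city as device policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Claims live in the Kerberos ticket, so alice (and WS01) only carry the new claim
# after re-authenticating. On the client, whoami /claims shows what the current token
# holds; changing l on the user object later removes access at the next logon, not
# at the moment the attribute is edited.
```

The rule compares two claims of the same type, so the user and the device must both have been issued the City claim, which is why the claim type is created with both classes and why compound authentication has to be on. If the condition is never satisfied, start by running whoami /claims on the client after a fresh logon: an empty device claim usually means the Kerberos client Group Policy setting for claims and compound authentication is not applied to that machine.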