My lab consists of 3 VMs:
- 1 Windows Server 2012 Domain Controller (DAC-SRV-AD01)
- 1 Windows Server 2012 File Server (DAC-SRV-FIC01)
- 1 Windows 8 Client (DAC-WIN8-CLT)
The scenario I have chosen is the following:
My File Server holds a share containing data of two departments of the company (Finance and IT).
Access to the share is already configured with group permissions.
We have 3 users with the following access:
- Carla Thomas : RW access to Finance
- Otis Redding : RW access to Finance and RW access to Confidential data in Finance
- Johnnie Taylor : RW access to IT
I want to implement the following rules:
- RW access to Finance for users who work at the Finance Department
- RW access to the Confidential folder for users who work in the Finance department, from a computer of the Finance department, and who are members of the Confidential group.
- RW access to IT for users who work at the IT department
4 steps have to be done first in Active Directory, so we'll start with that.
First I have to create a claim type:
It can be done through Active Directory Administrative Center (ADAC) or with PowerShell cmdlets.
I will use ADAC with the new Windows PowerShell History feature to show you both.
When you open the Overview part in ADAC, you have access to the different steps for implementing Dynamic Access Control.
So I start by creating a claim type. I choose the Department attribute and as I want to use this claim for users and devices, I check both User and Computer.
I can provision suggested values for this claim manually or use the Data Classification Toolkit for this: http://gregorylucand.blogspot.fr/2012/05/data-classification-toolkit-active.html
But here I'll use the default values provided by the resource properties.
So I create my claim type, and here are the PowerShell cmdlets.
Now I have to configure the resource properties. I'll use two resource properties: Department and Confidentiality.
And here are the PowerShell cmdlets.
Now I have to create Central Access Rules.
I will create two Central Access Rules: one for the Department and one for the Confidentiality.
I configure the Target Resources.
Then I configure Permissions as follows:
I create the other Central Access Rule for Confidentiality.
Now that my two Central Access Rules are created I have to create the Central Access Policy.
All steps have been done for the Active Directory part.
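The same four Active Directory steps done entirely from PowerShell, as an added example that is not the author's cmdlet history from ADAC. The claim ID, the rule and policy names, the "High" confidentiality value and the SDDL strings are my own assumptions for the Finance / IT / Confidential scenario above; the built-in resource property IDs (Department_MS, Confidentiality_MS) and the cmdlets are those of the Windows Server 2012 ActiveDirectory module.

```powershell
# Added example, not the author's cmdlet history: the four Active Directory steps
# of this post done with the ActiveDirectory module on the Windows Server 2012 DC.
# Claim ID, rule/policy names, the Confidentiality value and the SDDL strings are
# assumptions for the Finance / IT / Confidential scenario described above.
Import-Module ActiveDirectory

# Step 1: claim type "Department", sourced from the AD 'department' attribute and issued
# for users AND computers (the device claim is what the "Finance computer" condition needs).
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance department"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("IT", "IT", "IT department")
)
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -ID "ad://ext/Department" `
    -AppliesToClasses @("user", "computer") -SuggestedValues $values -Enabled $true

# Step 2: resource properties. Department_MS and Confidentiality_MS ship with the forest
# but are disabled; enabling them makes them usable for folder classification and in rules.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Set-ADResourceProperty -Identity "Confidentiality_MS" -Enabled $true

# Step 3: central access rules. The ACL is SDDL with conditional (XA) ACEs: owner,
# Administrators and SYSTEM keep full control; Authenticated Users get Modify (0x1301BF,
# the "RW" of the scenario) only when the condition holds. Comparing the user claim with
# the folder's Department_MS value lets one rule serve both Finance and IT.
$baseAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)'
$deptRule = New-ADCentralAccessRule -Name "Department rule" `
    -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
    -CurrentAcl ($baseAcl + '(XA;;0x1301BF;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))') `
    -PassThru

# Confidential data: Finance user AND Finance device AND member of the "Confidential" group.
# The group SID is resolved from the directory rather than typed by hand.
$confSid  = (Get-ADGroup -Identity "Confidential").SID.Value
$confCond = '((@USER.ad://ext/Department == "Finance") && (@DEVICE.ad://ext/Department == "Finance") && (Member_of {SID(' + $confSid + ')}))'
$confRule = New-ADCentralAccessRule -Name "Confidentiality rule" `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl ($baseAcl + '(XA;;0x1301BF;;;AU;' + $confCond + ')') `
    -PassThru

# Step 4: central access policy grouping both rules. It still has to be published to the
# file server through a GPO and applied on the share, which this post leaves for part 2.
New-ADCentralAccessPolicy -Name "Finance and IT policy" -Description "DAC demo policy"
Add-ADCentralAccessPolicyMember -Identity "Finance and IT policy" -Members $deptRule, $confRule
```

To stage rather than enforce a rule, pass the SDDL with -ProposedAcl instead of -CurrentAcl: the file server then only audits the access the proposed rule would deny, so the conditions can be checked against real users and devices before they lock anyone out.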
The rest of the configuration will be available in the next article.