[This is a guest post from Joe Isenhour, a Senior Program Manager in Windows Server. You may remember him from his previous ADFS claims rule post. If you are not yet up to speed on the DAC security suite in Windows Server 2012, I recommend our own Mike Stephens’ treatise Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta - the Neditor]

Hello, my name is Joe Isenhour and I work in the Windows Server team. I’m continuing our blog series on Dynamic Access Control (DAC) with a post that addresses some of the scenarios related to deploying DAC to multiple Forests.

You can find a demo video that shows the examples from this post here:

To give you a little bit of background, DAC objects are stored in the Configuration container in Active Directory. This means that the scope for these objects is the Forest level. All of the Domains in a given Forest will use the same set of DAC objects.

 CN=Claims Configuration,CN=Services,CN=Configuration,<forest-dn>

If your organization has multiple Active Directory Forests then you may encounter some of the scenarios covered in this post:

  1. Manage DAC objects between new and existing Active Directory Forests.
  2. Standardize DAC objects between existing Forests.

We have built a couple of tools that will help you with the scenarios above. The tools are included in the Data Classification Toolkit. You can obtain the beta version of the tools here.

The following conditions are required in order to use the tools that are described in this post:

  • You need an Active Directory Forest with the Windows Server 2012 schema
  • The tools must run on a Windows Server 2012 machine with Windows PowerShell and the Active Directory Administration tools

Export Dynamic Access Control Objects from a Forest

Let’s say that your company has invested some time authoring Central Access Policies and Claims related data for your corporate Active Directory Forest. Now your CTO office is mandating that some or all of your existing DAC objects need to be included in all of your company’s other Active Directory Forests. This can be challenging for several reasons. One challenge is that the task of creating the objects in the new Forest is labor intensive and prone to error. Another challenge is keeping the unique object ID’s consistent between the Forests. Claim Types and Resource Properties have ID’s that will need to be identical across Forests in order to enable more advanced scenarios like Claim Transformations.

The Export-ClaimsConfiguration.ps1 tool will allow you to export specific DAC objects from a given Forest. The tool will allow you to export:

  • Claim Types
  • Resource Properties
  • Central Access Rules
  • Central Access Policies

By default, the tool will export any dependent DAC objects. For example, if you choose to export only Central Access Policies, the tool will also export any Central Access Rules that are defined for the policies and any Claim Types and Resource Properties that are used in the policies.

The following example demonstrates how to export all Central Access Policies from a Forest (including dependent objects). In this example the export will be stored in file called DACExport.xml.

1. Open Windows PowerShell and navigate to the Data Classification Toolkit Tools directory

 C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools

2. Execute the following command:

 .\Export-ClaimsConfiguration.ps1 -File "C:\Temp\DACExport.xml" -IncludeCentralAccessPolicies

When the export is finished, you should have a new file called DACExport.xml. Here is an example of the information contained in the file:

image

As you can see, there are many other data types defined in this file besides just Central Access Polices. There are Central Access Rules, Resource Properties, and a section called domainIdentities which we will discuss in a moment. This is because the Central Access Policy that was exported has dependencies on other objects. In order for the Central Access Policy to exist in a new Forest, it will need to have all of these dependent objects.

Take a look at the section titled domainIdentities. This section is used to store a mapping between the Security Identifiers that were found in the Central Access Rules and their friendly SamAccountName. Here is an example of how this section might look:

image

As you can see, the export tool created an entry for every Security Identity that it discovered during the export and stored the id along with the SamAccountName.

Security Identities are unique to a Domain and therefore cannot be exported/imported into other Domains or Forests. This section is used during the import process to map accounts or groups in the target Forest with the accounts found in the export file.

For a detailed list of the options available for exporting DAC objects, execute the following command:

 .\Export-ClaimsConfiguration.ps1 –Help

Import Dynamic Access Control Objects into a Forest

Once you have created your export, you can begin importing the data into other Active Directory Forests. You have a few options when importing:

WhatIf: The import tool implements the standard Windows PowerShell WhatIf condition. If you import using this switch, none of the data will be written to the directory. Instead, you will see the output of what would have been written to the directory had you not chosen the WhatIf switch.

Overwrite: The import process will not write any data to the directory if it finds a conflict with one or more objects. A conflict occurs when a DAC object already exists in the target Forest and has one or more properties that differ from the object in the export file. You may choose the Overwrite option to overwrite the object properties in the target Forest with the properties found in the export file. Certain properties; like IsSingleValued, can’t be overwritten. In this case, the tool will alert you that the property will not be overwritten, but will continue overwriting the other properties.

The following example demonstrates how to import Central Access Policies from an export file. In this example the export will be stored in file called DACExport.xml.

1. Open Windows PowerShell and navigate to the Data Classification Toolkit Tools directory

 C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools

2. Execute the following command to import the data in WhatIf mode:

 .\Import-ClaimsConfiguration.ps1 -File "C:\Temp\DACExport.xml" -Server [domaincontroller] –WhatIf

If the import file contains Central Access Rules then you will likely get prompted to match the identities in the source file with identities in the target Domain/Forest. The tool accomplishes this by matching the SamAccountName in the source file with accounts in the target Forest. You may choose to bypass this prompt using the DontPromptForSIDConfirmation switch. This switch will indicate that you want to accept any matches that are found by the tool.

image

In some cases, there may be multiple matching accounts in the target Forest. If that happens, you will be presented with a list of accounts that match the source account and you will need to select the proper account.

If there are no conflicts in the source file and the target Forest, then the script should complete with output similar to the image below.

image

If a conflict was found, then you will instead see a report indicating that there is a conflict. Remember, you can choose to overwrite conflicts using the –Overwrite switch.

If the output from the command looks correct then you can choose to run the command again without the WhatIf switch and write the DAC objects to the target Forest.

For a detailed list of the options available for exporting DAC objects, execute the following command:

 .\Export-ClaimsConfiguration.ps1 –Help

I hope that you’ve found these examples helpful. Watch for more great posts and examples of Dynamic Access Control in Windows Server 2012.

Joe Isenhour