Mark Parris is an MVP and MCM in Directory Services, with over 20 years of experience in IT, specialising in Active Directory and Windows Server. Connect with Mark on his blog, Twitter or LinkedIn.

Last week in Amsterdam, I had the privilege to once again staff the Active Directory stand, answering attendees’ technical questions around Active Directory. This year, unlike other TechEds I have staffed, I seemed to grab the lucky straw and only had to man the stand during evening events or lunchtimes, leaving me with lots of capacity to attend the technical breakout sessions, of which I took full advantage.

All of my previous visits to TechEd have been as a self-employed consultant; this year for the first time ever, I attended TechEd as an employee of a global organisation and therefore the breakout sessions I went to were focused on the areas of technology that I believed would benefit the company (and not me as an individual).  The breakout sessions I attended in summary were focused around Active Directory, Windows Deployment and Systems Management and out of all the breakout sessions I attended, the technology highlight for me was “Windows Server 2012 - Dynamic Access Control”.

Dynamic Access Control enables centrally controlled access policies for file servers based on an Active Directory attribute. For example, if a user has the ‘Department’ attribute set to Finance, they will automatically receive access to all of the Finance data permissioned under the centralized file access policy. Unlike normal Windows groups, Dynamic Access Control has the ability to “and” permissions: if the user has their ‘Department’ attribute set to Finance and their ‘Country’ attribute set to United Kingdom, and the centralized access policy is defined accordingly, they will only be able to see the United Kingdom Finance data.

In terms of administration, Dynamic Access Control could help to reduce the burden of support on IT by giving other departments, such as Human Resources, the ability to manage users’ data access by populating the correct attributes when a user joins or by modifying a user’s attributes when they move department. This does come with a word of caution: whereas a user’s Department used to be just a text description, it could now control how they access the majority of their data, and the impact of modification needs to be understood.
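To make the “and” behaviour and the caution about attribute changes concrete, here is a small added example (not from the sessions or from Microsoft) that models attribute-based rules and reports which data a user would gain or lose if an attribute were modified. It is a simplified model, not Windows' evaluation logic; the rule names, resource names and the user are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: tuple   # (resource_property, value) pairs selecting the governed files
    must_match: tuple   # (user_attribute, resource_property) pairs; ALL must hold

# Constructed sample policy, file shares and user (hypothetical names).
RULES = (
    Rule("Finance documents", (("Department", "Finance"),),
         (("department", "Department"), ("country", "Country"))),
    Rule("HR documents", (("Department", "HR"),),
         (("department", "Department"),)),
)
RESOURCES = {
    "finance-uk": {"Department": "Finance", "Country": "United Kingdom"},
    "finance-de": {"Department": "Finance", "Country": "Germany"},
    "hr-uk": {"Department": "HR", "Country": "United Kingdom"},
}
ALICE = {"department": "Finance", "country": "United Kingdom"}

def allowed(user, resource, rules=RULES):
    """True if an applicable rule has every user/resource condition satisfied."""
    for rule in rules:
        applies = all(resource.get(p) == v for p, v in rule.applies_to)
        # A missing attribute never matches, so an unpopulated user gets nothing.
        matches = all(a in user and user[a] == resource.get(p)
                      for a, p in rule.must_match)
        if applies and matches:
            return True
    return False  # model simplification: no matching rule means no access

def access_set(user, resources=RESOURCES, rules=RULES):
    return {name for name, props in resources.items() if allowed(user, props, rules)}

def impact_of_change(user, changes, resources=RESOURCES, rules=RULES):
    """(gained, lost) resources if `changes` were written to the user's attributes."""
    before = access_set(user, resources, rules)
    after = access_set({**user, **changes}, resources, rules)
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    print("current access:", sorted(access_set(ALICE)))
    for change in ({"department": "HR"}, {"country": "Germany"}):
        print(change, "->", impact_of_change(ALICE, change))
```

Running a check like `impact_of_change` before an attribute is edited shows that a single field update moves the user from one data set to another, which is the impact the caution above refers to.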

For further insight I would recommend viewing these sessions:

Windows Server 2012 Dynamic Access Control Overview

http://channel9.msdn.com/events/TechEd/Europe/2012/SIA207

Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies

http://channel9.msdn.com/events/TechEd/Europe/2012/SIA341

Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT

http://channel9.msdn.com/events/TechEd/Europe/2012/SIA316

Over the years that I have been attending, TechEd has changed for many reasons, such as budget, costs and different management, but the two things that have not changed are technical content and networking opportunities. With these two things in mind, I am “Jolly Excited” about the next TechEd, when and wherever that may be.