Skip to content

#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

imageAs I said previously my labs were a success, still I wasn’t able to answer some questions and promised to answer them later. the time has come for the first of them. One of the visitors told me that he had had an experience when some of files’ attributes wouldn’t replicate over DFSR and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “may be” for that matter. It wouldn’t explain why. As I’m not great with the replication, I had to beg for help and, luckily, I knew were to get it: the AskDS blog.

In no time a received the answer. The short one is: “everything will be ok with your files”. The long one I will just cite here:

“Let me clarify some aspects of your question as I answer each part

When enabling Dynamic Access Control on files and folders there are multiple aspects to consider that are stored on the files and folders.

Resource Properties

- Resource Properties are defined in AD and used as a template to stamp additional metadata on a file or folder that can be used during an authorization decision.  That information is stored in an alternate data stream on the file or folder.  This would replicate with the file, the same as the security descriptor

Security Descriptor

The security descriptor replicates with the file or folder.  Therefore, any conditional expression would replicate in the security descriptor.

All of this occurs outside of Dynamic Access Control– it is a result of replicating the file throughout the topology, for example if using DFSR.  Central Access Policy has nothing to do with these results.

Central Access Policy

Central Access Policy is a way to distribute permissions without writing them directly to the DACL of a security descriptor. So, when a Central Access Policy is deployed to a server, the administrator must then link the policy to a folder on the file system.  This linking is accomplish by inserting a special ACE in the auditing portion of the security descriptor informs Windows that the file/folder is protected by a Central Access Policy.  The permissions in the Central Access Policy are then combined with Share and NTFS permissions to create an effective permission.

If the a file/folder is replicated to a server that does not have the Central Access Policy deployed to it then the Central Access Policy is not valid on that server.  The permissions would not apply”.

Thanks, guys. You’re the best Winking smile