Within Dynamic Access Control is the capability to set up the
domain such that if a user cannot get into a file or folder because of
permissions issues, a customized message displays instructing the user on
how to get access. This involves setting up email notification that gets
sent to the data owner or IT department (or whoever can approve and give
the user access to that data), a functionality known as Access Denied
Remediation.
While Microsoft markets this as yet another advancement in DAC (and
don’t get me wrong, it is), I think a bigger benefit is that Access Denied
Remediation allows for quick resolution to problems that may result during
DAC deployment. DAC is quite a leap from the way most of us have gotten
used to managing permissions in an infrastructure. It’s conceivable that
there will be growing pains with its deployment. With Access Denied
Remediation, permissions issues can be quickly and centrally
addressed.
Access Denied Remediation is carried out in three ways. In the first
scenario, users can self-assist by requesting access from the owner of
that data without involving a server administrator. This is probably the
least likely scenario to be carried out in smaller organizations, and more
likely in larger ones with massive amounts of data, where having IT grant
permissions to every user getting an “access denied” error would be an
incredible waste of IT resources. The second remediation option is when,
for example, a folder owner receives an email notification that a user
requested access. Finally, as we saw in the previous section,
administrators can quickly view the effective permissions of any user
within a folder or file’s properties and configure permissions
accordingly.
You can configure Access Denied Remediation on individual file servers or throughout an entire
domain. The feature is configured in Group Policy for deployment
throughout the domain and via File Server Resource Manager on individual
file servers.
From Group Policy Management, right-click the policy for the domain and click Edit.
Navigate to Computer Configuration→Policies→Administrative Templates→System→Access
Denied Assistance. You will see two options: “Customize messages”
(configure how you want Access Denied Remediation instructions to
appear to users) and “Enable access denied assistance for Windows
clients” (Access Denied Remediation is supported only on Server 2012,
Windows 8, and Windows RT).
To deploy on individual file servers, from the file server, launch File Server Resource Manager. Right-click File Server
Resource Manager (Local), select Configure Options, and then click
the Access Denied Remediation tab.
You can enter custom text, or you can use the following built-in
macros to create text:
See Figure 1
for an example of an access denied custom message.
You have some flexibility with Access Denied Remediation. For
example, you can specify a separate access denied message for a
specific folder, again using the File Server Resource Manager. You do
so by double-clicking File Server Resource Manager (Local) and then
expanding Classification Management and right-clicking Classification
Properties. Select Set Folder Management Properties.
In the Property box, click Access Denied Assistance Message and
then click Add. Browse to the folder you want to apply the message to
and create your message or use the macros.
Configure email notification by clicking File Server Resource
Manager, right-clicking File Server Resource Manager (Local),
selecting Configure Options, and clicking the “E-mail notification”
tab.
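The File Server Resource Manager steps above (the Access Denied Remediation tab, the folder-specific message, and the E-mail notification tab) can also be scripted. The following is an added example written for this page, not code from the original text, using the FileServerResourceManager PowerShell module that ships with Windows Server 2012 and later. The SMTP host, mailboxes, folder path and message text are constructed placeholders; the internal property name AccessDeniedMessage_MS for the "Access Denied Assistance Message" folder property is an assumption to confirm on your own server.

```powershell
# Added example (not from the original text): scripted equivalent of the FSRM
# GUI steps, run in an elevated PowerShell session on the file server.
# Every address, host and path below is a constructed placeholder.
Import-Module FileServerResourceManager

$smtpServer   = 'smtp.example.test'        # placeholder SMTP relay
$adminMailbox = 'fs-admins@example.test'   # placeholder IT mailbox
$fromAddress  = 'fsrm@example.test'        # placeholder sender address
$shareFolder  = 'D:\Shares\Finance'        # placeholder folder that gets its own message

# 1. "E-mail notification" tab: the relay FSRM sends through and the
#    administrator mailbox that access requests are copied to.
Set-FsrmSetting -SmtpServer $smtpServer `
                -AdminEmailAddress $adminMailbox `
                -FromEmailAddress $fromAddress

# 2. "Access Denied Remediation" tab: enable the feature, set the message the
#    user sees, allow the user to request access, and route the request to the
#    data owner with the admin mailbox on copy. Logging denials to the event
#    log leaves a local audit trail next to the e-mail.
Set-FsrmAdrSetting -Event AccessDenied `
                   -Enabled $true `
                   -DisplayMessage 'You do not have permission to open this item. Use Request Assistance to ask the data owner for access.' `
                   -AllowRequests $true `
                   -MailToOwner $true `
                   -MailCCAdmin $true `
                   -IncludeUserClaims $true `
                   -IncludeDeviceClaims $true `
                   -EventLog $true

# 3. Folder-specific message (Classification Management > Classification
#    Properties > Set Folder Management Properties in the GUI). The property
#    name AccessDeniedMessage_MS is assumed; check it with Get-FsrmMgmtProperty.
Set-FsrmMgmtProperty -Namespace $shareFolder `
                     -Name 'AccessDeniedMessage_MS' `
                     -Value 'Finance data requires approval from the Finance data owner.'

# 4. Verify what is now in effect and confirm that mail actually leaves the server.
Get-FsrmAdrSetting -Event AccessDenied |
    Select-Object Enabled, AllowRequests, MailToOwner, MailCCAdmin, DisplayMessage
Get-FsrmMgmtProperty -Namespace $shareFolder
Send-FsrmTestEmail -ToEmailAddress $adminMailbox
```

The test e-mail at the end exercises the same SMTP path that every access request will depend on, so run it before relying on the feature. Because the request mail carries the user's and device's claims, the mailboxes configured here should be ones the data owners and IT actually monitor.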