
Classifying files and folders

AUTOMATIC CLASSIFICATION

Windows Server 2012 and Windows Server 2012 R2 include a built-in file classifier that can be configured to automatically classify files within targeted folders. You can automatically classify all files within targeted folders or you can restrict this function to a subset of the files, limiting classification to those Microsoft documents with contents that include a match of a specified expression. You can also restrict classification to the files selected by a custom Windows PowerShell script. Besides this built-in functionality, automatic classification (and DAC in general) can be greatly extended through third-party applications.

To start configuring automatic file classification, you first need to install the FSRM component of the File Server role. Then, in the File Server Resource Manager console tree, navigate to Classification Management\Classification Rules. In the Actions pane, click Create Classification Rule, as shown in Figure 2-19.

FIGURE 2-19 Creating a classification rule

This step opens the Create Classification Rule dialog box. On the General tab, type a name and description for the new rule. The General tab also includes an Enabled check box, which is selected by default.

On the Scope tab, shown in Figure 2-20, click Add to select the folders where this rule will apply. The classification rule applies to all folders and their subfolders in the list. Alternatively, you can target all folders that store any of the following selected classifications of data: Application Files, Backup And Archival Files, Group Files, or User Files.

FIGURE 2-20 Setting the scope for a classification rule

On the Classification tab, shown in Figure 2-21, choose a classification method along with the classification value for one selected property that the rule will assign.

FIGURE 2-21 Configuring a classification method and property value

For a classification method, there are three options:

■ The Folder Classifier option assigns the property value to all files that fall within the scope of the rule.

■ The Windows PowerShell Classifier prompts you to specify a script to determine the target files within the scope of the rule.

■ The Content Classifier option searches Microsoft documents for a text or regular expression string. Click Configure to further configure this option with the Classification Parameters dialog box, shown in Figure 2-22.

FIGURE 2-22 Configuring a content search for automatic classification

This dialog box lets you specify an expression that will be searched for in the content of Microsoft documents that fall within the scope of the rule. If the content search results in a match for the specified expression, the file is tagged with the property value specified on the Classification tab of the Create Classification Rule dialog box.

You can choose one of three expression types to search for: string, case-sensitive string, or regular expression. A regular expression, sometimes called a regex, is used in programming to match patterns of text strings as opposed to exact sequences of specific numbers or letters. A regular expression is often a useful matching mechanism to classify files that include sensitive numbers, such as credit card numbers.

The following is an example of a regular expression. It matches credit card numbers from most vendors:

The Evaluation Type tab is the final tab of the Create Classification Rule dialog box. On this tab, you choose how to handle files that already exist within the scope of the rule. By default, the classification rule does not apply to preexisting files. You can choose, however, to run the rule against existing files. If matches are found, you can either overwrite any existing classification that conflicts with the new value or attempt to aggregate them if possible.

After you create the desired classification rule, click Configure Classification Schedule in File Server Resource Manager to determine how often you want the rule to run. This step opens the File Server Resource Manager Options dialog box. On the Automatic Classification tab, shown in Figure 2-23, select the Enable Fixed Schedule check box. You must then specify days and times at which you want the rule to run. In addition, you can select the Allow Continuous Classification For New Files check box to run the rule on newly created or edited files that fall within the scope of the rule and on existing files that are moved to a new location that falls within the scope of the rule. (Be sure to remember the option for continuous classification for the exam.)

FIGURE 2-23 Configuring a schedule for a classification rule

After configuring the schedule, you can click Run Classification With All Rules Now in the Actions pane of File Server Resource Manager. This step will run all rules immediately and
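The procedure above can also be scripted with the FSRM cmdlets. The following is an added example, not code from the book: the folder, rule name, property name and value, and the regular expression are constructed for illustration, and the classification property is assumed to exist already.

```powershell
# Added example using the FileServerResourceManager cmdlets (Windows Server 2012+).
# Hypothetical values: folder, rule name, property name/value and the regex.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$folder   = 'D:\Shares\Finance'   # Scope tab: hypothetical folder
$property = 'ExampleSensitivity'  # hypothetical property, assumed to exist already
$value    = 'High'                # hypothetical value defined for that property

# Constructed pattern (not the book's expression): 16 digits in four groups of
# four, optionally separated by a space or hyphen.
$pattern = '\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b'

# Check the pattern against constructed samples before deploying the rule, so
# an over-broad expression does not tag unrelated documents.
$samples = [ordered]@{
    'Card: 4111 1111 1111 1111'     = $true    # constructed test value
    'Card: 4111-1111-1111-1111'     = $true
    'Invoice 2013-04-17, qty 12'    = $false
    'Tracking 12345678901234567890' = $false   # longer digit run, no boundary
}
foreach ($s in $samples.GetEnumerator()) {
    if (($s.Key -match $pattern) -ne $s.Value) {
        throw "Pattern check failed for sample: $($s.Key)"
    }
}

# Classification tab: Content Classifier with a regular expression that must
# match at least once (Min=1) for the file to be tagged.
New-FsrmClassificationRule -Name 'Tag payment card data (example)' `
    -Namespace @($folder) `
    -Property $property -PropertyValue $value `
    -ClassificationMechanism 'Content Classifier' `
    -Parameters @("RegularExpressionEx=Min=1;Expr=$pattern") `
    -ReevaluateProperty Overwrite   # Evaluation Type tab; also Never, Aggregate

# Automatic Classification tab: fixed weekly schedule plus continuous
# classification for new, edited or moved files.
$task = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
Set-FsrmClassification -Schedule $task -Continuous

# Equivalent of Run Classification With All Rules Now, then confirm the rule.
Start-FsrmClassification
Get-FsrmClassificationRule -Name 'Tag payment card data (example)'
```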

ACCESS-DENIED ASSISTANCE

The File Server Resource Manager Options dialog box shown in Figure 2-23 also includes an Access-Denied Assistance tab. You can use this tab to enable the local file server to provide helpful information to a user whose access to a file or folder has been denied.

To enable this functionality, on the Access-Denied Assistance tab, select the Enable Access-Denied Assistance check box. In the Display The Following Message text box, you can type a custom message that users will see when they are denied access to a file or folder. You can also add certain variables in brackets that will insert customized text, such as:

■ [Original File Path] The original file path that was accessed by the user.

■ [Original File Path Folder] The parent folder of the original file path that was accessed by the user.

■ [Admin Email] The administrator email recipient list.

■ [Data Owner Email] The data owner email recipient list.

You can also configure the file server to include a Request Assistance button in access-denied messages, which allows the user who was denied access to send an email to a predefined user. To configure this option, click Configure Email Requests, select the Enable Users To Request Assistance check box, and then click OK.

You can also use Group Policy to configure access-denied assistance on all file servers that fall within the scope of a GPO (as opposed to just one server). You use these two policy settings, both found in Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance:

■ Enable Access-Denied Assistance On Client For All File Types Use this policy setting to enable Windows clients for access-denied assistance of all types.

■ Customize Message For Access Denied Errors Use this policy setting to customize the message that users see when access is denied. These message customization options are the same as those you see when you customize access-denied messages by using File Server Resource Manager.

For the 70-412 exam, you need to remember the general steps of how to configure access-denied assistance by using either File Server Resource Manager or Group Policy. For more detailed information about the configuration process, search for “Deploy Access-Denied Assistance (Demonstration Steps)” on TechNet or visit http://technet.microsoft.com/en-us/