How Microsoft IT Helped Secure and Improve Payroll Data Access Management with Windows Server 2012 Dynamic Access Control

Quick Reference Guide

Published January 2013

The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.

Learn how Microsoft IT helped secure and improve payroll data access management with Windows Server 2012 Dynamic Access Control.


Download Quick Reference Guide, 322 KB, Microsoft Word file

Executive Overview

Microsoft Information Technology (Microsoft IT) supports more than 100,000 employees worldwide by providing key infrastructure and line-of-business (LOB) applications to users and business groups within Microsoft. As the company's first and best customer, Microsoft IT has a mandate to adopt the latest versions of Microsoft products and to use them in real-world, enterprise-scale environments.

With the release of Windows Server 2012, Microsoft IT wanted to run a Proof of Concept (POC) to explore the permissions management benefits offered by Dynamic Access Control in Windows Server 2012. This POC was designed to help the company's payroll department better manage access to the large amount of sensitive data that the payroll team processes every month.

Why You Should Care:

  • Securing access to sensitive data such as personally identifiable information (PII), payroll details, and financial data is an important part of a company's operations and is a critical aspect of maintaining compliance with government regulations.
  • Due to the scale of documents and numbers of users, enterprises can find that managing access permissions to sensitive data can add significant administrative overhead.
  • Businesses need to move away from complexity that makes auditing difficult to perform, to simplistic groups that can be coupled together in order to obtain the correct access permissions.
  • As supporting consumerization of IT in the enterprise becomes more commonplace, providing more secure and flexible access control to data is critical.
  • Enterprises can leverage the best practices used by Microsoft IT to ease their adoption of Dynamic Access Control as a core component of a streamlined, automated permissions management solution.


Existing Payroll Process Supporting Components

The existing payroll process encompasses the following main components:

  • A Microsoft SharePoint site where payroll team members perform work for the current month. At the end of the month, payroll team members run a process that archives the month's data and moves it to an internal File Share (see below)
  • A File Share that acts as the receptacle for long-term archival storage
  • A domainName\userName-based access control model that controls access to the SharePoint and File Share environments
  • A custom tool that payroll personnel use to manually update access permissions on specific folders throughout the File Share

Challenges with the Existing System

  • The permissions audit process on the SharePoint site is unwieldy. The payroll team has to regularly review more than 140 SharePoint groups to confirm that the appropriate people have the proper permissions settings. Any change to a user's permissions must be made manually in SharePoint, and then the custom tool must be run to push the updates back to the archived folders on the File Share.
  • Due to the scale of the data, the team relies on the SharePoint audit process to manage access across both locations. Microsoft IT would have to build another custom tool to enable such a process.
  • The domainName\userName access control is problematic because access would not automatically change when a user's role changed. Instead, payroll admins must manually remove users from the SharePoint site and then must run the custom tool for each country (which could be more than 20 times) to synchronize the updates. For example, if someone left the payroll team, they would still have access to the payroll data until Payroll ran the tool to adjust their permissions in every country folder in the File Share where they previously had access.
  • When copying new archives from the SharePoint site to the File Share, access permissions are brought over with the data. Although users who are currently part of the SharePoint groups can read the archive folder, this is a static setting that requires use of the Microsoft IT custom tool to update access permissions on a per-item basis.
  • Accessing archives can be cumbersome because users are unable to browse files or folders in the archive hierarchy. Instead, a user must provide the exact full path name to the specific sub-folder level where their permissions become valid. For example, the user would have to provide a specific path such as "\\<File_Share>\<Folder>\<Folder>\<Folder>\", but would not be able to navigate up the folder structure to view another time period or country.


  • Microsoft IT designed a POC to investigate how a new solution based on the Windows Server 2012 Dynamic Access Control might help the payroll team better manage data access.
  • In the POC, Payroll is able to continue using their existing SharePoint and File Share environments but without having to use the custom tool to manually apply permissions changes.
  • Permissions in the new system are dynamic: when a user is added to or removed from a security group, the related permissions that allow or prevent access to a particular archive are updated in near real time.
  • Microsoft IT defined rules to support compound security groups (SGs) such as, If in SG1 & SG2, grant access, which reduces the combinations of SGs needed to manage the system.
  • Users can now browse the File Share, stepping up and down through the folder hierarchy to navigate to the desired location. The Dynamic Access Control-based permissions control what each user sees: only the folders and files to which they have access are visible.


  • Using Dynamic Access Control in the POC, Microsoft IT was able to reduce the more than 140 SharePoint groups that Payroll had to manage for access to the archived File Share down to approximately 30 security groups.
  • The new Dynamic Access Control-based system significantly reduces the time needed to change a user’s permissions. A payroll administrator would need approximately two hours to update permissions in the existing system can now be achieved in near real time with the new system.

Best Practices

  • Have a solution manager—who can bridge your IT groups and the business by translating business needs into IT terms—involved as a key member of your implementation/management team.
  • Bring your security team into the conversation to help define the most applicable and manageable set of security groups. Microsoft IT engaged with Windows® 8 and security teams to confirm how their security groups with interact with their SharePoint environment, Active Directory®, and other security-related technologies in the corporate infrastructure.
  • Strive as much as possible to reduce the number of different groups that you need to manage.
  • Determine what type of archival structure you need. In particular, do you require actual folders or just metadata?
    • Do you need to secure items from other groups? If so, try to align permissions at a folder level.
    • Do you just need to separate different types of content to ease discovery? If this is the case, folders might not be necessary. You could opt to apply metadata tags that can be used in both File Share and SharePoint.
  • Consider how your users work with your SharePoint sites. Plan a structured and known hierarchy where users will easily understand where to place and to find their required content. In particular, consider:
    • "Discoverability"/metadata: How long does it take to find a document?
    • "Putability": How much time does it take to put a document where it needs to go?


Using the new system in the POC, Payroll is able to:

  • Significantly improve both the management and user experience while maintaining the same SharePoint and File Share structures that were already in place with the earlier system.
  • Centrally manage access to information based on business and compliance needs.
  • Add a user to the correct security groups in near real time.
  • Shift responsibility for accessing information away from IT administrations and to the appropriate person--the content owner.
  • Improve productivity: provides timely access to archival data.
  • Improve usability: Whereas the existing system requires knowledge of precise hierarchical location/path for any file, the new system in the POC allows users to navigate up/down the folder structure.


  • The POC has demonstrated that Dynamic Access Control enables information governance by introducing new capabilities for centrally controlling and auditing access to information in files. Windows Server 2012 fundamentally changed Payroll's approach to identity and access management, providing a far more manageable and user-friendly solution.
  • Microsoft IT is moving beyond the POC and planning to expand their DAC-based permission control into production for Payroll.
  • In future implementations, Microsoft IT will add the use of Active Directory claims to define permissions based on both security groups and claims.
  • Dynamic Access Control can be used outside of Payroll to achieve similar permissions management benefits. Microsoft IT is currently exploring implementing Dynamic Access Control within the company's legal and product departments.