A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. These are very often attributes that you find if you open the properties of an object in Active Directory – things like a user’s title, department or location are claims that you can define, so is the department classification of a file, or the health state of a computer. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
- User claims: Active Directory attributes that are associated with a specific user.
- Device claims: Active Directory attributes that are associated with a specific computer object.
- Resource attributes: global resource properties that are marked for use in authorization decisions and published in Active Directory.
Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
Creating a Claim:
- Open the Active Directory Administrative Center and select Dynamic Access Control from the list on the left:
- Right-click Claim Types and select New:
- Select the attribute you want to use for the claim. Keeping the example from when I introduced Dynamic Access Control, we create a claim based on the department the user works in: Finance.
- To stay with the scenario, I’m also adding a claim for office location (Office) and the AD VDI container:
You create claims to meet the business objectives for securing data; the actual attributes you use to reach that goal will likely be very different from the ones in this scenario, but I hope this shows the power and flexibility you get from setting up claims.
The relevant PowerShell cmdlets for reading, creating, changing and deleting claims all share the ADClaimType noun (Get-, New-, Set- and Remove-ADClaimType):
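The same Department and Office claim types from the scenario above, created with the ADClaimType cmdlets instead of the console. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) on a Windows Server 2012 or later forest, and the suggested values, descriptions and the `physicalDeliveryOfficeName` mapping for the Office field are choices made for this example, not anything the post prescribes.

```powershell
# Added example (not from the original post): create the Department and Office
# user claim types with the ADClaimType cmdlets.
# Assumes the ActiveDirectory module and a 2012+ forest schema; the attribute
# mapping, suggested values and descriptions below are constructed for the scenario.
Import-Module ActiveDirectory

# One ADSuggestedValueEntry per allowed value: (Value, DisplayName, Description).
function New-SuggestedValue {
    param([string]$Value, [string]$Description)
    New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
               -ArgumentList $Value, $Value, $Description
}

# Claim definitions for the scenario. Restricting the claim to the suggested
# values keeps a stray value in a user's attribute from matching (or silently
# missing) a rule that was written against the expected set.
$claims = @(
    @{
        DisplayName     = 'Department'
        SourceAttribute = 'department'
        Description     = 'Department the user works in (constructed example)'
        SuggestedValues = @(
            (New-SuggestedValue 'Finance'     'Finance department'),
            (New-SuggestedValue 'Engineering' 'Engineering department')
        )
    },
    @{
        DisplayName     = 'Office'
        SourceAttribute = 'physicalDeliveryOfficeName'   # backs the "Office" field in ADUC
        Description     = 'Office location of the user (constructed example)'
        SuggestedValues = @(
            (New-SuggestedValue 'London'   'London office'),
            (New-SuggestedValue 'New York' 'New York office')
        )
    }
)

foreach ($c in $claims) {
    # Idempotent: report an existing claim type instead of failing on a duplicate.
    $existing = Get-ADClaimType -Filter "DisplayName -eq '$($c.DisplayName)'"
    if ($existing) {
        Write-Host "Claim type '$($c.DisplayName)' already exists: $($existing.ID)"
        continue
    }
    New-ADClaimType -DisplayName $c.DisplayName `
                    -SourceAttribute $c.SourceAttribute `
                    -Description $c.Description `
                    -AppliesToClasses @('user') `
                    -SuggestedValues $c.SuggestedValues `
                    -RestrictValues $true `
                    -Enabled $true `
                    -ProtectedFromAccidentalDeletion $true
    Write-Host "Created claim type '$($c.DisplayName)'"
}

# Review the result; the ID is the value that central access rules reference.
Get-ADClaimType -Filter "DisplayName -eq 'Department' -or DisplayName -eq 'Office'" |
    Select-Object DisplayName, SourceAttribute, ID, Enabled, RestrictValues, AppliesToClasses
```

Run it once with `-WhatIf` added to the `New-ADClaimType` call to see what would be published before touching the configuration partition. Claim types replicate forest-wide, so the same `Get-ADClaimType -Filter` check is the quickest way to confirm the definition landed on the domain controllers your file servers talk to; `Set-ADClaimType` changes an existing type and `Remove-ADClaimType` deletes one (after clearing the accidental-deletion protection set above).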