Document Quarantine Using Windows Server 2012 Dynamic Access Controls

Document quarantine refers to a scenario where you want to identify, protect, and take further action on data that matches certain conditions. In practice this means preventing certain types of sensitive files from being stored on file shares where they would be accessible to large numbers of employees.

Let’s assume the sensitive files are those that contain personally identifiable information (PII). After discussing the pros and cons of various approaches and the expected outcome of each, we came up with the following desired behaviors for the quarantine solution:

  • PII is automatically identified and classified.
  • PII is protected regardless of the file share or folder it is stored in.
  • If PII is stored on certain file shares – those with relatively open permissions – the file owner is notified of the policy violation so they can take action.
  • If no action is taken, files in violation of corporate policy are moved to a secure location accessible only to administrators.

This can be easily implemented using some of the new Dynamic Access Control capabilities in Windows Server 2012.
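As an added example (not code from the original post or from Microsoft), the following PowerShell uses the Windows Server 2012 File Server Resource Manager cmdlets to realize the classification, notification, and move steps from the list above: a Yes/No classification property, a content rule that sets it, and a file management job on the open share that warns the owner and, after a grace period, expires matching files into an administrator-only folder. The share path, quarantine folder, PII regular expression, grace period, and the `[Source File Owner Email]` / `[Source File Path]` notification macros are assumptions for illustration; the "protected regardless of share" behavior (a central access policy keyed on the PII property) is not shown.

```powershell
# Added example: FSRM configuration for PII document quarantine.
# All names, paths, the regex and the macros are constructed placeholders.
Import-Module FileServerResourceManager

# 1. Classification property that marks a file as containing PII.
New-FsrmClassificationPropertyDefinition -Name "PII" -Type YesNo `
    -Description "File contains personally identifiable information"

# 2. Content-based rule: files whose text matches the (deliberately simple,
#    constructed) SSN-style pattern are tagged PII=Yes on every run.
New-FsrmClassificationRule -Name "Detect PII" `
    -Property "PII" -PropertyValue "Yes" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -Namespace @('D:\Shares\Public') `
    -ReevaluateProperty Overwrite

# 3. Condition for the file management job: only files tagged PII=Yes.
$condition = New-FsrmFmjCondition -Property "PII" -Condition Equal -Value "Yes"

# 4. Owner notification sent 7 days before the move (macro names assumed).
$notifyOwner = New-FsrmFmjNotificationAction -Type Email `
    -MailTo "[Source File Owner Email]" `
    -Subject "Policy violation: PII stored on an open file share" `
    -Body "Your file [Source File Path] was classified as containing PII and will be moved to a restricted location in 7 days unless you relocate or sanitize it."
$notification = New-FsrmFmjNotification -Days 7 -Action $notifyOwner

# 5. Expiration action: move the file to a folder only administrators can read.
$quarantine = New-FsrmFmjAction -Type Expiration -ExpirationFolder "D:\Quarantine"

# 6. Weekly job on the open share tying condition, notification and action together.
New-FsrmFileManagementJob -Name "Quarantine PII on Public share" `
    -Namespace @('D:\Shares\Public') `
    -Condition $condition `
    -Notification $notification `
    -Action $quarantine `
    -Schedule (New-FsrmScheduledTask -Time (Get-Date "02:00") -Weekly Sunday)

# Optional: classify now instead of waiting for the scheduled run.
Start-FsrmClassification
```

The quarantine folder must have its own restrictive NTFS ACL set beforehand; FSRM moves the file but does not change the destination's permissions. Running the classification rule with `-ReevaluateProperty Overwrite` means a file that is later sanitized loses the PII tag on the next pass, so the file management job does not act on it.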

If you are interested in how this is accomplished, read the complete post at https://blogs.technet.com/b/wincat/archive/2012/08/20/document-quarantine-with-windows-server-2012-dynamic-access-control.aspx.