Creating Custom DLP Classification Rules and Policy

When I first looked into this, the TechNet documentation was extensive but not as specific as I would have liked, so here is the quick and dirty version of custom DLP classification.

Creating and importing custom Classifications

  1. First you need to create your custom rule pack XML (example below).
  2. Save it as an XML file in Unicode (UTF-16) encoding (C:\MyNewPolicy.xml). The on-disk encoding has to match the encoding="utf-16" declaration at the top of the file, otherwise the XML parser may reject it at import time.
  3. Open the XML in Internet Explorer; if it is well-formed you will see the XML tree rather than a parse error.
  4. Then import it with PowerShell (from the Exchange Management Shell):
    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path C:\MyNewPolicy.xml -Encoding Byte -ReadCount 0))
  5. Once it is imported you should be able to select the new sensitive information type when creating a DLP policy in the EAC.

Creating a custom DLP Rule

  1. Log in to the EAC (i.e.
  2. Click Compliance management, then Data loss prevention.
  3. Click the + (New) icon, then New custom policy.
  4. Name your policy and choose your mode (I like to test with Policy Tips), then click Save.
  5. Select the policy and click the pencil (Edit) icon to edit your new policy.
  6. Select Rules from the left.
  7. Click the + icon to create a new rule.
  8. In the Apply this rule if field choose The message contains sensitive information...
  9. Click Select sensitive information types... (if applicable).
  10. Click the + icon to choose from the list.
  11. You should now see your new classification (from the example below it would be Secure Product Codes\ DLP by


Useful Tools

Example of a Rule Classification XML

 <?xml version="1.0" encoding="utf-16"?>
 <!-- The namespace URI was stripped from the page as published; this is the
      standard Microsoft classification rule package namespace. -->
 <RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
   <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
     <Version major="1" minor="0" build="0" revision="0" />
     <Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6" />
     <Details defaultLangCode="en-us">
       <LocalizedDetails langcode="en-us">
         <PublisherName>DLP by</PublisherName>
         <Name>Secure Product Codes</Name>
         <Description>Secure Products</Description>
       </LocalizedDetails>
     </Details>
   </RulePack>
   <Rules>
     <!-- Product Code -->
     <!-- The IdMatch regex must hit, and at least one keyword from the Match
          group must appear within patternsProximity (300) characters of it,
          for the entity to be detected at this confidence level. -->
     <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
       <Pattern confidenceLevel="75">
         <IdMatch idRef="Regex_Product_Code" />
         <Match idRef="Code" />
       </Pattern>
     </Entity>
     <Regex id="Regex_Product_Code">[A-Z]{3}[0-9]{9}</Regex>
     <Keyword id="Code">
       <Group matchStyle="word">
         <!-- The keyword terms did not survive on the published page. The term
              below is a placeholder; replace it with the corroborating words
              that appear near a real product code in your mail. -->
         <Term>product code</Term>
       </Group>
     </Keyword>
     <LocalizedStrings>
       <!-- idRef must equal the Entity id above; this is the name shown in the EAC. -->
       <Resource idRef="acc59528-ff01-433e-aeee-13ca8aaee159">
         <Name default="true" langcode="en-us">Product Code</Name>
         <Description default="true" langcode="en-us">A custom classification for detecting product codes that have 3 uppercase letters and 9 numbers</Description>
       </Resource>
     </LocalizedStrings>
   </Rules>
 </RulePackage>
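As an added example that is not part of the original post, the following script checks a rule pack like the one above before importing it, so that a broken file is caught in the shell rather than in the EAC. It assumes the file is saved as C:\MyNewPolicy.xml in UTF-16, uses the Microsoft rule package namespace, and refers to the regex id Regex_Product_Code from the XML above; the sample strings are constructed for the test. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): validate a custom DLP rule pack,
# smoke-test its regex, then import it. Path and regex id are assumptions
# matching the XML sample above.
$path = 'C:\MyNewPolicy.xml'

# Parsing with the .NET XML parser is the scriptable version of "open it in
# Internet Explorer": a malformed file throws here instead of at import time.
[xml]$pack = Get-Content -Path $path -Raw

$ns = New-Object System.Xml.XmlNamespaceManager($pack.NameTable)
$ns.AddNamespace('mce', 'http://schemas.microsoft.com/office/2011/mce')

$problems = @()

# Every Entity needs a LocalizedStrings/Resource with the same GUID (that is the
# name the EAC displays), and every IdMatch/Match must point at a Regex or
# Keyword that is actually defined in the pack.
$resourceIds = @($pack.SelectNodes('//mce:Resource', $ns) | ForEach-Object { $_.idRef })
$definedIds  = @($pack.SelectNodes('//mce:Regex | //mce:Keyword', $ns) | ForEach-Object { $_.id })
foreach ($entity in $pack.SelectNodes('//mce:Entity', $ns)) {
    if ($resourceIds -notcontains $entity.id) {
        $problems += "Entity $($entity.id) has no matching <Resource> (no display name in the EAC)"
    }
    foreach ($ref in $entity.SelectNodes('.//mce:IdMatch | .//mce:Match', $ns)) {
        if ($definedIds -notcontains $ref.idRef) {
            $problems += "Entity $($entity.id) references undefined id '$($ref.idRef)'"
        }
    }
}

# Each <Regex> must compile; a bad expression is only reported once it is in use.
foreach ($rx in $pack.SelectNodes('//mce:Regex', $ns)) {
    try   { $null = [regex]$rx.InnerText }
    catch { $problems += "Regex '$($rx.id)' does not compile: $($_.Exception.Message)" }
}

# A <Keyword> <Group> without any <Term> is well-formed XML but has nothing to
# corroborate a match with, so the pattern can never reach its confidence level.
foreach ($kw in $pack.SelectNodes('//mce:Keyword', $ns)) {
    if (-not $kw.SelectNodes('.//mce:Term', $ns).Count) {
        $problems += "Keyword '$($kw.id)' has no <Term> entries"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Rule pack failed validation; not importing.'
}

# Smoke-test the product-code regex on constructed strings so you know what the
# expression itself flags before it is attached to a policy. (The classifier
# additionally requires a keyword within patternsProximity, so this tests the
# regex, not the whole rule.)
$productCode = [regex]$pack.SelectSingleNode("//mce:Regex[@id='Regex_Product_Code']", $ns).InnerText
foreach ($sample in 'ABC123456789', 'abc123456789', 'ABC12345678', 'ref ABC123456789.') {
    '{0,-20} -> {1}' -f $sample, $productCode.IsMatch($sample)
}

# Import (the same call the steps above use). To replace a pack that is already
# imported under the same RulePack id, use Set-ClassificationRuleCollection.
New-ClassificationRuleCollection -FileData ([Byte[]](Get-Content -Path $path -Encoding Byte -ReadCount 0))
Get-DataClassification -Identity 'Product Code' | Format-List Name, Publisher, Description
```

The first three samples exercise the two character classes and the digit count; the last one shows that the expression as written is unanchored, so a code embedded in surrounding text is still found. If you only want codes that stand on their own, that is the point to tighten the regex before importing.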

/PrepareDomain error when security customizations have been made to Active Directory


Configuring Microsoft Exchange Server

    Organization Preparation                                  FAILED
     The following error was generated when "$error.Clear();
          if ($RolePrepareAllDomains)
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:(
$RoleIsDatacenter -or $RoleIsPartnerHosted);
          elseif ($RoleDomain -ne $null)
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot
:($RoleIsDatacenter -or $RoleIsPartnerHosted);
              initialize-DomainPermissions -CreateTenantRoot:($RoleIsDatacenter
-or $RoleIsPartnerHosted);
        " was run: "PrepareDomain for domain Domain was unable to add the group CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=domain,DC=local to the group CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=domain,DC=local on domain controller server.domain.local, because the current user does not have permissions to modify Exchange Servers. Please ensure that the current user can modify the membership of Exchange Servers and run PrepareDomain again.".

The user running setup does not have permission to modify the AD groups it needs to modify.
The Exchange Servers group that was created by /PrepareDomain is a member of the Windows Authorization Access Group.
If the permissions on that group have been changed (for example, inheritance blocked as part of AD hardening), /PrepareDomain may not be able to modify its membership.
Of course, Exchange setup then gives you an error that does not point you at the actual cause.


  1. Verify that you are running setup /PrepareDomain as a Domain Admin.
  2. Reset the permissions on the Windows Authorization Access Group by re-enabling the Inherited option on its security tab, then manually add the Exchange Servers group as a member of Windows Authorization Access Group. Re-run /PrepareDomain and it should complete without error.
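The checks and the fix described above, as an added example that is not part of the original post. It assumes the Active Directory PowerShell module (RSAT) is available on the machine where setup runs and that the two groups still carry their default names; nothing else about the environment is known.

```powershell
# Added example (not from the original post): inspect the two groups the setup
# error names, record any explicit ACEs, then apply the fix from the post.
Import-Module ActiveDirectory

$exchangeServers = Get-ADGroup -Identity 'Exchange Servers'
$waag            = Get-ADGroup -Identity 'Windows Authorization Access Group'

# Step 1: confirm the token you are running with actually carries Domain Admins.
$isDomainAdmin = [bool]((whoami /groups) -match 'Domain Admins')
"Running as Domain Admin: $isDomainAdmin"

# Step 2: look for the customization. A protected ACL (inheritance blocked) on
# either group is what stops setup from writing the member attribute.
foreach ($group in $exchangeServers, $waag) {
    $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $state = if ($acl.AreAccessRulesProtected) { 'inheritance BLOCKED' } else { 'inheritance enabled' }
    '{0}: {1}' -f $group.Name, $state

    # Record the explicit (non-inherited) ACEs before touching anything. If the
    # customization was deliberate hardening, you will want to re-apply it once
    # setup has finished rather than leave the group on default permissions.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table -AutoSize
}

# Is Exchange Servers already a member of Windows Authorization Access Group?
# (Reading the member attribute directly avoids Get-ADGroupMember problems with
# the foreign security principals that built-in groups often contain.)
$waagMembers = (Get-ADGroup -Identity $waag -Properties member).member
$alreadyMember = $waagMembers -contains $exchangeServers.DistinguishedName
"Exchange Servers in WAAG: $alreadyMember"

# Step 3 (the fix from the post): re-enable inheritance on the Windows
# Authorization Access Group while keeping its explicit ACEs, add the
# membership by hand, then re-run setup /PrepareDomain.
$acl = Get-Acl -Path "AD:\$($waag.DistinguishedName)"
$acl.SetAccessRuleProtection($false, $true)   # $false = inherit again, $true = keep explicit ACEs
Set-Acl -Path "AD:\$($waag.DistinguishedName)" -AclObject $acl
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $waag -Members $exchangeServers
}
```

Run the inspection part first and keep its output; the explicit ACE listing is the only record of what the hardening looked like before inheritance is turned back on.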