When a thread tries to access a securable object, the system either grants or denies access. If the object does not have a DACL, the system grants the requested access. Otherwise, the system looks for ACEs in the object's DACL that apply to the thread. Each ACE in the object's DACL specifies the access rights allowed or denied for a trustee, which can be a user account, group account, or logon session.
The system compares the trustee in each ACE to the trustees identified in the thread's access token. An access token contains SIDs that identify the user and the group accounts to which the user belongs. A token also contains a logon SID that identifies the current logon session. During an access check, the system ignores group SIDs that are not enabled. For more information on enabled, disabled, and deny-only SIDs, see SID Attributes in an Access Token.
Typically, the system uses the primary access token of the thread that is requesting access. However, if the thread is impersonating another user, the system uses the thread's impersonation token.
The system examines each ACE in sequence until one of the following events occurs:
The following diagram illustrates how an object's DACL can allow access to one thread while denying access to another.
For Thread A, the system reads ACE 1 and immediately denies access because the access-denied ACE applies to the user in the thread's access token. In this case, the system does not check ACEs 2 and 3. For Thread B, ACE 1 does not apply, so the system proceeds to ACE 2, which allows write access, and ACE 3 which allows read and execute access.
Because the system stops checking ACEs when the requested access is explicitly granted or denied, the order of ACEs in a DACL is important. Note that if the ACE order were different in the example, the system might have granted access to Thread A. For system objects, Microsoft defines a preferred order of ACEs in a DACL.
For some object types, you can use the TrusteeAccessToObject function to determine the types of access that an object's DACL grants to a specified trustee. TrusteeAccessToObject uses a name string to identify an object of interest.
You cannot use TrusteeAccessToObject with mailslot, named pipe, process, thread, window station, and desktop objects. Use the following procedure to determine a trustee's access rights to these types of objects, or to other objects identified by a handle.