Platform SDK: Active Directory, ADSI, and Directory Services

Object and Attribute Protection

An access-control list (ACL) protects all objects in Active Directory. ACLs determine who can see the object, what attributes they can see, and what actions each user can perform on the object. The existence of an object or an attribute is never revealed to a user who is not allowed to see it.

An ACL is a list of access-control entries (ACEs) stored with the object it protects. In Windows NT/Windows 2000, an ACL is stored as a binary value, called a security descriptor. Each ACE contains a security identifier (SID), which identifies the principal (user or group) to whom the ACE applies, and information on what type of access the ACE grants or denies.

ACLs on directory objects contain ACEs that apply to the object as a whole and ACEs that apply to the individual attributes of the object. This allows an administrator to control not just which users can see an object, but what properties those users can see. For example, all users might be granted read access to the e-mail and telephone number attributes for all other users, but security properties of users might be denied to all but members of a special security administrators group. Individual users might be granted write access to personal attributes such as the telephone and mailing addresses on their own user objects.
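The following Python script is an added example, not code from the Platform SDK: it builds a self-relative security descriptor whose DACL mixes object-wide ACEs and attribute-specific object ACEs, parses it back using the documented SECURITY_DESCRIPTOR, ACL, ACE and SID layouts, and then evaluates which rights a given token holds on one attribute. The domain group SID and the three attribute GUIDs are constructed placeholders (they are not real schemaIDGUID values); the well-known SIDs S-1-5-10 (Principal Self) and S-1-5-11 (Authenticated Users), the ACE type codes and the ADS_RIGHT_DS_READ_PROP / ADS_RIGHT_DS_WRITE_PROP mask bits are taken from the SDK headers.

```python
"""Build, parse and evaluate a directory-style DACL with per-attribute ACEs.
Added example; the domain SID and attribute GUIDs below are constructed placeholders."""
import struct
import uuid

# ACE types, object-ACE flags, DS access-mask bits and SD control bits (SDK header values)
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x05, 0x06
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
DS_READ_PROP, DS_WRITE_PROP = 0x10, 0x20
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACL_REVISION_DS = 4                      # required for object ACEs

AUTHENTICATED_USERS = "S-1-5-11"         # well-known SID
PRINCIPAL_SELF = "S-1-5-10"              # well-known SID: the object's own user
SEC_ADMINS = "S-1-5-21-1-2-3-1105"       # constructed placeholder domain group
MAIL_GUID = uuid.UUID("11111111-1111-1111-1111-111111111111")      # placeholder
PHONE_GUID = uuid.UUID("22222222-2222-2222-2222-222222222222")     # placeholder
SECPROP_GUID = uuid.UUID("33333333-3333-3333-3333-333333333333")   # placeholder

def sid_to_bytes(sid):
    """Encode "S-rev-auth-sub..." as revision, count, 6-byte big-endian authority, LE subs."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def ace(ace_type, mask, sid, object_type=None):
    """Serialize one ACE; object ACEs carry a flags word and an optional attribute GUID."""
    body = struct.pack("<I", mask)
    if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
        flags = ACE_OBJECT_TYPE_PRESENT if object_type else 0
        body += struct.pack("<I", flags) + (object_type.bytes_le if object_type else b"")
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(aces):
    """Self-relative SD with only a DACL; owner/group/SACL offsets left at 0."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl

def parse_dacl(sd):
    """Walk the DACL and return one dict per ACE; None means no DACL (unprotected)."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return None
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        (mask,) = struct.unpack_from("<I", sd, off + 4)
        pos, obj = off + 8, None
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            (flags,) = struct.unpack_from("<I", sd, pos)
            pos += 4
            if flags & ACE_OBJECT_TYPE_PRESENT:
                obj = uuid.UUID(bytes_le=sd[pos:pos + 16])
                pos += 16
            if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                pos += 16                    # inherited-object GUID, unused here
        sid, _ = sid_from_bytes(sd, pos)
        aces.append({"type": ace_type, "mask": mask, "sid": sid, "object": obj})
        off += ace_size
    return aces

def rights_on_attribute(aces, token_sids, attribute_guid):
    """Access mask the token holds on one attribute.  ACEs are walked in order:
    a deny seen first withholds those bits from later allows, and an ACE with no
    object GUID applies to every attribute of the object."""
    granted, denied = 0, 0
    for a in aces:
        if a["sid"] not in token_sids:
            continue
        if a["object"] is not None and a["object"] != attribute_guid:
            continue
        if a["type"] in (ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            denied |= a["mask"]
        else:
            granted |= a["mask"] & ~denied
    return granted

def sample_sd():
    """The policy described in the text: everyone reads mail and phone, only the
    security-admins group touches the security property, users edit their own phone."""
    return build_sd([
        ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DS_READ_PROP | DS_WRITE_PROP, SEC_ADMINS, SECPROP_GUID),
        ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DS_READ_PROP, AUTHENTICATED_USERS, MAIL_GUID),
        ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DS_READ_PROP, AUTHENTICATED_USERS, PHONE_GUID),
        ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, DS_WRITE_PROP, PRINCIPAL_SELF, PHONE_GUID),
    ])

if __name__ == "__main__":
    aces = parse_dacl(sample_sd())
    for who, token in (("user", {AUTHENTICATED_USERS}),
                       ("admin", {AUTHENTICATED_USERS, SEC_ADMINS}),
                       ("self", {AUTHENTICATED_USERS, PRINCIPAL_SELF})):
        print(who, [hex(rights_on_attribute(aces, token, g)) for g in (MAIL_GUID, PHONE_GUID, SECPROP_GUID)])
```

Note that the sample DACL withholds the security property from ordinary users by simply not granting it rather than by adding a deny ACE for Authenticated Users: because a deny is honoured before a later allow, such a deny would also lock out the security administrators, who are authenticated users too. A descriptor whose DACL is absent (`parse_dacl` returns `None`) protects nothing, so a checker should treat that case as a finding rather than as "no rights".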