How Access Control Works in Active Directory
Access control for Active Directory objects is based on the Windows NT/Windows 2000 access-control model. For a detailed description of this model and its components, such as security descriptors, access tokens, SIDs, ACLs, and ACEs, see Access Control Model.
The basic outline of this model is as follows:
- Security descriptor. Each directory object has its own security descriptor containing security information that protects the object. Among other things, the security descriptor can contain a discretionary access-control list (DACL). A DACL contains a list of access-control entries (ACEs). Each ACE allows or denies a set of access rights to a user or group. The access rights correspond to the operations, such as reading and writing properties, that can be performed on the object.
- Security context. When you try to access a directory object, your application specifies the credentials of the security principal who is making the access attempt. Once authenticated, these credentials determine your application's security context, which includes the group memberships and privileges associated with the security principal. See Security Contexts and Active Directory.
- Access check. The system grants access to an object only if the object's security descriptor grants the necessary access rights to the security principal attempting the operation (or to groups to which the security principal belongs).
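The three steps above, modelled as a small added example (not code from the Microsoft documentation): a security descriptor with a DACL of allow/deny ACEs, a token holding the caller's user and group SIDs, and an access check that walks the ACEs in order. The SIDs and right bits are constructed sample values, and the NULL-DACL and empty-DACL behaviour follows the general Windows rule that a NULL DACL leaves an object unprotected while an empty DACL grants nothing.

```python
# Added example: simplified model of the Windows access check for a directory
# object. ACEs are evaluated in order; a deny ACE that matches one of the
# token's SIDs and any requested right short-circuits to "denied", and allow
# ACEs accumulate rights until every requested right is granted.
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ_PROP, WRITE_PROP, DELETE = 0x1, 0x2, 0x4   # constructed right bits

@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # SID of a user or group
    rights: int        # access-right mask this ACE allows or denies

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL (object unprotected)

@dataclass
class Token:
    user: str                              # the authenticated principal's SID
    groups: Set[str] = field(default_factory=set)   # group membership SIDs

    def sids(self) -> Set[str]:
        return {self.user} | self.groups

def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Return True only if the DACL grants every bit in `desired` to the token."""
    if sd.dacl is None:            # NULL DACL: no protection, everything allowed
        return True
    granted = 0
    for ace in sd.dacl:            # empty DACL: nothing ever granted -> denied
        if ace.trustee not in token.sids():
            continue               # ACE is for some other user or group
        if ace.kind == "deny" and ace.rights & desired:
            return False           # first matching deny for a requested right wins
        if ace.kind == "allow":
            granted |= ace.rights & desired
            if granted == desired:
                return True        # all requested rights now granted
    return False                   # ran out of ACEs without full grant

# Constructed sample: a group is allowed read+write on this object, but one
# member of that group is explicitly denied write.
USER_SD = SecurityDescriptor(owner="S-1-5-21-X-500", dacl=[
    Ace("deny", "S-1-5-21-X-1105", WRITE_PROP),
    Ace("allow", "S-1-5-21-X-513", READ_PROP | WRITE_PROP),
])
```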