Access Control Entries (ACEs)

Each Access Control List is made up of Access Control Entries (ACEs). An ACE specifies that a user or group of users has access or auditing permissions for a file or resource. There are three ACE types — two for discretionary access control and one for system security.

The discretionary ACEs are AccessAllowed and AccessDenied. These explicitly grant and deny access to a user or group of users. NTFS always processes an AccessDenied ACE before an AccessAllowed ACE. The first AccessDenied ACE that denies a user access to a resource stops all further ACE processing.

The Windows NT Server operating system reserves system security ACEs for its own use. For example, SystemAudit is a system security ACE that Windows NT Server uses to log security events. These events range from identifying users who access particular files to generating and logging security audit messages.
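The evaluation order described above, as an added example (not code from the original page or from Windows): a simplified Python model in which AccessDenied entries are checked first, AccessAllowed entries accumulate, and SystemAudit entries only produce log records. The permission bits, trustee names, audit message format and sample ACL are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # constructed permission bits, not real NT access masks

@dataclass(frozen=True)
class Ace:
    kind: str      # "AccessDenied", "AccessAllowed" or "SystemAudit"
    trustee: str   # user or group name
    mask: int      # permission bits the entry covers

def access_check(acl, user, groups, wanted):
    """Return (granted, audit_events) for `user` requesting the `wanted` bits."""
    who = {user, *groups}
    hits = [a for a in acl if a.trustee in who and a.mask & wanted]
    # SystemAudit entries never grant or deny; they only produce log records.
    events = [f"audit: {user} via {a.trustee} mask={wanted:#x}"
              for a in hits if a.kind == "SystemAudit"]
    # AccessDenied entries are processed first; the first hit ends evaluation.
    for a in hits:
        if a.kind == "AccessDenied":
            return False, events
    # AccessAllowed entries accumulate until every requested bit is covered.
    remaining = wanted
    for a in hits:
        if a.kind == "AccessAllowed":
            remaining &= ~a.mask
            if remaining == 0:
                return True, events
    return False, events   # bits no entry granted are implicitly denied

# Constructed sample ACL for a hypothetical file.
SAMPLE_ACL = [
    Ace("AccessAllowed", "Staff", READ | WRITE),
    Ace("AccessDenied", "Contractors", WRITE),
    Ace("AccessAllowed", "alice", DELETE),
    Ace("SystemAudit", "Contractors", READ | WRITE),
]

if __name__ == "__main__":
    for user, groups, wanted in [
        ("alice", ["Staff"], READ | DELETE),       # two allow entries combine
        ("bob", ["Staff", "Contractors"], WRITE),  # group deny overrides group allow
        ("bob", ["Staff", "Contractors"], READ),   # deny covers WRITE only
        ("carol", [], READ),                       # no matching entry at all
    ]:
        print(user, hex(wanted), access_check(SAMPLE_ACL, user, groups, wanted))
```

In the sample ACL the deny entry for Contractors sits after the allow entry for Staff, yet bob's write request is still refused, which is the deny-first behaviour the text describes.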