Directory And File Security

Once NT can reliably identify (authenticate) every user, it can control the resources that they have access to. The details of which user can access each resource are maintained internally by NT as Access Control Lists (ACLs).

The first and most obvious of these resources is the files and directories stored on the network drives. Under NTFS, each individual file and directory can be assigned permissions using the Security page in the appropriate Properties dialog in Windows NT Explorer. By assigning access permissions only to selected groups of accounts, you deny access to that file or directory to all users who are not members of those groups (unless you assigned permission directly to that user's account).

The default when you install NT is to allow the special global account Everyone full access to all files and directories, meaning that there are no limitations. Remove this when you add user groups to a directory or file. You can also specify different types of access, such as Full Control, Read, Write or Change; or Special Access where you define the actions that can be performed down to a more granular level.
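To find where the Everyone default is still in place, the following added example (not from the book) walks a directory tree and reports every object whose ACL allows Everyone Full Control. It assumes a current Windows system with PowerShell; the function name `Find-EveryoneFullControl` and the scratch directory are constructed for the illustration.

```powershell
# Added example (not from the book): report NTFS objects that allow Everyone Full Control.
function Find-EveryoneFullControl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL, which inherit-only ACEs can carry unmapped

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Skip objects whose ACL cannot be read with the current token.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }

        # Request SIDs instead of names so the match works on any display language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }   # well-known SID of Everyone
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$rule.FileSystemRights
            if ((($rights -band $full) -eq $full) -or (($rights -band $genericAll) -ne 0)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Inherited = $rule.IsInherited   # $false means the ACE was set on this object
                }
            }
        }
    }
}

# Constructed demo: a scratch directory given an explicit Everyone / Full Control ACE.
$demo = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'report.txt') | Out-Null

$acl  = Get-Acl -LiteralPath $demo
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl

# Lists the directory (explicit ACE) and report.txt (inherited ACE).
Find-EveryoneFullControl -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Rows with `Inherited` set to false mark the objects where the entry has to be removed; the inherited rows disappear once the parent is fixed.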

In other applications, the kinds of permissions you can assign to each group or user vary; for instance, it doesn't make sense for a network printer to have a Read permission. In MSMQ, we have events like Create Queue and Receive Dead Letter.

© 1998 by Wrox Press. All rights reserved.