Security


Authorization in Windows 2000 Server

Authorization is determined by using DACLs. A DACL can be set on any securable Windows object, but the most common are DACLs on files and folders, on registry keys, and on Active Directory objects. For more information about using the Windows DACL Editor, see “Access Control” in the Distributed Systems Guide.

To demonstrate how access is determined, it is necessary to look at how DACLs are structured. As mentioned previously, a DACL is a series, or list, of ACEs; each ACE contains the SID of a user or group account, an access mask listing specific rights (such as read or write), and a type indicating whether the ACE allows or denies those rights to that account. For example, a DACL may contain four ACEs:

When a process requests access to the object, Windows 2000 Server compares the SIDs in the calling token (the user SID and the SIDs of the groups the user belongs to) against the SIDs in the object's DACL. The ACEs are examined in order, and only ACEs whose SID appears in the token count. If an access-denied ACE matches and denies any requested right that has not yet been granted, the check stops and access is denied. If an access-allowed ACE matches, the rights it grants are added to those already accumulated, and the check stops with access granted as soon as every requested right has been accumulated. If the end of the DACL is reached before that, access is denied. Because the first matching ACE can settle the outcome, the order of ACEs matters: the DACL Editor places explicit access-denied ACEs ahead of explicit access-allowed ACEs so that an explicit denial is always seen before any grant. Two special cases are worth noting: an object with no DACL at all (a null DACL) is unprotected and grants every requester full access, whereas an object with an empty DACL (a DACL containing no ACEs) grants no one any access.
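The evaluation order described above, as an added example that is not part of the original page: a Python model of the DACL walk rather than a call into the Win32 AccessCheck API. The four-ACE DACL, the two tokens, the trustee SIDs and the subset of file access-mask bits are constructed for the example; the SID strings follow the well-known Windows values but nothing here touches a real object.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Subset of the file access-mask bits (values as in the Win32 headers)
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
DELETE = 0x00010000

ACCESS_ALLOWED = "ACCESS_ALLOWED_ACE"
ACCESS_DENIED = "ACCESS_DENIED_ACE"

# Well-known SIDs used by the constructed token and DACL
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
GUESTS = "S-1-5-32-546"


@dataclass(frozen=True)
class Ace:
    ace_type: str  # ACCESS_ALLOWED or ACCESS_DENIED
    sid: str       # trustee the ACE applies to
    mask: int      # rights the ACE allows or denies


def access_check(dacl: Optional[List[Ace]], token_sids: Set[str], requested: int) -> bool:
    """Model of how Windows walks a DACL for a token.

    - A null DACL means the object has no protection: everything is granted.
    - ACEs are evaluated strictly in list order; ACEs whose SID is not in the
      token (user SID plus group SIDs) are skipped.
    - An access-denied ACE that covers any right still outstanding ends the
      check with denial.
    - An access-allowed ACE removes the rights it grants from the outstanding
      set; the check succeeds as soon as nothing is outstanding.
    - Reaching the end of the list with rights still outstanding is a denial,
      so an empty DACL (no ACEs) grants nobody anything.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == ACCESS_DENIED:
            if ace.mask & remaining:
                return False
        elif ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
    return remaining == 0


def is_canonical(dacl: Optional[List[Ace]]) -> bool:
    """True when no access-allowed ACE precedes an access-denied ACE.

    The DACL Editor writes ACEs in this order; a DACL assembled by hand in the
    wrong order lets an early allow satisfy the request before a later deny is
    ever examined.
    """
    seen_allow = False
    for ace in dacl or []:
        if ace.ace_type == ACCESS_ALLOWED:
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed four-ACE DACL on a file, in canonical order (deny ACE first)
SAMPLE_DACL = [
    Ace(ACCESS_DENIED, GUESTS, FILE_WRITE_DATA | DELETE),
    Ace(ACCESS_ALLOWED, USERS, FILE_READ_DATA | FILE_EXECUTE),
    Ace(ACCESS_ALLOWED, ADMINISTRATORS, FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE | DELETE),
    Ace(ACCESS_ALLOWED, EVERYONE, FILE_READ_DATA),
]

# Constructed tokens: the account's own SID plus the SIDs of its groups
USER_TOKEN = {"S-1-5-21-1000-2000-3000-1001", USERS, EVERYONE}
GUEST_TOKEN = {"S-1-5-21-1000-2000-3000-501", GUESTS, EVERYONE}

# The same two ACEs for Users in both orders; only the canonical one denies writes
NONCANONICAL_DACL = [
    Ace(ACCESS_ALLOWED, USERS, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace(ACCESS_DENIED, USERS, FILE_WRITE_DATA),
]
CANONICAL_DACL = list(reversed(NONCANONICAL_DACL))


if __name__ == "__main__":
    print("user read:        ", access_check(SAMPLE_DACL, USER_TOKEN, FILE_READ_DATA))
    print("user read+write:  ", access_check(SAMPLE_DACL, USER_TOKEN, FILE_READ_DATA | FILE_WRITE_DATA))
    print("guest write:      ", access_check(SAMPLE_DACL, GUEST_TOKEN, FILE_WRITE_DATA))
    print("guest read:       ", access_check(SAMPLE_DACL, GUEST_TOKEN, FILE_READ_DATA))
    print("null DACL delete: ", access_check(None, GUEST_TOKEN, DELETE))
    print("empty DACL read:  ", access_check([], USER_TOKEN, FILE_READ_DATA))
    print("non-canonical write:", access_check(NONCANONICAL_DACL, USER_TOKEN, FILE_WRITE_DATA),
          "canonical:", is_canonical(NONCANONICAL_DACL))
    print("canonical write:    ", access_check(CANONICAL_DACL, USER_TOKEN, FILE_WRITE_DATA),
          "canonical:", is_canonical(CANONICAL_DACL))
```

The two Users DACLs show why ACE order is a security property rather than a cosmetic one: both contain exactly the same deny ACE, but in the non-canonical list the preceding allow ACE satisfies the write request before the deny is reached. When auditing DACLs written by tools other than the DACL Editor, checking for a deny ACE that follows an allow ACE is the quick way to find this condition.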


© 1997-1999 Microsoft Corporation. All rights reserved.