What Are Security Descriptors and Access Control Lists?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Technologies Related to Security Descriptors and Access Control Lists

  • Related Information

All objects in Active Directory, and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors, in turn, contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:

  • A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access

  • A system access control list (SACL) that controls how access is audited

You can use this access control model to individually secure objects such as files and folders, Active Directory objects, registry keys, and printers, as well as devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.

Security descriptors and ACLs are closely related to the technologies and components of the Windows Server 2003 security architecture that are described in the following sections.

Authentication and Access Tokens

Access tokens are created by the security system, and they contain security information about users who have logged on and been authenticated. When a user requests access to an object, the access token of the account requesting access is compared to the object’s DACL.


Each permission that an object’s owner grants to a particular user or group is stored as an access control entry (ACE) in a DACL that is part of the object’s security descriptor. In the user interface, ACEs are displayed as Permission Entries.


If auditing is configured for an object, the object’s security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object.

The following figure shows the relationship of security descriptors and ACLs to other key components of the authorization and access control model.

Relationship of Security Descriptors and ACLs to Other Authorization and Access Control Components

Authorization and Access Control Model

The following resources contain additional information that is relevant to this section: