A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) has one security identifier (SID) that identifies a trustee.

User accounts include accounts that human users or programs such as Windows Services use to log on to the local computer.

Group accounts cannot be used to log on to a computer, but they are useful in ACEs to allow or deny a set of access rights to one or more user accounts.

A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user logs off.

The access control functions use the TRUSTEE structure to identify a trustee. The TRUSTEE structure enables you to use a name string or a SID to identify a trustee. If you use a name, the functions that create an ACE from the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName, that initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE information. Three other helper functions, GetTrusteeForm, GetTrusteeName, and GetTrusteeType, retrieve the values of the various members of a TRUSTEE structure.

The ptstrName member of the TRUSTEE structure can be a pointer to an OBJECTS_AND_NAME or OBJECTS_AND_SID structure. These structures specify information about an object-specific ACE in addition to a trustee name or SID. This enables functions such as SetEntriesInAcl and GetExplicitEntriesFromAcl to store object-specific ACE information in the Trustee member of the EXPLICIT_ACCESS structure.
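The following C sketch is an added example, not code from the original page: it builds one trustee from a SID and one from a name, passes both to SetEntriesInAcl, and reads the entries back with GetExplicitEntriesFromAcl and the GetTrusteeForm and GetTrusteeType helpers. The account name "Guests", the chosen access rights, and the function name build_acl_from_trustees are assumptions made for illustration; the non-Windows branch exists only so the file compiles elsewhere.

```c
/* Added example, not from the original page. Win32 only; link with advapi32. */
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

/* Builds a two-entry ACL, one trustee by SID and one by name, then reads the
   entries back. Returns the number of explicit entries, or -1 on failure. */
int build_acl_from_trustees(void)
{
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD sidLen = sizeof(sid);
    EXPLICIT_ACCESSW ea[2], *out = NULL;
    PACL acl = NULL;
    ULONG count = 0, i;
    int result = -1;

    /* Trustee by SID: the well-known Authenticated Users group. */
    if (!CreateWellKnownSid(WinAuthenticatedUserSid, NULL, sid, &sidLen))
        return -1;
    ZeroMemory(ea, sizeof(ea));
    ea[0].grfAccessPermissions = GENERIC_READ;
    ea[0].grfAccessMode = GRANT_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    BuildTrusteeWithSidW(&ea[0].Trustee, sid);

    /* Trustee by name: SetEntriesInAcl looks up and allocates the SID.
       "Guests" is an assumed account name; it must resolve on this machine. */
    ea[1].grfAccessPermissions = GENERIC_WRITE;
    ea[1].grfAccessMode = DENY_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    BuildTrusteeWithNameW(&ea[1].Trustee, L"Guests");

    /* An unresolvable name fails here (for example ERROR_NONE_MAPPED). */
    if (SetEntriesInAclW(2, ea, NULL, &acl) != ERROR_SUCCESS)
        return -1;
    if (GetExplicitEntriesFromAclW(acl, &count, &out) == ERROR_SUCCESS) {
        for (i = 0; i < count; i++)
            printf("entry %lu: form=%d type=%d\n", i,
                   (int)GetTrusteeFormW(&out[i].Trustee),
                   (int)GetTrusteeTypeW(&out[i].Trustee));
        result = (int)count;
        LocalFree(out);
    }
    LocalFree(acl);
    return result;
}
#else
/* The TRUSTEE API exists only on Windows; other platforms get a sentinel. */
int build_acl_from_trustees(void) { return -2; }
#endif
```

BuildTrusteeWithName stores the pointer it is given rather than copying the string, so the name buffer must stay valid until SetEntriesInAcl has been called.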