Access Control List: What is the ACL?
The Access Control List or ACL is used by operating systems to track which accounts hold which permissions for different objects and resources. Read on to learn about the ACL in Windows.
Access Control Lists (ACLs) are generally used to limit access to data objects. An ACL contains a number of entries called ACEs (Access Control Entries); each ACE describes one individual access rule. For example, an entry might set a user’s permissions for an object (such as a file on the file server) to a specific level, e.g. “Read”, “Write” or “Full Control”.
The ACL is how Windows authorizes users to access different resources. Read our blog post to learn more about authentication and authorization in Windows.
ACL in Microsoft Windows
In Microsoft Windows, several object types can carry an ACL through their security descriptor, e.g. processes, directories, files, organizational units (OUs) in Active Directory, Exchange mailboxes and so on. For ACLs on an NTFS file system, the ACEs within an ACL have the following properties:
Both individual users and groups can be authorized. Windows displays the name of the user or group, although the entry itself stores the SID of that security principal.
The users and groups can be either local computer users or Active Directory users/groups.
Permissions can be granted or denied. Deny entries are automatically written ahead of allow entries in the ACL, so they are evaluated first and deny takes priority.
Entries can either be inherited from the parent folder or set explicitly on the object (explicitly set entries rank above inherited entries).
Each entry can comprise specific permissions (NTFS defines which permissions exist).
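To make the ordering rules above concrete, here is a small Python model of an NTFS-style access check. It is an added illustration, not code from the original article or from Microsoft; the SIDs, the display names and the four-bit rights subset are constructed for the example, and a real Windows access check uses the full NTFS rights mask. The model sorts ACEs into the canonical order Windows applies (explicit deny, explicit allow, inherited deny, inherited allow), then walks the list: a matching deny on a still-requested right ends the check, while matching allows strip rights off the request until nothing is left.

```python
from dataclasses import dataclass

# Constructed rights subset (assumption: real NTFS masks have many more bits).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
DELETE = 0x8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute", DELETE: "Delete"}

# Constructed SIDs; the ACL stores these, not the names.
ALICE = "S-1-5-21-1000-1000-1000-1001"
BOB = "S-1-5-21-1000-1000-1000-1002"
CAROL = "S-1-5-21-1000-1000-1000-1003"
DEVS = "S-1-5-21-1000-1000-1000-1100"   # a group; members carry it in their token

# What Windows shows instead of the raw SID (constructed lookup table).
DISPLAY_NAMES = {ALICE: r"CORP\alice", BOB: r"CORP\bob", CAROL: r"CORP\carol", DEVS: r"CORP\Developers"}


@dataclass(frozen=True)
class ACE:
    sid: str          # trustee (user or group SID)
    allow: bool       # True = access-allowed ACE, False = access-denied ACE
    mask: int         # bitmask of rights this entry grants or denies
    inherited: bool   # True if propagated from the parent folder


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow (stable sort)."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(acl, token_sids, requested):
    """Return True if the token (a set of user + group SIDs) gets every requested right."""
    remaining = requested
    for ace in canonical_order(acl):
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this principal
        if ace.allow:
            remaining &= ~ace.mask        # these rights are now satisfied
        elif ace.mask & remaining:
            return False                  # deny on a right still being asked for
        if remaining == 0:
            return True
    # An empty ACL grants nothing (unlike a missing DACL, which grants everything).
    return remaining == 0


def render_acl(acl):
    """Render the ACL the way an admin sees it: names, not SIDs, in canonical order."""
    lines = []
    for ace in canonical_order(acl):
        rights = "+".join(name for bit, name in RIGHT_NAMES.items() if ace.mask & bit)
        kind = "Allow" if ace.allow else "Deny "
        origin = "inherited" if ace.inherited else "explicit"
        lines.append(f"{kind} {DISPLAY_NAMES.get(ace.sid, ace.sid):<16} {rights:<28} ({origin})")
    return lines


# Constructed ACL for a file under a folder that grants Developers Read+Write.
SAMPLE_ACL = [
    ACE(DEVS, allow=True, mask=READ | WRITE, inherited=True),
    ACE(BOB, allow=False, mask=WRITE, inherited=False),
    ACE(BOB, allow=True, mask=FULL_CONTROL, inherited=False),
    ACE(ALICE, allow=False, mask=WRITE, inherited=True),
    ACE(ALICE, allow=True, mask=WRITE, inherited=False),
]

if __name__ == "__main__":
    print("\n".join(render_acl(SAMPLE_ACL)))
    print("alice write:", access_check(SAMPLE_ACL, {ALICE, DEVS}, WRITE))   # explicit allow beats inherited deny
    print("bob write:  ", access_check(SAMPLE_ACL, {BOB, DEVS}, WRITE))     # explicit deny beats explicit allow
    print("carol delete:", access_check(SAMPLE_ACL, {CAROL, DEVS}, DELETE)) # nothing grants it
```

The two interesting cases are bob and alice: bob is denied Write even though an explicit Full Control allow exists for him, because the deny is ordered first; alice is allowed Write despite an inherited deny, because her explicit allow is ordered ahead of any inherited entry. When auditing file-server permissions, it is that ordering, not the order entries happen to appear in a GUI, that decides the outcome.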
Best Practices for Access Management In Microsoft® Environments
Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.