As a follow up to an earlier post I made on Advanced NTFS Permissions I thought I’d post some notes I made recently on Security Principals, ACE, ACLs, DACLs, and SACLs
A security principal is an entity that can be authenticated by the system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account and Security groups of these accounts. The important thing to remember is that each principal is automatically assigned a security identifier (SID)when it is created and that these are unique. This is why a domain computer cannot access domain resources if its account is deleted even when a new account with the same name exists.
Access Control Entry (ACE)
An Access Control Entry (ACE) is an element in an access control list (see below). Each ACE controls or monitors access to an object. We see an ACE when we look in the list of security principals which have access tab on an object.
Access Control Lists (ACL)
Broadly speaking an ACLs are the lists of security principals (users, groups and computers that have access to an object. There are two types of ACL. The DACL and the SACL.
Discretionary access control lists (DACLs).
DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not explicitly identify a security principal it will be denied access to that object.
System access control lists (SACLs).
SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. Auditing is used to monitor events related to system or network security. A SACL can be found by selecting the Advanced Security settings on an object button and selecting the Auditing Tab