
Access Control List (ACLs) and Access Control Entries (ACEs)

What you will learn:

In this article, we will take a look at what an access control list (ACL) and an access control entry (ACE) are, the components that make up an ACL and ACE, and also dive into the types of ACLs and ACEs, and their purposes.

What are Access Control Lists, and why do we need them?

In an Active Directory network, not all users or computers require access to every object and file in the network. Limiting access is a security measure: critical resources could be misused if a user in the environment turns rogue or a computer is breached. Learn more about Active Directory Object Permissions from here. This is where an access control list (ACL) comes into play.

In Active Directory, access control lists are tables, or simple lists, that define the trustees who have access to the object in question and what type of access they have. A trustee may be any security principal, such as a user account, group, or logon session. Each access control list has a set of access control entries, and each ACE names a trustee and the type of access that trustee has. Because an ACL can hold multiple ACEs, an object can be accessed by multiple trustees. Access control lists are also used for auditing purposes, such as recording attempts to access a securable object and the type of access attempted. A securable object is any named object in Active Directory that has a security descriptor, the structure that holds the object's security information, including its ACLs.

Types of Access Control Lists

There are two types of access control lists, each of which performs one of the two functions of an ACL.

What is an Access Control Entry?

An access control list contains a list of elements called access control entries. Each access control entry in the ACL names a trustee and defines what type of access the trustee has for the securable object in question. A list of such ACEs in an ACL thus dictates a securable object’s entire access permissions, thereby keeping the object secure from any threat of critical data exposure that might have devastating consequences. Implementation of such security clearance measures keeps the organization secure from potential data breaches or hacks.

Types of access control entries

ACEs are classified into 6 types based on their function. Three of these types are supported by all securable objects. The types of ACEs are as follows:

The following three ACE types are not supported by all securable objects. They are called object-specific ACEs, and they are associated with directory service objects.

Components of an Access Control Entry

Every access control entry has the following components:

  1. The security identifier (SID) of a trustee. Each SID is unique to a trustee.
  2. An access mask, which is a 32-bit value that defines the operations that are either allowed or denied for the trustee.
  3. A flag that indicates the type of ACE, such as whether it is an access-denied ACE, an access-allowed ACE, or a system-audit ACE.
  4. A set of bit flags that determine if child containers or objects can inherit the ACE from their primary object or parent.

Why the order of Access Control Entries is important

When the system checks an access control list for access permissions, it walks the ACEs in sequence until it finds an ACE that denies or allows the requested access, and then rejects or grants access to the trustee accordingly. It is therefore important to place access-denied ACEs before ACEs that allow access.

For example, suppose you want to grant a group access to a shared folder, but you do not want one member of that group to have access. In this case, you would define an access-denied ACE for the group member first, and then an access-allowed ACE for the group. By default, access-denied ACEs are listed before access-allowed ACEs in an ACL.
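The following is an added example, not code from the original article: a simplified model of the DACL walk described above, using constructed sample SIDs and a small constructed access mask. It shows the group-minus-one-member scenario in canonical order, and the same ACEs mis-ordered so the denied member slips through.

```python
from dataclasses import dataclass

# Constructed access-mask bits standing in for real 32-bit rights
READ, WRITE, DELETE = 0x1, 0x2, 0x4

ACCESS_ALLOWED = "ACCESS_ALLOWED"
ACCESS_DENIED = "ACCESS_DENIED"


@dataclass
class ACE:
    sid: str        # trustee SID
    mask: int       # rights this ACE allows or denies
    ace_type: str   # ACE type flag: ACCESS_ALLOWED or ACCESS_DENIED
    inherit: bool = False  # inheritance flag (not consulted by the check)


def access_check(dacl, token_sids, requested):
    """Walk the DACL in order. A matching denied ACE that covers any still
    outstanding right rejects access; allowed ACEs remove rights from the
    outstanding set until nothing is left (access granted). Reaching the end
    of the list with rights outstanding is an implicit deny."""
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue  # ACE does not apply to this token
        if ace.ace_type == ACCESS_DENIED and ace.mask & remaining:
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed sample SIDs (not real principals)
GROUP_SID = "S-1-5-21-1000-2000-3000-1105"
BOB_SID = "S-1-5-21-1000-2000-3000-1118"    # group member to exclude
ALICE_SID = "S-1-5-21-1000-2000-3000-1119"  # ordinary group member

# Canonical order: denied ACE first, then the group's allowed ACE
canonical_dacl = [
    ACE(BOB_SID, READ | WRITE, ACCESS_DENIED),
    ACE(GROUP_SID, READ | WRITE, ACCESS_ALLOWED),
]
# Mis-ordered: the allowed ACE is matched first, so Bob's deny is never reached
misordered_dacl = list(reversed(canonical_dacl))

if __name__ == "__main__":
    print("Bob, canonical :", access_check(canonical_dacl, {BOB_SID, GROUP_SID}, READ))
    print("Bob, misordered:", access_check(misordered_dacl, {BOB_SID, GROUP_SID}, READ))
```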
