Windows Server 2003 - DACL
©2004 Team Approach Limited
All rights reserved


Discretionary Access Control List

The DACL is a list of ACEs (Access Control Entries). Each entry defines access permissions for an individual user or a group of users. If no entry corresponds to a user, then access is denied.

New in Windows 2000 security is the ability of an ACE to deny specific permissions. Windows processes all of the AccessDenied entries before the AccessAllowed entries, thereby giving precedence to the AccessDenied entries; that is, if there is a conflict, the AccessDenied entry applies. If you deny permissions, Windows displays a warning dialog.

The following example DACL shows how the AccessDenied entries appear before the AccessAllowed entries.

Type    Name         Permission    Inherited From     Apply To
Deny    JoeUser      Delete        <not inherited>    This folder, ...
Allow   SalesGroup   Read          <not inherited>    This folder, ...

Windows checks each ACE in a DACL as follows.

  • Access is denied if an ACE denies access to any of the requested permissions.
  • Access is allowed if all of the requested permissions are allowed in the DACL.
  • Access is denied if any of the requested permissions is not explicitly allowed.

Consider the example DACL above, where JoeUser is a member of SalesGroup. The following table shows examples of access requests and the resulting access that is granted.

Access Request    Access Granted
Read              Read access allowed to group members
Write             No access - Write not specified
Read, Write       No access - Write not specified
Read, Delete      No access - Delete denied

Creator Owner

Normally users and groups are specified in an ACE, but there is a special trustee known as Creator Owner. A Creator Owner ACE on a parent object acts as a default entry: when a child object is created, the ACE is automatically applied to the child with the creating user as the trustee.

ACE
Creator Owner   Full control
JoeUser         Full control - automatically set if JoeUser creates the file

For printer queues, Creator Owner is set to have the Manage Documents permission so that users can delete their own print jobs if necessary.
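As an added example (not code from the original page), the Python below models the three evaluation rules and the Creator Owner substitution described above, using the page's own example DACL and permission names; the Ace class and the function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Ace:
    kind: str          # "Deny" or "Allow"
    trustee: str       # user, group, or the special trustee "Creator Owner"
    rights: frozenset  # permission names as on the page, e.g. {"Read"}

# The page's example DACL, constructed here as data.
EXAMPLE_DACL: List[Ace] = [
    Ace("Deny", "JoeUser", frozenset({"Delete"})),
    Ace("Allow", "SalesGroup", frozenset({"Read"})),
]

def check_access(dacl: Iterable[Ace], user: str, groups: Iterable[str],
                 requested: Iterable[str]) -> Tuple[bool, str]:
    """Apply the page's three rules to one access request: Deny ACEs are
    processed before Allow ACEs, a matching Deny on any requested right
    refuses the whole request, and a requested right that no ACE allows
    also refuses it (so a DACL with no entry for the user denies all)."""
    aces = list(dacl)
    principals = {user, *groups}
    wanted = set(requested)
    ordered = ([a for a in aces if a.kind == "Deny"]
               + [a for a in aces if a.kind == "Allow"])
    allowed = set()
    for ace in ordered:
        if ace.trustee not in principals:
            continue  # entry is for some other user or group
        hit = ace.rights & wanted
        if ace.kind == "Deny" and hit:
            return False, "No access - %s denied" % ", ".join(sorted(hit))
        if ace.kind == "Allow":
            allowed |= hit
    missing = wanted - allowed
    if missing:
        return False, "No access - %s not specified" % ", ".join(sorted(missing))
    return True, "%s access allowed" % ", ".join(sorted(wanted))

def dacl_for_new_child(parent_dacl: Iterable[Ace], creator: str) -> List[Ace]:
    """Derive a child's DACL from the parent's default entries: each
    "Creator Owner" ACE is copied with the creating user as its trustee."""
    return [Ace(a.kind, creator if a.trustee == "Creator Owner" else a.trustee,
                a.rights) for a in parent_dacl]
```

Running the four requests from the table above through check_access with JoeUser as a member of SalesGroup reproduces the table's results row by row.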

Keyboard Exercise

Find the DACL for a folder and look at both the standard and advanced view.