Overview[1]#

Discretionary Access Control List (DACL) are a component of the Security Descriptor which identifies the trustees that are allowed or denied access to a securable object within Microsoft Active Directory or Microsoft Windows

Discretionary Access Control List is accessed when access to a Securable object is requested and the system checks the ACEs in the object's Discretionary Access Control List to determine whether to grant access to the securable object.

• If the securable object does NOT have a Discretionary Access Control List, the system grants full access to everyone.
• If the securable object's Discretionary Access Control List has no Access Control Entry, the system denies all attempts to access the object because the Discretionary Access Control List does not allow any access rights.

The system checks the Access Control Entries in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.

More Information#

There might be more information for this subject on one of the following:

• Access Control Entry
• Access Control Entry Type
• Access Control List
• DACL
• DACL_SECURITY_INFORMATION
• Mandatory Integrity Control
• NT-Sec-Desc
• Security Descriptor

---

• [#1] - Access Control Lists - based on information obtained 2016-08-10