<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview[1]
[{$pagename}] ([ACE]) is an entry in an [Microsoft Windows] [Access Control List] ([ACL]). 


[{$pagename}] contains a set of access [permissions] and a [Security Identifier] ([SID]) that identifies a [trustee] for whom the rights are allowed, denied, or [audit|Auditing]

There are six types of [{$pagename}]s, three of which are supported by all securable objects. 

The other three types are Object-specific [ACEs] supported by directory service objects.

All [Access Control Entry Types] contain the following [Access Control] information:
* [Security Identifier] ([SID]) that identifies the [trustee] to which the [{$pagename}] applies.
* [MS Access Mask] - A 32-[bit] value that specifies the [rights|Privilege] that are allowed or denied in an [{$pagename}]. An access mask is also used to request access rights when an object is opened. specifies the access rights controlled by the [{$pagename}].
* A flag that indicates the [Access Control Entry Type]
* A set of [bit] flags that determine whether child containers or objects can inherit the [ACE] from the primary object to which the [ACL] is attached.


!! [{$pagename}] Inheritance
[{$pagename}] Inheritance is subkey can inherit [ACEs] from the key above it in the hierarchy. Likewise, a file in an NTFS file system can inherit [ACEs] from the directory that contains it.

The ACE_HEADER structure of an ACE contains a set of inheritance flags that control ACE inheritance and the effect of an ACE on the object to which it is attached. The system interprets the inheritance flags and other inheritance information according to the rules of ACE inheritance.\\
These rules have the following features:
* Support for automatic propagation of inheritable ACEs.
* A flag that differentiates between inherited ACEs and ACEs that were directly applied to an object.
* Object-specific ACEs that allow you to specify the type of child object that can inherit the ACE.
* The ability to prevent a [Discretionary Access Control List] or [System Access Control List] from inheriting [ACEs] by setting the 
** SE_DACL_PROTECTED or 
** SE_SACL_PROTECTED bits in the [Security Descriptor]'s control bits except for SYSTEM_RESOURCE_ATTRIBUTE_ACE and SYSTEM_SCOPED_POLICY_ID_ACE.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Access Control Lists|https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx|target='_blank'] - based on information obtained 2016-08-10
</pre>