Configuring DACLs to Secure Active Directory Objects

All objects and their properties in Active Directory have security descriptors to control access to the object and the values of the object’s attributes. As with NTFS file system objects, the Active Directory object’s security descriptor includes a discretionary access control list (DACL) and a system access control list (SACL) in addition to the object’s ownership data. Figure 5-1 shows a security descriptor.

Figure 5-1. Contents of a security descriptor for Active Directory objects and attributes

What Are DACLs?

DACLs can be configured at the discretion of any account that possesses the ...

Get Microsoft® Windows® Security Resource Kit, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.