Configuring DACLs to Secure Active Directory Objects
All objects and their properties in Active Directory have security descriptors to control access to the object and the values of the object’s attributes. As with NTFS file system objects, the Active Directory object’s security descriptor includes a discretionary access control list (DACL) and a system access control list (SACL) in addition to the object’s ownership data. Figure 5-1 shows a security descriptor.
Figure 5-1. Contents of a security descriptor for Active Directory objects and attributes
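The parts of a security descriptor named above (owner, DACL, SACL) can be seen by splitting one written in SDDL, the string form Windows uses for security descriptors. The parser below is an added example, not code from the original text. SDDL is not mentioned in the original, and the sample string, GUID, SID and function names are constructed for illustration.

```python
import re

# Constructed SDDL string for illustration; not from a real directory object.
SAMPLE_SDDL = (
    "O:DAG:DA"
    "D:PAI(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)(A;CI;RPLCRC;;;AU)"
    "(OA;;CR;11111111-2222-3333-4444-555555555555;;S-1-5-21-1111-2222-3333-1105)"
    "S:AI(AU;SA;WPWDWO;;;WD)"
)
PARTS = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def parse_acl(text):
    """Return the ACL control flags and its ACEs as dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace = dict(zip(ACE_FIELDS, fields))
        # Rights are concatenated two-letter codes, e.g. "RPWP" -> RP, WP.
        # Assumption: hexadecimal access masks (0x...) are not handled.
        r = ace["rights"]
        ace["rights"] = [r[i:i + 2] for i in range(0, len(r), 2)]
        aces.append(ace)
    return {"flags": text.split("(", 1)[0], "aces": aces}

def parse_sddl(sddl):
    """Split a security descriptor into owner, group, DACL and SACL."""
    marks, depth = [], 0
    for i, ch in enumerate(sddl):
        if ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == ":" and depth == 0 and i and sddl[i - 1] in PARTS:
            marks.append(i - 1)  # position of the O/G/D/S tag letter
    marks.append(len(sddl))
    sd = dict.fromkeys(PARTS.values())
    for start, end in zip(marks, marks[1:]):
        tag, value = sddl[start], sddl[start + 2:end]
        sd[PARTS[tag]] = parse_acl(value) if tag in "DS" else value
    return sd

def trustees_with(acl, right):
    """Trustees that an allow ACE (A or OA) in this ACL grants `right`."""
    return [a["trustee"] for a in acl["aces"]
            if a["type"] in ("A", "OA") and right in a["rights"]]

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print(sd["owner"], sd["dacl"]["flags"], trustees_with(sd["dacl"], "WD"))
```

Calling `trustees_with(sd["dacl"], "WD")` lists the trustees allowed to rewrite the DACL itself, a useful first check when reviewing who can change an object's permissions.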
What Are DACLs?
DACLs can be configured at the discretion of any account that possesses the ...