How Access Control Works

When you attempt to access an object or container, Windows XP takes a look at your access token. This token contains a list of SIDs, including the unique user SID and the SIDs for each group to which a user belongs. If any of the SIDs associated with your account match any of the SIDs present in the DACL on the resource you are attempting to access, Windows XP evaluates the applicable ACEs to determine whether or not you should be allowed to interact with the resource.

Windows XP will check local ACEs before inherited ACEs, and Deny ACEs (which prevent a specified type of access) are evaluated before Allow ACEs (which, as the name suggests, allow a specific type of access). So, effective permissions are determined with ...

Get Platinum Edition Using® Microsoft® Windows® XP now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.