One of the most powerful and, at the same time, most complicated areas in security is that of Access Control Lists (ACL). ACLs are used to secure resources for both local and remote access. Per the official definition, ACLs enumerate which subjects have what type of access to which objects. Subjects in this sense are users and any program acting on their behalf. Objects are everything else that the subjects might want to access. Subjects are often referred to as "security principals" in Windows. A security principal is essentially equivalent to a subject, an entity that can be granted or denied access to something.

The net result of an ACL is that a user has a set of permissions to an object, such as a directory. These permissions can be the result of the user's direct permissions or group memberships. The effective permissions on a folder are show in Figure 5-1.

This chapter is all about ACLs, and specifically how they have changed in Windows Vista and what that means for you, as the administrator of one or more Windows Vista systems. While a comprehensive coverage of ACLs is beyond the scope of this book, we will introduce you to enough of the basics to allow you to understand how access control is changing in Windows Vista. We start by reviewing a bit of terminology about ACLs to ensure that we have a common language for the discussion to follow.