An Access Control Entry (ACE) is an entry in a discretionary access control list (DACL) or a system access control list (SACL). It specifies the access or auditing permissions that a particular user or group has to an object in Active Directory or on a volume formatted with the NTFS file system.

How It Works
An ACE is part of a DACL or a SACL for an object and contains information that is used to control the access attributes of that object.
An ACE specifies two pieces of information:
- The security identifier (SID) of the security principal (user, group, or computer) to which the ACE applies
- The level of access to the object permitted for that security principal
An access mask specifying the possible permissions that can be assigned to the object is included with each ACE. An ACE can provide one of the following:
- Discretionary access control for explicitly granting or denying access to a specific user or group (AccessAllowed and AccessDenied entries)
- System security access control for generating security audit logs (SystemAudit entry)
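
The three fields described above (entry type, SID, access mask) can be read directly from the binary layout Windows uses for a basic ACE. The following Python code is an added example, not part of the original article; the function names are this example's own, the sample ACE bytes are constructed for illustration, and object-type ACEs (which carry extra GUID fields) are not handled.

```python
import struct

# AceType byte of the ACE header -> the entry kinds named above.
ACE_TYPES = {0: "AccessAllowed", 1: "AccessDenied", 2: "SystemAudit"}

# Standard and generic rights, which mean the same for every object type.
RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

def parse_sid(buf):
    """Render a binary SID in its S-1-... string form."""
    if len(buf) < 8 or len(buf) != 8 + 4 * buf[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(buf[2:8], "big")      # 6 bytes, big-endian
    subs = struct.unpack("<%dI" % buf[1], buf[8:])   # 32-bit little-endian
    return "-".join(["S", str(buf[0]), str(authority)] + [str(s) for s in subs])

def parse_ace(buf):
    """Decode one basic (non-object) ACE: header, access mask, trustee SID."""
    if len(buf) < 8:
        raise ValueError("ACE shorter than header plus access mask")
    ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf)
    if size != len(buf):
        raise ValueError("AceSize disagrees with the buffer length")
    if ace_type not in ACE_TYPES:
        raise ValueError("ACE type %d not handled here" % ace_type)
    return {
        "type": ACE_TYPES[ace_type],
        "flags": flags,
        "sid": parse_sid(buf[8:]),
        "rights": [name for bit, name in sorted(RIGHTS.items()) if mask & bit],
        # Low 16 bits are object-specific (file, directory object, ...).
        "object_specific_bits": mask & 0xFFFF,
    }

# Constructed samples: allow full file access to S-1-5-32-544
# (BUILTIN\Administrators); deny WRITE_DAC to S-1-1-0 (Everyone).
SAMPLE_ALLOW = bytes.fromhex("00001800ff011f00" "010200000000000520000000" "20020000")
SAMPLE_DENY = bytes.fromhex("0100140000000400" "010100000000000100000000")

if __name__ == "__main__":
    for raw in (SAMPLE_ALLOW, SAMPLE_DENY):
        print(parse_ace(raw))
```

The low 16 bits of the mask are returned undecoded because their meaning depends on the object type the ACE protects.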