Access Control Entry (ACE)

Access Control Entry, or ACE, is an entry in a discretionary access control list (DACL) or a system access control list (SACL). An access control entry (ACE) specifies the access or auditing permissions to an object in Active Directory or on a volume formatted using the NTFS file system for a particular user or group.

Access Control List

How It Works

An ACE is part of a DACL or a SACL for an object and contains information that is used to control the access attributes of that object.

An ACE specifies two pieces of information:

  • The security identifier (SID) of the security principal (user, group, or computer) to which the ACE applies
  • The level of access to the object permitted for that security principal

An access mask specifying the possible permissions that can be assigned to the object is included with each ACE. An ACE can provide one of the following:

  • Discretionary access control for explicitly granting or denying access to a specific user or group (AccessAllowed and AccessDenied entries)
  • System security access control for generating security audit logs (SystemAudit entry)


Articles posted after being checked by editors.

Recent Posts