Access-Control Components

There are two basic components of the access-control model: access tokens, which carry the security context of a logged-on user, and security descriptors, which carry the security information of a securable object.

When a user logs on to a Windows NT system, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers (SIDs) that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.

When a securable object is created, the system assigns it a security descriptor containing security information specified by its creator, or default security information if none is specified. Applications can use Win32 functions to get and set the security information for an existing object.

A security descriptor identifies the object's owner and can also contain two access-control lists (ACLs): a discretionary access-control list (DACL), which identifies the trustees that are allowed or denied access to the object, and a system access-control list (SACL), which controls how the system audits attempts to access the object.

An ACL contains a list of access-control entries (ACEs). Each ACE specifies a set of access rights and contains a SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account, group account, or logon session. The system evaluates the ACEs of a DACL in order and stops at the first ACE that decides the request, so a DACL is expected to be in canonical order, with access-denied ACEs before access-allowed ACEs; an allowed ACE placed ahead of a denied ACE for the same trustee silently defeats the denial.

Use the Win32 functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements to the security system from breaking existing code.
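The binary layout of the structures described above, as an added example that is not part of the original page or the Windows SDK: a small Python encoder/decoder for a self-relative SECURITY_DESCRIPTOR, its owner and group SIDs, and the ACE lists in its DACL and SACL, using the field layouts and constant values documented in winnt.h. The sample descriptor is constructed here, not captured from a system; the user SID ending in RID 1105 is hypothetical, and the function and constant names are this example's own. It also shows the two cases a practitioner most often needs to tell apart: a descriptor with no DACL at all, which grants everyone full access, versus a DACL that is present but empty, which denies all access, and it flags a DACL whose ACEs are not in canonical order.

```python
import struct

# Layout constants from winnt.h (values as documented in the Win32 SDK).
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE = 0, 1, 2
ACE_TYPE_NAMES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
INHERITED_ACE = 0x10
SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG = 0x40, 0x80
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACL_REVISION = 2


def encode_sid(text):
    """'S-1-5-32-544' -> SID bytes: revision, sub-authority count, 48-bit authority (big-endian), sub-authorities (LE)."""
    parts = text.split("-")
    assert parts[0] == "S" and parts[1] == "1", "only revision-1 SIDs exist"
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(buf, off):
    """Decode a binary SID at buf[off]; return its S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def encode_acl(aces):
    """aces: list of (ace_type, ace_flags, access_mask, sid_text) -> binary ACL (header + ACEs)."""
    body = b""
    for ace_type, flags, mask, sid in aces:
        sid_b = encode_sid(sid)
        # ACE_HEADER (type, flags, size) followed by the access mask and the trustee SID.
        body += struct.pack("<BBHI", ace_type, flags, 8 + len(sid_b), mask) + sid_b
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body


def decode_acl(buf, off):
    """Walk an ACL at buf[off]; return [(type_name, ace_flags, access_mask, sid_text), ...]."""
    _rev, _, _size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ACE_TYPE_NAMES.get(ace_type, "TYPE%d" % ace_type), flags, mask, decode_sid(buf, pos + 8)))
        pos += ace_size  # advance by AceSize, as the system does, never by a length computed from the SID
    return aces


def is_canonical_dacl(aces):
    """Canonical order: explicit DENY, explicit ALLOW, inherited DENY, inherited ALLOW.
    Out of order, an ALLOW can shadow a later DENY because evaluation stops at the first deciding ACE."""
    rank = [(2 if flags & INHERITED_ACE else 0) + (1 if kind == "ALLOW" else 0) for kind, flags, _, _ in aces]
    return rank == sorted(rank)


def build_security_descriptor(owner, group, dacl=None, sacl=None):
    """Assemble a self-relative SECURITY_DESCRIPTOR. dacl=None means the descriptor carries no DACL at all."""
    control = (SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl is not None else 0)
               | (SE_SACL_PRESENT if sacl is not None else 0))
    owner_b, group_b = encode_sid(owner), encode_sid(group)
    sacl_b = encode_acl(sacl) if sacl is not None else b""
    dacl_b = encode_acl(dacl) if dacl is not None else b""
    owner_off = 20  # the fixed header is 20 bytes; all offsets are relative to the descriptor start
    group_off = owner_off + len(owner_b)
    sacl_off = group_off + len(group_b) if sacl is not None else 0
    dacl_off = group_off + len(group_b) + len(sacl_b) if dacl is not None else 0
    return (struct.pack("<BBHIIII", 1, 0, control, owner_off, group_off, sacl_off, dacl_off)
            + owner_b + group_b + sacl_b + dacl_b)


def decode_security_descriptor(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR into owner, group, DACL, SACL and the DACL's net effect."""
    rev, _, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    assert rev == 1 and control & SE_SELF_RELATIVE, "expected a revision-1 self-relative descriptor"
    sd = {"owner": decode_sid(buf, owner_off), "group": decode_sid(buf, group_off)}
    if control & SE_DACL_PRESENT and dacl_off:
        sd["dacl"] = decode_acl(buf, dacl_off)
        sd["dacl_effect"] = ("empty DACL: every access request is denied" if not sd["dacl"]
                             else "ACEs evaluated in order" + ("" if is_canonical_dacl(sd["dacl"]) else " (NOT canonical)"))
    else:
        sd["dacl"] = None  # absent or NULL DACL: the system grants everyone full access
        sd["dacl_effect"] = "no DACL: everyone is granted full access"
    sd["sacl"] = decode_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else None
    return sd


# Constructed sample (not captured from a real system): Administrators own the object, SYSTEM is its group.
FILE_ALL_ACCESS, FILE_GENERIC_READ, WRITE_DAC = 0x1F01FF, 0x120089, 0x40000
SAMPLE_DACL = [
    (ACCESS_DENIED_ACE_TYPE, 0, WRITE_DAC, "S-1-1-0"),                # Everyone: may not rewrite the DACL
    (ACCESS_ALLOWED_ACE_TYPE, 0, FILE_ALL_ACCESS, "S-1-5-32-544"),    # Administrators: full control
    (ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE, FILE_GENERIC_READ, "S-1-5-21-1000-2000-3000-1105"),  # hypothetical user, inherited
]
SAMPLE_SACL = [(SYSTEM_AUDIT_ACE_TYPE, FAILED_ACCESS_ACE_FLAG, FILE_ALL_ACCESS, "S-1-1-0")]  # audit failed access by anyone


def decode_sample():
    return decode_security_descriptor(build_security_descriptor("S-1-5-32-544", "S-1-5-18", SAMPLE_DACL, SAMPLE_SACL))


def decode_no_dacl_sample():
    """Same owner and group, but no DACL at all: the classic 'everyone has full access' misconfiguration."""
    return decode_security_descriptor(build_security_descriptor("S-1-5-32-544", "S-1-5-18"))


if __name__ == "__main__":
    for name, sd in (("sample", decode_sample()), ("no-dacl", decode_no_dacl_sample())):
        print(name, sd["owner"], sd["group"], sd["dacl_effect"])
        for ace in (sd["dacl"] or []) + (sd["sacl"] or []):
            print("  %-5s flags=0x%02x mask=0x%08x %s" % ace)
```

A hand decoder like this is appropriate for bytes you have already captured, such as a descriptor read out of a registry hive or a directory attribute during an investigation. On a live system the advice above stands: retrieve and modify security information through the Win32 security functions rather than by walking these structures yourself, so that the system validates the result and future format changes do not break your code.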