Cherokee touches on them but I need a little more explanation. Is there any reading people could recommend? I read that DACLs are used for objects but another article says they apply to all objects. Help?
-
In 70-740 I'm confused by discretionary access control lists
-
Hey @John-DeWilde,
Discretionary access control lists (DACLs) are lists of access control entries (ACEs) that are used to control access (grant, deny, audit) to an object. The DACL (and SACL) make up the security descriptor for an object.
Not sure about the articles you are referring to, see if this helps.
In a Windows world, all objects on an NTFS-formatted volume have a DACL associated with them. When you look at the properties of an object (like a folder or a file), the Security tab is a representation of the DACL for that object. You can add ACEs to control access to that object (full control, deny write, etc.).
DACLs are (by default) inherited from parent object to child object. If you add an ACE to the DACL for a folder, the permissions assigned will inherit to objects inside the folder. There is, for example, a DACL for the volume itself. Permissions assigned here would (by default) apply to all objects on that volume.
Here are a couple of links for some more information.
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces
Hope this helps,
Mike Rodrick
Edutainer, ITProTV
**If the post above has answered the question, please mark the topic as solved.
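The inheritance behaviour described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes an NTFS volume and uses a constructed scratch folder named `dacl-demo` under `%TEMP%` (a hypothetical name), which it deletes at the end.

```powershell
# Constructed demo: scratch folder under %TEMP% (hypothetical name), removed at the end.
$folder = Join-Path $env:TEMP 'dacl-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Build one ACE: allow the current user Modify, inheritable by subfolders and files.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the ACE to the folder's DACL and write the security descriptor back.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# A file created afterwards receives the ACE from its parent folder.
$file = Join-Path $folder 'child.txt'
Set-Content -Path $file -Value 'test'

# List the current user's ACEs in both DACLs. IsInherited is False for the
# explicit entry on the folder and True for the copy on the file. Entries
# inherited from the parents of %TEMP% may also be listed.
foreach ($path in $folder, $file) {
    "`n$path"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $me } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

# The file's security descriptor in SDDL form: the section after "D:" is the DACL.
(Get-Acl -Path $file).Sddl

# Clean up the scratch folder.
Remove-Item -Path $folder -Recurse -Force
```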
-
@Mike-Rodrick Thank you. So have I been incorrectly referring to DACLs as ACLs? And there is no ACL unless there are DACLs?
-
Thanks Mike for answering.
John I will be looking into your other questions too.
I wouldn't say you are wrong; a DACL is technically a type of ACL, just more specific.
-
Hey @John-DeWilde,
Glad I could help!
As @Cherokee-Boose said, ACL is not wrong. A DACL is a type of ACL, just more specific. Just like SACL (System Access Control List) is also a type of ACL.
Mike Rodrick
Edutainer, ITProTV
**If the post above has answered the question, please mark the topic as solved.