Calculating Microsoft Windows Access Permissions

The purpose of access control is to grant and deny access to objects, based on defined rules. Windows supports this goal through definitions of users, groups, and object DACLs. Every object may have a DACL that includes several ACEs. Since an ACE is defined for a specific user or group, it is possible to introduce conflicts. How does the Windows operating system resolve conflicting ACEs?

Windows resolves object access requests by following this procedure:

  1. Retrieves user and group SIDs from the process’s SAT.

  2. Examines all ACEs in the object’s DACL for requested permission.

    1. If no DACL or ACE is defined for the requested access, Windows allows the access.

    2. If only one ACE exists for the requested access, access is based on whether the ACE is defined as “allow” or “deny.”

    3. If multiple ACEs exist for the same requested access, all ACEs must be defined as “allow” for Windows to allow the access. Any ACE defined as “deny” will result in Windows denying the access.

  3. Returns an access approval or denial based on permissions.

Since overlapping ACEs can be confusing, Windows makes it easy to see the permissions in effect for any object. The Advanced Security Settings dialog box contains the Effective Access page to display calculated permissions for any user or group (FIGURE 3-9).

FIGURE 3-9 Windows object Effective Access. (Screenshot of the Advanced Security Settings dialog box for the file “helloWorld.c” with the Effective Access tab selected. Courtesy of Microsoft Corporation.)

Choose the Select a User link to open the Select User or Group dialog box, type the desired user or group name, and then select OK. Select the View Effective Access button to display the effective permissions calculated for the entered user or group. Any permission checked in the Effective Access display means that permission is allowed for this user or group. An unchecked checkbox means the permission is denied.
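The script below is an added example (not from the book) that follows steps 1 and 2 of the procedure for the current user: it collects the SIDs in the token, lists the ACEs in a file's DACL that match those SIDs and the requested access, and marks the case where both "allow" and "deny" ACEs apply. The function name Get-ApplicableAce and the default requested access are assumptions made for this example.

```powershell
# Added example, not from the book: list the ACEs in a file's DACL that apply to
# the current user's token for a requested access, and flag Allow/Deny conflicts.
function Get-ApplicableAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Requested access (assumed default; any FileSystemRights value works)
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    # Step 1: user and group SIDs from the caller's access token.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Step 2: read the DACL with identities returned as SIDs, in stored order.
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $aces        = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $order = 0
    $hits = @(foreach ($ace in $aces) {
        $order++
        # Inherit-only ACEs are templates for child objects, not for this object.
        if ([int]($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # Keep only ACEs written for a SID that is present in the token.
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # Keep only ACEs whose rights overlap the requested access.
        if ([int]($ace.FileSystemRights -band $Rights) -eq 0) { continue }
        [pscustomobject]@{
            Order     = $order                      # position in the DACL
            Type      = $ace.AccessControlType      # Allow or Deny
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    })

    # Conflict: both Allow and Deny ACEs cover the requested access.
    $conflict = @($hits | ForEach-Object { $_.Type } | Sort-Object -Unique).Count -gt 1
    $hits | Add-Member -NotePropertyName Conflict -NotePropertyValue $conflict -PassThru
}

# Example call; the path is hypothetical and reuses the file name from FIGURE 3-9.
Get-ApplicableAce -Path .\helloWorld.c -Rights Write | Format-Table -AutoSize
```

The script only lists the ACEs involved; the permissions Windows calculates from them are the ones shown on the Effective Access page.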
