Level: Intermediate | MITRE ATT&CK: T1222.001

Authorization & Access Control

Once AD knows who you are, authorization determines what you can do. ACLs, security descriptors, tokens, and group memberships define every permission boundary.

Authentication proves who you are; authorization decides what you are allowed to do. In Active Directory, every resource -- every file, folder, printer, or AD object -- carries a security descriptor whose Access Control List (ACL) is a list of rules saying which users or groups can read, modify, or delete it. When you log in, Windows creates an access token for your session that contains your identity (your user SID) and the SIDs of all the groups you belong to. Every time you try to access something, Windows compares your token against that resource's ACL to decide whether to allow or deny the request.

When you check in to a hotel, they give you a key card (your access token). That card is programmed to open your room, the pool, and maybe the gym. Every door has a lock (an ACL) that lists which cards are allowed. Your key card also encodes whether you are a regular guest or a VIP (group membership). Authorization in AD works the same way: your token carries your identity and group memberships, and every resource has an ACL that determines who gets in.

Key Takeaways

  1. DACLs contain ACEs that define who can do what to each object.
  2. Access tokens carry user SID and all group SIDs for authorization decisions.
  3. Deny ACEs override allow ACEs in DACL evaluation.
  4. ACL misconfigurations are a top privilege-escalation vector in AD.
  5. BloodHound maps ACL-based attack paths across the domain.

Why Should I Care?

Most AD privilege escalation attacks exploit misconfigured ACLs. A single overly permissive ACE can give an attacker a path from a low-privilege account to Domain Admin.
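The token-versus-DACL walk described above, and the kind of overly permissive ACE this section warns about, as an added example that is not part of the original page. It is a simplified model of the Windows access check (rights masks, SIDs and the DACL are constructed for illustration, not real domain values) plus a small defender check that flags ACEs granting change rights to principals outside a trusted set.

```python
from dataclasses import dataclass

# Simplified access-mask bits; real Windows masks are richer (values constructed here).
READ, WRITE, DELETE, WRITE_DACL = 0x1, 0x2, 0x4, 0x8
DANGEROUS = WRITE | DELETE | WRITE_DACL   # rights that let a principal alter the object


@dataclass(frozen=True)
class Ace:
    kind: str              # "allow" or "deny"
    sid: str               # trustee (user or group SID) the ACE applies to
    mask: int              # rights the ACE grants or denies
    inherited: bool = False


def canonical(dacl):
    # Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(token_sids, dacl, requested):
    """Decide whether a token (user SID + group SIDs) receives the requested rights.

    A NULL DACL grants everything and an empty DACL grants nothing. A matching deny ACE
    on any still-ungranted requested right stops the walk with a deny; the walk succeeds
    once allow ACEs have covered every requested right, otherwise access is implicitly denied.
    """
    if dacl is None:
        return True, "NULL DACL: every principal has full access"
    granted = 0
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue                       # ACE does not apply to any SID in the token
        if ace.kind == "deny":
            if ace.mask & requested & ~granted:
                return False, f"denied by ACE for {ace.sid}"
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights (implicit deny)"


def overpermissive(dacl, trusted_sids):
    """Defender check: allow ACEs that hand DANGEROUS rights to trustees outside the trusted set."""
    return [a for a in dacl if a.kind == "allow" and a.mask & DANGEROUS and a.sid not in trusted_sids]


# Constructed sample: SIDs are illustrative placeholders, not real domain SIDs.
DOMAIN_ADMINS, HELPDESK, DOMAIN_USERS = "S-1-5-21-X-512", "S-1-5-21-X-1105", "S-1-5-21-X-513"
ALICE = {"S-1-5-21-X-1104", DOMAIN_USERS, HELPDESK}          # SIDs carried in Alice's token
DACL = [
    Ace("allow", DOMAIN_ADMINS, READ | WRITE | DELETE | WRITE_DACL),
    Ace("allow", DOMAIN_USERS, READ),
    Ace("allow", HELPDESK, WRITE_DACL),   # the misconfiguration: helpdesk may rewrite the DACL
    Ace("deny", DOMAIN_USERS, DELETE),    # explicit deny wins over the allows once canonically sorted
]
```

Running `overpermissive(DACL, {DOMAIN_ADMINS})` surfaces the helpdesk ACE, which is the class of finding BloodHound reports as an ACL edge; `access_check(ALICE, DACL, DELETE)` shows the deny ACE taking precedence.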

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.