Access control overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Access control overview

Access control is the process of authorizing users, groups, and computers to access objects on the network. Key concepts that make up access control are permissions, user rights, and object auditing.


Permissions define the type of access granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.

Permissions are applied to any secured objects such as files, Active Directory® objects, or registry objects. Permissions can be granted to any user, group, or computer. It is a good practice to assign to groups.

You can assign permissions for objects to:

  • Groups, users, and Security identifiers in the domain.

  • Groups and users in that domain and any trusted domains.

  • Local groups and users on the computer where the object resides.

The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are:

  • Read permissions

  • Modify permissions

  • Change owner

  • Delete

When you set up permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print from it.

If you need to change the permissions on an individual object, you can simply start the appropriate tool and change the properties for that object. For example, to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click Properties. On the Security tab, you can change permissions on the file. For more information, see Permissions.

Ownership of objects

An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions on an object. For more information, see Ownership.

Inheritance of permissions

Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder, when created, inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.

User rights

User rights grant specific privileges and logon rights to users and groups in your computing environment. For information on user rights, see the following: For more information, see User rights.

Object auditing

You can audit users' access to objects. You can then view these security-related events in the security log with the Event Viewer. For more information, see Auditing overview.

For more information about authorization and access control, see the Windows Server 2003 Technical Reference Web site. For information about authorization strategy, see "Designing a Resource Authorization Strategy" at the Microsoft Windows Server 2003 Deployment Kit Web site.