AD object permissions:
How to hide AD data:
AD permissions – How Rights are Evaluated?
Two types of rights exist: permissions (authorization to do something, such as read or reset a password, on a specific object) and privileges or user rights (authorization to do something, like log on or add users, that affects an entire computer rather than a specific object). Similar to the evaluation of file system access control, the right to access or use AD objects is determined by the security context attached to the application that attempts the access. When users authenticate to a system, the authorization information they have been given (their SID, the SIDs of the groups they belong to, and their privileges) is collected and later used to create an access token. The access token is used when they attempt to gain access to some object. Programmatically, an access token can be created using the security context of some other security principal, say, the operating system, and used instead during the application's processing. When the application requires the use of some file system, operating system or AD object, the information in its access token is compared with that in the security descriptor of the object. If a match occurs, and no explicit Deny permission exists, access is granted. If no match occurs, or an explicit Deny exists, the requested access is denied.
[Table, contents not preserved: Additional standard access rights not available on all objects. The list and descriptions come from the Platform SDK documentation.]
[Table, contents not preserved: A comparison of NTFS and AD inheritance choices.]