DACL - Discretionary Access Control List

An access control list (ACL) is a list of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.
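
The evaluation rules in the paragraph above, as an added example that is not part of the original page: a simplified Python model of the DACL check. Trustees are plain strings standing in for SIDs, the right bits and sample DACLs are constructed, and the owner's implicit rights and privileges are ignored.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed right bits for this example (not the real Windows mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # stand-in for a SID (user or group)
    mask: int      # rights this ACE allows or denies

def access_check(dacl: Optional[List[Ace]], token_sids: Set[str], desired: int) -> bool:
    """Return True only if every right in `desired` is granted."""
    if dacl is None:                 # no DACL at all: full access to everyone
        return True
    remaining = desired              # requested rights not yet granted
    for ace in dacl:                 # ACEs are evaluated in stored order
        if ace.trustee not in token_sids:
            continue                 # ACE does not apply to this caller
        if ace.allow:
            remaining &= ~ace.mask   # these rights are now granted
            if remaining == 0:
                return True          # all requested rights allowed: stop
        elif ace.mask & remaining:
            return False             # a still-needed right is denied: stop
    return False                     # list exhausted (covers the empty DACL)

# Constructed caller: user "alice", member of group "Staff".
ALICE = {"alice", "Staff"}

# Deny ACE first: the deny on WRITE is reached before the group allow.
DENY_FIRST = [Ace(False, "alice", WRITE), Ace(True, "Staff", READ | WRITE)]
# Same ACEs, allow first: the allow satisfies the request before the
# deny is ever evaluated, so the deny has no effect.
ALLOW_FIRST = [Ace(True, "Staff", READ | WRITE), Ace(False, "alice", WRITE)]

if __name__ == "__main__":
    for name, dacl in [("no DACL", None), ("empty DACL", []),
                       ("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)]:
        print(f"{name:12} READ|WRITE ->", access_check(dacl, ALICE, READ | WRITE))
```

The last two rows show why ACE order matters when reviewing a DACL: the same two entries give opposite results depending on which comes first.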

When you set the discretionary access control list (DACL) or system access control list (SACL) of an object, the system automatically propagates any inheritable access control entries (ACEs) to existing child objects, according to the ACE inheritance rules.

