Each object has a set of security information, or security descriptor, attached to it. Part of the security descriptor specifies the groups or users that can access an object and the types of access (permissions) that are granted to those groups or users. This part of the security descriptor is known as a discretionary access control list (DACL).

A security descriptor for an object also contains auditing information. This auditing information is known as a system access control list (SACL). More specifically, a SACL specifies the following:

You can apply auditing to an object, and any child objects can inherit the auditing. For example, if you want to audit failed access to a folder, this auditing event can be inherited by all files within the folder.

To audit files and folders, you must be logged on as a member of the Administrators group.

| Item | Description |
| --- | --- |
| Apply onto | The object or all the parent and child relationships of that object. You can also apply the auditing entries to objects or containers within the container. |
| | The type of access permitted as listed by each individual permission. |
| | Apply onto this object when accessed successfully for each individual permission. |
| | Apply onto this object when access fails for each individual permission. |
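The folder example above, written as a PowerShell script that adds one auditing entry to a folder's SACL and reads the SACL back. This is an added example, not part of the original page; the folder path, the `Everyone` principal and the `Modify` right are assumptions chosen for illustration, and the script must run in an elevated session as a member of the Administrators group.

```powershell
# Added example. $Path is a hypothetical folder; change it to a folder you own.
$Path = 'C:\Data\Finance'

# The arguments correspond to the parts of an auditing entry:
#   who is audited, the type of access, what the entry applies onto
#   (inheritance and propagation), and success or failure.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                               # assumed principal
    [System.Security.AccessControl.FileSystemRights]::Modify, # assumed access type
    $inherit,     # subfolders and files inherit the entry
    $propagate,   # None: applies to this folder and everything below it
    [System.Security.AccessControl.AuditFlags]::Failure       # audit failed access only
)

# -Audit is required, otherwise Get-Acl returns the descriptor without the SACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back: explicit entries and entries inherited from a parent.
$entries = (Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount])
$entries | Format-Table IdentityReference, FileSystemRights, AuditFlags,
    InheritanceFlags, PropagationFlags, IsInherited -AutoSize

# A file created in the folder afterwards should list the same entry
# with IsInherited = True.
$probe = Join-Path $Path 'sacl-probe.txt'
New-Item -Path $probe -ItemType File -Force | Out-Null
(Get-Acl -Path $probe -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, AuditFlags, IsInherited -AutoSize
Remove-Item -Path $probe
```

An auditing entry in a SACL generates Security log events only when object access auditing is also enabled in the computer's audit policy.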
