The security provided by Windows 2000 is designed to meet the following requirements:
One of the ways Windows 2000 meets these requirements is by assigning each user a security ID (SID). Your SID, a gigantic number guaranteed to be unique, follows you around wherever you go in Windows 2000. When you log on, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your name and SID, plus information about any user groups to which your account belongs. (User groups are described later in this chapter). Any program you start gets a copy of your security access token.
Whenever you attempt to walk through a controlled "door" in Windows 2000 (for example, when you connect to a shared printer), or any time a program attempts to do that on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you see an unavailable menu or dialog-box control, or, in some cases, you get to hear a beep and read a noxious message.
In determining whom to pass and whom to block, Windows 2000 consults the resource's access control list (ACL). This is simply a list showing which SIDs have which kinds of access privileges. Every resource subject to access control has an ACL.