Access control information associated with an object is contained in the object's security descriptor . When a user tries to do anything that can be done with the object, the operating system examines the object's security descriptor to determine whether the user is allowed to do what the user wants to do.
Exactly what information is included in a security descriptor depends on the type of object and how it was created. In general, security descriptors can include information about:
Which user owns the object
Which users and groups are allowed or denied access
Which users' and groups' access should be audited
How objects in a container inherit access control information from the container