5.1.3.3 Checking Access
Before performing a requested access on an object in Active Directory, the DC performs an access check to confirm that the security context of the requester is authorized for the type of access requested. This determination is made by using the following information:
The requester's security context
The requester's desired access mask
An appropriate security descriptor (the security descriptor used for the access check is typically the security descriptor of the object itself, but for some types of access the security descriptor of the object's parent and/or other objects in the directory might be used).
Note that a special principal called "Principal Self," identified by the fixed SID value of S-1-5-10, can appear in the SID field of an ACE in the security descriptor of an object. This fixed SID value represents the object itself in an ACE on a security principal object. For example, when an ACE on a user object grants certain access rights to Principal Self, it essentially grants those access rights to the user represented by that object. During an access check for object O, if O!nTSecurityDescriptor contains any ACEs with the fixed SID for Principal Self the server replaces them with O!objectSid before proceeding with the access check.
For the access check behavior described in the following sections, it is assumed that any security descriptor used as input to that process has already undergone the SID substitution for Principal Self (as described in this section), if necessary.