In this lesson, I'll talk about access control within Windows. Access control is different from rights and permissions. Rights and permissions are placed on objects. So think of computers or files, folders, shares, registry objects, anything that you can assign permissions to. Access control is generally something where we put control on many different things. We control many different objects at once. So today I'll talk about role-based access control, mandatory access control and discretionary access control, and the differences between them.

When we talked about rights and permissions, I was actually talking about discretionary access control. Okay, discretionary access control allows us to modify things like this: our access control lists and our access control entries, based on users. So permissions and rights. And that's discretionary access control.

Mandatory access control is different in that we place certain categories of rights onto different objects. While we don't see this very much in Windows, it comes in the form of mandatory integrity control. Instead of discretionary access control and access control entries, or access control lists, it actually comes in the form of what's called system access control lists. We can modify these via what we call mandatory integrity control. It sits on top of permissions and rights. So it sits on discretionary access control. So let's say that I wanted to place mandatory access control on this Windows folder here. I might do so with the creation of integrity labels or the system access control list. Access control lists and mandatory access control, mandatory integrity control: we don't see this very much inside of Windows. We just need to know it's there.

The thing that I wanted to stress to you is the importance of role-based access control within Windows. So let's go to Active Directory Users and Computers. We also see the same type of users inside of a normal Windows 10 system, but far fewer groups.
So as you're looking here, what do we notice? We have DnsAdmins, we have Domain Admins, we have Enterprise Admins, Enterprise Key Admins, RAS and IAS Servers, and Stooges, the one that we created a few lessons ago. Now, notice how these all have very specific names. Role-based access control is control based on a user's role within the organization. So essentially, role-based access control assigns permissions to particular roles in an organization. Users are then assigned to that particular role.

So, Domain Users. Remember how we have all of these users in Domain Users? Well, that's their role. They are part of the domain. In Domain Admins, for example, I only have Administrator. The other way I can look that information up is by going into a user. So the Administrator has access to Administrators, Domain Admins, Domain Users, etc. Role-based access control is very, very important to Windows system administration: granting only permissions based on what role that user has.

So how this compares to the access control process and rights and permissions is that when an object is accessed, the first access control entry in the file's access control list is examined. So it contains the group Administrators. So if a user is not in the Administrators group, then he may not have access. The next access control entry in the ACL allows us to, again, look at somebody's role and determine what their permission level is. So while we could assign permissions based on a user, access control allows us, and role-based access control allows us, to place that control on a group of users. This is important to understand so that we can control groups of users for whatever function they are doing.
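An added example, not part of the original lesson: a simplified Python model of the ordered access control entry walk described above, with entries granted to groups (roles) instead of individual users. The mask values, the users `moe` and `guest1`, and the sample ACL are constructed for illustration; a real Windows access check also considers owner rights, privileges and integrity labels.

```python
from dataclasses import dataclass

# Simplified access-mask bits (constructed for this example, not real Windows values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group (role) name
    mask: int      # rights this entry covers

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset  # roles the user holds through group membership

    def matches(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups

def access_check(token: Token, dacl: list, desired: int) -> bool:
    """Walk the ACEs in order, as the lesson describes.

    A matching deny ACE covering any still-needed right refuses the request;
    matching allow ACEs accumulate rights until every requested right is
    granted. Reaching the end of the list without that means no access.
    """
    remaining = desired
    for ace in dacl:
        if not token.matches(ace.trustee):
            continue  # entry is for a role this user does not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

# Constructed sample data: a folder ACL keyed on roles, not individual users.
FOLDER_DACL = [
    Ace("deny", "Stooges", WRITE | DELETE),
    Ace("allow", "Administrators", READ | WRITE | DELETE),
    Ace("allow", "Domain Users", READ),
]
ADMIN = Token("Administrator",
              frozenset({"Administrators", "Domain Admins", "Domain Users"}))
MOE = Token("moe", frozenset({"Stooges", "Domain Users"}))  # hypothetical user
OUTSIDER = Token("guest1", frozenset())                     # holds no role
```

Changing what a whole role can do means editing one entry in `FOLDER_DACL`; changing what one person can do means changing the groups in their token.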