Represents an access-control entry for a SecurityDescriptor.
__interface IADTAce : IDispatch;
public interface IADTAce : IDispatch;
Public Interface IADTAce Inherits IDispatch
An ADTAce is the link between the security descriptor for a secured object and a security entity. That is, the ACE defines what permissions a particular user or group has for the object to which the ACE applies.
adTempus uses the Windows security API to perform security checks. In that model, when a security check is performed Windows finds all ACEs that apply to the user (i.e., ACEs specifically for the user, those for any groups to which the user belongs, groups to which those groups belong, etc.) and combines the Grant and Deny masks for all of the ACEs found. If a Deny ACE is found for the requested action (even if Grant ACEs are also found) or if no Grant ACE is found, permission is denied. Permission is granted only if one or more Grant ACEs are found and no Deny ACEs are found.
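The evaluation rule described above, modeled in C++ as an added example (this is not adTempus or Windows code). The permission bits, principal names and the Membership map are constructed for illustration, and a request for several bits is assumed to need every bit granted.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed permission bits for illustration; not adTempus constants.
constexpr uint32_t PERM_VIEW = 0x1, PERM_MODIFY = 0x2, PERM_EXECUTE = 0x4;

struct Ace { std::string trustee; uint32_t grantMask; uint32_t denyMask; };
using Membership = std::map<std::string, std::vector<std::string>>;  // principal -> direct groups

// Collect the user plus every group reachable through nested membership.
std::set<std::string> effectivePrincipals(const std::string& user, const Membership& memberOf) {
    std::set<std::string> seen;
    std::vector<std::string> todo{user};
    while (!todo.empty()) {
        std::string p = todo.back();
        todo.pop_back();
        if (!seen.insert(p).second) continue;  // already visited; guards against cycles
        auto it = memberOf.find(p);
        if (it != memberOf.end())
            todo.insert(todo.end(), it->second.begin(), it->second.end());
    }
    return seen;
}

// OR together the masks of every applicable ACE; a Deny bit overrides any Grant.
bool accessAllowed(const std::vector<Ace>& acl, const std::string& user,
                   const Membership& memberOf, uint32_t requested) {
    const std::set<std::string> who = effectivePrincipals(user, memberOf);
    uint32_t grant = 0, deny = 0;
    for (const Ace& ace : acl) {
        if (!who.count(ace.trustee)) continue;  // ACE names someone else
        grant |= ace.grantMask;
        deny |= ace.denyMask;
    }
    if (deny & requested) return false;
    return requested != 0 && (grant & requested) == requested;  // no Grant found: denied
}

int main() {
    // Constructed sample: alice is in Operators, and Operators is nested in Staff.
    Membership m{{"alice", {"Operators"}}, {"Operators", {"Staff"}}};
    std::vector<Ace> acl{{"Staff", PERM_VIEW | PERM_EXECUTE, 0}, {"Operators", 0, PERM_EXECUTE}};
    bool view = accessAllowed(acl, "alice", m, PERM_VIEW);     // granted via Staff
    bool exec = accessAllowed(acl, "alice", m, PERM_EXECUTE);  // denied via Operators
    return (view && !exec) ? 0 : 1;
}
```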
adTempus API Reference version 3.0.0.0, revised 10/30/2008