- The security model in AD where owners of objects (files, folders, user accounts, etc.) have the authority to grant or deny access to the object to other users or groups at their own discretion, using Access Control Lists (ACLs). The Discretionary Access Control List (DACL) contains the list of users and groups that have been granted or denied access to the object.
- Improper access control can lead to attacks like Kerberoasting.
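
To make the DACL concrete, the sketch below is an added example (not part of the original notes): it parses the DACL section of an SDDL string into its ordered allow/deny entries and lists allow entries that give a broad group a write-level right. The sample SDDL string and the function names `parse_dacl` and `broad_write_grants` are constructed for illustration; the check ignores deny-ACE evaluation, object GUIDs and hex access masks.

```python
import re

# Constructed sample: SDDL for a hypothetical AD user object (not from a real domain).
SAMPLE_SDDL = ("O:DAG:DAD:AI(D;;WO;;;DU)(A;;GA;;;DA)(A;;RPWP;;;AU)"
               "(A;CI;RPLCRC;;;WD)(A;;GA;;;SY)")

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow (object)", "OD": "deny (object)"}
# Rights that let the trustee change the object or its security descriptor.
WRITE_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
                "WO": "WriteOwner", "WP": "WriteProperty"}
# SID aliases covering very large sets of principals. "WD" means Everyone in
# the trustee field and WriteDacl in the rights field; position decides.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "DU": "Domain Users"}


def parse_dacl(sddl):
    """Return the DACL's ACEs, in order, as dicts with type, rights and trustee."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []  # no DACL section, or a DACL without ACEs
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        # Hex access masks (0x...) are not decoded in this sketch.
        codes = [] if rights.startswith("0x") else re.findall(r"[A-Z]{2}", rights)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "rights": codes, "trustee": trustee})
    return aces


def broad_write_grants(sddl):
    """Allow ACEs that give a broad group a write-level right on the object."""
    findings = []
    for ace in parse_dacl(sddl):
        risky = [WRITE_RIGHTS[r] for r in ace["rights"] if r in WRITE_RIGHTS]
        if ace["type"].startswith("allow") and ace["trustee"] in BROAD_TRUSTEES and risky:
            findings.append((BROAD_TRUSTEES[ace["trustee"]], risky))
    return findings


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(ace)
    print("review:", broad_write_grants(SAMPLE_SDDL))
```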