Abusing ACLs

by Vince

To keep it simple: Access Control Lists (ACLs) provide granular permissions on objects. Quoting Microsoft: "Access control for objects in Active Directory Domain Services is based on Windows NT and Windows 2000 access-control models.  Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE)."

Oftentimes, what I find is that a misunderstanding of what a given permission actually allows is what gets people into trouble. Let's look at a standard Active Directory user:



When we attempt to add our user to the DnsAdmins group, we get denied.

Let's give our user some extra permissions.



With our newly assigned permissions, we check the group, add our account to it, and check again: we're now a member of the DnsAdmins group.



If you saw my previous post, you can see how we abuse DnsAdmins to take over the Domain Controller.
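
To find this kind of delegation before someone else does, the ACL on the group can be audited for non-baseline principals that are able to change its membership. The following is an added example, not part of the original post; the function name `Get-GroupMembershipWriters` and the list of expected principals are assumptions to adjust for your domain.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GroupMembershipWriters {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Assumed baseline of principals expected to manage the group; adjust per domain.
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                "$env:USERDOMAIN\Domain Admins",
                                "$env:USERDOMAIN\Enterprise Admins")
    )
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    # schemaIDGUID of the 'member' attribute; the Self-Membership validated write shares it.
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -in $Expected) { continue }

        $rights = $ace.ActiveDirectoryRights
        # An empty ObjectType means the ACE covers every attribute, 'member' included.
        # ACEs scoped to a property set are not evaluated here.
        $onMember = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $memberGuid)

        $reasons = @()
        if ($rights.HasFlag($adr::WriteDacl))  { $reasons += 'can rewrite the ACL' }
        if ($rights.HasFlag($adr::WriteOwner)) { $reasons += 'can take ownership' }
        if ($onMember -and $rights.HasFlag($adr::WriteProperty)) { $reasons += 'can write member' }
        if ($onMember -and $rights.HasFlag($adr::Self))          { $reasons += 'can add itself' }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Group     = $group.Name
            Principal = $who
            Rights    = $rights
            Inherited = $ace.IsInherited
            Reason    = $reasons -join '; '
        }
    }
}

# Report every non-baseline principal that can alter DnsAdmins membership.
Get-GroupMembershipWriters -GroupName 'DnsAdmins' | Format-Table -AutoSize
```

GenericAll and GenericWrite are caught by the bit checks because both include WriteProperty and Self. Any row for an ordinary user account, like the one in this post, is a delegation worth removing or justifying.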