For the sake of keeping it simple -- Access Control Lists provide granular permissions to objects.  Quoting Microsoft:  "Access control for objects in Active Directory Domain Services is based on Windows NT and Windows 2000 access-control models.  Access privileges for resources in Active Directory Domain Services are usually granted through the use of an access control entry (ACE)."

Often times what I find is that a misunderstanding of what permissions do is what gets people into trouble.  Let's look at a standard Active Directory user:

"Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain."

I thought I'd written about this previously but a quick search yields zero results.  Basically, the idea here is that we've compromised a Joomla system and we want to get a reverse shell on the underlying system.  We could modify the existing site but that's a lot more destructive, and sometimes more difficult, than just figuring out how to make a plugin.  In the example below, I've used the instructions for creating a plugin for an older version of Joomla but I've deployed it on Joomla 4 so it's still a valid method.