Let's start from the link you provided (emphasis mine):

> The system compares the trustee in each ACE to the trustees identified in the thread's access token. An access token contains security identifiers (SIDs) that identify the user and **the group accounts to which the user belongs**.

In fact, "the group accounts to which the user belongs" is taken from the Kerberos Ticket the user received when he logged in. The ticket contains the SIDs of all of the groups that the user belongs to, regardless of whether the group is nested within another group or not.
Specifically, to answer your question:

> How and which process in windows finds the `vip -> AD-VIPs -> AD-Parent` chain and grants access?

This task is performed by the Domain Controller when generating a Ticket-granting Ticket (TGT) (typically, when the user logged in). The TGT contains the SIDs of all of the groups that the user belongs to.
You can do an experiment and see a bit of that with Process Explorer:
Start Process Explorer, double-click on a process started by a domain user (for example notepad.exe), click on the Security tab, and there you'll be able to see the group membership, even if the groups are nested.
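
Added example, not part of the original answer: a PowerShell sketch of the comparison the quoted documentation describes, matching each ACE trustee SID on a file against the flat set of SIDs in the current access token. The `$Path` default is an assumed placeholder, and the script only shows which ACEs match the token; it does not reproduce the full access-check algorithm (ACE ordering, deny handling, deny-only groups).

```powershell
# Added illustration. $Path is a placeholder; point it at any file you can read.
param([string]$Path = "$env:WINDIR\win.ini")

# SIDs carried in the current process's access token: the user's own SID plus
# the SID of every group, including groups reached only through nesting.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = New-Object 'System.Collections.Generic.HashSet[string]'
[void]$tokenSids.Add($identity.User.Value)
foreach ($groupSid in $identity.Groups) {
    [void]$tokenSids.Add($groupSid.Value)
}

# Read the DACL with trustees expressed as SIDs (explicit and inherited ACEs).
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value

    # Resolve a friendly name for display only; the match below is SID to SID.
    try   { $name = $rule.IdentityReference.Translate($ntType).Value }
    catch { $name = $sid }

    [pscustomobject]@{
        Trustee = $name
        Sid     = $sid
        Type    = $rule.AccessControlType
        Rights  = $rule.FileSystemRights
        # A plain set lookup: no group hierarchy is walked at this point,
        # because the nested memberships are already present in the token.
        InToken = $tokenSids.Contains($sid)
    }
}

$report | Format-Table -AutoSize
```

An ACE whose trustee is a parent group shows `InToken = True` for a user who is only a member of a nested child group, because the parent group's SID is already in the token.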