This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a component within [Access Control Entry] which is a 32-bit [Bitmask] value whose bits correspond to the [access] [rights] supported by an object.
All [Microsoft Windows] [Securable objects] use an [{$pagename}] format that includes [bits] for the following types of access [Permission]:
* Generic access [Permissions]
* Standard access rights
* [System Access Control List] ([SACL]) access right
* Directory services access rights
!! [{$pagename}] Format
All [Securable objects] use the access mask format shown as follows:
[MS Access Mask/ms-accctrl4.png]
In this format,
* the low-order 16 [bits] are for object-specific access rights,
* the next 8 bits are for standard access rights, which apply to most types of objects, and
* the 4 high-order bits are used to specify generic access rights that each object type can map to a set of standard and object-specific rights.
* The ACCESS_SYSTEM_SECURITY [bit] corresponds to the right to access the object's [SACL].
!! [{$pagename}] and [Microsoft Active Directory]
Microsoft Active Directory uses the same basic [Access Control Model-Microsoft Windows] for [Access Control] where each [Microsoft Active Directory] [Securable object] has a [Security Descriptor] assigned to it. A set of [trustee] [permissions] ([MS Access Mask]) can be set within these [Security Descriptors]. These [permissions] are listed in the following table:
%%zebra-table
%%sortable
%%table-filter
||Rights||Meaning
|ACTRL_DS_OPEN|Open a DS object.
|ACTRL_DS_CREATE_CHILD|Create a child DS object.
|ACTRL_DS_DELETE_CHILD|Delete a child DS object.
|ACTRL_DS_LIST|Enumerate a DS object.
|ACTRL_DS_READ_PROP|Read the properties of a DS object.
|ACTRL_DS_WRITE_PROP|Write properties for a DS object.
|ACTRL_DS_SELF|Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
|ACTRL_DS_DELETE_TREE|Delete a tree of DS objects.
|ACTRL_DS_LIST_OBJECT|List a tree of DS objects.
|ACTRL_DS_CONTROL_ACCESS|Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
/%
/%
/%
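The format and the directory services rights table above can be combined into a decoder for auditing ACEs. This is an added example, not part of the original page: the numeric bit values are taken from the Windows SDK headers (winnt.h, AccCtrl.h), the function names are hypothetical, and the sample masks are constructed.

```python
# Added example. Bit values come from winnt.h / AccCtrl.h, not from this page.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
ACCESS_SYSTEM_SECURITY = 0x01000000  # right to access the object's SACL
STANDARD = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
            0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
            0x00100000: "SYNCHRONIZE"}
# ACTRL_DS_OPEN is defined as 0, so it has no bit to test and is omitted.
DS_RIGHTS = {0x001: "ACTRL_DS_CREATE_CHILD", 0x002: "ACTRL_DS_DELETE_CHILD",
             0x004: "ACTRL_DS_LIST", 0x008: "ACTRL_DS_SELF",
             0x010: "ACTRL_DS_READ_PROP", 0x020: "ACTRL_DS_WRITE_PROP",
             0x040: "ACTRL_DS_DELETE_TREE", 0x080: "ACTRL_DS_LIST_OBJECT",
             0x100: "ACTRL_DS_CONTROL_ACCESS"}


def _names(value, table):
    """Return (names of set bits found in table, bits set but not in table)."""
    named = [name for bit, name in table.items() if value & bit]
    return named, value & ~sum(table)


def decode_ds_access_mask(mask):
    """Split a 32-bit access mask into the fields of the access mask format."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access mask must be a 32-bit unsigned value")
    specific, extra_specific = _names(mask & 0x0000FFFF, DS_RIGHTS)  # low 16 bits
    standard, extra_standard = _names(mask & 0x00FF0000, STANDARD)   # next 8 bits
    generic, _ = _names(mask & 0xF0000000, GENERIC)                  # 4 high bits
    return {
        "generic": generic,
        "sacl_access": bool(mask & ACCESS_SYSTEM_SECURITY),
        "standard": standard,
        "object_specific": specific,
        # Bits with no name in the tables above (including bits 25-27),
        # reported so that an audit does not silently ignore them.
        "unnamed_bits": extra_specific | extra_standard | (mask & 0x0E000000),
    }


if __name__ == "__main__":
    for sample in (0x00020014, 0x000F01FF):  # constructed sample masks
        print(f"{sample:#010x}", decode_ds_access_mask(sample))
```
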
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Access Rights and Access Masks|https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-rights-and-access-masks|target='_blank'] - based on information obtained 2018-12-04
* [#2] - [Directory Services Access Rights|https://docs.microsoft.com/en-us/windows/desktop/secauthz/directory-services-access-rights|target='_blank'] - based on information obtained 2018-12-04