Overview#MS Access Mask is a component within Access Control Entry which is a is a 32-bit Bitmask value whose bits correspond to the access rights supported by an object.
- Generic access Permissions
- Standard access rights
- System Access Control List (SACL) access right
- Directory services access rights
MS Access Mask Format#All Securable objects use the access mask format shown as follows:
In this format,
- the low-order 16 bits are for object-specific access rights,
- the next 8 bits are for standard access rights, which apply to most types of objects, and
- the 4 high-order bits are used to specify generic access rights that each object type can map to a set of standard and object-specific rights.
- The ACCESS_SYSTEM_SECURITY bit corresponds to the right to access the object's SACL.
MS Access Mask and Microsoft Active Directory#Microsoft Active Directory uses the same basic Access Control Model-Microsoft Windows for Access Control where each Microsoft Active Directory Securable object has a Security Descriptor assigned to it. A set of trustee permissions (MS Access Mask) can be set within these Security Descriptors. These permissions are listed in the following table:
|ACTRL_DS_OPEN||Open a DS object.|
|ACTRL_DS_CREATE_CHILD||Create a child DS object.|
|ACTRL_DS_DELETE_CHILD||Delete a child DS object.|
|ACTRL_DS_LIST||Enumerate a DS object.|
|ACTRL_DS_READ_PROP||Read the properties of a DS object.|
|ACTRL_DS_WRITE_PROP||Write properties for a DS object.|
|ACTRL_DS_SELF||Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.|
|ACTRL_DS_DELETE_TREE||Delete a tree of DS objects.|
|ACTRL_DS_LIST_OBJECT||List a tree of DS objects.|
|ACTRL_DS_CONTROL_ACCESS||Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.|