Overview#

MS Access Mask is a component within Access Control Entry which is a is a 32-bit Bitmask value whose bits correspond to the access rights supported by an object.

All Microsoft Windows Securable objects use an MS Access Mask format that includes bits for the following types of access Permission:

• Generic access Permissions
• Standard access rights
• System Access Control List (SACL) access right
• Directory services access rights

MS Access Mask Format#

All Securable objects use the access mask format shown as follows:

In this format,

• the low-order 16 bits are for object-specific access rights,
• the next 8 bits are for standard access rights, which apply to most types of objects, and
• the 4 high-order bits are used to specify generic access rights that each object type can map to a set of standard and object-specific rights.
• The ACCESS_SYSTEM_SECURITY bit corresponds to the right to access the object's SACL.

MS Access Mask and Microsoft Active Directory#

Microsoft Active Directory uses the same basic Access Control Model-Microsoft Windows for Access Control where each Microsoft Active Directory Securable object has a Security Descriptor assigned to it. A set of trustee permissions (MS Access Mask) can be set within these Security Descriptors. These permissions are listed in the following table:

More Information#

There might be more information for this subject on one of the following:

• Access Control Entry
• MS Access Mask

---

• [#1] - Access Rights and Access Masks - based on information obtained 2018-12-04-
• [#2] - Directory Services Access Rights - based on information obtained 2018-12-04-