The Access Mask is part of the Access Control Entry. In earlier versions of Windows, it is a 32-bit value that specifies the rights that are allowed or disallowed for a particular object. Vista began the migration towards 64-bit access masks. For example, if a Word document has rights granted to domain users, then one has to be logged in to the network domain before they have permission to access that document. There are also negative or deny rights, such as denying access to password hashes to users who are part of the guest group.
Iron Noder 2017