This parameter controls which UNIX permission bits can be modified when a Windows NT client manipulates the UNIX permissions on a directory using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly, this parameter is set to 0777, meaning a user is allowed to modify all the user/group/world permissions on a directory.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it as the default of 0777.

See also the force directory security mode, security mask, and force security mode parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700
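The masking rule described above, as an added Python model run over a constructed smb.conf; it is not part of the Samba documentation or source. The share names, paths and helper names are made up, and the fallback from a share to [global] and then to 0777 follows ordinary smb.conf section inheritance.

```python
import configparser

PARAM = "directory security mask"
DEFAULT_MASK = 0o777  # default stated on this page

# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE_CONF = """
[global]
workgroup = EXAMPLE

[appliance]
path = /srv/appliance
directory security mask = 0700

[scratch]
path = /srv/scratch
"""

def effective_masks(conf_text):
    """Return {share: mask}: the share's own value, else [global], else 0777."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    global_mask = DEFAULT_MASK
    if cp.has_section("global") and PARAM in cp["global"]:
        global_mask = int(cp["global"][PARAM], 8)
    masks = {}
    for share in (s for s in cp.sections() if s != "global"):
        raw = cp[share].get(PARAM)
        masks[share] = int(raw, 8) if raw is not None else global_mask
    return masks

def apply_change(current, requested, mask):
    """Mode after a client asks for `requested`: only bits set in the mask
    may differ from `current` (the rule as this page states it)."""
    changed = (current ^ requested) & 0o777
    return current ^ (changed & mask)

def locked_bits(mask):
    """Render the bits a client may not change, e.g. 0700 -> '---rwxrwx'."""
    locked = ~mask & 0o777
    return "".join(c if locked & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

if __name__ == "__main__":
    for share, mask in effective_masks(SAMPLE_CONF).items():
        result = apply_change(0o750, 0o777, mask)
        print(f"{share}: mask={mask:04o} locked={locked_bits(mask)} 0750->0777 gives {result:04o}")
```

With the mask set to 0700, a request to open a 0750 directory to 0777 leaves it at 0750, because the group and world bits fall outside the mask.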