Demonstration script that reads the security descriptor of the Finance OU in Active Directory and prints each entry of its DACL.

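' Lists the discretionary ACL (DACL) of a directory object and decodes every ACE.
'
' Usage: cscript <script>.vbs [ADsPath]
'   The optional argument is the LDAP ADsPath of the object to inspect. When it
'   is omitted the Finance OU of fabrikam.com is used, as in the original sample.
'
' Only the DACL is read (IADsSecurityDescriptor.DiscretionaryACL); the SACL is
' not requested, so no extra privilege or security-mask option is needed.
' Output is written with WScript.Echo; run under cscript.exe for line output.
'
' Besides trustee, ACE type and access mask, the script prints two things the
' original sample left out, both needed to judge what an ACE actually grants:
'   * AceFlags - an inherit-only ACE grants nothing on this object itself, and an
'     inherited ACE was set on a parent container, not here.
'   * ObjectType / InheritedObjectType - for object-specific ACEs the same
'     access-mask bit (e.g. "Control Access" or "Write properties") may cover a
'     harmless right or a highly privileged one; the GUID says which.

Option Explicit

' ADS_RIGHTS_ENUM - bits of IADsAccessControlEntry.AccessMask.
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_OWNER = &H80000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
' &H80000000 is a negative Long in VBScript; the bitwise And below still works.
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

' ADS_ACETYPE_ENUM - values of IADsAccessControlEntry.AceType.
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7

' ADS_ACEFLAG_ENUM - bits of IADsAccessControlEntry.AceFlags that decide
' whether the ACE applies to this object and/or to its children.
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_INHERITED_ACE = &H10

' ADS_FLAGTYPE_ENUM - bits of IADsAccessControlEntry.Flags that say which of
' ObjectType / InheritedObjectType carry a meaningful GUID.
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

Dim strPath
' Allow the target to be passed on the command line; default keeps the sample's
' original hard-coded OU so existing invocations behave as before.
If WScript.Arguments.Count > 0 Then
    strPath = WScript.Arguments(0)
Else
    strPath = "LDAP://OU=Finance,DC=fabrikam,DC=Com"
End If

Dim objTarget, objSD, objDACL, objACE
Set objTarget = GetObject(strPath)
Set objSD = objTarget.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

For Each objACE In objDACL
    WScript.Echo "Trustee: " & objACE.Trustee
    WScript.Echo "Ace Type: " & AceTypeName(objACE.AceType)
    DescribeAceFlags objACE.AceFlags
    DescribeObjectTypes objACE
    DescribeAccessMask objACE.AccessMask
    WScript.Echo
Next

' Returns the human-readable label for an ADS_ACETYPE_ENUM value.
' Object-specific ACE types share the label of their plain counterpart, as in
' the original sample; DescribeObjectTypes prints what makes them specific.
Function AceTypeName(lngAceType)
    Select Case lngAceType
        Case ADS_ACETYPE_ACCESS_ALLOWED
            AceTypeName = "Access Allowed"
        Case ADS_ACETYPE_ACCESS_DENIED
            AceTypeName = "Access Denied"
        Case ADS_ACETYPE_SYSTEM_AUDIT
            AceTypeName = "System Audit "
        Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
            AceTypeName = "Access Allowed"
        Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
            AceTypeName = "Access Denied"
        Case ADS_ACETYPE_SYSTEM_AUDIT_OBJECT
            AceTypeName = "System Audit"
        Case Else
            ' Unknown value: report it rather than silently mislabel the ACE.
            AceTypeName = "could not be determined (" & lngAceType & ")"
    End Select
End Function

' Prints the inheritance-related AceFlags of an ACE.
' lngFlags - IADsAccessControlEntry.AceFlags
Sub DescribeAceFlags(lngFlags)
    If lngFlags And ADS_ACEFLAG_INHERITED_ACE Then
        WScript.Echo vbTab & "(inherited from a parent container)"
    End If
    ' Inherit-only ACEs exist solely to be passed on to children; reporting
    ' their rights as effective on this object would over-state the trustee's access.
    If lngFlags And ADS_ACEFLAG_INHERIT_ONLY_ACE Then
        WScript.Echo vbTab & "(inherit-only: does not apply to this object, only to child objects)"
    End If
    If lngFlags And ADS_ACEFLAG_INHERIT_ACE Then
        If lngFlags And ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE Then
            WScript.Echo vbTab & "(propagates to direct child objects only)"
        Else
            WScript.Echo vbTab & "(propagates to child objects)"
        End If
    End If
End Sub

' Prints the GUIDs that scope an object-specific ACE.
' objACE - an IADsAccessControlEntry; Flags says which GUID properties are set.
Sub DescribeObjectTypes(objACE)
    ' ObjectType names the property, property set or extended right the access
    ' mask refers to. Without it a "Write properties" or "Control Access" entry
    ' cannot be assessed; it should be compared against the schema / extended
    ' rights of the forest when reviewing the ACL.
    If objACE.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT Then
        WScript.Echo vbTab & "Object type (property, property set or extended right): " & objACE.ObjectType
    End If
    ' InheritedObjectType restricts inheritance to child objects of one class.
    If objACE.Flags And ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT Then
        WScript.Echo vbTab & "Inherited only by child objects of class: " & objACE.InheritedObjectType
    End If
End Sub

' Prints one line for each access right present in an access mask, in the same
' order and with the same wording as the original sample.
' lngMask - IADsAccessControlEntry.AccessMask
Sub DescribeAccessMask(lngMask)
    EchoRight lngMask, ADS_RIGHT_DELETE, "Delete"
    EchoRight lngMask, ADS_RIGHT_READ_CONTROL, "Read from the security descriptor (not including the SACL)"
    EchoRight lngMask, ADS_RIGHT_WRITE_DAC, "Modify the DACL"
    EchoRight lngMask, ADS_RIGHT_OWNER, "Take ownership"
    EchoRight lngMask, ADS_RIGHT_SYNCHRONIZE, "Use the object for synchronization"
    EchoRight lngMask, ADS_RIGHT_ACCESS_SYSTEM_SECURITY, "Get or set the SACL"
    EchoRight lngMask, ADS_RIGHT_GENERIC_READ, "Read permissions and properties"
    EchoRight lngMask, ADS_RIGHT_GENERIC_WRITE, "Write permissions and properties"
    EchoRight lngMask, ADS_RIGHT_GENERIC_EXECUTE, "Read permissions on and list the contents of the container"
    EchoRight lngMask, ADS_RIGHT_GENERIC_ALL, _
        "Create or delete child objects, delete a subtree, read and write " & _
        "properties, examine child objects and the object itself, add and remove the " & _
        "object from the directory, and read or write with an extended right"
    EchoRight lngMask, ADS_RIGHT_DS_CREATE_CHILD, "Create child objects"
    EchoRight lngMask, ADS_RIGHT_DS_DELETE_CHILD, "Delete child objects"
    EchoRight lngMask, ADS_RIGHT_ACTRL_DS_LIST, "List child objects"
    EchoRight lngMask, ADS_RIGHT_DS_SELF, "Perform an operation controlled by a validated write access right"
    EchoRight lngMask, ADS_RIGHT_DS_READ_PROP, "Read properties"
    EchoRight lngMask, ADS_RIGHT_DS_WRITE_PROP, "Write properties"
    EchoRight lngMask, ADS_RIGHT_DS_DELETE_TREE, "Delete all child objects"
    EchoRight lngMask, ADS_RIGHT_DS_LIST_OBJECT, "List the object"
    EchoRight lngMask, ADS_RIGHT_DS_CONTROL_ACCESS, "Perform an operation controlled by an extended access right"
End Sub

' Echoes strText (tab-indented) when bit lngRight is set in lngMask.
' The nonzero result of the bitwise And is what VBScript's If treats as True.
Sub EchoRight(lngMask, lngRight, strText)
    If lngMask And lngRight Then
        WScript.Echo vbTab & strText
    End If
End Sub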