Demonstration script that reads the security descriptor for a folder (specified by the strFolderName variable), checks to ensure it has a DACL and then outputs information about each of the contained ACEs.

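' Reads the security descriptor of one folder through WMI and lists every ACE
' in its DACL: the trustee, whether the ACE allows or denies, and the file or
' folder rights named in its access mask.

' Folder to inspect. The name is spliced into a single-quoted WMI object path
' below, so a name containing an apostrophe would need escaping first.
strFolderName = "C:\scripts\sec_center"

' Security descriptor control flag: set when the descriptor carries a DACL.
SE_DACL_PRESENT = &h4

' ACE types labelled below; any other type is reported by its number.
ACCESS_ALLOWED_ACE_TYPE = &h0
ACCESS_DENIED_ACE_TYPE  = &h1

' Access-mask values. FILE_ALL_ACCESS is a composite of several bits; the
' others are single bits.
FILE_ALL_ACCESS         = &h1f01ff
FOLDER_ADD_SUBDIRECTORY = &h000004
FILE_DELETE             = &h010000
FILE_DELETE_CHILD       = &h000040
FOLDER_TRAVERSE         = &h000020
FILE_READ_ATTRIBUTES    = &h000080
FILE_READ_CONTROL       = &h020000
FOLDER_LIST_DIRECTORY   = &h000001
FILE_READ_EA            = &h000008
FILE_SYNCHRONIZE        = &h100000
FILE_WRITE_ATTRIBUTES   = &h000100
FILE_WRITE_DAC          = &h040000
FOLDER_ADD_FILE         = &h000002
FILE_WRITE_EA           = &h000010
FILE_WRITE_OWNER        = &h080000

' Rights in the order they are reported. The labels keep their original spacing
' so the output format is unchanged.
arrRightMasks = Array( _
   FILE_ALL_ACCESS, FOLDER_ADD_SUBDIRECTORY, FILE_DELETE, FILE_DELETE_CHILD, _
   FOLDER_TRAVERSE, FILE_READ_ATTRIBUTES, FILE_READ_CONTROL, _
   FOLDER_LIST_DIRECTORY, FILE_READ_EA, FILE_SYNCHRONIZE, _
   FILE_WRITE_ATTRIBUTES, FILE_WRITE_DAC, FOLDER_ADD_FILE, FILE_WRITE_EA, _
   FILE_WRITE_OWNER)
arrRightNames = Array( _
   "FILE_ALL_ACCESS ", " FOLDER_ADD_SUBDIRECTORY ", "FILE_DELETE ", _
   "FILE_DELETE_CHILD ", " FOLDER_TRAVERSE ", "FILE_READ_ATTRIBUTES ", _
   "FILE_READ_CONTROL ", " FOLDER_LIST_DIRECTORY ", "FILE_READ_EA ", _
   "FILE_SYNCHRONIZE ", "FILE_WRITE_ATTRIBUTES ", "FILE_WRITE_DAC ", _
   " FOLDER_ADD_FILE ", "FILE_WRITE_EA ", "FILE_WRITE_OWNER ")

Set objWMIService = GetObject("winmgmts:")
Set objFolderSecuritySettings = _
   objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)

' A non-zero return value means no descriptor was handed back; stop here
' instead of failing on objSD below with an unrelated runtime error.
If intRetVal <> 0 Then
   WScript.Echo "GetSecurityDescriptor failed for " & strFolderName & _
      " (return value " & intRetVal & ")"
   WScript.Quit 1
End If

intControlFlags = objSD.ControlFlags

If (intControlFlags And SE_DACL_PRESENT) = 0 Then
   ' A descriptor without a DACL places no access restrictions on the object,
   ' so this result deserves attention when auditing.
   WScript.Echo "No DACL present in security descriptor"
Else
   arrACEs = objSD.DACL
   If Not IsArray(arrACEs) Then
      ' NOTE(review): whether this is a NULL DACL (unrestricted) or an empty
      ' DACL (no access) cannot be told from this property alone; confirm with
      ' another tool before drawing a conclusion.
      WScript.Echo "DACL flag is set but no ACE list was returned"
   Else
      For Each objACE In arrACEs
         WScript.Echo objACE.Trustee.Domain & "\" & objACE.Trustee.Name

         Select Case objACE.AceType
            Case ACCESS_ALLOWED_ACE_TYPE
               WScript.Echo vbTab & "Allowed:"
            Case ACCESS_DENIED_ACE_TYPE
               WScript.Echo vbTab & "Denied:"
            Case Else
               ' Without a label the rights below would read as if they
               ' belonged to the previous heading.
               WScript.Echo vbTab & "Other ACE type (" & objACE.AceType & "):"
         End Select

         ' AceFlags (inheritance) is not printed, so an ACE that applies only
         ' to child objects is listed the same way as one on this folder.
         lngMask = objACE.AccessMask
         For intIndex = 0 To UBound(arrRightMasks)
            ' Require every bit of the right to be set. A plain non-zero test
            ' would report FILE_ALL_ACCESS for any ACE that holds even one of
            ' its bits, overstating what the trustee was granted or denied.
            If (lngMask And arrRightMasks(intIndex)) = arrRightMasks(intIndex) Then
               WScript.Echo vbTab & vbTab & arrRightNames(intIndex)
            End If
         Next
      Next
   End If
End If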