VBScript to read Active Directory user permissions (ntsecuritydescriptor)

Reading AD ACLs isn’t particularly hard, the hard part is translating the information you get to something useful. The VBScript listed below contains all the constants required for you to do the translation to whatever you like.

strUserODN = wscript.arguments(0)
strExportFile = wscript.arguments(1)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H8
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H9
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &HA
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &HB
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &HC
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &HD
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &HE
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &HF
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10

Const SENDAS_GUID = “{AB721A54-1E2F-11D0-9819-00AA0040529B}”
Const RECEIVEAS_GUID = “{AB721A56-1E2F-11D0-9819-00AA0040529B}”

set ObjUser = GetObject(“LDAP://” & strUserODN)
set fso = CreateObject(“Scripting.FileSystemObject”)
set output = fso.CreateTextFile(strExportFile, True)

Set objsd = objUser.Get(“ntSecurityDescriptor”)
Set dacl = objsd.DiscretionaryAcl

For Each ace In dacl
strAceType = “”
If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
strAceType = “Allow”
ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
strAceType = “Deny”
ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
strAceType = “Allow”
End If

strObjectType = “”
if (ace.ObjectType = SENDAS_GUID) Then
strObjectType = “SendAs”
End if

if (ace.ObjectType = RECEIVEAS_GUID) Then
strObjectType = “ReceiveAs”
End If

if len(strObjectType) > 0 and not Instr(ace.Trustee, “SELF”) > 0 then
output.Write strUserODN & “;”
output.Write ace.Trustee & “;”
output.Write strAceType & “;”
output.Write strObjectType & “;”
output.WriteLine “#”
End if
Next