This is the last I can make of it, I get no error returns anymore but it doesn't work either :/
If anyone can take a look at it I'd appreciate it.
Code:
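; Driver: grant $textusr execute-only access and Administrators full access on $userdir.
$ofs = CreateObject("Scripting.FileSystemObject")   ; created but not used by the code shown here
$sec = CreateObject("ADsSecurity")
; If the ADsSecurity COM class is not registered on this machine, $sec is not an
; object and every later call on it does nothing useful, so stop here and say why.
IF @ERROR
    ? "CreateObject(ADsSecurity) failed: " + @ERROR + " " + @SERROR
    Exit 1
ENDIF
$textusr = "BLAH\testuser"
$userdir = "\\PC-BLAH-XP-4\d$$\TEST"   ; "$$" is a literal "$" inside a KiXtart string
$filenm = $userdir
; Action list parsed by ChangeAcls: "+"-separated add(trustee:right) entries.
; Rights are the single letters handled in addace (F, C, R, E).
$permspart = "add(" + $textusr + ":E)+add(Administrators:F)"
;-- Edit ACL on single file or folder-------
; "EDIT" keeps the existing DACL and only replaces the ACEs of the trustees named above;
; "REPLACE" would drop every existing ACE first, so any account not listed in
; $permspart would lose its access to the target.
ChangeAcls($filenm, $permspart, "EDIT", "FOLDER")
; $ofs=nothing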
;############################################### Functions ##########################################################
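FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
    ; Edit the DACL of the specified file or folder and write it back.
    ;   $file    - path of the target; read through $sec as "FILE://" + $file
    ;   $perms   - "+"-separated actions of the form add(trustee:right) or del(trustee)
    ;   $redit   - "REPLACE": remove every existing ACE before applying $perms
    ;              "EDIT":    remove only the ACEs of each trustee named in $perms
    ;   $ffolder - "FOLDER" adds two ACEs per trustee (inheritance), otherwise one
    ; Uses the script-level $sec object (ADsSecurity) and the sibling function addace.
    ; Numeric values rather than strings, since they are assigned to integer ACE properties.
    $ADS_ACETYPE_ACCESS_ALLOWED = 0
    $ADS_ACETYPE_ACCESS_DENIED = 1
    $ADS_ACEFLAG_INHERIT_ACE = 2
    $ADS_ACEFLAG_SUB_NEW = 9
    $sd = $sec.GetSecurityDescriptor("FILE://" + $file)
    $dacl = $sd.discretionaryacl
    ; if flagged Replace then remove all existing aces from dacl first
    ; NOTE(review): ACEs are removed while the same collection is being enumerated;
    ; verify on a test folder that no entry is skipped.
    IF ucase($redit) = "REPLACE"
        FOR EACH $existingace IN $dacl
            $dacl.removeace($existingace)
        NEXT
    ENDIF
    ; break up Perms into individual actions
    $cmdarray = split($perms, "+")
    FOR $x = 0 TO Ubound($cmdarray)
        $tmpvar1 = $cmdarray[$x]
        IF ucase(left($tmpvar1, 3)) = "DEL"
            $aclaction = "DEL"
        ELSE
            $aclaction = "ADD"
        ENDIF
        ; strip the trailing ")" and the leading "add(" / "del("
        $tmpcmdvar = left($tmpvar1, len($tmpvar1) - 1)
        $tmpcmdvar = right($tmpcmdvar, len($tmpcmdvar) - 4)
        $cmdparts = split($tmpcmdvar, ":")
        $namevar = $cmdparts[0]
        ; del(trustee) carries no ":right" part, so do not index past the end of the array
        $rightvar = ""
        IF Ubound($cmdparts) > 0
            $rightvar = $cmdparts[1]
        ENDIF
        ; if flagged edit, delete ACE's belonging to user about to add an ace for
        IF ucase($redit) = "EDIT"
            $ucnamevar = ucase($namevar)
            FOR EACH $existingAce IN $dacl
                $uctrusteevar = ucase($existingAce.trustee)
                ; A bare requested name ("Administrators") is compared with the account part
                ; of the trustee. A qualified one ("BLAH\testuser") is compared with the whole
                ; trustee: the old code stripped the domain from the trustee only, so a
                ; qualified name never matched and the user's previous ACE stayed in the DACL
                ; next to the new one, leaving any broader rights it granted in force.
                IF (instr($ucnamevar, "\") = 0) AND (instr($uctrusteevar, "\") > 0)
                    $uctrusteevar = right($uctrusteevar, len($uctrusteevar) - instr($uctrusteevar, "\"))
                ENDIF
                IF $uctrusteevar = $ucnamevar
                    $dacl.removeace($existingAce)
                ENDIF
            NEXT
        ENDIF
        ; if action is to del ace then following clause skips addace
        IF $aclaction = "ADD"
            IF ucase($ffolder) = "FOLDER"
                ; folders require 2 aces for user (to do with inheritance)
                addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
                addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
            ELSE
                addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, 0)
            ENDIF
        ENDIF
    NEXT
    FOR EACH $ace IN $dacl
        ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
        IF instr(ucase($ace.trustee), "NT AUTHORITY\")
            $newtrustee = right($ace.trustee, len($ace.trustee) - instr($ace.trustee, "\"))
            ; was "newtrustee" without the "$", which is not the variable computed above
            $ace.trustee = $newtrustee
        ENDIF
    NEXT
    ; Write the edited DACL back. Without these two calls every change above stays in the
    ; in-memory copy and the ACL on disk is untouched, with no error reported.
    $sd.discretionaryacl = $dacl
    $sec.SetSecurityDescriptor($sd)
ENDFUNCTION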
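FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
    ; Build one ACE for $trustee and add it to the specified dacl.
    ;   $maskvar  - right letter: F (full), C (change), R (read), E (execute)
    ;   $acetype  - ACE type value supplied by the caller
    ;   $aceflags - inheritance flags supplied by the caller
    ; An unrecognised right letter adds nothing.
    ; KiXtart writes hexadecimal with a leading "&"; the "+H" form in the posted code
    ; is not a hex literal. NOTE(review): confirm the values with bit 31 set behave as
    ; intended in your KiXtart version.
    $RIGHT_READ = &80000000            ; generic read
    $RIGHT_EXECUTE = &20000000         ; generic execute
    $RIGHT_WRITE = &40000000           ; generic write
    $RIGHT_DELETE = &10000
    $RIGHT_FULL = &10000000            ; generic all
    $RIGHT_CHANGE_PERMS = &40000
    $RIGHT_TAKE_OWNERSHIP = &80000
    $ace = CreateObject("AccessControlEntry")
    $ace.trustee = $trustee
    $case = ucase($maskvar)
    $maskknown = 1
    ; "|" is the bitwise OR; the keyword OR is a logical test and would collapse
    ; the combined mask to a true/false value.
    SELECT
        CASE ($case = "F")
            $ace.accessmask = $RIGHT_FULL
        CASE ($case = "C")
            $ace.accessmask = $RIGHT_READ | $RIGHT_WRITE | $RIGHT_EXECUTE | $RIGHT_DELETE
        CASE ($case = "R")
            $ace.accessmask = $RIGHT_READ | $RIGHT_EXECUTE
        CASE ($case = "E")
            $ace.accessmask = $RIGHT_EXECUTE
        CASE 1
            ; unknown right letter: do not add an ACE whose mask was never set
            $maskknown = 0
    ENDSELECT
    IF $maskknown
        $ace.acetype = $acetype
        $ace.aceflags = $aceflags
        ; pass the ACE object itself; the old call passed only its trustee string,
        ; so the type, flags and mask set above never reached the DACL
        $dacl.addace($ace)
    ENDIF
ENDFUNCTION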