Kent, I've been hacking around with ADsSecurity and came up with this script. It's basically a rip from what little I've found on the net ...
This script will enumerate all access control entries ($ace) in a Registry ACL ($dacl):
code:
break on

$KEY = "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT" ; change this key to whatever

; access masks for the two standard registry permission sets (hex)
$RIGHT_REG_READ = &20019
$RIGHT_REG_FULL = &F003F

$sec = createobject("ADsSecurity")
if $sec
   ; fetch the security descriptor of the registry key
   $sd = $sec.GetSecurityDescriptor("RGY://\$key" )
   if $sd
      ?"$key"?
      $dacl = $sd.DiscretionaryAcl
      if $dacl
         ; one line per ACE: trustee name, then a label for its access mask
         for each $ace in $dacl
            ? $ace.trustee
            select
               case $ace.accessmask = $RIGHT_REG_READ
                  " (read)"
               case $ace.accessmask = $RIGHT_REG_FULL
                  " (full control)"
               case 1
                  ; any other mask
                  " (special)"
            endselect
         next
         $dacl=0
      endif
      $sd=0
   endif
   $sec=0
else
   ?"ADsSecurity not installed on this machine"
endif

exit
Just an fyi - never know what might come in handy one day ?
This script just scratches the surface of what ADsSecurity's all about (obviously). In terms of registry security - there's a lot more granularity one can get into (query/set/delete/etc). But I imagine that ADsSecurity's file/folder permissioning feature is the big seller - eh ?
-Shawn
[ 10 August 2001: Message edited by: Shawn ]
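An added example, not part of Shawn's post and written in Python rather than KiXtart: it breaks a registry ACE access mask into its individual rights, so the entries the script labels "(special)" can be reviewed for write access during an ACL audit. The function names, the WRITE_BITS audit policy and the sample ACEs are constructed for illustration; the bit values are the standard Windows access-right constants.

```python
# Added example (not from the original post): decode registry ACE access masks.
# Bit values are the standard Windows access-right constants (winnt.h).
KEY_RIGHTS = [
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]
RIGHT_REG_READ = 0x20019  # same values as $RIGHT_REG_READ / $RIGHT_REG_FULL
RIGHT_REG_FULL = 0xF003F
# Assumed audit policy: rights that let a trustee change the key or its security.
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
KNOWN_BITS = sum(bit for bit, _ in KEY_RIGHTS)

def classify(mask):
    """Same three labels the KiXtart script prints."""
    mask &= 0xFFFFFFFF  # the mask may arrive as a signed 32-bit value
    if mask == RIGHT_REG_READ:
        return "read"
    return "full control" if mask == RIGHT_REG_FULL else "special"

def decode_mask(mask):
    """Return the names of every right set in the mask."""
    mask &= 0xFFFFFFFF
    names = [name for bit, name in KEY_RIGHTS if mask & bit]
    if mask & ~KNOWN_BITS:
        names.append("UNKNOWN(0x%X)" % (mask & ~KNOWN_BITS))
    return names

def audit(aces):
    """(trustee, label, rights, can_modify) for each (trustee, mask) pair."""
    return [(t, classify(m), decode_mask(m), bool(m & 0xFFFFFFFF & WRITE_BITS))
            for t, m in aces]

# Constructed sample ACEs; real ones come from $ace.trustee / $ace.accessmask.
SAMPLE_ACES = [("BUILTIN\\Administrators", 0xF003F), ("BUILTIN\\Users", 0x20019),
               ("BUILTIN\\Power Users", 0x3001F), ("Everyone", -2147483648)]

if __name__ == "__main__":
    for trustee, label, rights, can_modify in audit(SAMPLE_ACES):
        print(trustee, "(%s)" % label, "WRITE" if can_modify else "", ", ".join(rights))
```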