I generally use something like the following subroutine: Imports ActiveDs . . . 'sub get_ntfs_acl(ByVal path As String) ' Dim sdutil As New ADsSecurityUtility Dim sd As SecurityDescriptor = sdutil.GetSecurityDescriptor(path, ADS_PATHTYPE_ENUM.ADS_PATH_FILE, ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID) Dim acl As AccessControlList = sd.DiscretionaryAcl For Each ace As AccessControlEntry In acl console.writeline(ace.Trustee) console.writeline(ace.Flags) console.writeline(ace.AccessMask) console.writeline(ace.AceFlags) console.writeline(ace.AceType) console.writeline(ace.InheritedObjectType) console.writeline(ace.ObjectType) console.writeline() Next ace End sub you have to use the ADSI interop, but it's a lot easer than the alternitives. you will have to translate the AccessMask rights. I usually set it manualy, then look at what the value translates into. I know this isn't a lot of detail. but if you search MSDN for security descriptors, you can get some more info. It's the same technique to read Active Directory Dacls, but you need a different way to creat the security descriptor object.