You want to view the ACL for an object.
Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool, such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View Advanced Features from the menu.
Click the Advanced button to view a list of the individual ACEs.
> dsacls <ObjectDN>
Unfortunately, the code to view the ACEs in an ACL is quite messy and long. This will be included as part of the code on the web site for the book (http://www.oreilly.com/catalog/activedckbk/).
Viewing an object's ACL is a common task and should already be familiar to most administrators. The ACL editor is useful for checking the permissions that have been set on objects, especially after running the Delegation of Control Wizard. In addition to viewing permissions, the options available in the GUI include, viewing Auditing settings and the Owner of the object. Knowing the owner of and object is important because ownership confers certain inherent rights.
Because the ACL Editor is the same for NTFS permissions and properties as it is for Active Directory objects, you should feel comfortable with the look and feel of the interfaceit is exactly the same as File and Folder permissions. I also highly recommend getting familiar with the Advanced View of the ACL Editor, as this is truly the view in which you can determine what is going on with permissions. The Basic view presents a list of security principals that have permissions configured, but it will not always show every ACE entry. The Advanced view will show the complete picture including the scope of permissions for ACEs down to the object and even attribute level.
Recipe 14.10 for changing an ACL and Recipe 15.12 for auditing of object access