Set objGroup = GetObject _ ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
strManagedBy = objGroup.Get("managedBy")
If IsEmpty(strManagedBy) = TRUE Then WScript.Echo "No user account is assigned to manage " & _ "this group." Else Set objUser = GetObject("LDAP://" & strManagedBy)
Set objNtSecurityDescriptor = objGroup.Get("ntSecurityDescriptor") Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
blnMatch = False For Each objAce In objDiscretionaryAcl If LCase(objAce.Trustee) = _ LCase(strDomain & "\" & strSAMAccountName) AND _ objAce.ObjectType = Member_SchemaIDGuid AND _ objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT AND _ objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP Then blnMatch = True End If Next If blnMatch Then WScript.Echo "Manager can update the member list" Else WScript.Echo "Manager cannot update the member list." End If End Sub