Determining Effective File Permissions for a given Domain User?

Last post 01-29-2007 7:29 PM by rayw. 2 replies.

  • Determining Effective File Permissions for a given Domain User?

    01-17-2007, 8:01 PM
    • rayw
    • Joined on 01-17-2007, 7:46 PM
    • Posts 2

    I'm trying to write an asp.net (2.0) webservice and have run into a problem: Given just a user's domain\login (no password), is it possible to look at a directory of files and determine for each file the effective permissions to the file that user has?

    As an example, the ACL of the file only has two entries: a) Everyone has Read access (inherited); b) ADGroupOne has Read/Write. Domain\JohnDoe is part of ADGroupTwo, with ADGroupOne being the parent of ADGroupTwo. The effective permissions for Domain\JohnDoe would thus be Read/Write to the file...

  • Re: Determining Effective File Permissions for a given Domain User?

    01-28-2007, 9:53 PM
    You can get ACL entries using the FileInfo.GetAccessControl method. Then use something in the System.DirectoryServices.ActiveDirectory namespace to check the AD group and domain account relationship.
    The future is now...
    Sincerely,
    LeiJun Jie
    Microsoft Online Community Support
  • Re: Determining Effective File Permissions for a given Domain User?

    01-29-2007, 7:29 PM
    • rayw
    • Joined on 01-17-2007, 7:46 PM
    • Posts 2

    Hi LeiJun,

    Thanks for answering. I had a go and the first part to get the list seems to be quite easy:

    Imports System.IO
    Imports System.Security.AccessControl
    Imports System.Security.Principal
    Dim objFileInfo As FileInfo = New FileInfo(Me.txtFilePath.Text)
    Dim objFileSecurity As FileSecurity = objFileInfo.GetAccessControl()
    Dim colRules As AuthorizationRuleCollection = objFileSecurity.GetAccessRules(True, True, GetType(NTAccount))

    I can loop through the collection to get each rule to process, and evaluate rules according to whether they are explicit/inherited or allow/deny etc. for each IdentityReference.

    However I don't know what the "something" in System.DirectoryServices.ActiveDirectory is. So far I know I can do:

    Dim objUser As WindowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent()
    Dim objPrincipal As WindowsPrincipal = New WindowsPrincipal(objUser)

    which will give me the current user to test their access to the file or directory against each of those rules:

    Dim traceMessage As String = ""
    Dim objRule As FileSystemAccessRule
    For Each objRule In colRules
        ' IsInRole takes the NTAccount name (e.g. "DOMAIN\Group") and checks it against the current token's groups
        If objPrincipal.IsInRole(objRule.IdentityReference.Value) Then
            traceMessage &= "Rule: " & objRule.IdentityReference.Value & " is IN role" & vbCrLf
        Else
            traceMessage &= "Rule: " & objRule.IdentityReference.Value & " is NOT in role" & vbCrLf
        End If
    Next

    This is okay, however the problem is: Is there a way to establish an arbitrary WindowsPrincipal that is not the current user?

    (Or am I totally missing the point?)
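    One way to answer the question in this post, as an added example that is not code from the thread: the WindowsIdentity(String) constructor builds an identity for a domain user from its UPN without a password (an S4U logon, which assumes the web server is domain-joined), and its Groups collection already contains nested group memberships, so the file's access rules can be evaluated against that SID set in the same canonical order an access check uses. The file path, the UPN and the console module are placeholders.

```vbnet
Imports System
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Module EffectiveAccess
    ' Token-equivalent SID set for an arbitrary domain user, without a password.
    ' WindowsIdentity(String) performs an S4U logon (assumption: the machine is
    ' domain-joined), so Groups already contains nested group memberships.
    Function GetUserSids(ByVal upn As String) As IdentityReferenceCollection
        Dim identity As New WindowsIdentity(upn)
        Dim sids As New IdentityReferenceCollection()
        sids.Add(identity.User)
        For Each group As IdentityReference In identity.Groups
            sids.Add(group)
        Next
        Return sids
    End Function
    ' Walks the DACL the way an access check does: explicit deny, explicit allow,
    ' inherited deny, inherited allow. A bit is granted only if an Allow ACE for
    ' one of the user's SIDs is reached before any Deny ACE covering that bit.
    Function GetEffectiveRights(ByVal path As String, ByVal upn As String) As FileSystemRights
        Dim sids As IdentityReferenceCollection = GetUserSids(upn)
        Dim rules As AuthorizationRuleCollection = _
            New FileInfo(path).GetAccessControl().GetAccessRules(True, True, GetType(SecurityIdentifier))
        Dim granted As FileSystemRights = CType(0, FileSystemRights)
        Dim denied As FileSystemRights = CType(0, FileSystemRights)
        For pass As Integer = 0 To 3
            Dim wantInherited As Boolean = (pass >= 2)
            Dim wantType As AccessControlType = AccessControlType.Allow
            If pass Mod 2 = 0 Then wantType = AccessControlType.Deny
            For Each rule As FileSystemAccessRule In rules
                If rule.IsInherited = wantInherited AndAlso rule.AccessControlType = wantType _
                   AndAlso sids.Contains(rule.IdentityReference) Then
                    If wantType = AccessControlType.Deny Then
                        denied = denied Or (rule.FileSystemRights And Not granted)
                    Else
                        granted = granted Or (rule.FileSystemRights And Not denied)
                    End If
                End If
            Next
        Next
        Return granted
    End Function
    Sub Main()
        ' Placeholder path and UPN; substitute real values.
        Dim rights As FileSystemRights = GetEffectiveRights("C:\Shared\report.docx", "johndoe@corp.example")
        Console.WriteLine("Effective rights: " & rights.ToString())
    End Sub
End Module
```

    The result covers NTFS permissions only; share permissions and the owner's implicit READ_CONTROL and WRITE_DAC rights are not included.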


Microsoft Communities