You can use the Security Descriptor editor in LDP to remove the abstraction from the ACL. This interface is not very friendly or easy to use, but it will give you the opportunity to dig deeper. If you want to give this a try, use the following steps:

1.   Launch LDP by clicking Start, Run, then typing ldp.exe.

2.   Go to Connection, click Bind, then specify user credentials (if necessary).

3.   Click View, click Tree, then find your domain.

4.   In the tree on the left side of the screen, right-click an object whose ACL you want to look at, and go to Advanced, then Security Descriptor. Click OK on the ensuing dialog. (If you select the SACL check box, you can see what audit settings are on the object as well.)

You’ll be able to double-click the entries in the Security Descriptor display for even more detail, which Figure 2 shows. Note that LDP versions earlier than Windows Server 2008 support only read-only text output of the ACL.