Since we manage passwords centrally, we don't want users to be able to change their password locally, and so we want to make sure that the "User can't change password" account option is set, and if not, set it. Unfortunately, from a sysadmin programmer's point of view, it's an ntSecurityDescriptor ACL and not simply a bit flag in the userAccountControl word. O'Reilly's Active Directory Cookbook (p194) gives a nice example of how to set the ACL, and it works quite nicely. Can anybody tell me how to check the ACL to see if it's already set?

Thanks,
Rob
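
One way to read the option back from the ntSecurityDescriptor, as an added example that is not part of the original post and is not the Cookbook's code: the option counts as set when the DACL carries Deny ACEs for the Change Password extended right for both Everyone and SELF. The function name and the distinguished name in the usage comment are hypothetical.

```powershell
# Added example. Test-CannotChangePassword is a hypothetical helper name.
# schemaIDGUID-independent rightsGuid of the "Change Password" control access right.
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$EveryoneSid = 'S-1-1-0'    # well-known SID: Everyone
$SelfSid     = 'S-1-5-10'   # well-known SID: NT AUTHORITY\SELF

function Test-CannotChangePassword {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    # Bind to the user object; psbase exposes the underlying DirectoryEntry.
    $user = [ADSI]"LDAP://$DistinguishedName"
    $acl  = $user.psbase.ObjectSecurity

    # Ask for SIDs rather than NTAccount names so the comparison does not
    # depend on the display language of the domain controller.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $acl.GetAccessRules($true, $true, $sidType)

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deniedFor = @{}

    foreach ($rule in $rules) {
        $isDeny   = $rule.AccessControlType -eq
                    [System.Security.AccessControl.AccessControlType]::Deny
        $isChgPwd = $rule.ObjectType -eq $ChangePasswordGuid
        $isExtRt  = ($rule.ActiveDirectoryRights -band $extendedRight) -ne 0

        if ($isDeny -and $isChgPwd -and $isExtRt) {
            $deniedFor[$rule.IdentityReference.Value] = $true
        }
    }

    # Only one of the two Deny ACEs present means the ACL is half-set and
    # should be treated as "not set" and rewritten.
    return ($deniedFor.ContainsKey($EveryoneSid) -and
            $deniedFor.ContainsKey($SelfSid))
}

# Usage (constructed DN, replace with a real one):
# Test-CannotChangePassword -DistinguishedName 'CN=Example User,OU=Staff,DC=example,DC=com'
```

Because the function returns a plain Boolean, it can gate the existing set routine so the ACL is only rewritten for accounts where the check comes back false.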