Shawn, here's the ASP code where it's written using get:

Code:

	'*** Get Win32_SecurityDescriptor class and create an instance of it ***



	Set oClass = oConnectCIMv2.Get("Win32_SecurityDescriptor")



	Set oSecDescriptor = oclass.SpawnInstance_()

	

	'*** End Get Win32_SecurityDescriptor class and create an instance of it ***



	

	'*** Prepare the security descriptor ***



	'A set the control flags property of the security descriptor

	'this value designates a set of control bits that qualify the

	'meaning of a security descriptor or its individual members.

	'a value of 4 (SE_DACL_PRESENT) indicates a security descriptor 

	'containing a DACL.

	oSecDescriptor.Properties_.Item("ControlFlags") = SE_DACL_PRESENT

	

	Set oClass = Nothing

	

	'*** End Prepare the security descriptor ***





	'*** Add a new ACE to the DACL ***

	Set ACE = SetACE(oConnectCIMv2, sPermission, _  

	 									CUSTCON_ACE_INHERIT, _

	 									ACETYPE_ACCESS_ALLOWED, _

	 									SetTrustee(oConnectCIMv2, _

	 									sDomain, _

	 									sAccountName, _

										sidval))



	'build the array containing all ACEs. In this case, one ACE is being 

	'added to the security descriptor.	  		 

	 oSecDescriptor.Properties_.Item("DACL") = Array(ACE)

	 

	 'clean up

	 Set ACE = Nothing

	

	'*** End Add a new ACE to the DACL ***

		

	'*** Modify the security descriptor ***

	

	Set oDir = oConnectCIMv2.Get("Win32_Directory='" & sHomePath & "'") 



	Set oInParam = oDir.Methods_("ChangeSecurityPermissions"). _

									InParameters.SpawnInstance_()



	oInParam.Properties_.Item("Option") = CHANGE_DACL_SECURITY_INFORMATION



	oInParam.Properties_.Item("SecurityDescriptor") = oSecDescriptor



	oSecDescriptor.Properties_.Item("ControlFlags") =  CUSTCON_ALLOW_INHERIT

	

	

	'*** End Modify the security descriptor ***



	'*** Execute the method ***



	Set oOut = oDir.ExecMethod_("ChangeSecurityPermissions", oInParam)



	If not oOut is nothing then



	        Response.Write "<li>The folder permissions were " & _

						"successfully updated."



	Else



	        Response.Write "<li class = warning>The folder permissions were " & _

						"not successfully applied to the directory. "

				

	End If


Regarding complication, I found an opensource tool that's miles ahead of subinacl and doesn't suffer the dreaded "ACL reodering". SetACL It, like subinacl, is not exactly user friendly. They developed a front end to write command lines. They're developing an ActiveX dll, so again we're SOL. Anyway, point is, the architecture of the SD is insane. Simplifying it is not possible. Sounds like a challenge Howard! =)
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.