Autonomy and Isolation in Active Directory

In Microsoft Windows NT, members of the Domain Admins group have complete control over all objects in their own domain but no inherent control over any objects in a trusting domain. Similarly, changes made to one domain do not affect trusting or trusted domains. Furthermore, within the domain, the primary domain controller (PDC) owns the only writeable copy of the Security Accounts Manager (SAM). For these reasons, domains are considered discrete security boundaries in Windows NT.

Unlike Windows NT, Active Directory domains are not security boundaries because they are not fully isolated from each other. Understanding how autonomy and isolation operate in Active Directory is critical when designing and ...
