|Subject:||Forest = Security Boundary?|
|Posted by:||Gabriel/TFI (GabrielT…@discussions.microsoft.com)|
|Date:||Mon, 12 Feb 2007|
I am reading the great book "Active Directory 3rd Edition" by Joe Richards &
In Chapter 8, "Designing the Namespace", it is said that "The Forest, not
the domain, is the security boundary for AD. Anyone with high-level access
rights on any domain controller in any forest can negatively impact or take
control of any other DC or domain in the forest".
I thought that the domain was the security boundary! :-(
- Does this mean that delegating administrative privileges over domains
(e.g. different BUs) is a bad practice?
- How can an evil administrator of a child domain compromise another domain
or the entire forest? What techniques can be used to achieve this?