Hi all,
well as I promised earlier, here are the sections:

There are two special groups in an AD domain: the Enterprise Admins and the Schema Admins. These two groups are very important regarding security issues. Enterprise Admins have the most power over the AD design, and only they are able to add or delete domains in the entire structure. Members of the Schema Admins can extend the AD schema. The AD schema exists only once in a domain and is the base for all defined objects and their classes and attributes. Today it is not possible to delete definitions, only to disable them. Due to these facts it is recommended to secure the schema and the above-mentioned

Another significant feature is that the Domain Admins of the AD root domain can make themselves members of both groups, so that this security-relevant issue spans the whole AD domain.

To save and secure this AD root domain, it is important to isolate it in a so-called dedicated AD root domain. The dedicated AD root domain contains only standard users and computer accounts and no further accounts. In principle it can be implemented in a tree or forest structure, whereas it is preferred to implement it in a forest structure, where you have no limitations regarding e.g. name


Another advantage, besides security, is the flexibility you get when integrating new companies into the entire structure. You could do this without changing the entire structure or the name of the company, which is important regarding corporate identity and of course political issues ;-)


please forgive me if there are too many mistakes or grammatical errors

Kind Regards/Friendly Regards

Holger Honert


Joseph-Scherer-Str. 3

44139 Dortmund

Phone: +49 231/135-4043
FAX: +49 231/135-2959

mailto: holger.honert@signal-iduna.de
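The mail above recommends keeping Enterprise Admins and Schema Admins of the forest root domain tightly controlled, and warns that Domain Admins of the root domain can add themselves to both. The following PowerShell script is an added example, not part of the original mail, that audits exactly that from a defender's side: it enumerates both groups on the forest root's PDC emulator (nested membership expanded), warns if Schema Admins is not empty, compares Enterprise Admins against an allow-list, and pulls the last week's group-membership-change events. It assumes the RSAT ActiveDirectory module, a domain-joined account with read access and remote event-log access to the PDC; the allow-list `$expectedEA` is a placeholder to adjust for your forest.

```powershell
# Added audit example (not from the original mail). Requires the ActiveDirectory
# module (RSAT) and read access to the forest root domain.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so query that domain's PDC emulator rather than whatever DC is nearest.
$forest     = Get-ADForest
$rootDomain = $forest.RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator

$groups = @('Enterprise Admins', 'Schema Admins')

# -Recursive expands nested groups, so indirect membership (a Domain Admins
# group nested into Enterprise Admins, for instance) is reported too.
$report = foreach ($g in $groups) {
    foreach ($m in (Get-ADGroupMember -Identity $g -Server $pdc -Recursive)) {
        [pscustomobject]@{
            Group  = $g
            Member = $m.SamAccountName
            Class  = $m.objectClass
            # strip everything before the first DC= so the source domain is visible
            Domain = ($m.DistinguishedName -replace '^.*?DC=', 'DC=')
        }
    }
}
$report | Format-Table -AutoSize

# Schema Admins should be empty except while a schema extension is deliberately staged.
$schemaAdmins = @($report | Where-Object Group -eq 'Schema Admins')
if ($schemaAdmins.Count -gt 0) {
    Write-Warning ("Schema Admins has {0} member(s); remove them when no schema change is in progress." -f $schemaAdmins.Count)
}

# Enterprise Admins should match a short, known allow-list (placeholder; adjust for your forest).
$expectedEA = @('Administrator')
$unexpected = @($report | Where-Object { $_.Group -eq 'Enterprise Admins' -and $_.Member -notin $expectedEA })
foreach ($u in $unexpected) {
    Write-Warning ("Unexpected Enterprise Admins member: {0} ({1}) from {2}" -f $u.Member, $u.Class, $u.Domain)
}

# Detection: membership changes to these groups in the last 7 days, read from the
# PDC emulator's Security log. 4728 = member added to a security-enabled global
# group, 4756 = member added to a security-enabled universal group.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4756
    StartTime = $since
} | Where-Object { $_.Message -match 'Enterprise Admins|Schema Admins' }

foreach ($e in $events) {
    Write-Warning ("{0} event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}
```

Run it as a scheduled job against the forest root; the two warnings (non-empty Schema Admins, unexpected Enterprise Admins) are the conditions the mail argues a dedicated root domain should keep rare, and the 4728/4756 events show who added whom in case a root-domain admin did exactly what the mail warns about.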