Trust No One®
Hi Folks,
I'm working my way through the "Designing the Active Directory Logical
Structure" portion of the Windows 2003 deployment guide. There is one point
I'm not 100% clear on.
This design guide states that because a domain is not a security boundary,
it cannot be used for service or data isolation. It then goes on to say that
in an organizational domain forest model, a malicious service administrator
in one domain can access any other domain in the forest.
I'm not too clear on the latter statement. Let's say we have an AD forest
with a root domain and 2 child domains - A and B. Is this saying that a
domain admin in child domain (A) can maliciously elevate themselves to
domain admin privilege in child domain (B)? Can they elevate themselves to
Enterprise Admins?
Clarification appreciated!
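Since the guide treats the domain as no security boundary, one routine check a forest owner can run is to audit every domain for principals whose sIDHistory carries a forest-root privileged SID, which is a common way cross-domain privilege shows up. This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module and an account that can read objects in every domain of the forest.

```powershell
# Added example: audit sIDHistory across all forest domains for inherited
# forest-root privileged SIDs. Assumes the ActiveDirectory module (RSAT) and
# read access to every domain in the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = [string](Get-ADDomain -Identity $forest.RootDomain).DomainSID

# Well-known RIDs, prefixed with the forest root domain SID, plus the
# built-in Administrators group. No principal in a child domain should
# legitimately carry these in sIDHistory.
$privileged = @{
    "$rootSid-512" = 'Domain Admins (forest root)'
    "$rootSid-518" = 'Schema Admins'
    "$rootSid-519" = 'Enterprise Admins'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}

$findings = foreach ($domain in $forest.Domains) {
    # Every object in this domain that has any sIDHistory value at all
    $withHistory = Get-ADObject -Server $domain -LDAPFilter '(sIDHistory=*)' `
                                -Properties sIDHistory
    foreach ($obj in $withHistory) {
        foreach ($sid in $obj.sIDHistory) {
            $sidText = [string]$sid
            if ($privileged.ContainsKey($sidText)) {
                [pscustomobject]@{
                    Domain       = $domain
                    Object       = $obj.DistinguishedName
                    InheritedSID = $sidText
                    Grants       = $privileged[$sidText]
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No forest-root privileged SIDs found in sIDHistory.'
}
```

Run it from a forest-root account on a schedule and alert on any row; pair it with monitoring of the "SID History was added to an account" security event so a new value is seen when it is written, not only at the next audit.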