I was recently pinged by a friend who had some consultants in at his company, and the consultants, I guess, were going on about how the domain is the security boundary and it is perfectly safe/acceptable to have a bunch of child domains that are run by disparate groups of admins.
THIS IS INCORRECT!
It has ALWAYS been incorrect.
I expect that until there is a really major redesign of AD (PKI-signed updates, etc.), it WILL REMAIN incorrect.
You cannot, I repeat, cannot protect the forest from any administrator in any domain in the forest. You can think you can, and a lot of people think they can; I see it all the time. But just because you, as a technical person, can’t think of a way to compromise a forest doesn’t mean someone else can’t. Do not justify bad security decisions with your own technical shortcomings.
joe
“Do not justify bad security decisions with your own technical shortcomings.”
I might have to get that on a bumper sticker.
Ha!