We often ask this question: what actually is a boundary for a security system in tear Windows Service T2003 - the domain or forest? Responding briefly to say that even if the domain is the primary administrative boundary, it does not create a continuous border protection, as it was in the systems of Windows NT.  And there are several reasons.

  One reason - the existence of universal groups that may gain the privileges of any domain in the forest, since the transitive two-way trust relationships are established automatically between all domains in the forest. For example, members of the Enterprise Admins group and the Schema Admins by default have access to some of the elements generated by the forest (child forest). To the members of the groups mentioned above could not perform within a given domain, these permissions must be manually removed. It is also necessary to pay attention to the Domain Admins group of all other domains in the forest. In forests in Active Directory network is one little-known property. That being said about him in the leadership of the Windows 2000 Server Resource Kit Deployment Planning Guide: "Administrators of any of the domains in the forest have the potential to become owners and edit the information from the container configuration (Configuration container) to Active Directory. These changes can be duplicated on all domain controllers in the forest . Thus, we can assume that the administrator of any acceding to the forest domain has a trust relationship which equate it possible for any other domain administrator (from the group Domain Admins).