Hi all,

I'm interested in the forum's views on where the Security Boundary exists in MS Windows Active Directory.

MS assert that this exists at the Forest level, as this is the only point at which a SysAdmin from one forest cannot achieve SysAdmin rights in another forest without those rights being explicitly granted.

Many text books and AD consultants however put this boundary at the domain level.

What is the consensus amongst AO security people?

At what point can I guarantee separation of data, given that I want to keep rogue SysAdmins on one system/network from gaining surreptitious access to data on another system/network?

Thanking you all in advance,

Alan Mott