Addressing Network Security through Windows 2000 Active Directory: Designing a Single Domain Structure

Windows 2000 provides a remedy for the all-powerful NT Domain Admin group, where traditionally excessive powers were given to groups of users, thereby violating the security principal of least privilege. Microsoft's answer is Windows 2000's Active Directory. However, the complexity of Active Directory makes it difficult to understand how best to design a secure directory structure. This paper provides security design considerations for locating users, computers and groups in the Windows 2000 network environment.