Eagleman schrijft: "Sommigen zullen dit weer 'moddergooien' noemen, maar je zult toch maar verantwoordelijk zijn voor de Active Directory security issues. Novell besteedt op haar NDS-propanda pagina's aandacht aan het 'zoveelste bezwaar' dat het tegen Active Directory heeft ontdekt":
While Active Directory supports the capability to block inherited access rights, a security flaw exists whereby a blocked administrator can effectively remove this block, thus enabling access to sensitive corporate assets. This security issue was duplicated on multiple Windows 2000 Servers in different configurations. All Windows 2000 servers were running Build 2195, the final release of the Windows 2000 operating system.
If a general administrator uses the "Active Directory Users and Computers" administrative utility to attempt to access information in a hidden organizational unit" that information is not available. This is to be expected.
However, if they select another organizational unit first and select its security tab and then go to the "hidden organizational unit" they can not only see the security settings but can also manage security rights. It appears that simply viewing another object in Active Directory allows access to the blocked object. At this point the general administrator can actually grant other objects rights to this section of the network and then set inherited permissions back on - which effectively allows a method for simple future access and hides the fact that entrance had been gained.
This flaw is not caused by any domain-related groups, such as the built-in "Domains Admins" group because this security hole works even when the "Domains Admins" group is specifically added to the Payroll department with DENY rights.
Here is the million dollar question - is this a bug in the "Active Directory Users and Computers" utility, or is this a problem in Active Directory ? At first glance it certainly appears that this is a bug in the administrative utility, since certain steps taken in the administrative utility suddenly bypass security. However, if this is true, this is VERY DANGEROUS, as it means that it is the utility that enforces security, rather than the directory itself. If decisions about Active Directory security are a function of the client-side utility or application and are not necessarily enforced at the back-end Active Directory server any malicious programmer could user the same access to create a client-side utility that did not enforce security and thus bypass Active Directory security.
Alternatively, if the flaw exists in the directory itself it demonstrates the lack of security architecture necessary to provide an enterprise-ready directory.