Default Security of the Domain Directory Partition

The domain directory partition object is derived from the object class domainDNS; therefore, the default security is equivalent to the default security for the object class domainDNS.

The default security descriptor for the domain directory partition comprises the following:

• Full control permissions to the Domain Administrators group and the System group, and Read permissions to the Authenticated Users group.
• Read property on all properties to the Everyone group. This permission provides backward compatibility for application programming interfaces (APIs).
• Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Enterprise Domain Controllers group. These permissions allow members of the Enterprise Domain Controllers group to manage replication automatically.
• Replicating Directory Changes, Replication Synchronize, and Manage Replication Topology permissions to the Builtin Administrators group. Administrators of individual domain controllers can use these permissions to troubleshoot replication problems.
• Inheritable Full Control to the Enterprise Administrators group. Enterprise Administrators, by definition, have complete control of each domain.
• Inheritable List Contents to the Pre-Windows 2000 Compatible Access group.
• Inheritable Read Property on RAS Information, General Information, Membership, User Account Restrictions, and User Logon on all User Objects permissions to the Pre-Windows 2000 Compatible Access group.
• Inheritable Read on all Group objects.
• Inheritable Auditing successful/failed Writes to the Everyone group.

Activating the auditing policy ensures that writes that are performed on the directory (on any object) are audited immediately without the need for any extra user intervention. Inheritable access control entry (ACE) provides a convenient way of removing auditing policy.

© 1985-2000 Microsoft Corporation. All rights reserved.