Access Control Lists (ACLs) protect Active Directory objects. In much the same way that objects such as files have security applied to them, so too can objects in Active Directory. An object’s security can be viewed in Active Directory Users and Computers on the Security tab of the Properties sheet. If the Properties sheet doesn’t have a Security tab, select Advanced Features from the View menu in Active Directory Users and Computers to enable it. Figure 4-11 shows the Security tab for a computer object.
You can manage security for Active Directory objects at the object level or at the property level.
Active Directory quotas mitigate denial-of-service attacks by limiting the number of objects that a security principal can own or create. You can apply quotas on the security principals at the partition level, such as on domain or application partitions.
Of note when applying quotas is that deleted objects (known as tombstone objects) count toward the quota, even though you can change the percentage of which are applied to the quota with the msDS-TombstoneQuotaFactor attribute found in the NTDS Quotas container.
The value is set to 100 by default, meaning that 100 percent of tombstoned items count against the quota.
During the design of Active Directory permissions, one consideration surrounds highsecurity objects. For example, the design could prevent those with lower security rights, such as help desk staff, from changing high-security passwords.