Active Directory is a secure directory. The following four security features provide a secure application that serves as the security subsystem for the Windows 2000 operating system:
Discretionary access control list (ACL)—Determines the type of access that an authenticated user or group of users has to an object.
Delegation—Allows administrative authority to be delegated to groups of administrators to manage a specific container or subtree.
Access rights—Can be granted or denied to authenticated users or groups of users on containers, objects, or classes of objects.
Trust relationships—Allow users in one domain to gain access to resources and information throughout the forest. Transitive trusts are created between a new domain and the root domain by default, regardless of the location of the domain within a domain tree. A transitive trust means that the new domain trusts all other domains that are trusted by the root domain. Explicit trusts can be manually created between two domains. Explicit trusts can be created to improve LDAP referrals between two domains that are in different domain trees.