Having a medium or large -sized AD environment can involve a great deal of day-to-day maintenance work with respect to simple user or computer administrative tasks. This includes password resets, user creation, adding computers, and folder access controls. In a medium-sized organization, the technical staff usually off-loads these activities to a help desk, which is either staffed by the organization or bought as in a third-party service.

AD contains a few security groups that have the power to cause real damage. These are Enterprise Admins, Schema Admins, and Domain Admins. The first, Enterprise Admins comprises the administrators group that has full rights to the entire enterprise, meaning the whole forest. If you are part of this group, you can modify the schema, elevate account privileges in all domains within a forest, and generally have no restrictions on your actions.

The second group, Schema Admins, can modify the AD schema. While they do not have...