Applying Permissions at the Domain Level
When you apply delegated permissions on the domain naming context, the inheritable ACEs propagate to every object in the domain (user, contact, group, domain DNS, computer, and so on), regardless of whether the permissions apply to only one specific object class.

On domain controllers that are running Microsoft Windows® 2000 Server, adding an inheritable ACE at the domain level changes the DACL of every object within the domain. Depending on the number of ACEs added and the number of objects in the domain, these changes can result in "ACL bloat" (that is, unnecessary ACEs on objects that increase the size of each ACL). ACL bloat ultimately increases the physical size of the NTDS.DIT file on every domain controller in the domain.

On domain controllers that are running Windows Server™ 2003, a unique security descriptor is stored only once rather than once for every object that inherits it. Each object that inherits the security descriptor, or otherwise stores an identical one, holds only a pointer to the shared copy. This single-instance storage eliminates the data redundancy and the database growth that changes to inheritable ACEs can otherwise cause.
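To see where a domain-level delegation has landed, the following PowerShell audit (an added example, not part of the original article) walks the domain and counts, per object class, the inherited ACEs that are marked inherit-only, that is, ACEs an object carries only so that they can propagate to its children without granting anything on the object itself. It assumes the ActiveDirectory module (RSAT) and the AD: drive it creates, and a caller with read access to the domain naming context; $SearchBase and $Top are parameters chosen for this example.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.
param(
    [string]$SearchBase,   # defaults to the current domain root
    [int]$Top = 10         # number of classes to report
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$summary = @{}   # objectClass -> per-class counters

# Enumerate every object under the search base, whatever its class.
Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree |
ForEach-Object {
    $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    # An inherited ACE with the INHERIT_ONLY propagation flag does not apply to
    # this object; it is stored here only to flow on to child objects. These are
    # the entries that make up "ACL bloat" when a delegation scoped to one class
    # is applied at the domain root.
    $carried = @($inherited | Where-Object { ($_.PropagationFlags -band $inheritOnly) -ne 0 })

    if (-not $summary.ContainsKey($_.ObjectClass)) {
        $summary[$_.ObjectClass] = [pscustomobject]@{
            ObjectClass     = $_.ObjectClass
            Objects         = 0
            InheritedAces   = 0
            InheritOnlyAces = 0
        }
    }
    $row = $summary[$_.ObjectClass]
    $row.Objects++
    $row.InheritedAces   += $inherited.Count
    $row.InheritOnlyAces += $carried.Count
}

# Classes carrying the most inherit-only ACEs are the ones paying for a
# domain-level delegation that was meant for a different class.
$summary.Values |
    Sort-Object InheritOnlyAces -Descending |
    Select-Object -First $Top |
    Format-Table ObjectClass, Objects, InheritedAces, InheritOnlyAces -AutoSize
```

Get-Acl is called once per object, so on a large domain run it first against a single OU (pass its distinguished name as $SearchBase) before scanning the whole naming context.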