The AD security model is just asking for it. Its assorted mechanisms are ridiculously over-complicated.
You need to spend weeks learning about them to get even a fair appreciation, and it can take years to get into the dusty corners.
Join a new comany with an old system and try to tighten it up and you'll soon have a queue of angry users at your desk asking why XYfuckingZ application won't let them piss on the floor any more because they've always logged in as Administrator to do it.
The various graphical user interfaces don't make it easy to know what's going to break when you change anything nor what's likely to hit you on the back of the head without warning - as we've seen here.
If security is the question, AD is definitely not the answer.
Biting the hand that feeds IT
