This document discusses assessing the security of Active Directory implementations. It covers implementation weaknesses related to people, processes, and technology, and discusses Active Directory's logical and physical structures, its components, and a risk assessment framework. Example recommendations from applying this framework to Company X include disabling booting from alternative OSes, upgrading domain and forest levels, limiting privileged accounts, and implementing secure password and backup policies.