What is Active Directory?
Active Directory, often called AD, is Microsoft's directory service used to manage users, computers, groups, devices, permissions, and policies in enterprise Windows environments.
In simple terms, Active Directory helps organizations answer questions like:
- Who is this user?
- Which computer belongs to the company?
- Which group is this user a member of?
- Which systems can this user access?
- Which security policies should apply to this device?
- Who has administrative control over this environment?
Microsoft describes Active Directory Domain Services, or AD DS, as a directory service that stores directory data and makes that data available to network users and administrators. It stores information about objects such as user accounts and provides a way for authorized users to access that information.
For many organizations, Active Directory is still the central identity backbone. Even companies that use cloud platforms, SaaS applications, Microsoft Entra ID, AWS, Google Cloud, or modern identity providers often still depend on Active Directory for core authentication, authorization, workstation management, server access, privileged administration, and legacy application access.
Active Directory Definition
Active Directory is a centralized directory service that stores, organizes, and manages identities, devices, groups, permissions, and policies across an organization's network.
It allows IT teams to centrally manage:
- User accounts
- Computer accounts
- Groups
- Password policies
- Access permissions
- Domain controllers
- Organizational units
- Group Policy Objects
- Service accounts
- Administrative privileges
- Trust relationships
- Authentication and authorization workflows
Active Directory is especially important in enterprise environments because it connects identity, access, device management, and security policy enforcement into one centralized structure.
A simple way to explain it:
Active Directory is like the identity control center of a Windows-based enterprise network.
Why is Active Directory Important?
Active Directory is important because it controls access to many of the systems employees use every day.
For example, when an employee logs in to a corporate laptop, accesses a file share, connects to a VPN, opens an internal application, or uses a domain-joined workstation, Active Directory may be involved in the background.
Active Directory is commonly used to manage:
- Employee logins
- Windows computers
- Servers
- File shares
- Printers
- Internal applications
- Security groups
- Administrator access
- Password policies
- Device policies
- Network authentication
In many enterprises, if Active Directory is compromised, the entire environment may be at risk.
This is why attackers frequently target Active Directory. Once attackers obtain valid domain credentials, they can often move across systems, escalate privileges, and attempt to gain control of critical infrastructure. CISA and NSA have warned that malicious actors prioritize obtaining valid domain credentials after gaining access to a network.
Core Components of Active Directory
1. Domain
An Active Directory domain is a logical boundary used to manage users, computers, groups, and policies.
Example:
A company may have a domain like:
company.local
or:
corp.company.com
Users and computers inside this domain can be centrally managed through Active Directory.
A domain usually includes:
- User accounts
- Computer accounts
- Security groups
- Organizational units
- Group Policy Objects
- Authentication rules
- Administrative permissions
2. Domain Controller
A domain controller is a server that runs Active Directory Domain Services.
It is responsible for:
- Authenticating users
- Validating passwords
- Processing logins
- Storing directory data
- Replicating AD data with other domain controllers
- Enforcing domain policies
- Supporting Kerberos authentication
Example:
When an employee logs in to their Windows laptop using a domain account, the domain controller helps verify whether the username and password are valid.
Domain controllers are among the most critical systems in an Active Directory environment. Microsoft states that if an attacker gains privileged access to a domain controller, they can modify, corrupt, or destroy the AD database, potentially threatening all AD-managed systems and accounts.
3. Forest
An Active Directory forest is the highest-level logical container in Active Directory.
A forest can contain one or more domains.
Example:
company.com
├── emea.company.com
├── usa.company.com
└── asia.company.com
A forest defines the overall security boundary for Active Directory. Microsoft's reference architecture documentation describes AD DS as storing identity information in a hierarchical structure, where the top node is the forest, forests contain domains, and domains contain other types of objects.
In large organizations, forests are often used to separate business units, regions, subsidiaries, or security boundaries.
4. Organizational Unit
An Organizational Unit, or OU, is a container inside a domain used to organize users, computers, groups, and other objects.
Example:
Company
├── Users
│   ├── Finance
│   ├── HR
│   └── IT
├── Computers
│   ├── Laptops
│   └── Servers
└── Service Accounts
OUs help administrators apply policies, delegate administration, and organize objects more clearly.
For example:
- HR computers may receive one set of security policies.
- Finance computers may receive stricter policies.
- Server objects may be managed only by infrastructure administrators.
- Help desk users may be delegated limited permissions to reset passwords in specific OUs.
5. User Account
A user account represents a person who needs access to systems.
Examples:
- Employee account
- Contractor account
- Help desk account
- Administrator account
- Temporary user account
A user account may be used to log in to:
- Workstations
- VPN
- File shares
- Internal applications
- Business systems
- Remote desktop services
User accounts are one of the most targeted objects in Active Directory because attackers can use compromised credentials to access systems as legitimate users.
6. Computer Account
A computer account represents a domain-joined device.
Examples:
- Corporate laptop
- Windows workstation
- Application server
- Database server
- File server
Computer accounts allow Active Directory to manage and authenticate devices.
For example, when a company laptop joins the domain, Active Directory creates a computer object for that device. This allows IT teams to apply Group Policy settings, security configurations, and access controls.
7. Group
An Active Directory group is used to assign permissions to multiple users or computers at once.
Example:
Instead of assigning file access to every finance employee individually, an administrator can create a group like:
Finance-FileShare-Read
Then users can be added to that group.
Groups are useful, but they can also create risk. Nested groups, forgotten memberships, and excessive privileges may create hidden access paths.
8. Group Policy
Group Policy is used to centrally manage configuration settings for users and computers.
Microsoft describes Group Policy as a Windows feature that provides centralized management and configuration of operating systems, applications, and user settings. When used with Active Directory, these settings are stored in Group Policy Objects, or GPOs.
Group Policy can be used to configure:
- Password policies
- Account lockout policies
- Firewall settings
- Software deployment
- Desktop restrictions
- Security baselines
- Local administrator settings
- Audit settings
- Browser configurations
- Drive mappings
- Logon scripts
Example:
A company can use Group Policy to require screen lock after 10 minutes of inactivity across all corporate laptops.
9. Service Account
A service account is an account used by an application, service, script, or system process.
Examples:
- Database service account
- Backup software account
- Monitoring agent account
- Application pool identity
- Scheduled task account
- Integration account
Service accounts are often high-risk because they may have:
- Long-lived passwords
- Excessive privileges
- No clear owner
- Weak monitoring
- Passwords stored in scripts or configuration files
- Access to critical systems
A compromised service account can become a powerful entry point for attackers.
10. Trust Relationship
A trust relationship allows users in one domain or forest to access resources in another domain or forest.
Example:
A company acquires another company. Instead of immediately merging both Active Directory environments, they may create a trust relationship so users from one environment can access selected resources in the other.
Trusts are useful for business operations, but they also increase complexity. If not properly managed, a compromise in one domain or forest may create risk for another connected environment.
How Active Directory Works in Real Life
Example 1: Employee Login
A finance employee starts their laptop and enters their username and password.
Behind the scenes:
- The laptop contacts a domain controller.
- The domain controller validates the credentials.
- Active Directory checks the user account status.
- Group memberships are evaluated.
- Group Policy settings are applied.
- The user receives access to approved resources.
The employee may then access:
- Finance file shares
- Internal applications
- Printers
- Department-specific resources
But they should not automatically access:
- HR records
- Domain controller settings
- Security tools
- Production databases
- Executive folders
This is Active Directory doing identity and access management in the background.
Example 2: File Share Access
A company has a file server with folders for each department:
\\fileserver\Finance
\\fileserver\HR
\\fileserver\Engineering
\\fileserver\Sales
The finance team should access the Finance folder, but not the HR folder.
A common AD-based approach:
- Create a security group named Finance-FileShare-Access
- Add finance users to the group
- Grant that group permission to the Finance folder
- Remove users when they leave the department
This is a simple but powerful example of how Active Directory groups control access.
The risk appears when users are added to too many groups, old access is not removed, or highly privileged groups are used for normal access.
Example 3: New Employee Onboarding
A new employee joins the sales department.
The IT team creates an Active Directory account and adds the user to relevant groups.
The user receives access to:
- Domain login
- Sales file shares
- CRM application
- Shared printers
- Standard workstation policies
- VPN access, if required
A mature process should ensure that the user only receives access required for their role.
If the onboarding process is manual and inconsistent, users may receive unnecessary privileges from day one.
Example 4: Employee Changes Department
An employee moves from Finance to Procurement.
The correct AD process should be:
- Remove old Finance group memberships.
- Add Procurement group memberships.
- Review access to shared folders.
- Review application access.
- Confirm that privileged access is not accidentally retained.
If old access is not removed, the user may accumulate permissions over time.
This is called privilege creep.
Privilege creep creates security risk because a normal employee account may slowly become more powerful than intended.
Example 5: Help Desk Password Reset
A help desk employee needs permission to reset passwords for standard users.
Instead of making the help desk employee a Domain Admin, Active Directory allows delegation.
A secure design would allow the help desk to:
- Reset passwords for standard users
- Unlock accounts
- Update basic user attributes
But not:
- Modify Domain Admins
- Change domain controller settings
- Edit critical Group Policy Objects
- Add users to privileged groups
This is a practical example of least privilege administration.
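The following is an added illustration of Example 5, not code from the original page or from Forestall. It models OU-scoped delegation as a small authorization check: a delegation grants a set of rights to a trustee group on an OU and inherits to child OUs (a child's distinguished name ends with its parent's), and accounts in protected built-in groups are excluded from delegated rights entirely. In a real domain that exclusion is enforced by the AdminSDHolder/SDProp mechanism, which periodically rewrites the ACLs of protected accounts; the group, user and OU names below are constructed.

```python
"""Constructed model of OU-scoped delegation for the help desk scenario.
Not AD's actual ACL engine, which evaluates access control entries on each object."""
from dataclasses import dataclass, field

# Built-in groups whose members must not be reachable through ordinary OU delegation.
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                    "Account Operators", "Server Operators", "Backup Operators"}

@dataclass
class Principal:
    name: str
    ou: str                                    # DN of the container holding the object
    groups: set = field(default_factory=set)   # direct memberships (constructed sample)

@dataclass
class Delegation:
    trustee: str   # group that receives the rights
    scope_ou: str  # OU on which the rights are granted; inherits to child OUs
    rights: set    # e.g. {"reset_password", "unlock_account", "write_basic_attributes"}

def in_scope(object_ou: str, scope_ou: str) -> bool:
    # A child OU's DN ends with its parent's DN: "OU=Finance,OU=Users,DC=corp,DC=example"
    # lies inside "OU=Users,DC=corp,DC=example".
    return object_ou == scope_ou or object_ou.endswith("," + scope_ou)

def is_protected(p: Principal) -> bool:
    return bool(p.groups & PROTECTED_GROUPS)

def authorize(actor: Principal, target: Principal, right: str, delegations: list) -> tuple:
    """Decide whether actor may exercise `right` on target. Returns (allowed, reason)."""
    if is_protected(target):
        return False, f"{target.name} is protected; delegated rights do not apply"
    for d in delegations:
        if d.trustee in actor.groups and right in d.rights and in_scope(target.ou, d.scope_ou):
            return True, f"{d.trustee} holds {right} on {d.scope_ou}"
    return False, "no delegation grants this right on this object"

def build_scenario():
    """Constructed directory: one help desk user, one finance user, one Domain Admin,
    the Domain Admins group object, a GPO object, and a single help desk delegation."""
    users_ou = "OU=Users,DC=corp,DC=example"
    helpdesk = Principal("hd.alice", f"OU=IT,{users_ou}", {"HelpDesk"})
    fin_user = Principal("fin.bob", f"OU=Finance,{users_ou}", {"Finance-Users"})
    dom_adm = Principal("adm.carol", "OU=Admins,DC=corp,DC=example", {"Domain Admins"})
    da_group = Principal("Domain Admins", "CN=Users,DC=corp,DC=example")
    gpo_obj = Principal("Default Domain Policy", "CN=Policies,CN=System,DC=corp,DC=example")
    delegations = [Delegation("HelpDesk", users_ou,
                              {"reset_password", "unlock_account", "write_basic_attributes"})]
    return helpdesk, fin_user, dom_adm, da_group, gpo_obj, delegations

def run_checks() -> dict:
    """The page's allowed / not-allowed lists for the help desk, as authorization results."""
    hd, bob, carol, da_group, gpo, dl = build_scenario()
    return {
        "reset standard user password": authorize(hd, bob, "reset_password", dl)[0],
        "unlock standard user": authorize(hd, bob, "unlock_account", dl)[0],
        "reset Domain Admin password": authorize(hd, carol, "reset_password", dl)[0],
        "add member to Domain Admins": authorize(hd, da_group, "write_member", dl)[0],
        "edit Group Policy Object": authorize(hd, gpo, "write_gpo", dl)[0],
    }

if __name__ == "__main__":
    for check, allowed in run_checks().items():
        print(f"{check:32s} {'ALLOW' if allowed else 'DENY'}")
```

The first two checks pass because the target sits under the delegated OU and the right is in the granted set; the remaining three are denied either because the target is protected or because no delegation covers that object and right, which is exactly the boundary the help desk design above describes.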
Example 6: Service Account for an Application
An internal HR application needs to connect to a database.
The application uses a service account.
A secure setup:
- The service account has only the required database permissions.
- The account is not a Domain Admin.
- The password is rotated.
- The account has a documented owner.
- Interactive login is restricted.
- Usage is monitored.
An insecure setup:
- The service account has domain-wide privileges.
- The password never expires.
- The password is stored in plain text.
- No one knows who owns the account.
- The account is used by multiple systems.
In many real-world environments, service accounts become hidden risk points because they are created for business continuity but rarely reviewed later.
Common Active Directory Use Cases
| Use Case | Description | Business Value | Security Consideration |
|---|---|---|---|
| User authentication | Allows users to log in to domain-joined systems | Centralized login management | Compromised credentials can expose many systems |
| Device management | Manages corporate computers and servers | Standardized IT operations | Misconfigured devices may weaken domain security |
| Group-based access | Controls access through security groups | Easier permission management | Nested or stale groups can create hidden access |
| Group Policy enforcement | Applies security and configuration settings | Centralized policy control | Weak or conflicting GPOs can create exposure |
| Password policy management | Defines password and lockout rules | Reduces weak credential risk | Legacy password policies may be insufficient |
| Privileged administration | Manages admin rights across the domain | Enables IT operations | Excessive admin rights increase compromise impact |
| File share access | Controls folder and document access | Supports department-level access | Poor permissions may expose sensitive data |
| Application access | Provides identity source for internal apps | Simplifies access management | Legacy apps may require risky permissions |
| Service account management | Supports applications and automation | Keeps business services running | Overprivileged service accounts are high risk |
| Mergers and acquisitions | Uses trusts or migrations between AD environments | Enables business integration | Trusts may create cross-environment attack paths |
Active Directory and Authentication
Active Directory commonly supports authentication protocols such as Kerberos and NTLM.
Kerberos
Kerberos is the primary authentication protocol in modern Active Directory environments.
In simple terms:
- The user logs in.
- The domain controller validates the identity.
- The user receives a ticket.
- The ticket is used to access services without sending the password repeatedly.
Kerberos improves security and efficiency, but misconfigurations can still create attack opportunities.
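To make the four-step flow above concrete, here is an added, deliberately simplified model of the ticket exchange. It is not code from the page or from Forestall and it is not real Kerberos: message formats, encryption types and the pre-authentication step are replaced by a toy sealed-payload scheme so the logic fits on one screen. What it does preserve is the shape of the protocol: the client proves knowledge of its password only by decrypting the KDC's reply locally, the TGT is readable only by the KDC, and the service ticket is protected by the service account's own key, which is why the strength of that account's password matters. Principal names and passwords are constructed.

```python
"""Toy Kerberos-style ticket flow. Constructed example, not real Kerberos message
formats or cryptography (which use ASN.1 and AES-based encryption types)."""
import hashlib
import hmac
import json
import secrets
import time

def derive_key(password: str, principal: str) -> bytes:
    # Long-term key derived from the account password (stand-in for Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, payload: dict) -> bytes:
    # Toy authenticated encryption: SHA-256 counter keystream plus an HMAC tag. Demo only.
    nonce, data = secrets.token_bytes(16), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Domain controller role: the only party holding every principal's long-term key."""
    def __init__(self, accounts: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in accounts.items()}

    def as_exchange(self, client: str):
        # AS-REQ / AS-REP: a TGT sealed under the krbtgt key, plus the session key sealed
        # under the client's key. Real AD also requires pre-authentication (a timestamp
        # encrypted with the client key) before it replies; omitted in this toy.
        skey = secrets.token_hex(16)
        tgt = seal(self.keys["krbtgt"], {"client": client, "skey": skey, "exp": time.time() + 600})
        return tgt, seal(self.keys[client], {"skey": skey})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS-REQ / TGS-REP: the service ticket is sealed under the service account's key,
        # so that key, derived from the account password, is what protects the ticket.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise ValueError("authenticator does not match TGT or TGT expired")
        sskey = secrets.token_hex(16)
        st = seal(self.keys[service], {"client": t["client"], "skey": sskey, "exp": time.time() + 600})
        return st, seal(bytes.fromhex(t["skey"]), {"skey": sskey})

class Service:
    """A domain service (here a file server) that knows only its own key, never the user's."""
    def __init__(self, principal: str, password: str):
        self.key = derive_key(password, principal)

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise ValueError("service ticket rejected")
        return t["client"]  # authenticated identity; no password was ever transmitted

def login_and_access(kdc: KDC, service: Service, client: str, password: str, spn: str) -> str:
    """Client side: the password only derives a key locally; tickets and authenticators
    are the only things that cross the wire."""
    ckey = derive_key(password, client)
    tgt, enc = kdc.as_exchange(client)
    skey = bytes.fromhex(unseal(ckey, enc)["skey"])      # a wrong password fails right here
    st, enc2 = kdc.tgs_exchange(tgt, seal(skey, {"client": client, "ts": time.time()}), spn)
    sskey = bytes.fromhex(unseal(skey, enc2)["skey"])
    return service.accept(st, seal(sskey, {"client": client, "ts": time.time()}))

def demo() -> tuple:
    # Constructed sample accounts; the service and krbtgt secrets are random and long.
    accounts = {"krbtgt": secrets.token_hex(32), "alice": "correct horse battery",
                "fileserver": secrets.token_hex(32)}
    kdc, fs = KDC(accounts), Service("fileserver", accounts["fileserver"])
    who = login_and_access(kdc, fs, "alice", "correct horse battery", "fileserver")
    try:
        login_and_access(kdc, fs, "alice", "wrong password", "fileserver")
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return who, outcome

if __name__ == "__main__":
    print(demo())
```

Running `demo()` authenticates alice once, obtains a service ticket for the file server, and has the service confirm her identity from the ticket alone; the second attempt with a wrong password fails at the point where the client tries to read the KDC's reply, before any ticket is used.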
Examples of Kerberos-related risks include:
- Kerberoasting
- AS-REP Roasting
- Weak service account passwords
- Unconstrained delegation
- Overprivileged service accounts
NTLM
NTLM is an older authentication protocol still present in many environments for compatibility reasons.
NTLM can create security concerns when legacy systems depend on it or when it is not restricted properly.
Examples of NTLM-related risks include:
- Credential relay attacks
- Legacy authentication exposure
- Weak compatibility configurations
- Difficulty enforcing modern authentication controls
Organizations should review where NTLM is still used and reduce unnecessary dependency where possible.
Common Active Directory Security Risks
1. Excessive Privileges
One of the most common AD risks is excessive privilege.
This happens when users, groups, administrators, or service accounts have more access than they need.
Microsoft specifically warns against granting excessive privileges and highlights highly privileged built-in groups such as Enterprise Admins, Domain Admins, and Administrators as groups that must be strongly protected.
Example:
A help desk user only needs to reset passwords, but they are added to a highly privileged admin group for convenience.
This creates unnecessary risk.
If that help desk account is compromised, the attacker may gain far more access than expected.
2. Domain Admin Overuse
Domain Admin rights should be limited to a very small number of controlled accounts.
A risky environment may have:
- Too many Domain Admins
- Admins using privileged accounts for daily work
- Domain Admins logging into workstations
- Shared administrator accounts
- No approval process for privileged access
If a Domain Admin account is compromised, the attacker may gain control over the entire domain.
3. Weak Service Account Security
Service accounts often become dangerous because they are hard to manage.
Common issues include:
- Passwords that never expire
- Passwords stored in scripts
- Excessive privileges
- No clear owner
- Use across multiple systems
- Poor monitoring
- Interactive login allowed
Example:
A backup service account is accidentally added to a privileged group. Years later, attackers compromise the backup server and use the service account to escalate privileges.
4. Stale and Orphaned Accounts
Stale accounts are accounts that are no longer actively used.
Examples:
- Former employee accounts
- Old contractor accounts
- Forgotten test accounts
- Legacy service accounts
- Disabled but still permissioned accounts
These accounts create risk because they may still have access to systems, groups, or data.
Attackers like stale accounts because they are often less monitored.
5. Misconfigured Group Policy Objects
Group Policy is powerful, but misconfigured GPOs can create serious exposure.
Examples:
- Granting local administrator rights too broadly
- Weak password policies
- Insecure script deployment
- Poor audit settings
- Legacy protocol settings
- Incorrect firewall configurations
- Storing sensitive data in policy-related locations
A single misconfigured GPO can affect thousands of users or computers.
6. Nested Group Complexity
Groups can be nested inside other groups.
This is useful for management, but it can also hide privilege.
Example:
User A
└── Member of IT Support
    └── Member of Server Operators
        └── Has admin access to critical servers
At first glance, User A may look like a standard support user. But through nested group relationships, the user may have powerful access.
This is why identity relationship analysis is important.
7. Uncontrolled Delegation
Delegation allows one account or system to act on behalf of another.
It is useful for business applications, but dangerous when misconfigured.
Examples of risky delegation include:
- Unconstrained delegation
- Overly broad constrained delegation
- Delegation assigned to unnecessary systems
- Delegation involving privileged users
Misconfigured delegation can support privilege escalation and lateral movement.
8. Active Directory Certificate Services Risk
Active Directory Certificate Services, or AD CS, is used to issue and manage certificates.
AD CS is powerful, but misconfigured certificate templates or enrollment permissions can allow attackers to obtain certificates that impersonate privileged users or systems.
Common AD CS risks include:
- Dangerous certificate templates
- Weak enrollment permissions
- Misconfigured authentication certificates
- Overly broad template access
- Lack of monitoring on certificate issuance
AD CS has become an important area of Active Directory security assessment.
9. Poor Domain Controller Security
Domain controllers are critical assets.
Common issues include:
- Domain controllers exposed to unnecessary network access
- Weak patching
- Poor physical security
- Too many administrators
- Lack of monitoring
- Unnecessary services
- Weak backup protection
Microsoft recommends keeping domain controllers secure because compromise of a domain controller can threaten all AD-managed accounts and systems.
10. Hidden Attack Paths
An attack path is a chain of relationships that allows an attacker to move from one identity or system to a more privileged target.
Example:
- A normal user has local admin rights on a workstation.
- A privileged admin logs into that workstation.
- Credentials are exposed.
- The attacker steals credentials.
- The attacker accesses a server.
- The attacker escalates to domain-level privileges.
Individually, each relationship may look normal. Together, they create a path to compromise.
This is one of the biggest challenges in Active Directory security.
Real-World Active Directory Attack Scenario
Imagine a company with 3,000 employees and a traditional Active Directory environment.
The attacker compromises a standard employee account through phishing.
At first, the account has limited access.
But then the attacker discovers:
- The user has local admin rights on several workstations.
- One workstation contains cached credentials.
- A service account password is stored in a script.
- The service account has access to multiple servers.
- One server is managed by a privileged administrator.
- A nested group gives indirect access to sensitive systems.
- A misconfigured GPO grants unnecessary rights.
The attacker does not need to "break" every system.
They simply follow identity relationships and misconfigurations until they reach privileged access.
This is why Active Directory security is not only about passwords or patching. It is about understanding the full identity attack surface.
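The nested-group example (section 6), the hidden attack path (section 10) and the scenario just described all come down to the same thing: relationships that are individually ordinary but chain together. The following added example, which is not code from the page or from Forestall, builds a small constructed identity graph with the relationship kinds the page names (group membership, local administrator rights, and a privileged user's session on a machine) and answers two defender questions over it: which groups a user is effectively in, with the chain that grants each one, and whether any path leads from a standard user to a Tier 0 group. All names and edges are made up.

```python
"""Constructed identity-relationship graph for effective-membership and attack-path
analysis. Sample data only; not real domain data."""
from collections import deque

# (source, relationship, target). MemberOf = group membership, AdminTo = local
# administrator rights on a machine, HasSession = that user's credentials are present
# on the machine (a logged-on privileged admin, as in the page's example).
EDGES = [
    ("User A", "MemberOf", "IT Support"),
    ("IT Support", "MemberOf", "Server Operators"),
    ("Server Operators", "AdminTo", "APP-SRV-01"),
    ("jdoe", "MemberOf", "Domain Users"),
    ("Domain Users", "AdminTo", "WKS-0042"),        # an over-broad GPO made everyone local admin
    ("WKS-0042", "HasSession", "adm.carol"),         # a privileged admin signs in to that workstation
    ("adm.carol", "MemberOf", "Domain Admins"),
    ("fin.dave", "MemberOf", "Finance-Apps"),
    ("Finance-Apps", "MemberOf", "Finance-Users"),
    ("Finance-Users", "MemberOf", "Finance-Apps"),  # circular nesting, which AD permits
]
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators"}

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def effective_groups(graph, principal):
    """Every group reached through MemberOf only, each with the chain that grants it.
    Recording a group the first time it is seen keeps circular nesting from looping."""
    chains, stack = {}, [(principal, [])]
    while stack:
        node, chain = stack.pop()
        for rel, group in graph.get(node, []):
            if rel == "MemberOf" and group not in chains:
                chains[group] = chain + [group]
                stack.append((group, chains[group]))
    return chains

def shortest_path(graph, start, targets):
    """Breadth-first search over all relationship types: the fewest hops from `start`
    to any node in `targets`, as a list of (source, relationship, target) edges."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node in targets:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None

def describe(path):
    if not path:
        return ""
    return " -> ".join([path[0][0]] + [f"[{rel}] {dst}" for _, rel, dst in path])

def users_reaching(graph, users, targets):
    """Which of the given principals have any path into the target set, with hop count."""
    results = {}
    for user in users:
        path = shortest_path(graph, user, targets)
        if path is not None:
            results[user] = len(path)
    return results

if __name__ == "__main__":
    g = build_graph(EDGES)
    for group, chain in effective_groups(g, "User A").items():
        print(f"User A is effectively in {group} via {' -> '.join(chain)}")
    path = shortest_path(g, "jdoe", TIER0)
    print(describe(path) if path else "no path to Tier 0")
    print(users_reaching(g, ["User A", "jdoe", "fin.dave"], TIER0))
```

In this sample, User A's effective membership of Server Operators surfaces with its chain through IT Support, and the only path to Domain Admins starts from the ordinary user jdoe: local admin on the workstation via the broad GPO, then the admin session on that machine. Neither finding is visible from direct group membership alone, which is the point of the two sections above; removing either the broad AdminTo grant or the privileged logon to a workstation breaks the path.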
Active Directory vs Microsoft Entra ID
Active Directory and Microsoft Entra ID are related, but they are not the same.
| Area | Active Directory | Microsoft Entra ID |
|---|---|---|
| Primary environment | On-premises / hybrid | Cloud |
| Common use | Domain login, Windows systems, internal apps | SaaS, cloud apps, modern identity |
| Authentication | Kerberos, NTLM, LDAP-based integrations | OAuth, SAML, OpenID Connect, modern auth |
| Device management | Domain-joined machines, GPO | Cloud identity, Conditional Access, device signals |
| Structure | Forests, domains, OUs | Tenants, users, groups, roles, applications |
| Common risk | Domain compromise, lateral movement, privilege escalation | Consent abuse, risky apps, overprivileged roles |
Many organizations use both.
For example:
- Active Directory manages on-premises identities and systems.
- Microsoft Entra ID manages cloud identity and SaaS access.
- Synchronization connects identities between both environments.
This hybrid model is powerful, but it also creates security complexity.
A weakness in one identity layer may affect the other.
Active Directory Best Practices
1. Protect Domain Controllers
Domain controllers should be treated as Tier 0 assets.
Recommended practices include:
- Limit who can log in to domain controllers.
- Restrict network access.
- Keep domain controllers patched.
- Monitor privileged changes.
- Secure domain controller backups.
- Avoid installing unnecessary software.
- Protect physical and virtual infrastructure hosting domain controllers.
2. Reduce Domain Admin Usage
Domain Admin access should be rare, controlled, and monitored.
Good practices:
- Use separate admin accounts.
- Avoid using Domain Admin accounts for daily work.
- Do not log in to workstations with Domain Admin accounts.
- Use just-in-time or time-limited privileged access where possible.
- Review Domain Admin membership regularly.
3. Apply Least Privilege
Users and administrators should only have the permissions required for their role.
Examples:
- Help desk can reset standard user passwords, but cannot modify privileged groups.
- Server admins can manage servers, but not domain controllers.
- Application owners can manage application groups, but not domain-wide settings.
- Service accounts have only required permissions.
Least privilege reduces the damage caused by compromised accounts.
4. Review Privileged Groups Regularly
Privileged groups should be reviewed frequently.
Examples of groups to review:
- Domain Admins
- Enterprise Admins
- Administrators
- Account Operators
- Server Operators
- Backup Operators
- Group Policy Creator Owners
- DNS Admins
- Schema Admins
- Local Administrators on critical servers
The goal is to understand who has privileged access and whether that access is still required.
5. Separate Administrative and Standard Accounts
Administrators should have at least two accounts:
- A standard user account for daily work
- A separate admin account for administrative tasks
This reduces the risk that email, browsing, or normal workstation activity exposes privileged credentials.
6. Secure Service Accounts
Service accounts should be reviewed and managed carefully.
Best practices:
- Assign a clear owner.
- Document business purpose.
- Avoid Domain Admin privileges.
- Use strong passwords.
- Rotate credentials.
- Restrict interactive login.
- Monitor usage.
- Remove unused service accounts.
- Prefer managed service account options where appropriate.
7. Monitor Group Policy Changes
Group Policy can change security settings across many systems.
Organizations should monitor:
- New GPO creation
- GPO modification
- GPO linking changes
- Permission changes on GPOs
- Scripts added to GPOs
- Local administrator changes
- Security baseline changes
A malicious or accidental GPO change can create broad exposure.
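The monitoring list above maps onto a small set of Windows Security events on domain controllers: 5137 (directory object created), 5136 (object modified) and 5141 (object deleted). A GPO is a `groupPolicyContainer` object, so creation, permission changes (`nTSecurityDescriptor`) and settings changes (`versionNumber`) show up there, while linking shows up as a 5136 on the OU, domain or site whose `gPLink` attribute changed. The detection below is an added example, not code from the page or from Forestall, run over constructed events that use those real field names; the list of expected GPO administrators is an assumption. Two caveats a practitioner would want: these events only exist when the "Audit Directory Service Changes" subcategory is enabled and the Policies container carries a SACL, and script files inside a GPO live in SYSVOL, so edits to them need file-system object auditing rather than these directory events.

```python
"""Detection over constructed Windows Security events for Group Policy changes.
Added example; the events are made up but use the field names of event IDs 5136/5137/5141."""
DIRECTORY_CHANGE_EVENTS = {"5137": "created", "5136": "modified", "5141": "deleted", "5139": "moved"}
LINK_HOLDERS = {"organizationalUnit", "domainDNS", "site"}   # object classes that carry gPLink
# Accounts expected to change GPOs in this constructed environment (an assumption);
# a change by anyone else is rated high.
GPO_ADMINS = {"adm.carol", "adm.dan"}

def classify(ev):
    """Map one event to a GPO finding, or None if it is not GPO-related."""
    eid, cls = str(ev.get("EventID")), ev.get("ObjectClass", "")
    attr = ev.get("AttributeLDAPDisplayName", "")
    if eid not in DIRECTORY_CHANGE_EVENTS:
        return None
    kind = None
    if cls == "groupPolicyContainer":
        kind = DIRECTORY_CHANGE_EVENTS[eid]
        if eid == "5136":   # refine a modification by the attribute that changed
            kind = {"nTSecurityDescriptor": "permissions-changed",
                    "versionNumber": "settings-changed",
                    "gPCMachineExtensionNames": "extensions-changed",
                    "gPCUserExtensionNames": "extensions-changed"}.get(attr, "attribute-changed")
    elif eid == "5136" and attr == "gPLink" and cls in LINK_HOLDERS:
        kind = "link-changed"
    if kind is None:
        return None
    actor = ev.get("SubjectUserName", "?")
    return {"time": ev.get("TimeCreated"), "kind": kind, "actor": actor,
            "object": ev.get("ObjectDN"),
            "severity": "high" if actor not in GPO_ADMINS else "medium"}

def detect(events):
    """All GPO findings from a list of events, in event order."""
    return [finding for finding in map(classify, events) if finding]

POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [  # constructed sample; GUIDs other than the Default Domain Policy's are placeholders
    {"TimeCreated": "2024-03-01T08:02:11Z", "EventID": 5137, "SubjectUserName": "adm.carol",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": f"CN={{PLACEHOLDER-GUID-1}},{POLICIES}"},
    {"TimeCreated": "2024-03-01T08:03:40Z", "EventID": 5136, "SubjectUserName": "adm.carol",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": f"CN={{PLACEHOLDER-GUID-1}},{POLICIES}",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "3"},
    {"TimeCreated": "2024-03-01T08:05:02Z", "EventID": 5136, "SubjectUserName": "adm.carol",
     "ObjectClass": "organizationalUnit", "ObjectDN": "OU=Laptops,OU=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": f"[LDAP://CN={{PLACEHOLDER-GUID-1}},{POLICIES};0]"},
    {"TimeCreated": "2024-03-01T13:41:19Z", "EventID": 5136, "SubjectUserName": "hd.bob",
     "ObjectClass": "groupPolicyContainer",   # well-known GUID of the Default Domain Policy
     "ObjectDN": f"CN={{31B2F340-016D-11D2-945F-00C04FB984F9}},{POLICIES}",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"TimeCreated": "2024-03-01T13:42:00Z", "EventID": 5136, "SubjectUserName": "hd.bob",
     "ObjectClass": "user", "ObjectDN": "CN=fin.bob,OU=Finance,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "telephoneNumber"},
    {"TimeCreated": "2024-03-01T13:45:00Z", "EventID": 4624, "SubjectUserName": "fin.bob"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:6s} {f['kind']:20s} {f['actor']:10s} {f['object']}")
```

Of the six sample events, four are GPO-relevant: a creation, a settings change and a link change by an expected administrator, and a permissions change on the Default Domain Policy by a help desk account, which is the one rated high. The user attribute change and the logon event are ignored.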
8. Identify and Remove Stale Accounts
Regularly review:
- Inactive users
- Old contractor accounts
- Disabled accounts with permissions
- Unused computer accounts
- Legacy service accounts
- Test accounts
Stale identities should be disabled, removed, or properly documented.
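The stale-account review above, the service account practices in point 6 and the service account and stale account risks earlier on the page all reduce to checks over a handful of attributes: `userAccountControl` flags, `lastLogonTimestamp`, `pwdLastSet` and group membership. The following added example, which is not code from the page or from Forestall, runs those checks over a constructed CSV export as one would get from a directory query. The flag values are Microsoft's documented `userAccountControl` bits, the timestamps are Windows FILETIME (100-nanosecond ticks since 1601), and the thresholds, account names and group lists are assumptions.

```python
"""Account-hygiene audit over a constructed CSV export of user objects: stale,
never-expiring, password-not-required and disabled-but-permissioned accounts."""
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators",
              "Account Operators", "Server Operators", "Backup Operators"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed "today" so the sample is reproducible

def filetime_to_datetime(value):
    """lastLogonTimestamp and pwdLastSet are 100-ns ticks since 1601-01-01 UTC; 0 means never.
    lastLogonTimestamp replicates lazily (by default up to 14 days behind), so it is only
    meaningful against thresholds well beyond two weeks."""
    ticks = int(value)
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

SAMPLE_EXPORT = """sAMAccountName,userAccountControl,lastLogonTimestamp,pwdLastSet,memberOf
jsmith,512,133500000000000000,133400000000000000,Finance-Users
contractor.old,512,131500000000000000,131400000000000000,Domain Users
svc_backup,66048,133500000000000000,129000000000000000,Backup Operators;Domain Users
test01,514,0,130000000000000000,Server Operators
svc_legacy,66080,0,0,Domain Users
"""  # constructed sample, not real directory data

def audit(csv_text, now=NOW, inactive_days=90, max_pwd_age_days=365):
    """Return {account: [finding, ...]} for every account with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        groups = set(filter(None, row["memberOf"].split(";")))
        last_logon = filetime_to_datetime(row["lastLogonTimestamp"])
        pwd_set = filetime_to_datetime(row["pwdLastSet"])
        disabled = bool(uac & ACCOUNTDISABLE)
        f = []
        if not disabled and (last_logon is None or now - last_logon > timedelta(days=inactive_days)):
            f.append("inactive")                      # enabled but unused, or never used at all
        if disabled and groups - {"Domain Users"}:
            f.append("disabled-but-permissioned")     # disabled yet still holding group rights
        if uac & DONT_EXPIRE_PASSWORD:
            f.append("password-never-expires")
        if uac & PASSWD_NOTREQD:
            f.append("password-not-required")
        if pwd_set is None:
            f.append("password-never-set")
        elif now - pwd_set > timedelta(days=max_pwd_age_days):
            f.append("stale-password")
        if groups & PRIVILEGED and {"password-never-expires", "inactive", "stale-password"} & set(f):
            f.append("privileged-with-weak-hygiene")  # the combination the page singles out
        if f:
            findings[row["sAMAccountName"]] = f
    return findings

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT).items():
        print(f"{account:16s} {', '.join(issues)}")
```

On the sample, jsmith produces no findings; contractor.old is inactive since 2017; svc_backup is a Backup Operators member with a never-expiring password last set in 2009; test01 is disabled but still in Server Operators; and svc_legacy has never logged on, has never had a password set, and carries both the never-expires and password-not-required flags. The decision each finding calls for (disable, remove, rotate, or document an owner) is the review the section above describes.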
9. Analyze Attack Paths
Traditional access reviews may show direct permissions, but attackers often use indirect paths.
Attack path analysis helps answer:
- Can a standard user reach privileged access?
- Which accounts can control critical systems?
- Which service accounts create escalation paths?
- Which group memberships are dangerous?
- Which machines expose privileged sessions?
- Which misconfigurations create domain compromise risk?
This is one of the most important practices for modern Active Directory security.
10. Continuously Assess Active Directory Security
Active Directory is not static.
It changes every day:
- New users are created.
- Groups are modified.
- Computers join the domain.
- Applications add service accounts.
- Admins change permissions.
- GPOs are updated.
- Cloud integrations are added.
Because of this, Active Directory security should be assessed continuously, not only once a year.
Active Directory Security Checklist
Use this checklist as a practical starting point:
- Are Domain Admins limited and reviewed?
- Are Enterprise Admins protected?
- Are administrators using separate admin accounts?
- Are Domain Admins prevented from logging in to workstations?
- Are domain controllers treated as critical assets?
- Are service accounts documented and owned?
- Are service account passwords rotated?
- Are stale users and computers reviewed?
- Are privileged groups monitored?
- Are Group Policy changes tracked?
- Are risky nested group relationships identified?
- Are unnecessary local admin rights removed?
- Are delegation settings reviewed?
- Are AD CS configurations assessed?
- Are insecure legacy protocols reduced where possible?
- Are attack paths to Tier 0 assets analyzed?
- Are privileged sessions and credential exposures reviewed?
- Are hybrid identity connections assessed?
- Are backups protected from domain compromise?
- Are security findings prioritized by real impact?
How Forestall Helps
Forestall helps organizations understand and reduce Active Directory identity risk by analyzing users, groups, computers, privileges, sessions, misconfigurations, service accounts, exposed credentials, and attack paths.
Instead of only showing isolated configuration issues, Forestall helps security teams answer more important questions:
- Which identities can create real compromise paths?
- Which users or service accounts have excessive privileges?
- Which hidden relationships lead to critical systems?
- Which misconfigurations should be fixed first?
- Which attack paths expose domain-level risk?
- Which identity risks are recurring over time?
With Forestall, organizations can move from basic Active Directory visibility to actionable identity security posture management.
Frequently Asked Questions
What does Active Directory do?
Active Directory stores and manages information about users, computers, groups, and other objects in a network. It helps organizations control authentication, access, policies, and administration from a centralized system.
Is Active Directory still used?
Yes. Active Directory is still widely used by enterprises, especially for Windows environments, internal applications, domain-joined devices, file shares, and hybrid identity architectures.
What is the difference between Active Directory and a domain controller?
Active Directory is the directory service. A domain controller is a server that runs Active Directory Domain Services and handles tasks such as authentication, directory storage, and policy enforcement.
What is an Active Directory domain?
An Active Directory domain is a logical group of users, computers, groups, and resources managed together under the same directory structure and security policies.
What is an Active Directory forest?
An Active Directory forest is the top-level container in AD. It can contain one or more domains and acts as a major security boundary.
What is Group Policy in Active Directory?
Group Policy is a feature used to centrally manage configuration settings for users and computers. It can enforce password policies, security settings, software deployment, desktop restrictions, and many other configurations.
Why do attackers target Active Directory?
Attackers target Active Directory because it controls access to users, computers, servers, applications, and administrative privileges. If attackers compromise AD, they may be able to move laterally, escalate privileges, and control critical systems.
What is the biggest Active Directory security risk?
One of the biggest risks is excessive privilege. Too many administrators, overprivileged service accounts, risky group memberships, and hidden attack paths can allow attackers to escalate from a normal account to domain-level control.
Is Active Directory the same as IAM?
No. Active Directory is a directory service and identity platform commonly used in Windows enterprise environments. IAM is a broader discipline that includes identity management, authentication, authorization, access governance, and lifecycle management across many systems.
Is Active Directory the same as Microsoft Entra ID?
No. Active Directory is primarily used for on-premises and hybrid environments. Microsoft Entra ID is Microsoft's cloud identity platform. Many organizations use both together.
Conclusion
Active Directory is one of the most important identity systems in enterprise IT. It manages users, computers, groups, policies, authentication, and administrative access across business environments.
Because Active Directory is deeply connected to authentication and privilege, it is also one of the most attractive targets for attackers. Weak service accounts, excessive privileges, stale accounts, misconfigured Group Policy, risky delegation, and hidden attack paths can turn a small compromise into a major security incident.
A strong Active Directory security program should go beyond basic administration. Organizations need continuous visibility into identity relationships, privilege exposure, misconfigurations, and real attack paths.
In modern cybersecurity, protecting Active Directory is not only an IT administration task. It is a core identity security requirement.
Reduce real Active Directory identity risk.
Surface excessive privileges, risky service accounts, hidden attack paths, and Tier 0 exposure across your Active Directory environment with Forestall.