The security and access control model for application directory partitions is the same as that for other partitions in Active Directory. Normal users can access objects in an application directory partition subject to the ACLs placed on those objects. For more information, see Controlling Access to Active Directory Objects.
However, because application directory partitions can span multiple Active Directory security domains, there arises the question of how to interpret domain-relative well-known SID string constants in the defaultSecurityDescriptor of an object's schema class at the time of object creation in an application directory partition. For example, if "DA" refers to the domain administrators group, but in an application directory partition, it is not known which domain the "DA" group refers to.
To solve this problem, the crossRef object of an application directory partition has an msDS-SDReferenceDomain attribute that contains the distinguished name of the reference domain for that application directory partition. The security system uses the specified domain to interpret local domain references for default security descriptors attached to objects created in that application directory partition. The reference domain can be specified when the crossRef object for an application directory partition is created. This requires, however, that a crossRef object be pre-created for the application directory partition. If no reference domain is specified, the system automatically sets the reference domain based on one of the following conditions:
A similar issue arises if a local group is specified in an ACL for an object in an application directory partition. In this case, the msDS-SDReferenceDomain attribute cannot be used to interpret the reference domain for a local group. To avoid this problem, local groups should not be used in the ACLs of application directory partition objects.