Active Directory will represent a major advance over NT 4.0's simple domain model, since the domains within Active Directory will be able to form a multi-level tree structure. Customers will be able to establish two-way transitive trust relationships among these domains. Lower-level domains trust all the higher-level domains within the hierarchical tree. This arrangement will make trust relationships easier to manage and will make possible the delegation of administrative authority from higher to lower levels within the tree. Active Directory will bear on security in two ways. First, Active Directory will be the repository for security policy information for the enterprise. For example, Active Directory will be able to store domain-wide password restrictions and system access privileges. Second, Active Directory will incorporate the object-based security model, controlling each user or group's right to read or update objects within the directory. The directory will therefore be able to hold such important items as encrypted passwords and user certificates with the assurance that only authorized users will be able to read or change them.