Apples to oranges: we have our own Exchange data in the AD yes, but
don't mess with OS constructs.
One of the ongoing security improvements some of us would like to see in
Windows is a more effective locking mechanism to implement some form of
access control inside the registry so that the only changes that an
application can make directly are the ones that are explicitly permitted to
it. Anything else would have to be passed to the appropriate API.
I would like to have Palladium class machines provide a transaction log that
shows all the changes made to all critical application and platform data
structures.