The permissions assigned to the root partitions (such as the domain root, the configuration partition, and the schema) affect the entire Active Directory domain. If set incorrectly, they can pose a threat to the AD environment and its objects. Furthermore, dangerous permissions could serve as a means for an attacker to maintain persistence after an attack.
Perform a security assessment on the permissions applied to domain root objects to identify the ones that you can safely remove or adapt. Only authorize a dangerous permission if the Active Directory environment already considers the configured account or group as privileged.
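
One way to start the assessment described above, as an added example that is not part of the original page: a read-only PowerShell review of the ACEs on the root object of the domain, configuration, and schema partitions. The list of principals treated as privileged and the set of rights treated as dangerous are assumptions to adapt to your environment.

```powershell
# Added example: read-only review of ACEs on the root object of each partition.
# Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$domainSid = (Get-ADDomain).DomainSID.Value
$forestSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Assumption: principals this environment already treats as privileged.
$privileged = @(
    'S-1-5-18',          # SYSTEM
    'S-1-5-32-544',      # BUILTIN\Administrators
    'S-1-5-9',           # Enterprise Domain Controllers
    "$domainSid-512",    # Domain Admins
    "$domainSid-516",    # Domain Controllers
    "$forestSid-519"     # Enterprise Admins
)

# Assumption: single-bit rights treated as dangerous on a root object.
# GenericAll and GenericWrite are composites that contain these bits,
# so they are caught too, while read-only ACEs are not.
$mask = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

$roots = $rootDse.defaultNamingContext,
         $rootDse.configurationNamingContext,
         $rootDse.schemaNamingContext

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($dn in $roots) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Explicit and inherited rules, with trustees returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $mask) -eq 0) { continue }
        if ($privileged -contains $sid) { continue }
        # Fall back to the raw SID when the trustee no longer resolves.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        [pscustomobject]@{
            Partition  = $dn
            Principal  = $name
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType   # all-zero GUID = every property / extended right
            Inherited  = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Partition, Principal | Format-Table -AutoSize -Wrap
```

Each row is a candidate for review rather than a confirmed problem: some default ACEs will appear, and the decision to remove, adapt, or keep an entry depends on whether the trustee is one the environment already considers privileged.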