We need to write an LDB module which enforces the rules specified in the "systemFlags" and "isCriticalSystemObject" attributes of the objects (deny deletions, moves...).
"isCriticalSystemObject" is only a replication process setting (http://msdn.microsoft.com/en-us/library/cc220034(PROT.10).aspx).
Most of the "systemFlags" constraints should now be enforced after my work has been checked in. I've also enhanced ldap.py in order to test them.
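As an added illustration of the kind of check discussed in this thread (not the LDB module's code and not taken from ldap.py), the sketch below decodes "systemFlags" and decides whether a delete, rename or move should be refused. The bit values are the systemFlags bits documented in MS-ADTS; the function names, the "domain"/"config" partition labels and the simplified policy (schema partition and FLAG_CONFIG_ALLOW_LIMITED_MOVE are not modelled) are assumptions made for the example.

```python
# Added example: simplified systemFlags enforcement, not Samba's implementation.
# Bit values as documented in MS-ADTS for the systemFlags attribute.
FLAG_DOMAIN_DISALLOW_MOVE = 0x04000000
FLAG_DOMAIN_DISALLOW_RENAME = 0x08000000
FLAG_CONFIG_ALLOW_MOVE = 0x20000000
FLAG_CONFIG_ALLOW_RENAME = 0x40000000
FLAG_DISALLOW_DELETE = 0x80000000


def parse_system_flags(value):
    """LDAP returns systemFlags as a signed 32-bit decimal string.

    Mask to 32 bits so that the top bit (FLAG_DISALLOW_DELETE) is testable
    even when the server sends a negative number.
    """
    return int(value) & 0xFFFFFFFF


def operation_allowed(op, system_flags, partition):
    """Return True if op may proceed, False if it must be refused.

    op:        "delete", "rename" (RDN change) or "move" (parent change)
    partition: "domain" or "config" (hypothetical labels for this example)
    """
    flags = parse_system_flags(system_flags)
    if op == "delete":
        return not flags & FLAG_DISALLOW_DELETE
    if op not in ("rename", "move"):
        raise ValueError("unknown operation: %r" % op)
    if partition == "domain":
        # Domain partition: allowed unless a DISALLOW bit is set.
        deny = (FLAG_DOMAIN_DISALLOW_RENAME if op == "rename"
                else FLAG_DOMAIN_DISALLOW_MOVE)
        return not flags & deny
    if partition == "config":
        # Configuration partition: refused unless an ALLOW bit is set.
        allow = (FLAG_CONFIG_ALLOW_RENAME if op == "rename"
                 else FLAG_CONFIG_ALLOW_MOVE)
        return bool(flags & allow)
    raise ValueError("partition not modelled: %r" % partition)


if __name__ == "__main__":
    # Constructed sample entries: (description, systemFlags string, partition)
    samples = [
        ("protected container", "-1946157056", "domain"),
        ("ordinary object", "0", "domain"),
        ("config object, rename allowed", "1073741824", "config"),
    ]
    for name, raw, part in samples:
        verdicts = {op: operation_allowed(op, raw, part)
                    for op in ("delete", "rename", "move")}
        print(name, hex(parse_system_flags(raw)), verdicts)
```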