Can someone explain an answer to me?
ElwoodBlues
Member Posts: 117
I want to ask someone about a practice test question regarding inherited permissions. I understand all concepts of the question, but I disagreee with the answer.
The is not an actual MS Exam quesiton but one that has stemed from a practice test (vendor shall remain nameless). I will rephrase the contents of the question and but the keep the same concept.
Can I ask someone to help me?
The is not an actual MS Exam quesiton but one that has stemed from a practice test (vendor shall remain nameless). I will rephrase the contents of the question and but the keep the same concept.
Can I ask someone to help me?
Comments
-
ElwoodBlues Member Posts: 117Okay, here is a similar question:
You are the administrator of a company and you want to allow Suzie to manage GPO link to users in the following OUs: east, west, north and south. The nested OU structure looks like this:
Production
---Region1
East
West
---Region2
North
South
What is the most efficent way to do this?
run the delegation of control wizard to give Suzie the right to mange the links to all 4 OUs?
run the delegation of control wizard to give Suzie the right to mange the production OU? -
Hyper-Me Banned Posts: 2,059I suspect there is more to the question than that. But if thats all, obviously the simplest way would be to delegate that permission at the "production" OU, as it would inherit down.
If the question added "but suzie cannot have control over the production OU" then you could assign the permission to the Region1 and Region2 OU's. -
ElwoodBlues Member Posts: 117I suspect there is more to the question than that. But if thats all, obviously the simplest way would be to delegate that permission at the "production" OU, as it would inherit down.
If the question added "but suzie cannot have control over the production OU" then you could assign the permission to the Region1 and Region2 OU's.
Well, it states that they run server 08 , single Domain, and 2 more possible answers; but that's it.
My entire hangup with this aspect is that it gives the user excessive permissions. Thereofore, it is not the most efficient way, right? Best Practices teaches not to grant permissions beyond what the user requires and they are not required to manage the other OUs.
What am I missing here? -
dynamik Banned Posts: 12,312 ■■■■■■■■■□No, that is the most efficient way; it takes one change instead of four. Security and efficiency are often at odds.
-
ElwoodBlues Member Posts: 117I thought the exams were based on best practices. So when I'm asked to perform the task that's most efficient, I need to look for the easiest way to acomplish the task with no regard for security?
-
colemic Member Posts: 1,569 ■■■■■■■□□□ElwoodBlues wrote: »Well, it states that they run server 08 , single Domain, and 2 more possible answers; but that's it.
My entire hangup with this aspect is that it gives the user excessive permissions. Thereofore, it is not the most efficient way, right? Best Practices teaches not to grant permissions beyond what the user requires and they are not required to manage the other OUs.
What am I missing here?
It's not excessive permissions if the diagram is accurate - there is no reason to specify the four OUs explicitly when there is nothing in between them and the parent OU, and the parent OU doesn't contain anything else. It also makes managing permissions easier to do it at the Production OU level.Working on: staying alive and staying employed -
ElwoodBlues Member Posts: 117It's not excessive permissions if the diagram is accurate - there is no reason to specify the four OUs explicitly when there is nothing in between them and the parent OU, and the parent OU doesn't contain anything else. It also makes managing permissions easier to do it at the Production OU level.
That's just the thing, it doesn't say if the parent OU contains anything or not. Therefore you do not know what else is inherited with applying these policies. I look at it as, "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times.
To me it's similar to providing the most "effiicent" way for 5 different users users to install a different program each. It's easier to make them all admins than to create 5 different installation policies for each user as it involves more time "clicks".
I just have a hard time with the verbage. -
earweed Member Posts: 5,192 ■■■■■■■■■□ElwoodBlues wrote: »That's just the thing, it doesn't say if the parent OU contains anything or not. Therefore you do not know what else is inherited with applying these policies. I look at it as, "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times.
To me it's similar to providing the most "effiicent" way for 5 different users users to install a different program each. It's easier to make them all admins than to create 5 different installation policies for each user as it involves more time "clicks".
I just have a hard time with the verbage.No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives. -
Hyper-Me Banned Posts: 2,059For the test, worry less about "best practices" and more about "what is THIS question asking me to do".
If it asks how to perform something with "the best effeciency" or "least administrative effort" then do just that. Unless they add a modifier....like "how would you perform this with the least administrative effort without giving the user excessive permissions?"
Focus one each question individually and what its asking. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□No, efficiency is ease of administration. The more granular you get, the more administrative overhead there is.
While granularity may be seen as "more secure," you may also make things such as mess that misconfigurations are virtually undetectable. This may not be an issue with four, but look at a larger example. Would you rather do 37 individually or use one that has control over fifty. What happens when you add/change/remove OUs or users change job roles. How much of a nightmare will be to ensure that you clean up permissions that were granted everywhere? What if you have a dozen people with these types of roles? Can you effectively and accurately manage hundreds of these permissions? -
colemic Member Posts: 1,569 ■■■■■■■□□□I am pretty sure though that the practice test would assume no more than what was given, else it would be hard to know what assumptions to make.
"is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times"
...make sure you are comparing apples to apples in terms of efficiency - obviously the most 'efficient' way would be to give her root control, but the ramifications of that far exceed the efficiency factor. Number of clicks isn't a good way to determine whether something security related is efficient.Working on: staying alive and staying employed -
colemic Member Posts: 1,569 ■■■■■■■□□□I get your point. She would then be able to create GPO's for all of production, region 1 and region 2. It's not whether there is anything already "in" the parent OU but that she can now put something in or take something out. I guess when they say efficient security gets the back door.
She would be ABLE to, but one must assume that in a real-world environment, she would have read the AUP she signed giving her elevated access to not do any shenanigans like that.Working on: staying alive and staying employed -
ElwoodBlues Member Posts: 117Well, I will have view each question based on nothing more than they ask.
Thanks to everyone for the clarifications.