Can someone explain an answer to me?

I want to ask someone about a practice test question regarding inherited permissions. I understand all concepts of the question, but I disagree with the answer.

This is not an actual MS exam question but one that has stemmed from a practice test (vendor shall remain nameless). I will rephrase the contents of the question but keep the same concept.

Can I ask someone to help me?

Comments

  • nrs Member Posts: 13
  • ElwoodBlues Member Posts: 117
    Okay, here is a similar question:

    You are the administrator of a company and you want to allow Suzie to manage GPO links to users in the following OUs: east, west, north and south. The nested OU structure looks like this:


    Production
    ---Region1
    ------East
    ------West
    ---Region2
    ------North
    ------South


    What is the most efficient way to do this?

    Run the delegation of control wizard to give Suzie the right to manage the links to all 4 OUs?

    Run the delegation of control wizard to give Suzie the right to manage the production OU?
  • Hyper-Me Banned Posts: 2,059
    I suspect there is more to the question than that. But if that's all, obviously the simplest way would be to delegate that permission at the "production" OU, as it would inherit down.

    If the question added "but Suzie cannot have control over the production OU" then you could assign the permission to the Region1 and Region2 OUs.
  • ElwoodBlues Member Posts: 117
    Hyper-Me wrote: »
    I suspect there is more to the question than that. But if that's all, obviously the simplest way would be to delegate that permission at the "production" OU, as it would inherit down.

    If the question added "but Suzie cannot have control over the production OU" then you could assign the permission to the Region1 and Region2 OUs.

    Well, it states that they run Server 08, single domain, and 2 more possible answers; but that's it.

    My entire hangup with this aspect is that it gives the user excessive permissions. Therefore, it is not the most efficient way, right? Best practices teach not to grant permissions beyond what the user requires and they are not required to manage the other OUs.

    What am I missing here?
  • dynamik Banned Posts: 12,312
    No, that is the most efficient way; it takes one change instead of four. Security and efficiency are often at odds.
  • ElwoodBlues Member Posts: 117
    I thought the exams were based on best practices. So when I'm asked to perform the task that's most efficient, I need to look for the easiest way to accomplish the task with no regard for security?
  • colemic Member Posts: 1,569
    Well, it states that they run Server 08, single domain, and 2 more possible answers; but that's it.

    My entire hangup with this aspect is that it gives the user excessive permissions. Therefore, it is not the most efficient way, right? Best practices teach not to grant permissions beyond what the user requires and they are not required to manage the other OUs.

    What am I missing here?


    It's not excessive permissions if the diagram is accurate - there is no reason to specify the four OUs explicitly when there is nothing in between them and the parent OU, and the parent OU doesn't contain anything else. It also makes managing permissions easier to do it at the Production OU level.
    Working on: staying alive and staying employed
  • ElwoodBlues Member Posts: 117
    colemic wrote: »
    It's not excessive permissions if the diagram is accurate - there is no reason to specify the four OUs explicitly when there is nothing in between them and the parent OU, and the parent OU doesn't contain anything else. It also makes managing permissions easier to do it at the Production OU level.

    That's just the thing, it doesn't say if the parent OU contains anything or not. Therefore you do not know what else is inherited with applying these policies. I look at it as, "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times?"


    To me it's similar to providing the most "efficient" way for 5 different users to install a different program each. It's easier to make them all admins than to create 5 different installation policies for each user as it involves more time "clicks".

    I just have a hard time with the verbiage.
  • earweed Member Posts: 5,192
    That's just the thing, it doesn't say if the parent OU contains anything or not. Therefore you do not know what else is inherited with applying these policies. I look at it as, "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times?"


    To me it's similar to providing the most "efficient" way for 5 different users to install a different program each. It's easier to make them all admins than to create 5 different installation policies for each user as it involves more time "clicks".

    I just have a hard time with the verbiage.
    I get your point. She would then be able to create GPOs for all of production, region 1 and region 2. It's not whether there is anything already "in" the parent OU but that she can now put something in or take something out. I guess when they say efficient, security gets the back door.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • Hyper-Me Banned Posts: 2,059
    For the test, worry less about "best practices" and more about "what is THIS question asking me to do".

    If it asks how to perform something with "the best efficiency" or "least administrative effort" then do just that. Unless they add a modifier... like "how would you perform this with the least administrative effort without giving the user excessive permissions?"

    Focus on each question individually and what it's asking.
  • dynamik Banned Posts: 12,312
    No, efficiency is ease of administration. The more granular you get, the more administrative overhead there is.

    While granularity may be seen as "more secure," you may also make things such a mess that misconfigurations are virtually undetectable. This may not be an issue with four, but look at a larger example. Would you rather do 37 individually or use one that has control over fifty? What happens when you add/change/remove OUs or users change job roles? How much of a nightmare will it be to ensure that you clean up permissions that were granted everywhere? What if you have a dozen people with these types of roles? Can you effectively and accurately manage hundreds of these permissions?
  • colemic Member Posts: 1,569
    I am pretty sure though that the practice test would assume no more than what was given, else it would be hard to know what assumptions to make.

    "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times"

    ...make sure you are comparing apples to apples in terms of efficiency - obviously the most 'efficient' way would be to give her root control, but the ramifications of that far exceed the efficiency factor. Number of clicks isn't a good way to determine whether something security related is efficient.
    Working on: staying alive and staying employed
  • colemic Member Posts: 1,569
    earweed wrote: »
    I get your point. She would then be able to create GPOs for all of production, region 1 and region 2. It's not whether there is anything already "in" the parent OU but that she can now put something in or take something out. I guess when they say efficient, security gets the back door.


    She would be ABLE to, but one must assume that in a real-world environment, she would have read the AUP she signed giving her elevated access to not do any shenanigans like that.
    Working on: staying alive and staying employed
  • ElwoodBlues Member Posts: 117
    Well, I will have to view each question based on nothing more than they ask.

    Thanks to everyone for the clarifications.
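
Added example, not part of any post in this thread: a small Python model of the trade-off argued above, comparing delegation at Production, at Region1/Region2, and at the four leaf OUs. It assumes each delegation is an inheritable ACE that applies to the OU and all of its descendants; the `Central` OU and all function names are hypothetical.

```python
# Constructed model of the OU tree from the question in this thread.
TREE = {
    "Production": ["Region1", "Region2"],
    "Region1": ["East", "West"],
    "Region2": ["North", "South"],
    "East": [], "West": [], "North": [], "South": [],
}
REQUIRED = {"East", "West", "North", "South"}  # OUs Suzie actually needs

def subtree(tree, ou):
    """OUs an inheritable ACE set on `ou` reaches: `ou` plus all descendants."""
    scope = {ou}
    for child in tree[ou]:
        scope |= subtree(tree, child)
    return scope

def evaluate(tree, delegated_at, required):
    """Summarise one delegation plan: ACE count, effective scope, excess, gaps."""
    effective = set()
    for ou in delegated_at:
        effective |= subtree(tree, ou)
    return {
        "aces": len(delegated_at),                # entries to create and later clean up
        "scope": len(effective),                  # OUs the delegate can act on
        "excess": sorted(effective - required),   # granted but not needed
        "missing": sorted(required - effective),  # needed but not granted
    }

def add_ou(tree, parent, name):
    """Return a copy of the tree with a new child OU (models later growth)."""
    grown = {ou: list(children) for ou, children in tree.items()}
    grown[parent].append(name)
    grown[name] = []
    return grown

PLANS = {
    "parent": ["Production"],
    "regions": ["Region1", "Region2"],
    "leaves": ["East", "West", "North", "South"],
}

if __name__ == "__main__":
    grown = add_ou(TREE, "Region1", "Central")  # hypothetical OU added later
    for name, plan in PLANS.items():
        now = evaluate(TREE, plan, REQUIRED)
        later = evaluate(grown, plan, REQUIRED | {"Central"})
        print(f"{name:8} aces={now['aces']} scope={now['scope']} "
              f"excess={now['excess']} missing_after_growth={later['missing']}")
```

The parent plan costs one ACE and carries three OUs of excess scope; the leaf plan has no excess but silently misses any OU added later until someone delegates it explicitly.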