Hyper-Me wrote: » I suspect there is more to the question than that. But if that's all, obviously the simplest way would be to delegate that permission at the "production" OU, as it would inherit down. If the question added "but Suzie cannot have control over the production OU" then you could assign the permission to the Region1 and Region2 OUs.
ElwoodBlues wrote: » Well, it states that they run Server 08, single domain, and 2 more possible answers; but that's it. My entire hangup with this aspect is that it gives the user excessive permissions. Therefore, it is not the most efficient way, right? Best practices teach not to grant permissions beyond what the user requires, and they are not required to manage the other OUs. What am I missing here?
colemic wrote: » It's not excessive permissions if the diagram is accurate - there is no reason to specify the four OUs explicitly when there is nothing in between them and the parent OU, and the parent OU doesn't contain anything else. It also makes managing permissions easier if you do it at the Production OU level.
ElwoodBlues wrote: » That's just the thing, it doesn't say if the parent OU contains anything or not. Therefore you do not know what else is inherited with applying these policies. I look at it as, "is it more efficient to give a user access to 7 OUs (when they only require 4) or repeat the "clicking process" 3 more times?" To me it's similar to providing the most "efficient" way for 5 different users to install a different program each. It's easier to make them all admins than to create 5 different installation policies for each user, as it involves more time and "clicks". I just have a hard time with the verbiage.
earweed wrote: » I get your point. She would then be able to create GPOs for all of production, region 1 and region 2. It's not whether there is anything already "in" the parent OU but that she can now put something in or take something out. I guess when they say efficient, security gets the back door.