Reviewing A Permission Structure Design

By Author: Shirley Green
Total Articles: 129
Comment this article

In this practice, you will review the design of a permission structure for the Windows XP Professional of Tailspin Toys. Read the scenario and then answer the question that follows. If you are unable to answer the question, review the lesson materials and try the question again. You can find the answer to the question in the "Questions and Answers" section at the end of the chapter.

You are the senior security designer for a security firm named Contoso, Ltd. Your company has been contracted to examine the design for the Active Directory permission structure for Tailspin Toys. You have been asked to provide your analysis of the structure of the Finance OU in an initial meeting with Tailspin Toys in a few days. You have been given the following design for the Finance OU:
Finance OU: Groups in the Finance OU and Their Active Directory Permissions
The design includes three Windows groups: Finance, Managers, and Clerical. The delegated permissions for each group are as follows:
The Finance group has no delegated permissions.
The Managers group is delegated ...
... Full Control of all objects in the OU.
The Clerical group is designated free A+ practice exams access, such as resetting passwords, unlocking accounts, adding new user accounts, and so on.

We know that unused accounts should be disabled and removed as soon as possible. We know that it is important to remove and reassign privileges and permissions when an employee changes a job. However, IT might be the last to know when employees leave the company or are transferred to another job. When IT does receive notice, if permissions have been assigned to these user accounts, locating and removing the employees' access across the enterprise is a difficult and time consuming process.
On the other hand, if privileges and permissions are assigned to groups, we only need to remove the user accounts from the groups they are a member of to remove their privileges. There are far fewer groups in the user's domain than there are resources in the enterprise. Even a manual search, group by group, is far less trouble than attempting to find every place that a user account might be assigned access. When best practices are followed, removing a user's access to resources is greatly simplified. When best practices are followed, the possibility that some unknown access permission will provide
free Security+ practice exams inappropriate access is reduced.