Question

You are a domain administrator for a large domain. Recently, you have been asked to make changes to some of the permissions related to OUs within the domain. To restrict security for the Texas OU further, you remove some permissions at that level. Later, a junior system administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). Assuming that no other changes have been made to Active Directory permissions, which of the following characteristics of OUs might have caused the change in permissions?
a. Inheritance
b. Group Policy
c. Delegation
d. Object properties

Answer 1

Explanation:

Since the Austin OU (organization unit) is a descendant of the Texas OU, it naturally inherits the permissions from its parent/ancestors.

Any restriction (permissions removed) from the Texas OU will be inherited onto the Austin OU.  This is exactly the intended purpose of organizing groups in OU's because all changes will automatically inherited within the OU without having to work down the tree.

This can be confirmed by checking with other cities to see if they too have the same restriction.

The proper way the request should have been done is to apply the changes to the most specific unit possible, be that OU's, groups, etc.