HOTSPOT
Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Click the Exhibit button.)
The membership of Group1 is shown in the Group1 exhibit.(Click the Exhibit button.)
You configure GPO1 to prohibit access to Control Panel.GPO1 is linked to OU1 as shown in
the GPO1 exhibit. (Click the Exhibit button.)
Select Yes if the statement can be shown to be true based on the available information;
otherwise select No. Each correct selection is worth one point.
Answer: 
Explanation:
Since user4 is not in organizational unit, the filtering the GPO does not apply to him.
References:
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
YNYY
GPO dont apply to groups, only to user/computer objects in OU
i am confused now. because i have tested it, and i can apple policy to groups.
Why wouldnt it be NNNN? It looks as though user 4 is in OU1 based on the first image.
GPO Security filtering doesn’t apply to user 4
user 1 isn’t in OU, GPO doesnt’t apply to objects outside OU and to groups – can access CP
user 2 reside in OU, GPO apply – cannot access CP
user 3 isn’t in OU, GPO doesnt’t apply to objects outside OU and to groups – can access CP
user 4 GPO Security filtering dont apply to user 4
Thanks!
JOny is correct
YNYY 100%. Checked out.
I just tested this out,it is YNYY.
There is a simple rule, if the object is in the OU listed in the GPO, and also listed in the security filtering (direct or in a group), then the GPO will apply.
YNYY…why user2 cant access ? because in OU ?
Because User2 is in OU1 and a member of Group1.
Sorry guys really i am confused….because first i tried apply a policy to group ! and it worked ! it was for remove – log off from start up.
and now i have tried this question !! and yes policy dosent work on group !
how it can be happen ?
Security Filtering third window.
“The settings in this GPO can only apply to the following groups, users and computers.”
Group 1 (Contains users 1 and 2)
User 3.
User 4 is not listed in the security filtering of the GPO, therefor doesn’t apply.
Answer is N N N Y
yes TOM!! i’ve tested on my lab!
n
n
n
y
It isn´t true. In my lab the result is:
1 – Can access CP
2 – Can´t access CP
3 – Can access CP
4 – Can access CP
Did you apply the security filtering as it is in the picture above? I tested in my lab and got N N N Y….
same result in my lab
sorry, I got,
Y
N
Y
Y
If you link a GPO to an OU it only specifies in which OU the GPO should apply. After that, the security filter specifies further to which of the users and groups in the OU the GPO are applied.
*Group 1 (which is user 1 and 2) and User 3 are in the OU and included in the security filter.
*User 4 is NOT in the OU therefor the GPO doesn’t apply to User 4.
User3 isn’t in the OU, only User2 and User4
Jony is correct YNYY
I’m going with YNYY as well – the GPO will only apply to users that are in OU1 – Users 1 and 3 are NOT in the OU so the policy will not apply to them regardless of the security filtering. The use of the group in sec filtering only serves to narrow the scope of the application of the GPO within the OU it is linked to – so even if someone is in the group, if they are are not also in the OU it won’t apply to them.
If they were moved into OU1 THEN the GPO and filtering would apply and they would not be able to run Control Panel.
https://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx (A bit old but still valid)
A GPO with security filtering set to Read and AGP doesn’t necessarily apply to all security principals that have security filtering. It only applies to them if those user or computer objects are in the container or child container that is linked to the GPO.
NNNy
the answer is NO NO NO Yes
because the real example in this video
https://www.youtube.com/watch?v=CWqYCHth0mg
Tried this on my lab.
YNYY
tried on my LAB
Y
N
Y
Y
gpo é definida em sites,domínios e unidades organizacional. Filtros de segurança aplica a gpo para quem fizer parte dela. Sendo assim, user1, user2 e user3 será negado o acesso pois fazem parte do filtro de segurança e user4 mesmo fazendo parte da OU terá o acesso concedido pois não faz parte do filtro de segurança.
YNYY