You need to apply desktop restrictions to the sales executives group

Your company has an Active Directory domain that has an organizational unit named Sales.
The Sales organizational unit contains two global security groups named sales managers
and sales executives.
You need to apply desktop restrictions to the sales executives group.
You must not apply these desktop restrictions to the sales managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?

A. Configure the Deny Apply Group Policy permission for Authenticated Users on the
DesktopLockdown GPO.

B. Configure the Deny Apply Group Policy permission for the sales executives on the
DesktopLockdown GPO.

C. Configure the Allow Apply Group Policy permission for Authenticated Users on the
DesktopLockdown GPO.

D. Configure the Deny Apply Group Policy permission for the sales managers on the
DesktopLockdown GPO.

Explanation:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts,
computer accounts, or both), you can put the accounts in an organizational unit, and then
apply Group Policy at that organizational unit level. However, there may be situations where
you want to apply Group Policy to a whole domain, although you may not want those policy
settings to also apply to administrator accounts or to other specific users or groups.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-agroup-policy-object/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common questions I see on the forums from time to time is how to exclude a user
and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively
straightforward process; however, I should stress this should be used sparingly and should
always be done via group membership to avoid the administrative overhead of having to
constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception to and then click on
the “Delegation” tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to
exclude from having this policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy.
Select this group in the “Group or user names” list and then scroll down the permissions and
tick the “Deny” option against the “Apply Group Policy” permission.

Now any members of this “User GPO Exceptions” security group will not have this Group
Policy Object applied.
Having a security group to control this exception makes it much easier to control as
someone only needs to modify the group membership of the group to make changes to
who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level
2 support much more practical as you don’t need to grant them permission to the Group
Policy Objects.
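
The three GUI steps above, scripted for the DesktopLockdown scenario in the question. This is an added example, not code from the quoted KB article or blog post. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that "sales managers" is the group's sAMAccountName; the function names are hypothetical.

```powershell
# Added example: needs the GroupPolicy and ActiveDirectory (RSAT) modules.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right in the AD schema
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoApplyDeny {
    # Read-only audit: every Deny ACE for "Apply Group Policy" on the GPO.
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    (Get-Acl -Path "AD:\$($gpo.Path)").Access | Where-Object {
        ($_.AccessControlType -eq 'Deny') -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $ApplyGpoRight)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Add-GpoApplyDeny {
    # Adds the Deny ACE for one group on the GPO's AD object; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName   # assumed to be the sAMAccountName
    )
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $path  = "AD:\$($gpo.Path)"
    $acl   = Get-Acl -Path $path

    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)

    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Deny Apply Group Policy to $GroupName")) {
        $acl.AddAccessRule($ace)   # merges with an identical existing ACE
        Set-Acl -Path $path -AclObject $acl
    }
}

# Scenario from the question: preview the change, then audit the GPO's ACL.
Add-GpoApplyDeny -GpoName 'DesktopLockdown' -GroupName 'sales managers' -WhatIf
Get-GpoApplyDeny -GpoName 'DesktopLockdown'
```

Drop `-WhatIf` to write the ACE. Running `Get-GpoApplyDeny` against each GPO afterwards gives a record of which groups are excluded, which is hard to see from the GPMC scope tab alone.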


