Your network contains an Active Directory domain. The domain is configured as shown in
the exhibit. (Click the Exhibit button.)
Each organizational unit (OU) contains over 500 user accounts.
The Finance OU and the Human Resources OU contain several user accounts that are
members of a universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A.
Modify the Group Policy permissions.
B.
Enable block inheritance.
C.
Configure the link order.
D.
Enable loopback processing in merge mode.
E.
Enable loopback processing in replace mode.
F.
Configure WMI filtering.
G.
Configure Restricted Groups.
H.
Configure Group Policy Preferences.
I.
Link the GPO to the Finance OU.
J.
Link the GPO to the Human Resources OU.
Explanation:
“GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being
applied to the OU. The security filter will only help you specify groups. So you have two
choices. You could remove authenticated users in the secuirty filter and add groups
containing everyone except group1 members(messy solution) or you could leave
authenticated users there, and specify group1 with deny apply gpo permission for the
gpo(since deny will alwys win over allow).”
The reference below explains a situation where the GPO only needs to be applied to one
group, it’s the other way around so to speak.MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you
might need to apply GPOs only to certain groups of users or computers rather than to all
users or computers within the scope of the GPO. Although you cannot directly link a GPO to
a security group, there is a way to apply GPOs to specific security groups. The policies in a
GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to
the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two
permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a
user or computer. If a GPO is scoped to a computer (for example, by its link to the
computer’s OU), but the computer does not have Read and Apply Group Policy permissions,
it will not download and apply the GPO. Therefore, by setting the appropriate permissions for
security groups, you can filter a GPO so that its settings apply only to the computers and
users you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.