HOTSPOT
Your network contains an Active Directory domain named contoso.com.
Computer accounts for the marketing department are in an organizational unit (OU) named
Departments\\Marketing\\Computers. User accounts for the marketing department are in an OU
named Departments\\Marketing\\Users.
Marketing users can only log on to the client computers in the Departments\\Marketing\\Computers
OU.
You need to apply an application control policy to all of the marketing users.
Which Group Policy Object (GPO) should you configure?
To answer, select the appropriate GPO in the answer area.
Answer: 
Explanation:
Application control policies specify which programs are allowed to run on the local computer and
which are not.
References:
http://technet.microsoft.com/en-us/library/hh125923(v=ws.10).aspx
http://technetHYPERLINK “http://technet.microsoft.com/enus/library/cc781458(v=WS.10).aspx#_blank”.HYPERLINK “http://technet.microsoft.com/enus/library/cc781458(v=WS.10).aspx#_blank”microsoftHYPERLINK “http://technet.microsoft.com/enus/library/cc781458(v=WS.10).aspx#_blank”.comHYPERLINK “http://technet.microsoft.com/enus/library/cc781458(v=WS.10).aspx#_blank”/en-us/library/cc781458(v=WSHYPERLINK
“http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx#_blank”.HYPERLINK
“http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx#_blank”10)HYPERLINK
“http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx#_blank”.HYPERLINK
“http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx#_blank”aspx
http://technetHYPERLINK “http://technet.microsoft.com/enus/library/hh967461.aspx#_blank”.HYPERLINK “http://technet.microsoft.com/enus/library/hh967461.aspx#_blank”microsoftHYPERLINK “http://technet.microsoft.com/enus/library/hh967461.aspx#_blank”.comHYPERLINK “http://technet.microsoft.com/enus/library/hh967461.aspx#_blank”/en-us/library/hh967461HYPERLINK
“http://technet.microsoft.com/en-us/library/hh967461.aspx#_blank”.HYPERLINK
“http://technet.microsoft.com/en-us/library/hh967461.aspx#_blank”aspx
http://technetHYPERLINK “http://technet.microsoft.com/enus/library/ee461050.aspx#_blank”.HYPERLINK “http://technet.microsoft.com/enus/library/ee461050.aspx#_blank”microsoftHYPERLINK “http://technet.microsoft.com/enus/library/ee461050.aspx#_blank”.comHYPERLINK “http://technet.microsoft.com/enus/library/ee461050.aspx#_blank”/en-us/library/ee461050HYPERLINK“http://technet.microsoft.com/en-us/library/ee461050.aspx#_blank”.HYPERLINK
“http://technet.microsoft.com/en-us/library/ee461050.aspx#_blank”aspx
http://technetHYPERLINK “http://technet.microsoft.com/enus/library/ee461044.aspx#_blank”.HYPERLINK “http://technet.microsoft.com/enus/library/ee461044.aspx#_blank”microsoftHYPERLINK “http://technet.microsoft.com/enus/library/ee461044.aspx#_blank”.comHYPERLINK “http://technet.microsoft.com/enus/library/ee461044.aspx#_blank”/en-us/library/ee461044HYPERLINK
“http://technet.microsoft.com/en-us/library/ee461044.aspx#_blank”.HYPERLINK
“http://technet.microsoft.com/en-us/library/ee461044.aspx#_blank”aspx
The scenario says to apply an application control policy to all marketing users.
All marketing users can only use computers in the marketing\computers OU.
It is possible that sales users can also access computers in that OU, so an application control policy set on GP03 would restrict that application for Sales users as well, and we may not want that. Why isn’t GP04 a better solution? Can someone provide clear documentation on why GP03 is the correct answer?
I agree with you and answered GPO4 too, but “AppLocker is a computer-based policy implementation” (1st table on https://technet.microsoft.com/en-us/library/ee449496(v=ws.11).aspx) so, I think, it’s a better way to link it to computers OU. To not apply to an other department (like sales department), you can use “security filtering” to only apply to marketing users.