Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Click the Exhibit button.)
The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)
You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown in the GPO1 exhibit.
(Click the Exhibit button.)
Select Yes if the statement can be shown to be true based on the available information; otherwise select No.
Each correct selection is worth one point.
Hot Area:
Answer: 
Explanation:
Since user4 is not in organizational unit, the filtering the GPO does not apply to him.
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
Answer is YNYY
User1 and User2 is located on the OU where the GPO was linked but if you are going to check the GPO you will see that Group1 and User3 are defined on the security filtering which means that these 2 objects has access on the GPO unfortunately User3 is not member of the OU which prohibit User3 on using the linked GPO on the OU. As per user4 it is not member of the OU where the GPO was linked.
User 1 member of group 1, therefore, the GPO also applies to him
The answer is:
– User1: No
– User2: No
– User3: Yes
– User4: Yes
Explanation:
Of the users and computers in the container to which the GPO is linked, only those you select in the Security Filtering pane will receive the settings from the GPO.
The container to which the GPO is linked consists of: User1, User2, User4.
Those in the Security Filtering are: User1, User2, User3.
==>> Only User1 and User2 receive the settings from the GPO, which mean “CANNOT access Control Panel”. User3 and User4 CAN access.
=================
From the book “Exam Ref. Installing and Configuring Windows Server 2012 R2”, page 321-322:
To modify the default security filtering configuration for a GPO, select it in the left pane of the Group Policy Management Console. In the Security Filtering area, you can use the Add button or the Remove button to replace the Authenticated Users special identity with specific user, computer, or group objects. Of the users and computers in the container to which the GPO is linked, only those you select in the Security Filtering pane will receive the settings from the GPO.
Yes
No
Yes
Yes
Linked GPO only applied to Computer/User objects IN the OU1.
A Security Group in an OU is NOT enough it’s not a computer/user object. A member or computer object in the Security Group ALSO has to be in the OU1.
User 1 will have CP Access. They aren’t in the OU1.
User 2 will not have CP Access. They are in the OU1 and the Security Filter affects User 2 since they are in Group1.
User 3 will have CP Access. They are not in the OU1. Doesn’t matter what objects are in the security filter. If they aren’t in the OU1 it doesn’t matter.
User 4 will have CP Access. While that account is in the OU1 the security filter only applies to Group1 and User 3.
NOW if User 3 is moved to the OU1 then the CP will be restricted.
NOW if User 4 is added to the security filter then the CP will be restricted.
NOW if User 1 is added to the OU1 then the CP will be restricted.
As you know, GPO can only be linked to Site, Domain and OU. In addition, GPO will also not applied to the Group objects by design. It only can be applied to User and Computer objects.
To apply the Group Policy on the User and Computer objects based on Security Groups, you will need to use Security Filtering as mentioned above.
So the correct way is link the GPO to an OU where has a lot of objects you want to effect, then use the security group to filter in the security filter