Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Click the Exhibit button.)
The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)
You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown in the GPO1 exhibit. (Click the Exhibit button.)
Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.
Hot Area:
Answer: 
Explanation:
Since user4 is not in organizational unit, the filtering the GPO does not apply to him.
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
Correct answer: YNYY
GPO only applies to Site, Domain and OU. Linking GPO on OU1 does not means that it will be applied on all the users and groups under that OU we also need to consider the security that was set to on GPO. It stated that only user2 is the valid user that the GPO will be applied hence user2 will not be able to access control panel.
ReferenceL:
http://www.aiotestking.com/microsoft/select-yes-if-the-statement-can-be-shown-to-be-true-based-on-the-available-information-otherwise-select-no-3/
Ammm. GPO1 is Linked to OU1 and have security fitering Group1 and User3.
Group1 have a memebers User1 and user2.
I think, GPO1 can be aplyed to: ((User1, User2)-are members of Group1), User3.
OU1 consist of: Group1 (User1, User2), User4.
So i think GPO1 will be aplyed to User1 and User2 only.
User3 isn’t member of OU1 and User4 isn’t part of secure filter of GPO1.
NNYY
Sorry, User1 isn’t part of OU1. So, GPO1 applyed only to user2 and answer will be
YNYY.
Drin is wright.
user 1 is part of Group1, NNYY
You can only link a GPO to Site, Domain, OU, that doesnt mean it doesnt affect the users/groups/computers in them. NNYY. GPO doesnt apply to user 3 because he is not in the OU.
Went back and tested. GPO does not apply to user1 because the user isn’t physically in the OU, regardless if he is in a group that the OU applies to. GPOs affect only the users and computers in OUs. YNYY
User1 is not in OU1 either. So the GPO will not apply to User1. Yes, User1 is a member of Group1, but the actual User1 object does not reside in the OU so it will not apply. Security filtering only filters through the objects that reside in that OU. This does not include members of the Group that the member object itself does not reside in the OU.
YNYY
YNYY
I checked it in the lab
agreed YNYY, tested
the user and/or computer must be in the group listed on the security filtering list, plus be in the OU (if the GPO is linked to the OU), in order to get the setting defined in the GPO
This is a good question, it tests your understanding Group Policy processing.
GPO1 is linked to OU1 = Only users in OU1 can be targeted
So, potentially User2 and User4 might get settings from the GPO, no-one else can be considered.
However security filtering on GPO1 limits who can get settings from it, if you’re not in Group1 or not User3, you cannot get settings from this policy.
User3 is not in the OU, and is already excluded form settings from GPO1.
So, are there any accounts in the OU that are a member of Group1?
Yes, User2 has an account in the OU, and is a member of the group that has the necessary permissions.
So, User2 alone will be prohibited from using control panel
YNYY
User 1 and user 2 are in the Group 1 , so they can’t
User 3 is in the filter of the GPO, so he can’t
User 4 is in the OU1 , so they can’t, where im wrong? :S
But user 4 is not in the filter of the GPO so he can, answer is correct i think