Your network contains an Active Directory domain.
The domain is configured as shown in the exhibit:
Each organizational unit (OU) contains over 500 user accounts.
The Finance OU and the Human Resources OU contain several user accounts that are members of a universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
Exhibit:
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.
Correct Answer: A
Explanation/Reference:
Practically the same question as J/Q21.
The best way to handle this is how graimer from Norway described it in http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-07-04.by.Andyfx.401q.vce.file.html:
"GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members (messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since deny will always win over allow)."
The reference below explains a situation where the GPO needs to be applied to only one group; it's the other way around, so to speak.
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.
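For the scenario in the question, the deny approach from the quoted explanation can also be scripted. This is an added example, not taken from the training kit or the original post; the GPO name `Example GPO` is a placeholder, and it assumes the GroupPolicy and ActiveDirectory RSAT modules plus rights to modify the GPO's security descriptor.

```powershell
# Added example: deny "Apply Group Policy" on one GPO for Group1 only.
# Authenticated Users keeps its default Allow Read / Allow Apply entries,
# so every other account in the domain still processes the GPO.
Import-Module GroupPolicy, ActiveDirectory

$gpoName   = 'Example GPO'   # placeholder: the GPO linked to the domain
$groupName = 'Group1'        # group named in the question

# Locate the GPO's container object in AD (CN={GUID},CN=Policies,CN=System,<domain DN>).
$gpo      = Get-GPO -Name $gpoName
$domainDn = (Get-ADDomain).DistinguishedName
$gpoPath  = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"

# "Apply Group Policy" is an extended right identified by this well-known GUID.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$groupSid      = (Get-ADGroup -Identity $groupName).SID

# Build an explicit Deny ACE scoped to that single extended right.
# Read is left untouched; without Apply, the GPO's settings are not applied.
$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)

$acl = Get-Acl -Path $gpoPath

# Skip the write if an identical Deny ACE is already present.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $applyGpoRight -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}
if (-not $existing) {
    $acl.AddAccessRule($denyAce)
    Set-Acl -Path $gpoPath -AclObject $acl
}

# Verify: list every Deny entry for the Apply Group Policy right on this GPO.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

The same entry can be set in the GPMC by opening the GPO's Delegation tab, choosing Advanced, adding Group1 and ticking Deny for Apply group policy.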