Your network contains an Active Directory domain named contoso.com. All user accounts are in an
organizational unit (OU) named Employees.
You create a Group Policy object (GPO) named GP1. You link GP1 to the Employees OU.
You need to ensure that GP1 does not apply to the members of a group named Managers.
What should you configure?

A.
The Security settings of Employees

B.
The WMI filter for GP1

C.
The Block Inheritance option for Employees

D.
The Security settings of GP1

Explanation:
Set Managers to – Members of this security group are exempt from this Group Policy object.
Security settings.
You use the Security Settings extension to set security options for computers and users within the scope of a
Group Policy object. You can define local computer, domain, and network security settings.
Figure below shows an example of the security settings that allow everyone to be affected by this GPO except
the members of the Management group, who were explicitly denied permission to the GPO by setting the Apply
Group Policy ACE to Deny. Note that if a member of the Management group were also a member of a group
that had an explicit Allow setting for the Apply Group Policy ACE, the Deny would take precedence and the
GPO would not affect the user.