Your company has an Active Directory domain. All consultants belong to a global group
named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three file servers to a new organizational unit named
SecureServers. These file servers contain only confidential data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confidential
data on the file servers.
You must achieve this goal without affecting access to other domain resources.

What should you do?

A.
Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny
access to this computer from the network user right to the TempWorkers global group.

B.
Create a new GPO and link it to the domain. Assign the Deny access to this computer
from the network user right to the TempWorkers global group.

C.
Create a new GPO and link it to the domain. Assign the Deny log on locally user right to
the TempWorkers global group.

D.
Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny
log on locally user right to the TempWorkers global group.

Explanation:
Personal comment:
Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers
access to the shared folders (implies access from the network).
“Deny log on locally” makes no sense in this instance, because we are reffering to shared
folder and supposedly physical access to servers should be highly restricted.
And best practices recommend that you link GPOs at the domain level only for domain wide
purposes.