Your network contains an Active Directory domainnamed contoso.com.
You have an organizational unit(OU) named Salesand an OUnamed Engineering.
Each OUcontains over 200 user accounts.
The Sales OUand the Engineering OUcontain several user accountsthat are members of a universal
groupnamed Group1.
You have a Group Policy object(GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?

A.
Modify the Group Policy permissions.

B.
Configure Restricted Groups.

C.
Configure WMI filtering.

D.
Configure the link order.

E.
Enable loopback processing in merge mode.

F.
Link the GPO to the Sales OU.

G.
Configure Group Policy Preferences.

H.
Link the GPO to the Engineering OU.

I.
Enable block inheritance.

J.
Enable loopback processing in replace mode.

Explanation:
Practically the same question as K/Q50.
Best way to handle this is how graimer from Norway desribed it in
http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-07-04.by.Andyfx.401q.vce.file.
html
“GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU.
The security filter will only help you specify groups. So you have two choices. You could remove authenticated
users in the security filter and add groups containing everyone except group1 members(messy solution) or you
could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since
deny will alwys win over allow).”
The reference below explains a situation where the GPO only needs to be applied to one group, it’s theother
way around so to speak.
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you’ve learned that you can link a GPO to asite, domain, or OU. However, you might need to apply
GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the
GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific
security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group
Policy permissions to the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read
and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a
computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply
Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate
permissions for security groups, you can filter a GPO so that its settings apply only to the computersand users
you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.