Your company has a single Active Directory forestwith a single domain.
Consultantsin different departments of the company requireaccess to different network resources.
The consultants belongto a global groupnamed TempWorkers.
Three file serversare placed in a new organizational unitnamed SecureServers.
The file servers contain confidential data in shared folders.
You need to prevent the consultants from accessing the confidential data.
What should you do?

A.
Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the
Deny access to this computer from the network user right to the TempWorkers global group.

B.
Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer
from the network user right to the TempWorkers global group.

C.
On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control
permission for the TempWorkers global group on the share.

D.
Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right
to the TempWorkers global group.

E.
Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the
Deny log on locally user right to the TempWorkers global group.

Explanation:
Same question as D/Q8. Same answer. The other options give the consultants too much or too little rights.
Personal comment:
Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared
folders (implies access from the network).
“Deny log on locally” makes no sense in this instance, because we are reffering to shared folder and
supposedly physical access to servers should be highly restricted.
And best practices recommend that you link GPOs at the domain level only for domain wide purposes.