PrepAway - Latest Free Exam Questions & Answers

You need to prevent the GPO from being applied to the members of Group1 only

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the
Exhibit button.)
Each organizational unit (OU) contains over 500 user accounts.
The Finance OU and the Human Resources OU contain several user accounts that are members of a universal
group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
Exhibit:


A. Modify the Group Policy permissions.

B. Enable block inheritance.

C. Configure the link order.

D. Enable loopback processing in merge mode.

E. Enable loopback processing in replace mode.

F. Configure WMI filtering.

G. Configure Restricted Groups.

H. Configure Group Policy Preferences.

I. Link the GPO to the Finance OU.

J. Link the GPO to the Human Resources OU.

Explanation:
Practically the same question as J/Q21.
The best way to handle this is how graimer from Norway described it in
http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-07-04.by.Andyfx.401q.vce.file.html
“GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU.
The security filter will only help you specify groups. So you have two choices. You could remove authenticated
users in the security filter and add groups containing everyone except group1 members (messy solution) or you
could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since
deny will always win over allow).”
The reference below explains a situation where the GPO only needs to be applied to one group; it’s the other
way around, so to speak.
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you've learned that you can link a GPO to a site, domain, or OU. However, you might need to apply
GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the
GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific
security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group
Policy permissions to the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read
and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a
computer (for example, by its link to the computer's OU), but the computer does not have Read and Apply
Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate
permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users
you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.

