Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering. Each
OU contains over 200 user accounts.
The Sales OU and the Engineering OU contain several user accounts that are members of a
universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?

A.
Modify the Group Policy permissions.

B.
Configure Restricted Groups.

C.
Configure WMI filtering.

D.
Configure the link order.

E.
Enable loopback processing in merge mode.

F.
Link the GPO to the Sales OU.

G.
Configure Group Policy Preferences.

H.
Link the GPO to the Engineering OU.

I.
Enable block inheritance.

J.
Enable loopback processing in replace mode.

Explanation:
“GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being
applied to the OU. The security filter will only help you specify groups. So you have two
choices. You could remove authenticated users in the security filter and add groups
containing everyone except group1 members(messy solution) or you could leave
authenticated users there, and specify group1 with deny apply gpo permission for the
gpo(since deny will always win over allow).”
The reference below explains a situation where the GPO only needs to be applied to one
group, it’s the other way around so to speak.

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286
Using Security Filtering to Modify GPO Scope
By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you
might need to apply GPOs only to certain groups of users or computers rather than to all
users or computers within the scope of the GPO. Although you cannot directly link a GPO to
a security group, there is a way to apply GPOs to specific security groups. The policies in a
GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to
the GPO.
Each GPO has an access control list (ACL) that defines permissions to the GPO. Two
permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a
user or computer. If a GPO is scoped to a computer (for example, by its link to the
computer’s OU), but the computer does not have Read and Apply Group Policy permissions,
it will not download and apply the GPO. Therefore, by setting the appropriate permissions for
security groups, you can filter a GPO so that its settings apply only to the computers and
users you specify.
Filtering a GPO to Apply to Specific Groups
To apply a GPO to a specific security group, perform the following steps:
4. Select the GPO in the Group Policy Objects container in the console tree.
5. In the Security Filtering section, select the Authenticated Users group and click Remove.
6. Click OK to confirm the change.
7. Click Add.
8. Select the group to which you want the policy to apply and click OK.