Administering Windows Server Hybrid Core Infrastructure (AZ-800) Practice

What is the best approach for an administrator to apply a GPO to all users in the Marketing OU, but not to the Marketing managers?

• A. Create a WMI filter for unique computers
• B. Move the managers to a different OU
• C. Use security filtering to exclude the managers' group
• D. Configure block inheritance on the department root OU

The correct answer is: Use security filtering to exclude the managers' group

Using security filtering to exclude the managers' group is a highly effective approach in this scenario. Security filtering allows an administrator to specify which users or groups can apply a specific Group Policy Object (GPO). This means that while you can apply the GPO to all users in the Marketing organizational unit (OU), you can simultaneously ensure that it does not affect the Marketing managers by removing their access to the GPO through security settings. This method is particularly advantageous because it maintains the current OU structure without requiring any changes, such as moving users to different OUs. It allows for more granular control over who receives the policy application within the existing framework. Implementing a WMI filter for unique computers would not directly address the requirement as it applies to computers rather than users. Configuring block inheritance on the department root OU could introduce complexities, as it may affect other inherited policies that are not intended to be blocked, potentially leading to unintended consequences. Moving the managers to a different OU would also involve additional administrative effort and could disrupt organizational structure. Thus, using security filtering to exclude the managers' group is the most efficient and targeted solution to apply the GPO to the intended users while protecting the managers from being affected by it.