Administering Windows Server Hybrid Core Infrastructure (AZ-800) Practice

What must an administrator do to prevent GPOs from applying to all computer objects in the domain?

• A. Enable WMI filtering on the GPOs
• B. Link the GPOs to an OU with managed servers
• C. Enable security filtering on the GPOs
• D. Modify GPO permissions

The correct answer is: Enable security filtering on the GPOs

To prevent Group Policy Objects (GPOs) from applying to all computer objects in the domain, enabling security filtering on the GPOs is the most effective solution. Security filtering allows an administrator to specify which users and computers (or groups) have permission to apply a particular GPO. By modifying the filter to include only specific users or groups, the administrator can restrict the scope of the GPO's application to only those entities identified in the filter. This level of control is crucial when you want to ensure that certain policies do not affect all computers or users in the domain. For example, if a GPO includes settings that should only affect servers in a specific organizational unit (OU), the administrator can set the appropriate security groups in the security filtering section of the GPO. Consequently, only computers that are members of those groups will process the GPO, effectively preventing the GPO from being applied broadly across the entire domain. In contrast, WMI filtering, linking to an OU with managed servers, or modifying GPO permissions can provide further control or refinement but do not directly address the specific scope limitation as effectively as security filtering when it comes to excluding certain computer objects from GPO application.