Your network contains an Active Directory domain named contoso.com.
The domain contains two global groups named Group1 and Group2. A user named User1 is a member of Group1.
You have an organizational unit (OU) named OU1 that contains the computer accounts of computers that contain sensitive data. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1.
GPO1 has the User Rights Assignment configured as shown in the following table.
You need to prevent User1 from signing in to Computer1.
What should you do?
A . Remove User1 to Group2
B . In GPO1, add Group1 as a restricted group
C . On Computer1, modify the Allow log on locally user right
D . In GPO1, add Group2 as a restricted group
Answer: A
Explanation:
“Deny log on locally” Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Determines which users are prevented from logging on at the computer. This policy setting supercedes the Allow Log on locally policy setting if an account is subject to both policies. Therefore, adding User1 to Group2 will let User1 to inherit both policy, and then prevent User1 to sign in to Computer1.
References:
https://technet.microsoft.com/en-us/library/cc957048.aspx