Consider the following configuration in .htaccess/httpd.conf (or wherever):
AuthName "My Super Secret Area"
Require group bestmates
Require user randomguy
Where user randomguy does not belong to the group bestmates.
By default mod_auth of Apache 2.2 would allow only users from bestmates to authenticate, and randomguy won’t have access because he doesn’t belong to the group. In other words,
require user directive would be entirely ignored.
To allow both group and user, simply add
AuthzGroupFileAuthoritative Off to your configuration (.htaccess/httpd.conf or wherever).
All kudos for the find goes to user newmanium2001 from LinuxQuestions.org.