In this article, we’ll show you how to manage the Group Policy Object Links in Active Directory from the GPMC graphic snap-in and PowerShell, and consider the differences between Enabled and Enforced Link status.
By default, when you create a new GPO in a domain, it doesn’t apply to any user or computer object. To assign a policy to an AD OU you need to create a GPO link. A GPO link with the Enabled status means that the policy has been assigned and its settings are applied to all nested objects (OUs, computers, and users).
You can manage GPOs and their links in the domain with the dedicated graphical Group Policy Management snap-in.
In order to run this snap-in, press Win+R and in the window that opens, enter gpmc.msc > Enter.
Hint. If this command is not found, you can install this console from PowerShell (Install-WindowsFeature -Name GPMC) or through Server Manager (Add roles and features > Features > select Group Policy Management).
You can link a GPO to a site, domain, or organizational unit.
How to Link a GPO to an OU?
To assign a GPO to an OU (create link), right-click on the container and select Link an Existing GPO.
In the GPO list, select the name of the policy you want to assign and click OK.
In the GPMC, select the OU to which you assigned the GPO. As you can see, Link Enabled = Yes. To disable a Group Policy link, right-click the name of the policy and click the Link Enabled menu item.
This will disable the application of the policy to objects in the organizational unit, but will not remove the GPO link.
To completely remove a GPO link, select the Delete item from the context menu. The GPO link will be removed from the GPMC console hierarchy. The GPO is not removed and can be found under Group Policy Objects in the GPMC.
One GPO can be enabled for multiple OUs (or Active Directory sites).
To check the status of a policy, find it in the Group Policy Objects section. Full information about policy links is provided in the right window on the Scope tab.
As you can see, the GPO link has 4 parameters: Location, Enforced, Link Enabled, and Path. The Enforced and Link Enabled options can be set to No/Yes.
If the Group Policy link status is enabled, the policy will be applied. If the status is disabled, the policy does not apply to members within that Organizational Unit.
Enforced vs Enabled GPO Link Status
If you disable the link, this GPO remains assigned to the OU, but its settings don’t apply to domain clients. Please note that the GPO link menu also has an Enforced option. What are the differences between the Enabled and Enforced modes of a GPO link?
- Link Enabled status means that this GPO is linked to the specific OU, and its settings are applied to all objects (users and computers).
- The status Enforced means that this policy has been assigned and its settings cannot be overwritten by other policies that apply later. Also enforcing overrides GPO blocking.
- Blocking inheritance. By default, child OUs inherit all GPOs from the parent OU, but you can block this inheritance using this option.
Enforced GPOs are rarely used. Most often they are needed when some OUs are configured to block inherited GPOs from the parent OU. Policies with the Enforced flag override blocking. An Enforced policy applies to all underlying OUs, no matter how deeply they are nested. By default, GPO links are not enforced.
When the Enforced option is enabled, the policy applies to the OU’s objects even if the Block Inheritance option is enabled for that OU. You can verify this if you select the OU and go to the Group Policy Inheritance tab.
As you can see, CA_Proxy has the Enforced status and applies to OU (other policies from the root of the domain, including Default Domain Policy are not applied, because GPO Block Inheritance is enabled for the OU).
On the Linked Group Policy Objects tab, you can change the order of GPO links. The GPO with the lowest link order number is processed last and therefore has the highest priority, overwriting the settings of previously processed GPOs in case of conflicts. You can change the link order using the arrow buttons on the left.
How to Create and Remove Group Policy Link with PowerShell?
There is a special GroupPolicy module for managing GPOs from PowerShell, which is already installed by default on the AD domain controller.
On desktop versions of Windows 10 and Windows 11, you can install the GroupPolicy module online from the RSAT (Remote Server Administration Tools) package using the Add-WindowsCapability PowerShell cmdlet:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
You can list all available cmdlets in the GroupPolicy module using the command:
Get-Command -Module GroupPolicy
You can assign one of the GPOs to an AD container using the New-GPLink PowerShell cmdlet. For example:
New-GPLink -Name "CA_Proxy" -Target "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com"
GpoId : d61f4a36-b37e-411a-b002-1747a47a3f31
DisplayName : CA_Proxy
Enabled : True
Enforced : False
Target : OU=Users,OU=California,OU=USA,DC=theitbros,DC=com
Order : 1
As you can see, the policy is assigned and enabled, but not enforced by default.
To set the Enforced flag for this GPO link, run the command:
Set-GPLink -Name "CA_Proxy" -Target "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" -Enforced Yes
To disable the policy (Link Enabled = False), but not delete the link, run the command:
Set-GPLink -Name "CA_Proxy" -Target "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" -LinkEnabled No
To remove the link between a GPO and a specific OU, use the Remove-GPLink cmdlet:
Remove-GPLink -Name "CA_Proxy" -Target "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com"
You can list all GPOs that are linked to a specific OU in Active Directory. For convenience, you can sort the policies in order of priority (by the Order attribute):
(Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Computers,OU=Nevada,OU=USA,DC=theitbros,DC=com" | Get-GPInheritance).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order | Sort-Object -Property Order | Format-Table
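The one-liner above reports a single OU. The following script, an added example rather than code from the original article, extends it to every OU in the domain and ties the PowerShell output back to the Enforced vs. Block Inheritance discussion earlier: it lists disabled links, enforced links, and, for each OU that blocks inheritance, the GPOs that still apply to it. It assumes the GroupPolicy and ActiveDirectory RSAT modules are available; no OU or GPO names are hard-coded.

```powershell
# Added example (not from the original article): audit GPO links and
# inheritance blocking across all OUs in the current domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$rows = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # Get-GPInheritance returns the OU's own links (GpoLinks), the effective
    # inherited links (InheritedGpoLinks) and the Block Inheritance flag.
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    foreach ($link in $inh.GpoLinks) {
        [PSCustomObject]@{
            OU                = $inh.Path
            BlocksInheritance = $inh.GpoInheritanceBlocked
            GPO               = $link.DisplayName
            LinkEnabled       = $link.Enabled
            Enforced          = $link.Enforced
            Order             = $link.Order
        }
    }
}

# 1. Links that exist but are switched off (Link Enabled = No): candidates to
#    re-enable or to remove with Remove-GPLink so they stop cluttering the GPMC.
"== Disabled GPO links =="
$rows | Where-Object { -not $_.LinkEnabled } | Format-Table OU, GPO, Order -AutoSize

# 2. Enforced links: these override Block Inheritance and cannot be overridden by
#    GPOs linked lower in the tree, so every one of them should be deliberate.
"== Enforced GPO links =="
$rows | Where-Object { $_.Enforced } | Format-Table OU, GPO, Order -AutoSize

# 3. OUs with Block Inheritance: show what still reaches them, i.e. their own links
#    plus enforced links from parent containers. Get-GPInheritance already applies
#    the enforcement rules when it builds InheritedGpoLinks; Order 1 wins conflicts.
"== OUs that block inheritance and their effective GPOs =="
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        "{0}" -f $inh.Path
        $inh.InheritedGpoLinks |
            Sort-Object Order |
            Format-Table Order, DisplayName, Enforced, Target -AutoSize
    }
}
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT; in a large domain, Get-GPInheritance per OU takes a moment, so consider saving `$rows` to CSV with Export-Csv for later comparison.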
Over time, a large number of objects appear in the Group Policy list. Some of them are used and some are not. In order to find unlinked GPOs in Active Directory, use the following simple PowerShell script:
Get-GPO -All | Where-Object { $_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>" } | Select-Object DisplayName, Owner, CreationTime, ModificationTime | Format-Table
Later, you can delete found unused GPOs with the Remove-GPO cmdlet.