In this article, we’ll show you how to manage the Group Policy Object Links in Active Directory from the GPMC graphic snap-in and PowerShell and consider the differences between Enabled and Enforced Link status.
Default GPO link behavior
By default, when you create a new GPO in an Active Directory domain, it doesn’t apply to any user or computer object. To assign a policy to the AD OU, you must create a GPO link. GPO link with the Enabled status means that this policy has been assigned, and its settings are applied to all nested objects (OUs, computers, and users).
You can manage GPO and link in the domain with the special graphical Group Policy Management Console snap-in. The GPMC allows configuring and editing Group Policy settings and linking these to containers.
To run this snap-in, press Win+R, and in the window that opens, enter gpmc.msc > Enter.
Hint. If this command is not found, you can install this console from PowerShell (Install-WindowsFeature –Name GPMC) or through Server Manager (Add roles and features > Features > select Group Policy Management). It will then be found under administrative tools.
You can link a GPO to a site, domain, or organizational unit with the group policy object editor.
How to Link a GPO to an OU?
To assign a GPO to an OU (create link), right-click on the Group Policy objects container and select Link an Existing GPO.
In the GPO list, select the name of the policy you want to assign and click OK.
Enabling or disabling a linked GPO
In the GPMC, select the OU to which you assigned the GPO as you can see the Link Enabled = Yes. To disable a Group Policy line, click on the policy name and click on the Link Enabled menu item. This will disable the group policy and the multiple group policy settings associated with it.
This will disable the application of the policy to objects in the organizational unit, but will not remove the GPO link.
Removing a GPO link
To completely remove a GPO link, select the Delete item from the context menu. The GPO link will be removed from the GPMC console hierarchy. The GPO is not removed and can be found under Group Policy Objects in the GPMC.
One GPO can be enabled for multiple OUs (or Active Directory sites).
Viewing scope and other details
To check the status of a policy, find it in the Group Policy Objects section. Full information about policy links is provided in the right window on the Scope tab.
As you can see, the GPO link has 4 parameters: Location, Enforced, Link Enabled, and Path. The Enforced and Link Enabled options can be set to No/Yes.
If the Group Policy link status is enabled, the policy will be applied. If the status is disabled, the policy does not apply to members within that Organizational Unit.
Under the Delegation tab, you can define which security groups the policy applies. By default, when you link a GPO to a specific domain or OU, Authenticated Users has the read and apply group policy permissions.
Enforced vs Enabled GPO Link Status
If you disable Link, this GPO remains assigned to the OU, but its settings don’t apply to domain clients. Please note that the GPO link menu has an Enforced option. What are the differences between GPO link enabled and enforced mode?
- Link Enabled status means that this GPO is linked to the specific OU, and its settings are applied to all objects (users and computers).
- The status Enforced means that this policy has been assigned and its settings cannot be overwritten by other policies that apply later. Also enforcing overrides GPO blocking.
- Blocking inheritance. By default, child OUs inherit all GPOs from the parent OU, but you can block this inheritance using this option.
Enforced GPOs
Enforced GPOs are rarely used. Most often they are needed when some OUs are configured to block inherited GPOs from parent OU. Policies with the Enforcer flag override blocking. The Enforced flag policy applies to all underlying OUs, no matter how deeply they are nested. By default, GPO links are not enforced.
When the Enforced option is enabled, this policy applies to OU objects, even though the Block Inheritance option is enabled for the OU. You can verify this if you select OU and go to the Group Policy Inheritance tab.
As you can see, CA_Proxy has the Enforced status and applies to OU (other policies from the root of the domain, including Default Domain Policy are not applied, because GPO Block Inheritance is enabled for the OU).
Changing GPO order
On the Linked Group Policy Objects tab, you can change the order of GPO links. The GPO with the lowest reference order is processed last and therefore has the highest priority, overwriting the settings of previous GPOs in case of conflicts. You can change the link using the appropriate buttons.
How to Create and Remove Group Policy Link with PowerShell?
There is a special GroupPolicy module for managing GPOs from PowerShell, which is already installed by default on the AD domain controller.
On desktop versions of Windows 10 and Windows 11, you can install the GroupPolicy module online from the RSAT (Remote Server Administration Tools) package using the Add-WindowsCapability PowerShell cmdlet:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
You can list all available cmdlets in the GroupPolicy module using the command:
Get-Command -Module GroupPolicy
You can assign one of the GPOs to an AD object using the PowerShell cmdlet Set-GPLink. For example:
New-GPLink –Name “CA_Proxy” -Target “ou=Users,OU=California,ou=USA,dc=theitbros,dc=com”
GpoId : d61f4a36-b37e-411a-b002-1747a47a3f31
DisplayName : CA_Proxy
Enabled : True
Enforced : False
Target : OU=Users,OU=California,OU=USA,DC=theitbros,DC=com
Order : 1
As you can see, the policy is assigned and enabled, but not enforced by default.
To set the Enforced flag for this GPO link, run the command:
Set-GPLink -Name “CA_Proxy” -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com" -Enforced Yes
To disable the policy (Link Enabled = False), but not delete the link, run the command:
Set-GPLink -Name “CA_Proxy” -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com" -LinkEnabled No
To remove a GPO link established between GPO in a specific OU, use the Remove-GPLink cmdlet:
Remove-GPLink -Name " CA_Proxy " -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com"
You can list all GPOs that are assigned to a specific OU in Active Directory. For convenience, you can sort the policies in order of priority (by the Order attrubute):
( Get-ADOrganizationalUnit -Filter * -SearchBase “OU=Computers,OU=Nevada,OU=USA,DC=theitbros,DC=com” | Get-GPInheritance ).gpolinks |select DisplayName, Enabled,Enforced, Order| Sort-Object -Property order |format-table
Over time, a large number of objects appear in the Group Policy list. Some of them are used and some are not. In order to find unlinked GPOs in Active Directory, use the following simple PowerShell script:
Get-GPO -All | Where-Object {
$_ | Get-GPOReport -ReportType XML | Select-String -NotMatch "<LinksTo>"
} | select DisplayName,owner,CreationTime,ModificationTime|format-table
Later, you can delete found unused GPOs with the Remove-GPO cmdlet.
Frequently Asked Questions
1. What’s the difference between “Enabled” and “Enforced” in GPO Link Status?
The “Enabled” status means that the GPO is linked to a specific Organizational Unit (OU), and its settings are applied to all objects, including users and computers. The “Enforced” status means that this policy’s settings cannot be overwritten by other policies that are applied later. Also, enforcing the GPO can override any GPO blocking settings.
2. How do I initiate the Group Policy Management Console (GPMC)?
You can launch the GPMC snap-in by pressing Win+R and entering the command gpmc.msc. If this command doesn’t work, you can install the console either from PowerShell using the command Install-WindowsFeature –Name GPMC or via the Server Manager by selecting Group Policy Management under Features.
3. Is there a way to handle Group Policy Links using PowerShell?
Yes, PowerShell offers the GroupPolicy module, specifically for managing GPOs. For instance, you can use Set-GPLink to assign a GPO to an AD object, Remove-GPLink to delete a link between a GPO and an OU, and there are also commands available for checking unlinked GPOs or modifying GPO statuses.
4. How does GPO order affect policy application?
The GPO order can determine which policy gets applied in case of conflicts. The GPO with the lowest reference order gets processed last, which gives it the highest priority, allowing it to overwrite the settings of previous GPOs.
5. Can you explain what “blocking inheritance” means in the context of GPOs?
Blocking inheritance is an option to prevent child OUs from inheriting all GPOs set at the parent OU level. However, GPOs marked as “Enforced” can override this block, ensuring their settings are applied even if inheritance is blocked for a particular OU.
Wrapping up
Group Policies provide a great way to enforce policy settings across the enterprise environment. Understanding how these are linked, enabled, disabled, and removed in the environment allows admins to control how and when policies are applied. Keeping these capabilities in mind, along with blocking inheritance and GPO ordering, allows fine-tuning policies to meet the needs of the enterprise.
