In this article, we’ll show you how to manage the Group Policy Object Links in Active Directory from the GPMC graphic snap-in and PowerShell, and consider the differences between Enabled and Enforced Link status.
By default, when you create a new GPO in a domain, it doesn’t apply to any users or computers. To assign a policy to an Organizational Unit you need to create a GPO link. A GPO link with the Enabled status means that the policy has been assigned and its settings are applied to all nested objects (child OUs, computers and users).
You can manage GPO and link in the domain with the special graphical Group Policy Management snap-in.
To run this snap-in, press Win+R, enter gpmc.msc in the window that opens, and press Enter.
Hint. If this command is not found, you can install this console from PowerShell (Install-WindowsFeature -Name GPMC) or through Server Manager (Add roles and features > Features > select Group Policy Management).
To assign a GPO to an OU (create link), right-click on the container and select Link an Existing GPO.
In the GPO list, select the name of the policy you want to assign and click OK.
In the GPMC, select the OU to which you assigned the GPO. As you can see, Link Enabled = Yes. To disable a Group Policy link, click on the name of the policy and then click the Link Enabled menu item.
If you disable the link, this GPO remains assigned to the OU, but its settings no longer apply to domain clients. Please note that the GPO link menu also has an Enforced option. What are the differences between the Enabled and Enforced modes of a GPO link?
- Link Enabled status means that this GPO is linked to the specific OU, and its settings are applied to all objects (users and computers).
- The Enforced status means that this policy has been assigned and its settings cannot be overridden by other policies that are applied later. Enforcing also overrides GPO inheritance blocking.
Enforced GPOs are rarely used. Most often they are needed when some OUs are configured to block GPOs inherited from the parent OU. Policies with the Enforced flag override this blocking. An Enforced policy applies to all underlying OUs, no matter how deeply they are nested. By default, GPO links are not enforced.
When the Enforced option is enabled, this policy applies to OU objects, even though the Block Inheritance option is enabled for the OU. You can verify this if you select OU and go to the Group Policy Inheritance tab.
As you can see, CA_Proxy has the Enforced status and applies to the OU (the other policies from the root of the domain, including the Default Domain Policy, are not applied, because Block Inheritance is enabled for the OU).
There is a special GroupPolicy module for managing GPOs from PowerShell, which is already installed by default on the AD domain controller. You can list all available cmdlets in the GroupPolicy module using the command:
Get-Command -Module GroupPolicy
Hint. Earlier, we showed how to use the cmdlets of this module to backup and restore Group Policy objects (https://theitbros.com/backup-restore-group-policy-objects/).
You can link a GPO to an AD container using the PowerShell cmdlet New-GPLink (an existing link is modified with Set-GPLink). For example:
New-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com"
GpoId : d61f4a36-b37e-411a-b002-1747a47a3f31
DisplayName : CA_Proxy
Enabled : True
Enforced : False
Target : OU=Users,OU=California,OU=USA,DC=theitbros,DC=com
Order : 1
As you can see, the policy is assigned and enabled, but not enforced by default.
To set the Enforced flag for this GPO link, run the command:
Set-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com" -Enforced Yes
To disable the policy (Link Enabled = False), but not delete the link, run the command:
Set-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=theitbros,dc=com" -LinkEnabled No
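Because an Enforced link overrides both Block Inheritance and later-applied policies, every enforced link in the domain should be a deliberate decision, and a disabled link is configuration that is easy to forget about. The following script is an added example (not from the original article) that uses the same GroupPolicy module to audit all GPO links in the domain and flag the ones worth a second look; it assumes the GroupPolicy and ActiveDirectory modules are available and that the OU names come from your own domain.

```powershell
# Added example, not part of the original article: audit every GPO link per OU.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT or a domain controller)
# and an account that can read GPO links. The SearchBase default is the whole domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkAudit {
    param(
        # Optional: restrict the audit to one subtree, e.g. "OU=USA,DC=theitbros,DC=com"
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Get-ADOrganizationalUnit enumerates the OUs; Get-GPInheritance returns the links
    # set directly on each OU plus whether the OU blocks inheritance from its parents.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        foreach ($link in $inh.GpoLinks) {
            # Enforced links bypass Block Inheritance and win over later policies;
            # disabled links stay in the link list but apply nothing.
            $review = ''
            if ($link.Enforced)         { $review = 'Enforced link: confirm it is intended' }
            elseif (-not $link.Enabled) { $review = 'Disabled link: remove or re-enable' }

            [pscustomobject]@{
                OU                 = $inh.Path
                GPO                = $link.DisplayName
                GpoId              = $link.GpoId
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                Order              = $link.Order
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Review             = $review
            }
        }
    }
}

# Usage: show every link in processing order, then only those that need attention.
$audit = Get-GpoLinkAudit
$audit | Sort-Object OU, Order | Format-Table OU, GPO, LinkEnabled, Enforced, Order -AutoSize
$audit | Where-Object { $_.Review } |
    Format-Table OU, GPO, Enforced, LinkEnabled, InheritanceBlocked, Review -AutoSize
```

Run it periodically from a management host and compare the output with the previous run: a new Enforced link, or an OU that newly blocks inheritance, is a change to the effective policy on every object below it.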