Managing Enabled and Enforced GPO Link Settings in Active Directory

When you create a new GPO in a domain, it doesn't affect any users or computers by default. To attach a policy to an Organizational Unit, you must create a GPO link. Once the link has the Enabled status, the policy is assigned and its settings are applied to all nested objects (OUs, computers and users).

You can manage GPOs and their links in the domain with the graphical Group Policy Management snap-in.

To run this snap-in, press Win+R, enter gpmc.msc in the window that opens, and press Enter.

If you can't find this command, install it with PowerShell (Install-WindowsFeature -Name GPMC) or with Server Manager (Add roles and features > Features > Group Policy Management).

To assign a GPO to an OU (create link), right-click on the container and select Link an Existing GPO.

In the GPO list, select the name of the policy you want to assign and click OK.

In the GPMC, select the OU to which you assigned the GPO. As you can see, Link Enabled = Yes. To disable a Group Policy link, click on the name of the policy and click on the Link Enabled menu item.

This GPO stays assigned to the OU even if Link is disabled, but its settings do not apply to domain clients. Please note that there is an Enforced option in the GPO link menu. What is the difference between GPO link enabled mode and GPO link enforced mode?

The status of Link Enabled indicates that this GPO is linked to a certain OU and that its settings are applied to all objects in that OU (users and computers).
The status Enforced indicates that this policy has been assigned and that its settings will not be overwritten by subsequent policies. Enforcing also takes precedence over GPO blocking.

For administering GPOs using PowerShell, there is a dedicated GroupPolicy module that comes pre-installed on the AD domain controller. The following command returns a list of all available cmdlets in the GroupPolicy module:

Get-Command -Module GroupPolicy

Hint: We previously showed how to back up and restore Group Policy objects using the cmdlets in this module (https://solutionviews.com/backup-restore-group-policy-objects/).

The PowerShell cmdlet New-GPLink can be used to link a GPO to an AD object. For example:

New-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=solutionviews,dc=com"

GpoId       : d61f4a36-b37e-411a-b002-1747a47a3f31
DisplayName : CA_Proxy
Enabled     : True
Enforced    : False
Target      : OU=Users,OU=California,OU=USA,DC=solutionviews,DC=com
Order       : 1

As you can see, the policy is assigned and enabled by default, but it is not enforced.

Run the following command to set the Enforced flag for this GPO link:

Set-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=solutionviews,dc=com" -Enforced Yes

Run the following command to disable the policy (Link Enabled = False) without removing the link:

Set-GPLink -Name "CA_Proxy" -Target "ou=Users,OU=California,ou=USA,dc=solutionviews,dc=com" -LinkEnabled No
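
To review which links are actually applied and which are enforced, the Enabled and Enforced flags can be classified per link. The script below is an added example, not code from the original article: the function name Get-GpoLinkAudit and the GPO names Example_Baseline and Example_Legacy are hypothetical, and the sample input is constructed in the shape of Get-GPInheritance output so the script runs without a domain.

```powershell
# Added example: classify GPO links by their Enabled / Enforced flags.
function Get-GpoLinkAudit {
    [CmdletBinding()]
    param(
        # One object per container, shaped like Get-GPInheritance output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Container
    )
    process {
        foreach ($link in $Container.GpoLinks) {
            # A disabled link is never applied, even if Enforced is also set
            $state = if (-not $link.Enabled) {
                'Linked, not applied'
            } elseif ($link.Enforced) {
                'Applied, enforced'
            } else {
                'Applied'
            }
            [pscustomobject]@{
                Target             = $link.Target
                Order              = $link.Order
                GPO                = $link.DisplayName
                State              = $state
                InheritanceBlocked = [bool]$Container.GpoInheritanceBlocked
            }
        }
    }
}

# Constructed sample input (not real domain data). CA_Proxy and the OU path
# come from the article; the other two GPO names are hypothetical.
$ou = 'OU=Users,OU=California,OU=USA,DC=solutionviews,DC=com'
$sample = [pscustomobject]@{
    Path                  = $ou
    GpoInheritanceBlocked = $false
    GpoLinks              = @(
        [pscustomobject]@{ DisplayName = 'CA_Proxy';         Enabled = $true;  Enforced = $true;  Target = $ou; Order = 1 }
        [pscustomobject]@{ DisplayName = 'Example_Baseline'; Enabled = $true;  Enforced = $false; Target = $ou; Order = 2 }
        [pscustomobject]@{ DisplayName = 'Example_Legacy';   Enabled = $false; Enforced = $true;  Target = $ou; Order = 3 }
    )
}

$sample | Get-GpoLinkAudit | Sort-Object Target, Order | Format-Table -AutoSize

# Live use on a host with the GroupPolicy and ActiveDirectory modules:
#   Get-ADOrganizationalUnit -Filter * |
#       ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
#       Get-GpoLinkAudit
```

Links reported as "Linked, not applied" are the ones left in place by -LinkEnabled No, and links reported as "Applied, enforced" are the ones whose settings lower-level policies cannot overwrite.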
