Enforced or Not in Group Policy Object

    Question

  • in a new GPO or even the default GPO, under the Scope tab, there is:

     

    - location, - enforced, - link enabled, - path 

     

    by default, enforced is no and link enabled is yes.

    can somebody tell me the meaning of it?

     

    thanks.

    Friday, January 11, 2008 5:48 PM

All replies

  • When a Group Policy Object (GPO) is link enabled it means the settings in the Group Policy Object will be applied to the object (can be a Local System, Domain, Site and Organizational Unit) to which it has a link.

     

    By default settings in Group Policy Objects (GPOs) get applied in the following order: Local system policies first, then policies on the Active Directory Domain level, then policies on the Active Directory Site level and then the policies for all the Organization Units the computer and user are members of, starting at the root of the domain. The settings that are last applied are the settings in effect.

     

    When a Group Policy Object (GPO) is enforced it means the settings in the Group Policy Object on an Organization Unit (which is shown as a folder within the Active Directory Users and Computers MMC) cannot be overruled by a Group Policy Object (GPO) which is link enabled on an Organizational Unit below the Organizational Unit with the enforced Group Policy Object (GPO). In Active Directory Users and Computers MMC 'below' means it is a subfolder.

     

    There's more information on Group Policy Objects (GPOs) on Microsoft TechNet.

    • Proposed as answer by John Nobile Wednesday, November 03, 2010 4:39 PM
    Saturday, January 12, 2008 6:39 PM
  • I have an additional question about this... I was trying to use the "enforced" button to make a policy become active but it wasn't seeming to work (which is why the search engine found this forum entry)...

    How do you force a GPO to be used when someone logs on immediately?  Is there a way to force the GPO into effect?  I have linked the GPO I created to the root of my domain and still it is not being followed by users logging on a few hours later.

    Thanks,

    Shayne

    Shayne Neal
    • Proposed as answer by BiggTree Thursday, September 15, 2011 5:36 PM
    Thursday, March 04, 2010 12:13 AM
  • What setting are you referring to exactly? You need to check the event viewer for any GP related errors and run a gpresult to see if the GPO in question is actually being applied.

    Paul Adare CTO IdentIT Inc. ILM MVP
    Thursday, March 04, 2010 8:48 AM
  • Shayne,

    Try opening a command line on the computer and run "gpupdate /force" (without the quotes). This will force the computer to grab the current computer and user group policy and apply it. Group policy takes a certain amount of time to refresh after changes have been made. I know you can change this interval but if you want to check changes in group policy immediately, run gpupdate.

    Hope this helps,

    Mirabent

    Monday, May 17, 2010 11:00 PM
  • By default settings in Group Policy Objects (GPOs) get applied in the following order: Local system policies first, then policies on the Active Directory Domain level, then policies on the Active Directory Site level and then the policies for all the Organization Units the computer and user are members of, starting at the root of the domain. The settings that are last applied are the settings in effect.

    Actually (to avoid possible misunderstandings), the GPO processing order is local, site, domain then OU. Site before domain. 

    http://technet.microsoft.com/en-us/library/cc736313(WS.10).aspx

     


    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/
    Wednesday, December 07, 2011 11:58 AM
  • Dear all, can anyone tell me: I have created one user policy in group management policy and I just added one user in the security filtering area on which I want to apply that policy, but when I log in as that user the policy is also getting applied over the administrator level.

     

    any suggestions please

    • Proposed as answer by Raj000111 Sunday, April 15, 2012 10:28 PM
    Wednesday, February 01, 2012 6:28 AM
  • "Enforced" means no override of policies.

    "Link Enabled" means the policy is active.

    To block inheritance of policies, you have to right-click the OU and check the option to do that.

    Previously, when managing group policies was done in AD Users and Computers, these options were check boxes.  It took me forever to find how to block inheritance in this new console.

    It was a lot more obvious and you didn't need fancy-schmancy verbose technicalese explanations to understand it.


    WC



    • Edited by Warren Chu Thursday, April 26, 2012 5:35 PM
    • Proposed as answer by Joe Albergo Friday, November 09, 2012 3:26 AM
    Thursday, April 26, 2012 4:55 PM
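
The interaction of "Link Enabled", "Enforced" and Block Inheritance discussed in this thread, as an added example that is not part of any reply: a small Python model that resolves which GPO wins each setting, using the site, domain, OU order from the linked TechNet article. The local policy is left out, and all container names, GPO names and settings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict
    enabled: bool = True      # "Link Enabled" column
    enforced: bool = False    # "Enforced" column

@dataclass
class Container:
    name: str
    links: list               # index 0 = link order 1 (highest precedence here)
    block_inheritance: bool = False

def effective_settings(chain):
    """chain: containers ordered site, domain, parent OU ... OU holding the object.
    Returns {setting: (value, winning GPO name)}."""
    # Block Inheritance on a container drops non-enforced links from everything above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        for link in reversed(c.links):      # link order 1 is applied last, so it wins
            if not link.enabled:
                continue                    # disabled link: GPO is not applied from here
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= cutoff:
                normal.append(link)
    # Enforced links are applied after all others; the one highest in the tree goes last.
    enforced.sort(key=lambda t: -t[0])
    result = {}
    for link in normal + [l for _, l in enforced]:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)  # last writer wins
    return result

def demo(enforce_baseline, block_at_ou):
    # Constructed sample hierarchy; all names and settings are made up.
    domain = Container("example.test", [
        Link("Domain Baseline", {"ScreenLockSeconds": 900, "UsbStorage": "deny"},
             enforced=enforce_baseline),
        Link("Domain Desktop", {"Wallpaper": "corp.bmp"})])
    ou = Container("OU=Kiosks", [
        Link("Kiosk", {"ScreenLockSeconds": 60, "Wallpaper": "kiosk.bmp"}),
        Link("Old Test", {"UsbStorage": "allow"}, enabled=False)],
        block_inheritance=block_at_ou)
    return effective_settings([Container("Site", []), domain, ou])

if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, True)]:
        print(flags, demo(*flags))
```

With Block Inheritance set on the OU and the domain link not enforced, the domain baseline drops out entirely, which is the case worth checking for when auditing where a security baseline actually applies.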