Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, January 11, 2008 5:48 PM
in a new GPO or even the defalt GPO, under the Scope tap, there is:
- location, - enforced, - link enabled, - path
by default, enforced is no and link enable is yes.
can somebody tell me the meaning of it?
thanks.
All replies (9)
Saturday, January 12, 2008 6:39 PM | 17 votes
When a Group Policy Object (GPO) is link enabled it means the settings in the Group Policy Object will be applied to the object (can be a Local System, Domain, Site and Organizational Unit) to which it has a link.
By default settings in Group Policy Objects (GPOs) get applied in the following order: Local system policies first, then policies on the Active Directory Domain level, then policies on the Active Directory Site level and then the policies for all the Organization Units the computer and user are members of, starting at the root of the domain. The settings that are last applied are the settings in effect.
When a Group Policy Object (GPO) is enforced it means the settings in the Group Policy Object on an Organization Unit (which is shown as a folder within the Active Directory Users and Computers MMC) cannot be overruled by a Group Policy Object (GPO) which is link enabled on an Organizational Unit below the Organizational Unit with the enforced Group Policy Object (GPO). In Active Directory Users and Computers MMC 'below' means it is a subfolder.
There's more information on Group Policy Objects (GPOs) on Microsoft TechNet.
Thursday, March 4, 2010 12:13 AM
I have an additional question about this... I was trying to use the "enforced" button to make a policy become active but it wasn't seeming to work (which is why the search engine found this forum entry)...
How do you force a GPO to be used when someone logs on immediately? Is there a way to force the GPO into effect? I have linked the GPO I created to the root of my domain and still it is not being followed by users logging on a few hours later.
Thanks,
Shayne
Shayne Neal
Thursday, March 4, 2010 8:48 AM
What setting are you referring to exactly? You need to check the event viewer for any GP related errors and run a gpresult to see if the GPO in question is actually being applied.
Paul Adare CTO IdentIT Inc. ILM MVP
Monday, May 17, 2010 11:00 PM
Shayne,
Try opening a command line on the computer and run "gpupdate /force"(without the quotes). This will force the computer to grab the current computer and user group policy and apply it. Group policy takes a certain amount of time to refresh after changes have been made. I know you can change this interval but if you want to check changes in group policy immediately, run gpupdate.
Hope this helps,
Mirabent
Wednesday, December 7, 2011 11:58 AM | 4 votes
By default settings in Group Policy Objects (GPOs) get applied in the following order: Local system policies first, then policies on the Active Directory Domain level, then policies on the Active Directory Site level and then the policies for all the Organization Units the computer and user are members of, starting at the root of the domain. The settings that are last applied are the settings in effect.
Actually (to avoid possible misunderstandings), the GPO processing order is local, site, domain then OU. Site before domain.
http://technet.microsoft.com/en-us/library/cc736313(WS.10).aspx
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
Wednesday, February 1, 2012 6:28 AM
Dear Can any one tell me that i have created one user policy in group management policy and i just add one user in the security filtering area on which i want to apply that policy . but when i use to login by that user the policy is also getting apply over the administrator level.
any suggestions please
Thursday, April 26, 2012 4:55 PM | 9 votes
"Enforced" means no override of policies.
"Link Enabled" means the policy is active.
To block inheritance of policies, you have to right-click the OU and check the option to do that.
Previously, when managing group policies was done in AD Users and Computers, these options were check boxes. It took me forever to find how to block inheritance in this new console.
It was a lot more obvious and you didn't need fancy-schmancy verbose technicalese explanations to understand it.
WC
Thursday, July 21, 2016 3:04 PM
Pls modify the GP order processing
Monday, November 21, 2016 3:06 PM
Warren,
So, enforcing a policy means that another one could no override that?
WG