
# gPLink

A GPO must be linked to the OU AND the security filter must grant the Apply Group Policy permission.

## 8. Common Myths

| Myth | Reality |
|-------|---------|
| "GPLink order only matters if conflict exists" | False – All settings are processed in link order, with later links overwriting earlier ones per setting type. |
| "Enforced overrides everything" | False – Security filtering still applies. If the user/computer isn't in the security filter, enforced does nothing. |
| "Block Inheritance stops all GPOs above" | False – It stops non-enforced GPOs. Enforced GPOs ignore Block Inheritance. |

## 9. Advanced Script: Bulk GPLink Report

```powershell
function Get-AllGPLinks {
    # Enumerate every domain in the current forest
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domains = $forest.Domains
    $allLinks = @()
    foreach ($domain in $domains) {
        # Search all OUs in this domain, paging through large result sets
        $root = $domain.GetDirectoryEntry()
        $searcher = [ADSISearcher]"(objectCategory=organizationalUnit)"
        $searcher.SearchRoot = $root
        $searcher.PageSize = 1000
        foreach ($ou in $searcher.FindAll()) {
            $gplinkRaw = $ou.Properties["gplink"]
            if ($gplinkRaw) {
                $allLinks += [PSCustomObject]@{
                    OU               = $ou.Path
                    GPLinkRaw        = [string]$gplinkRaw[0]
                    # Properties[...] is a collection, so -eq would filter it
                    # instead of returning a boolean; -contains gives True/False
                    BlockInheritance = $ou.Properties["gpoptions"] -contains 1
                }
            }
        }
    }
    return $allLinks
}
```

| Action | Command/Path |
|--------|---------------|
| View links on OU | `Get-GPLink -Target "OU=..."` |
| Link GPO | `New-GPLink -Name "GPO" -Target "OU=..."` |
| Enforce | `Set-GPLink ... -Enforced Yes` |
| Disable link | `Set-GPLink ... -LinkEnabled No` |
| Block inheritance on OU | `Set-ADOrganizationalUnit -Identity "OU=..." -Replace @{gpOptions=1}` |
| Remove link | `Remove-GPLink -Name "GPO" -Target "OU=..."` |
| List all enforced GPOs | `Get-GPO -All \| Get-GPLink \| Where-Object Enforced` |

This guide gives you both the theoretical foundation and practical tools to master gPLink – the backbone of Group Policy targeting in Active Directory.
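The `GPLinkRaw` values collected by `Get-AllGPLinks` are opaque strings, so this added example (not code from the original guide) decodes one into per-link records showing order, enabled state and enforcement, which is what an audit of enforced or stale links needs. The helper name `ConvertFrom-GPLinkRaw`, the sample GUIDs and the domain are constructed for illustration. It assumes the attribute format `[LDAP://<GPO DN>;<options>]`, where option bit 1 means the link is disabled, bit 2 means it is enforced, and the last entry in the string has the highest precedence.

```powershell
# Added example: decode a raw gPLink string into one record per link.
function ConvertFrom-GPLinkRaw {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][AllowEmptyString()][string]$GPLinkRaw
    )
    # Entries are concatenated with no separator: [LDAP://<dn>;<opt>][LDAP://...]
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    $found   = [regex]::Matches($GPLinkRaw, $pattern, 'IgnoreCase')
    $total   = $found.Count   # 0 for an empty or whitespace-only attribute
    for ($i = 0; $i -lt $total; $i++) {
        $m    = $found[$i]
        $dn   = $m.Groups['dn'].Value
        $opt  = [int]$m.Groups['opt'].Value
        $guid = if ($dn -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
        [PSCustomObject]@{
            OU          = $OU
            GpoGuid     = $guid
            GpoDN       = $dn
            # The last entry in the string wins on conflict: link order 1
            LinkOrder   = $total - $i
            LinkEnabled = -not ($opt -band 1)    # bit 1 set = link disabled
            Enforced    = [bool]($opt -band 2)   # bit 2 set = enforced
        }
    }
}

# Constructed sample value (GUIDs and domain are made up)
$sample = '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=ad,DC=com;0]' +
          '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=ad,DC=com;2]' +
          '[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=ad,DC=com;1]'

$links = ConvertFrom-GPLinkRaw -OU 'OU=Sales,DC=ad,DC=com' -GPLinkRaw $sample
$links | Sort-Object LinkOrder | Format-Table LinkOrder, GpoGuid, LinkEnabled, Enforced

# Review items: enforced links (they ignore Block Inheritance) and disabled leftovers
$links | Where-Object { $_.Enforced -or -not $_.LinkEnabled }

# Against live data, feed the report rows through the decoder:
# Get-AllGPLinks | ForEach-Object { ConvertFrom-GPLinkRaw -OU $_.OU -GPLinkRaw ([string]$_.GPLinkRaw) }
```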

```powershell
# List current order
Get-GPLink -Target "OU=Sales,DC=ad,DC=com"

# Remove the link, then re-create it at link order 1
Remove-GPLink -Name "OldPriority" -Target "OU=Sales,DC=ad,DC=com"
New-GPLink -Name "OldPriority" -Target "OU=Sales,DC=ad,DC=com" -Order 1
```

## GPLink for Sites

Sites have a gPLink attribute too. A GPO must be linked to the OU