When working with Group Policy in Active Directory, you may have noticed an option to set a GPO link as “Enforced” and wondered what it actually does. After all, Group Policy Objects are always applied (enforced in the general sense), so why is there a separate “Enforced” setting? The answer lies in understanding GPO inheritance, precedence, and the specific scenario where a child organizational unit (OU) blocks inheritance from parent containers.
How Group Policy Inheritance Works
Group Policy settings are applied to users and computers based on where their accounts are located in the Active Directory hierarchy. GPOs can be linked at four levels:
- Local - Group Policy on the individual machine.
- Site - GPOs linked to Active Directory sites.
- Domain - GPOs linked to the domain root.
- Organizational Unit (OU) - GPOs linked to OUs, including nested OUs.
Settings are processed in the order L-S-D-OU (Local, Site, Domain, OU). If there is a conflict between settings, the GPO processed last wins. This means OU-level GPOs have higher precedence than domain-level GPOs, which have higher precedence than site-level GPOs.
Example Hierarchy
Consider this structure:
Domain: contoso.com
├── GPO: "Domain Security Policy" (linked at domain)
├── OU: Sales
│ ├── GPO: "Sales Desktop Policy" (linked at Sales OU)
│ └── Sub-OU: Sales-Managers
│ └── GPO: "Manager Policy" (linked at Sales-Managers OU)
└── OU: IT
└── GPO: "IT Desktop Policy" (linked at IT OU)
A computer in the Sales-Managers OU would receive settings from:
- Local policy
- Site-level GPOs (if any)
- Domain Security Policy
- Sales Desktop Policy (inherited from parent OU)
- Manager Policy (directly linked)
If any setting in “Manager Policy” conflicts with “Domain Security Policy,” the Manager Policy setting wins because it is processed last.
What Does Block Inheritance Do?
Administrators with the right to modify an OU (or the domain) can set Block Inheritance on it, which prevents all non-enforced GPOs from parent containers (site, domain and parent OUs) from applying to that container and its children. This is shown as a blue exclamation mark icon on the OU in the Group Policy Management Console (GPMC).
For example, if the Sales OU has Block Inheritance enabled:
- “Domain Security Policy” would not apply to objects in the Sales OU.
- Only “Sales Desktop Policy” and any GPOs directly linked to Sales or its child OUs would apply.
This is useful for delegation, but it creates a problem: what if the domain administrator has critical security policies that absolutely must apply everywhere, even in OUs that block inheritance?
What the Enforced Setting Does
The Enforced setting (historically called “No Override” in older Windows versions) is set on a GPO link, not on the GPO itself. When a GPO link is enforced:
- It overrides Block Inheritance - The GPO applies even to OUs that have Block Inheritance enabled.
- It has the highest precedence - The enforced GPO’s settings cannot be overridden by any GPO at a lower level. Instead of the normal “last writer wins” rule, the enforced GPO always wins on conflicting settings.
Enforced Precedence Example
Using the same hierarchy, if “Domain Security Policy” is set to Enforced:
Domain: contoso.com
├── GPO: "Domain Security Policy" [ENFORCED]
├── OU: Sales [Block Inheritance]
│ ├── GPO: "Sales Desktop Policy"
│ └── Sub-OU: Sales-Managers
│ └── GPO: "Manager Policy"
For a computer in Sales-Managers:
- “Domain Security Policy” applies despite Block Inheritance on the Sales OU.
- If “Manager Policy” sets a screen lock timeout to 15 minutes but “Domain Security Policy” (enforced) sets it to 5 minutes, the 5-minute setting wins because the enforced GPO has highest precedence.
How to Configure the Enforced Setting
Using Group Policy Management Console (GPMC)
- Open Group Policy Management (gpmc.msc).
- Navigate to the container (domain, site, or OU) where the GPO is linked.
- Right-click the GPO link (not the GPO under “Group Policy Objects”).
- Select Enforced from the context menu.
- A padlock icon appears on the GPO link to indicate enforcement.
Using PowerShell
# View all GPO links and their enforcement status
Get-GPInheritance -Target "OU=Sales,DC=contoso,DC=com"
# Set a GPO link to Enforced
Set-GPLink -Name "Domain Security Policy" -Target "DC=contoso,DC=com" -Enforced Yes
# Remove enforcement from a GPO link
Set-GPLink -Name "Domain Security Policy" -Target "DC=contoso,DC=com" -Enforced No
Using Block Inheritance (for comparison)
# Set Block Inheritance on an OU
Set-GPInheritance -Target "OU=Sales,DC=contoso,DC=com" -IsBlocked Yes
# Remove Block Inheritance
Set-GPInheritance -Target "OU=Sales,DC=contoso,DC=com" -IsBlocked No
GPO Precedence Order Summary
When determining which setting wins in a conflict, Windows follows this precedence order (highest to lowest):
| Priority | Source | Notes |
|---|---|---|
| 1 (Highest) | Enforced GPOs at domain level | Enforced + highest in hierarchy |
| 2 | Enforced GPOs at parent OU level | Enforced + closer to the object |
| 3 | Enforced GPOs at child OU level | Enforced + closest to the object |
| 4 | GPOs linked at the closest OU | Normal precedence (last applied wins) |
| 5 | GPOs linked at parent OUs | Inherited normally |
| 6 | GPOs linked at domain level | Applied early in processing |
| 7 | GPOs linked at site level | Applied right after local policy |
| 8 (Lowest) | Local Group Policy | First to be applied |
Important note on enforced GPO precedence: When multiple GPOs are enforced, the one linked at the highest level in the hierarchy wins. This is the reverse of normal precedence. Enforced links are processed after every non-enforced link and in reverse hierarchical order (closest container first, site last), so the domain-level enforced GPO is written last and beats an OU-level enforced GPO.
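The table and note above describe an algorithm; the following PowerShell is an added example (not code from the original article) that models it, including Block Inheritance from the earlier section, so you can see which GPO wins for each setting. The `Depth` and `Order` fields, the link names and the settings are constructed for the article's sample hierarchy and are not real GPO attributes.

```powershell
# Added example, not from the original article: a model of GPO precedence.
# Depth: 0 = site, 1 = domain, 2 and above = OU and nested OUs.
# Order: link order within one container as shown in GPMC
# (1 = top of the list, highest precedence, processed last).

function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)][object[]]$Links,
        # Depth of the container with Block Inheritance set (-1 = none).
        [int]$BlockInheritanceAtDepth = -1
    )

    # Block Inheritance drops non-enforced links from containers above the
    # blocking container; enforced links pass through regardless.
    $applicable = @($Links | Where-Object {
        $_.Enforced -or $_.Depth -ge $BlockInheritanceAtDepth
    })

    # Non-enforced links run site -> domain -> OU -> child OU. Within one
    # container the lowest link order is processed last, so it wins.
    $normal = @($applicable | Where-Object { -not $_.Enforced } |
        Sort-Object @{Expression = 'Depth'; Ascending = $true}, @{Expression = 'Order'; Descending = $true})

    # Enforced links run after all non-enforced links, in reverse hierarchy
    # order (child OU first, site last), so the highest-level enforced link wins.
    $enforced = @($applicable | Where-Object { $_.Enforced } |
        Sort-Object @{Expression = 'Depth'; Descending = $true}, @{Expression = 'Order'; Descending = $true})

    return $normal + $enforced
}

function Resolve-EffectiveSettings {
    param(
        [Parameter(Mandatory)][object[]]$Links,
        [int]$BlockInheritanceAtDepth = -1
    )
    $effective = @{}
    $order = Get-GpoProcessingOrder -Links $Links -BlockInheritanceAtDepth $BlockInheritanceAtDepth
    foreach ($link in $order) {
        foreach ($name in $link.Settings.Keys) {
            # Last writer wins: a later link overwrites the same setting.
            $effective[$name] = [pscustomobject]@{
                Value      = $link.Settings[$name]
                WinningGpo = $link.Name
            }
        }
    }
    return $effective
}

# Constructed sample that mirrors the article's hierarchy (not real GPO data).
$links = @(
    [pscustomobject]@{ Name = 'Domain Security Policy'; Depth = 1; Order = 1; Enforced = $true;  Settings = @{ ScreenLockMinutes = 5;  Wallpaper = 'corp.jpg' } }
    [pscustomobject]@{ Name = 'Sales Desktop Policy';   Depth = 2; Order = 1; Enforced = $false; Settings = @{ Wallpaper = 'sales.jpg'; Homepage = 'intranet/sales' } }
    [pscustomobject]@{ Name = 'Manager Policy';         Depth = 3; Order = 1; Enforced = $false; Settings = @{ ScreenLockMinutes = 15; Homepage = 'intranet/managers' } }
)

# The Sales OU (depth 2) blocks inheritance; the enforced domain link still applies.
$result = Resolve-EffectiveSettings -Links $links -BlockInheritanceAtDepth 2
foreach ($entry in ($result.GetEnumerator() | Sort-Object Key)) {
    '{0,-18} = {1,-18} from {2}' -f $entry.Key, $entry.Value.Value, $entry.Value.WinningGpo
}
```

With the sample data, ScreenLockMinutes and Wallpaper come from the enforced “Domain Security Policy” even though the Sales OU blocks inheritance, while Homepage comes from “Manager Policy” because nothing above it is enforced. Change `Enforced = $false` on the domain link and rerun to see Block Inheritance remove it entirely, or add a second enforced link at depth 3 to confirm that the domain-level enforced link still wins.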
Practical Scenarios
Scenario 1: Domain-Wide Security Baseline
You have a security baseline GPO that sets password complexity, audit policies, and firewall rules. You want these settings to apply to every computer and user in the domain, regardless of any OU-level customization.
Solution: Link the security baseline GPO at the domain level and set it to Enforced. This ensures the settings apply everywhere, even to OUs with Block Inheritance enabled. One caveat: password and account lockout policy for domain accounts is read only from GPOs linked at the domain root, so an OU-linked GPO can never override those settings for domain accounts. For those settings, enforcement matters for local accounts on member computers, where an OU-linked account policy would otherwise take effect.
Scenario 2: Delegated OU Administration
Your IT department has an OU managed by a separate team that uses Block Inheritance to have full control over their own GPO settings. However, the domain security team needs certain audit policies to apply everywhere.
Solution: Keep Block Inheritance on the IT OU for delegation flexibility, but enforce the domain-level audit policy GPO. The IT team can customize most settings, but the audit policy remains non-negotiable.
Scenario 3: Conflicting GPO Settings at Multiple Levels
A domain GPO sets the wallpaper to the company logo. An OU-level GPO sets it to a department-specific image. You want the company logo to always appear.
Solution: Enforce the domain-level wallpaper GPO. The OU-level setting will be overridden.
Best Practices
- Use enforcement sparingly - Enforcing too many GPOs reduces flexibility and makes troubleshooting difficult. Reserve enforcement for critical security settings.
- Document enforced GPOs - Clearly document which GPOs are enforced and why. This helps other administrators understand the policy landscape.
- Use security filtering alongside enforcement - Even with enforcement, you can use security group filtering to limit which users or computers receive the GPO settings.
- Test before enforcing - Use gpresult /r or the Group Policy Results wizard to verify how enforcement affects policy application before deploying widely.
- Avoid Block Inheritance where possible - Block Inheritance can lead to unintended gaps in security policy. Use WMI filtering or security filtering as alternatives for selective GPO application.
- Protect the enforced GPO itself - Enforcement is an attribute of the link, not a safeguard on the GPO. Anyone who can edit the GPO, unlink it, or clear the Enforced flag on the domain link can undo the baseline, so restrict edit and link permissions on enforced GPOs and monitor changes to them.
- Review regularly - Periodically audit enforced GPOs to ensure they are still necessary and that the settings remain appropriate.
Troubleshooting GPO Enforcement
Verify Effective Policies
Use gpresult to see which policies are applied and whether enforcement is affecting the outcome (run it from an elevated prompt so that computer-configuration results are included):
gpresult /r
gpresult /h report.html
The HTML report shows the winning GPO for each setting and the reason it won (enforcement, closer link, etc.).
Check GPO Inheritance in GPMC
In the Group Policy Management Console, select an OU and click the Group Policy Inheritance tab. This shows all GPOs that apply to that OU in their effective order, including enforced GPOs marked with a padlock icon.
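The GPMC inheritance tab shows one container at a time. The “Review regularly” practice above and the check just described both call for the same thing across the whole domain, so here is an added PowerShell example (not code from the original article) that walks every OU, flags Block Inheritance, lists enforced and disabled links, and verifies that a named baseline is still effective. It assumes the RSAT ActiveDirectory and GroupPolicy modules and uses the article's “Domain Security Policy” as the baseline name; the CSV path is an arbitrary choice.

```powershell
# Added example, not from the original article: audit Block Inheritance and
# enforced-link coverage across a domain. Requires RSAT (ActiveDirectory and
# GroupPolicy modules) and read access to Group Policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Display name of the enforced baseline to check for (article's example name).
$BaselineName = 'Domain Security Policy'

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn

    # InheritedGpoLinks is the effective list for this container, ordered by
    # precedence; a link missing from it does not apply here at all.
    $baseline = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $BaselineName }

    [pscustomobject]@{
        Container        = $dn
        BlocksInherit    = $inh.GpoInheritanceBlocked
        EnforcedLinks    = ($inh.GpoLinks | Where-Object Enforced |
                            Select-Object -ExpandProperty DisplayName) -join '; '
        DisabledLinks    = ($inh.GpoLinks | Where-Object { -not $_.Enabled } |
                            Select-Object -ExpandProperty DisplayName) -join '; '
        BaselineApplied  = [bool]$baseline
        BaselineEnforced = [bool]($baseline | Where-Object Enforced)
    }
}

# Findings worth a security reviewer's attention:
#  - containers that block inheritance (a baseline can be silently bypassed here)
#  - containers where the baseline is not effective at all
#  - containers where it applies but is not enforced (an OU link could override it)
$report | Where-Object { $_.BlocksInherit -or -not $_.BaselineApplied -or -not $_.BaselineEnforced } |
    Format-Table Container, BlocksInherit, BaselineApplied, BaselineEnforced, EnforcedLinks -AutoSize

# Keep the full picture for later diffing against the next review.
$report | Export-Csv -Path .\gpo-enforcement-audit.csv -NoTypeInformation
```

Run it as part of the periodic review and diff the CSV against the previous run: a newly blocked OU, a newly disabled link, or a baseline that stops appearing as enforced is exactly the change this article warns about. If display names are not unique in your domain, match on the link's GpoId (compare with `(Get-GPO -Name $BaselineName).Id`) instead of DisplayName.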
Summary
The “Enforced” setting in Group Policy is a mechanism that ensures a GPO’s settings cannot be overridden by lower-level GPOs or blocked by Block Inheritance on child OUs. It is the domain administrator’s tool for guaranteeing that critical policies — such as security baselines, audit configurations, and compliance settings — apply consistently across the entire domain or site. Use enforcement judiciously for essential policies, and combine it with proper documentation and regular auditing to maintain a manageable Group Policy environment.