Active Directory Management Framework

Configuration driven Active Directory management.

Group Policy Links


Group policy links are among the most fiddly aspects of defining Contexts. They govern where group policies are applied, and are thus the key element bringing your security configuration to life.

As such, a link is defined by three aspects:

Note: Defining any link for an organizational unit will cause the ADMF to consider that to be the defining list of links and remove all undesired/undefined links.

Example Configuration

Configuration sets for group policy links are rather simple from a setting perspective:

        "PolicyName":  "AD-SEC-D-Tier0-Logon-Permission",
        "OrganizationalUnit":  "OU=Servers,OU=Tier 0,OU=Tiering,%DomainDN%",
        "Precedence":  200

However the true complexity ensues when combining multiple Contexts and ensuring proper order in multiple combinations. As such, a certain amount of planning is unavoidable when designing precedence.


function Get-GPLinkConfiguration {
    param (


        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
    begin {
        $parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Include Server, Credential
        $module = Get-Module DomainManagement
        $command = & $module { Get-Command ConvertTo-GPLink }
        $policyMapping = @{ }
        foreach ($adGpo in (Get-ADObject @parameters -LDAPFilter '(objectCategory=GroupPolicyContainer)' -Properties DisplayName)) {
            $policyMapping[$adGpo.DistinguishedName] = $adGpo.DisplayName
        $convertCmd = { & $command -PolicyMapping $policyMapping }.GetSteppablePipeline()
    process {
        foreach ($ouString in $OrganizationalUnit) {
            $ouObject = Get-ADObject @parameters -Identity $ouString -Properties gPLink
            $data = $convertCmd.Process($ouObject) | Select-PSFObject 'DisplayName as PolicyName', 'Precedence*100 as Precedence', 'ADObject as OrganizationalUnit to String'
            foreach ($datum in $data) {
                $datum.OrganizationalUnit = $datum.OrganizationalUnit -replace 'DC=.+$','%DomainDN%'
    end {
Get-ADOrganizationalUnit -Server -SearchBase 'OU=PAW,DC=contoso,DC=com' -Filter * |
  Get-GPLinkConfiguration -Server |



The name of the group policy being linked.

Supports string expansion.


The organizational unit (or domain root) being linked to.

Supports string expansion.


A filter string for an organizational unit. The filter must be a wildcard-pattern supporting distinguishedname.


Numeric value representing the order it is linked in. The lower the number, the higher on the list, the more relevant the setting.


The tier of a link is a priority ordering on top of Precedence. While precedence determines order within a given tier, each tier is processed separately. The higher the tier number, the higher the priority. In additive mode, already existing linked policies have a Tier 0 priority. If you want your own policies to be prepended, use Tier 1 or higher. If you want your own policies to have the least priority however, user Tier -1 or lower.

Default: 1


The state the link should be in. Supported states:

Defaults to: Enabled


In which way GPO links are being processed:

By default, constrained mode is being used. If any single link for a given Organizational Unit is in constrained mode, the entire OU is processed under constraind mode.


Whether the link should be present at all. Relevant in additive mode, to retain the capability to delete undesired links.