https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5c7ecdad-469f-4b30-94b3-450b7fff868f describes Allow-Enforced-GPOs-Only:

The LDAP client will retrieve the container GPOs:

    [<GPO DN>;<GPLinkOptions>]   <--- gpLink format = [[<GPO DN 1>;<GPLinkOption>][<GPO DN 2>;<GPLinkOption>]]

Algorithm:

    if (GPLinkOption not present for Directory String)
        Ignore gpo_dn

    if (GPLinkOption == 2) {
        enforced = true
    } else {
        enforced = false
    }

    while (SOM_GP_LL != NULL)  // traverse
        if (enforced == false && allow_enforced_gpo_only == false)
            Prepend this gpo_dn to beginning of NON_ENFORCED_GP_LL
            remove current gpo_dn from SOM_GP_LL

    while (SOM_GP_LL != NULL)
        Append current gpo_dn to end of ENFORCED_GP_LL
        remove current gpo_dn from SOM_GP_LL

    if (gpOptions == 1)
        allow_enforced_gpo_only = 1

    while (NON_ENFORCED_GP_LL != NULL)  // traverse
        Append to end of GP_LL

    while (ENFORCED_GP_LL != NULL)  // traverse
        Append to end of GP_LL

But while looking into the code and "net ads gpo list <user> -d 100", I am not able to find whether we are handling 'Allow-Enforced-GPOs-Only' or not.
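
The ordering in the pseudocode above, written out as an added example (not code from the original post and not Samba's implementation). The function names and the sample DNs are constructed; it assumes the SOMs are passed closest container first and that a non-enforced link is dropped once allow_enforced_gpo_only has been set.

```python
import re

# One "[<GPO DN>;<GPLinkOption>]" entry; the option part may be absent.
_LINK = re.compile(r"\[([^\];]+)(?:;(\d+))?\]")

def parse_gplink(gplink):
    """Return (gpo_dn, option) pairs; entries without a GPLinkOption are ignored."""
    return [(dn, int(opt)) for dn, opt in _LINK.findall(gplink) if opt != ""]

def order_gpos(soms):
    """Build GP_LL from (gpLink, gpOptions) pairs.

    Assumption: soms is ordered closest container first (OU, then domain).
    """
    non_enforced, enforced = [], []
    allow_enforced_gpo_only = False
    for gplink, gp_options in soms:
        for dn, opt in parse_gplink(gplink):
            if opt == 2:                      # enforced, as in the post's test
                enforced.append(dn)
            elif not allow_enforced_gpo_only:
                non_enforced.insert(0, dn)    # prepend
            # Assumption: a non-enforced link seen after the flag is set is
            # dropped, which is what "enforced GPOs only" implies.
        if gp_options == 1:                   # affects the SOMs that follow
            allow_enforced_gpo_only = True
    return non_enforced + enforced

# Constructed sample: an OU whose gpOptions is 1, below a domain.
SAMPLE_SOMS = [
    ("[cn=OuPlain,cn=policies;0][cn=OuEnforced,cn=policies;2]", 1),
    ("[cn=DomPlain,cn=policies;0][cn=DomEnforced,cn=policies;2]"
     "[cn=DomNoOption,cn=policies]", 0),
]

if __name__ == "__main__":
    for dn in order_gpos(SAMPLE_SOMS):
        print(dn)
```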