Today I will show you how to force a group policy update on remote computers.
- Gpupdate /force The /force will force all policies to update not just the new ones. Now, if you have a bunch of computers that need updated it would be a pain to log into each one and run this command. To run this on a remote computer you can use the PsExec command from the Sysinternals toolset.
- This example will run the command GPUpdate.exe /force If you wish to run something else. Replace this with the command you wish to run. Your command will execute on the remote system.
Computers will update group policy in the background every 90 minutes, in addition, group policy is updated when the computer starts up.
The wscript.exe will wait until the gpupdate.exe is closed. If you choose 'false' it will not wait and just close independed of the gpudpate.exe. If you run the script with user rights (user logon script) it will update the user policy part. If you run it with computer rights (computer starup script) it will update the computer policy part.
There are times when you make changes or create new GPOs (Group Policy Objects) and you need the changes to go into effect immediately.
There are a few different methods for remotely updating group policy.
Let’s take a look.
Tip: Method 1 is best for older clients, Method 2 and 3 are for systems running 2012 and later.
Method 1: Using the gpupdate command with PsExec
This first method uses a built in command on the client computers called gpupdate.
To immediately force a group policy update on the local computer use this command
Now, if you have a bunch of computers that need updated it would be a pain to log into each one and run this command.
To run this on a remote computer you can use the PsExec command from the Sysinternals toolset.
Here is an example of using PsExec to remotely update group policy
Just replace Computername with the actual hostname of the computer.
Method 2: Using Group Policy Management Console
With Windows Server 2012 and later versions, you can now force a group policy update on remote computers from the Group Policy Management Console.
This method is super easy and allows you to run an update on a single OU or all OUs.
Here are the steps
Step 1: Open the Group Policy Management Console
You can open this console on a computer that has the RSAT tools installed or a server running the DHCP role.
Step 2: Right click an OU to update
You can update an individual OU or a parent OU and it will update all sub OUs.
I’m going to update my parent OU “ADPRO Computers” this OU has a few sub OUs broken out into departments. This will run a group policy update on all computers.
I’ll click yes to confirm to run the update.
Now this is pretty cool, I get a window showing me the status of group policy being updated on each computer.
There you have it, that’s how easy it is to use the group policy management console to remotely force a group policy update.
If you are a Powershell nerd then check out the next method.
Related: GPResult Tool: How To Check What Group Policy Objects are Applied
Method 3: Using Powershell Invoke-GPUpdate
In Windows 2012 you can now force an immediate update using the powershell invoke-GPUupdate cmdlet.
This command can be used to update Windows 10 and Windows 7 clients.
You will need Powershell installed as well as the Group Policy Management Console (GPMC).
Here is the command:
The RandomDelayInMinutes 0 specifies the delay. Setting it to 0 will update group policy right away.
The only downside to using this command is that the clients will get a CMD screen pop up like below.
It only displays for about 3 seconds then closes.
If you want to use the PowerShell command to force an update on all computers you can use these commands:
The above commands will pull in every computer from the domain, put them into a variable and run the commands for each object in the variable.
As always I hope you find this article useful.
How To Run Gpupdate In Powershell
Recommended Tool: SolarWinds Server & Application Monitor
This utility was designed to Monitor Active Directory and other critical services like DNS & DHCP. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.
What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.
There are times when you need to remotely refresh the group policy on a group of computers, bypassing the 90 minute (+30 minute offset) default interval. Let’s look at 3 ways to achieve that, two of the methods require Server 2012 or Windows 8 with the remote administration tools to initiate the refresh, and the 3rd method can be initiated from Windows 7 or Server 2008 R2.
Method 1. Server 2012 introduced the functionality to remotely refresh Group Policy settings for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method, there is a random delay of up to 10 minutes, with the view of decreasing load on network traffic- this random delay cannot be configured when using the GUI. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.
Open the GPMC, right click the OU of Computers you’d like to refresh and select Group Policy Update.
This will return the number of computer objects in the OU, and ask if you’re sure.
This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.
Method 2. This method, requires Server 2012, or Windows 8 with the remote server administration tools. The following command will retrieve the computer objects from the Servers OU and run the Invoke-GPUpdate against them.
Be aware, this method will display the command prompt with “Updating Policy” on the computer objects you run it against. So bear this in mind if you’re running this against your desktops or laptops with users logged in.
How To Run Gpupdate Command
Method 3. Fear not! If you’re not using Server 2012, you can still achieve the above with fairly little effort using Powershell to generate a list of computers and PSEXEC to run the GPUpdate command. The following Powershell will get you a list of computers from the Servers OU and export them to a text file on the C drive. You can replace this with a UNC path if desired. I’ve added a dummy first entry to the text file, for some reason PSExec fails the first entry so this gets around that.
PSEXEC will connect to each of the machines in the Desktops.text and run a gpupdate /force, this method isn’t particuarly quick but it gets the job done.