- In a script, by using this command with a time limit specified, you can run gpupdate and continue with commands that do not depend upon the completion of gpupdate. Alternatively, you can use this command with no time limit specified to let gpupdate finish running before other commands that depend on it are run.
- When the time limit is exceeded, the command prompt returns, but policy processing continues.
- /Logoff: Causes a logoff after the Group Policy settings have been refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but do process policy when a user logs on.
1. Open an elevated command prompt.
2. Copy and paste the command you want to use below into the elevated command prompt, and press Enter.
   - Updates only changed computer policy settings: gpupdate /target:computer
   - Updates all computer policy settings: gpupdate /target:computer /force
Applies To: Windows Server 2012 R2, Windows Server 2012
Group Policy is a complicated infrastructure that enables you to apply policy settings to remotely configure a computer and user experience within a domain. When the Resultant Set of Policy settings does not conform to your expectations, a best practice is to first verify that the computer or user has received the latest policy settings. In previous versions of Windows, this was accomplished by having the user run GPUpdate.exe on their computer.
With Windows Server 2012 and Windows 8, you can remotely refresh Group Policy settings for all computers in an organizational unit (OU) from one central location by using the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate Windows PowerShell cmdlet to refresh Group Policy for a set of computers, including computers that are not within the OU structure—for example, if the computers are located in the default computers container.
The remote Group Policy refresh updates all Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an OU in the Group Policy Management Console (GPMC). When you select an OU to remotely refresh the Group Policy settings on all the computers in that OU, the following operations happen:
- An Active Directory query returns a list of all computers that belong to that OU.
- For each computer that belongs to the selected OU, a WMI call retrieves the list of signed-in users.
- A remote scheduled task is created to run GPUpdate.exe /force for each signed-in user and once for the computer Group Policy refresh. The task is scheduled to run with a random delay of up to 10 minutes to reduce the load on the network. This random delay cannot be configured when you use the GPMC, but you can configure the random delay for the scheduled task or set the scheduled task to run immediately when you use the Invoke-GPUpdate cmdlet.
This document describes a method to force a remote Group Policy refresh to all computers in an OU and all OUs that are contained within the selected OU by using the GPMC. An equivalent Windows PowerShell method is also presented for each procedure.
Note
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.
Prerequisites
You can schedule a forced remote Group Policy update by using the GPMC only from domain-joined computers that are running:
- Windows Server 2012 or Windows Server 2012 R2
- Windows 8 or Windows 8.1 with Remote Server Administration Tools for Windows 8
You can schedule a remote Group Policy refresh for any computer running:
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows 8.1
- Windows 8
- Windows 7
- Windows Vista
Step 1: Configure firewall rules on each client that will be managed with remote Group Policy refresh
To schedule a Group Policy refresh for domain-joined computers by using the GPMC or the Invoke-GPUpdate cmdlet, you must have firewall rules that enable inbound network traffic on the ports listed in the following table.
| Server port | Service | Firewall rule (type of network traffic) |
|---|---|---|
| TCP, RPC dynamic ports | Schedule (Task Scheduler service) | Remote Scheduled Tasks Management (RPC) |
| TCP port 135 | RPCSS (Remote Procedure Call service) | Remote Scheduled Tasks Management (RPC-EPMAP) |
| TCP, all ports | Winmgmt (Windows Management Instrumentation service) | Windows Management Instrumentation (WMI-in) |
In Windows Server 2012, Group Policy added a Starter GPO called Group Policy Remote Update Firewall Ports. This Starter GPO includes policy settings to configure the firewall rules that are specified in the previous table. It is a best practice to create a new GPO from this Starter GPO. Link the GPO to your domain at a higher precedence than the Default Domain Policy, and then use it to configure all the computers in the domain to enable a remote Group Policy refresh.
To create a GPO from the Group Policy Remote Update Firewall Ports Starter GPO and link to the domain
- In the GPMC console tree, locate the domain for which you want to configure all the computers to enable a remote Group Policy refresh.
- Right-click the selected domain, and click Create a GPO in this domain, and link it here…
- In the New GPO dialog box, type the name of the new Group Policy object in the Name box.
- In the Source Starter GPO list, select the Group Policy Remote Update Firewall Ports Starter GPO that you want to use to create a new Group Policy object, and click OK.
- In the results pane, click the Linked Group Policy Objects tab.
- Select the GPO that you just created, and click the Up arrow until the GPO is listed above the Default Domain Policy. The new GPO will have a smaller link order value than the Default Domain Policy.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Use the New-GPO cmdlet with the -StarterGpoName parameter, and then pipe the output to the New-GPLink cmdlet.
For example, to create a new GPO called Configure firewall rules for remote gpupdate by using the Group Policy Remote Update Firewall Ports Starter GPO, then link the new GPO to the Contoso.com domain, use the following script:
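An added example of that New-GPO / New-GPLink pipeline (not the documentation's own script). The GPO name and the Contoso.com domain are the placeholders used above; it assumes the GroupPolicy module (RSAT) on a domain-joined management host and that Default Domain Policy is currently the first link at the domain:

```powershell
# Added example (not the original documentation's script).
# Creates a GPO from the "Group Policy Remote Update Firewall Ports" Starter GPO,
# links it to the contoso.com domain, and places it above Default Domain Policy.
Import-Module GroupPolicy

$gpoName    = 'Configure firewall rules for remote gpupdate'
$starterGpo = 'Group Policy Remote Update Firewall Ports'
$domainDn   = 'dc=contoso,dc=com'   # placeholder domain from the article

# New-GPO emits the GPO object, which New-GPLink accepts from the pipeline.
# -Order 1 gives the link the smallest link-order value, i.e. the highest
# precedence at the domain, so it is processed after (and wins over) Default Domain Policy.
$link = New-GPO -Name $gpoName -StarterGpoName $starterGpo -Comment 'Opens RPC/EPMAP/WMI ports for remote gpupdate' |
        New-GPLink -Target $domainDn -LinkEnabled Yes -Order 1

# Verify: list the domain's GPO links in precedence order and confirm the new GPO is first.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order
$links | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

if ($links[0].DisplayName -ne $gpoName) {
    Write-Warning "'$gpoName' is not at link order 1; run: Set-GPLink -Name '$gpoName' -Target '$domainDn' -Order 1"
}
```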
For more information about the New-GPO cmdlet and the New-GPLink cmdlet, see:
Step 2: Schedule a remote Group Policy refresh
You can schedule gpupdate.exe to run on multiple computers from the GPMC or from a Windows PowerShell session using the Invoke-GPUpdate cmdlet.
To schedule a Group Policy refresh to run on all computers in an OU by using the GPMC
- In the GPMC console tree, locate the OU for which you want to refresh Group Policy for all computers. Note: Group Policy will also be refreshed for all computers that are located in the OUs contained in the selected OU.
- Right-click the selected OU, and click Group Policy Update…
- Click Yes in the Force Group Policy update dialog box. This is the equivalent to running GPUpdate.exe /force from the command line.
- The Remote Group Policy update results window displays only the status of scheduling a Group Policy refresh for each computer located in the selected OU and any OUs contained within the selected OU. This display does not show the success or failure of the actual Group Policy refresh for each computer.
- Use Resultant Set of Policy to determine the success of the scheduled Group Policy refresh (see Determine Resultant Set of Policy). Note: You should plan for a delay of up to 10 minutes before the Group Policy refresh starts when you are verifying the results for each computer.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
The Invoke-GPUpdate cmdlet allows you to schedule a remote Group Policy update for a specified computer with all the options that the GPUpdate.exe command-line utility provides. This allows more freedom to determine which set of computers is to be refreshed than if you schedule the refresh through the GPMC. Additionally, you have the freedom to configure the interval of time to wait before a Group Policy refresh is performed by using the -RandomDelayInMinutes parameter. If set to a zero (0) value, the scheduled task for the Group Policy refresh is configured to start immediately. For more information, see Invoke-GPUpdate.
You can refresh the changed Group Policy settings for the computer that you are signed in to by running the Invoke-GPUpdate cmdlet without including any parameters, for example:
You cannot schedule a Group Policy refresh for the Computers container by using the GPMC Group Policy Update… functionality. The Computers container is a default location for computer accounts. It is not implemented as an OU that can be managed by the GPMC. However, by combining the use of the Windows PowerShell cmdlet, Get-ADComputer, with the Invoke-GPUpdate cmdlet, you can schedule a remote refresh for all computers in the Computers container. For more information about available Windows PowerShell cmdlets for Active Directory, see AD DS Administration Cmdlets in Windows PowerShell.
First obtain the list of computers in the Computers container by using the Get-ADComputer cmdlet. Then supply the name of each computer that is returned to the Invoke-GPUpdate cmdlet. For example, to force a refresh of all Group Policy settings for all computers in the Computers container for the Contoso.com domain, use the following script:
You can force a Group Policy refresh for all Group Policy settings for all computers in a single OU when you combine the Get-ADComputer cmdlet with the Invoke-GPUpdate cmdlet. For example, to force a refresh of all Group Policy settings for all computers in the Accounting OU of the Contoso.com domain, use the following script:
You can force an immediate Group Policy refresh for all Group Policy settings for all computers in a single OU when you combine the Get-ADComputer cmdlet with the Invoke-GPUpdate cmdlet and set -RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Accounting OU of the Contoso.com domain, use the following script:
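An added example (not the documentation's own script) that covers the Computers container case and the OU case above in one function. It assumes the ActiveDirectory and GroupPolicy modules on a domain-joined management host, the placeholder contoso.com domain, and the firewall rules from Step 1 on the clients; the function name Invoke-RemoteGpRefresh is invented here:

```powershell
# Added example (not the original documentation's script): schedules a forced
# Group Policy refresh on every computer in a container or OU and records which
# computers could not be scheduled. It does not assume the refresh itself succeeded.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Invoke-RemoteGpRefresh {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # DN of the container or OU
        [int] $RandomDelayInMinutes = 10                # 0 = schedule the task to start immediately
    )
    # Get-ADComputer searches the whole subtree by default, so computers in
    # child OUs are included, matching the GPMC behaviour described above.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase
    foreach ($c in $computers) {
        try {
            # -Force refreshes all settings (the equivalent of GPUpdate.exe /force).
            # Success here only means the remote scheduled task was created.
            Invoke-GPUpdate -Computer $c.Name -Force -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            [pscustomobject]@{ Computer = $c.Name; Scheduled = $true;  Error = $null }
        } catch {
            # Typical causes: host offline, or the RPC/EPMAP/WMI firewall rules
            # from Step 1 are not in place on the client.
            [pscustomobject]@{ Computer = $c.Name; Scheduled = $false; Error = $_.Exception.Message }
        }
    }
}

# Default Computers container of the placeholder domain (a container, not an OU):
$results  = @(Invoke-RemoteGpRefresh -SearchBase 'cn=Computers,dc=contoso,dc=com')
# Accounting OU, with no random delay so each task starts immediately:
$results += @(Invoke-RemoteGpRefresh -SearchBase 'ou=Accounting,dc=contoso,dc=com' -RandomDelayInMinutes 0)

# Computers that could not be scheduled need attention before trusting RSoP results.
$results | Where-Object { -not $_.Scheduled } | Format-Table -AutoSize
```

Confirm the actual refresh with Resultant Set of Policy on each computer, as the preceding section notes; a scheduled task is not proof that policy applied.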
Introduction
I needed to script a gpupdate /force and target a group of machines in an OU. The reason I wanted to script this is because I wanted to run the force in real time and also wanted to be sure that it ran successfully on the target machines. This seemed like the best idea and seemed a better option than waiting for the policy to update and hoping it applied the updated policy registry on all systems and worse yet, needing to run reports and troll through the results.
Over the last several years, I have been lucky enough to not rely on Group Policy all that much. With tools like RES ONE and AppSense at my disposal and the fact I have been pretty application focused, Group Policy has been a last resort in most environments.
Imagine my delight when I realized I didn’t need to script this!! I found a helpful article and thought I found the holy grail. An option within the Group Policy Management Console within Server 2012 that not only can force the update but also return the results! Eureka!!
In this post I will go through how to remotely execute gpupdate on all systems in an OU using Group Policy Management but importantly, in my conclusion, I will detail why you should use caution when leveraging this feature!
How to Force GPUpdate on an OU from Group Policy Management Console
On Server 2012 or with newer versions of RSAT on your desktop, open Group Policy Management.
Browse to the OU for which you would like to force the gpupdate, right-click it and click Group Policy Update…
If you are deploying to one or two machines, you’ll just receive a confirmation message. When deploying to several machines you will receive a warning about possibly straining network resources. If you are daring enough to proceed, click Yes. (I wouldn’t be worried about running it for a few hundred machines but again, check my conclusion at the bottom of this post before proceeding.)
As the update runs on the machines, the results will populate. If you get any failures, you will want to investigate on that failed machine.
Conclusion
But Yarrrrrr….let this be a cautionary tale…and also a brain dump for myself to serve as a reminder to never ever do this on machines in a production environment! I got pretty lucky, I ran this against some systems in a non-production environment.
On machines that got the update, the gpupdate ran interactively, so the users on the machines at the time saw this prompt, which could look like an issue. It’s not in this instance, my updated policy did successfully take hold, but the fact this didn’t run silently makes the feature pretty useless for my future use and I would suggest that you only use it in your own home lab or sandbox environment.
If you would like to ensure that the gpupdate runs silently, you could change the refresh interval or script this using VBScript or PowerShell, or even use PsExec.
I think this feature could be pretty useful if you could be assured the update would run silently on the endpoints. Of course, in most situations you can likely just wait for the refresh interval, but sometimes you may want an update to run before you can progress your work. What do you think? If you agree, please upvote this feature request on UserVoice here: User Voice for Group Policy Update Feature in Server 2016.