As the name suggests, Group Policy is a feature that controls the users' working environment in an organization. It aims to provide a uniform look and feel and security features to all the computers and workstations.
From an administrator's standpoint, it gives them centralized control over the configuration and management of all the systems in the network, along with control over user settings in Active Directory.
While Group Policy has many benefits, it is also a complicated aspect to implement as all the settings have to be controlled remotely to provide a uniform user experience across the entire domain.
One of the primary drawbacks of a Group Policy is that it will be updated in the background once every 90 minutes. Further, the group policy settings are changed when a system boots. To add to this, there is a random offset of up to 30 minutes, which means all computers in a network may not update the group policy simultaneously.
These are some reasons why you may have to force a group policy update to ensure that the changes take effect immediately.
In this article, we will look at the different ways by which this group policy can be updated remotely.
Using Group Policy Management Console
In Windows Server 2012 and later versions, you can remotely force a group policy update through the Group Policy Management Console (GPMC).
This is one of the easiest methods to update one or more OUs through a UI. However, note that this works only for domain-joined computers that use Windows Server 2012 and later and Windows 8 or later with Remote Server Administration Tools.
Here is a step-by-step guide on how you can use GPMC to force a group policy update.
Configure Firewalls
Before opening your GPMC, ensure that the firewalls allow inbound network traffic on specific ports.
Windows Server 2012 comes with a Starter GPO called Group Policy Remote Update Firewall Ports that checks if TCP port 135 is configured for Remote Scheduled Tasks Management.
Microsoft recommends you create a new GPO from the Starter GPO and link it to your domain higher than the existing default GPO. This will make it easy for you to configure all the computers for a remote Group Policy update.
So, how can you do this?
- Open the GPMC Console. Note that you can do this only when a computer has RSAT tools or if the server has a DHCP role.
- Identify and navigate to the domain for which you want to do the group policy update.
- Right-click on this domain and choose “Create a GPO in this domain and link it here…”
- A New GPO dialog box will open. Give the GPO object a name.
- Navigate to the “Source Starter GPO” list, and choose the Group Policy Remote Update Firewall Ports used to create a new GPO object.
- Navigate to the results pane and click the “Linked Group Policy Objects” tab.
- Select the GPO and move it up. Make sure it is listed right above the Default Domain Policy.
You can also execute the above actions through PowerShell cmdlets if that is easier for you.
Simply use the New-GPO cmdlet with the -StarterGpoName parameter and pipe the output to the New-GPLink cmdlet.
Here is sample code from Microsoft:
New-GPO -Name "Configure firewall rules for remote gpupdate" -StarterGpoName "Group Policy Remote Update Firewall Ports" | New-GPLink -Target "dc=Contoso,dc=com" -LinkEnabled Yes
Schedule a Group Policy Update
After configuring the firewalls, you are all set to use GPMC to force a group policy update.
To do this,
- Open the GPMC and navigate to the OU you want to update.
- Right-click on the OU and select “Group Policy Update”.
- You will be asked to confirm if you want to force a group policy update on the chosen computers remotely. Click the “Yes” button.
- The following window will show the live update status on each computer. You'll also be able to see any errors or if some computer's status is not updated, though these are relatively rare.
When the update progress bar ends, all the computers in your OU will have the latest group policy.
Using PowerShell Scripts
Another option is to use PowerShell cmdlets to remotely force a group policy update, especially if you're comfortable using PowerShell scripts.
The cmdlet that you can use to force a group policy update is Invoke-GPUpdate.
However, when you use this cmdlet without any parameters, it only refreshes the group policy on the computer you are logged in to. Therefore, you will have to combine it with other cmdlets like Get-ADComputer to update the group policy for all the computers located within a container.
Here's how you can combine the cmdlets. The example below updates the Sales OU of the comparitech.com domain.
Get-ADComputer -Filter * -SearchBase "ou=Sales,dc=comparitech,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }
You can even add a delay if you like.
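The OU-wide refresh above with the optional delay and per-host error handling, as an added example that is not part of the original article. The 10-minute delay, the enabled-accounts filter and the output file name are assumptions.

```powershell
# Added example: refresh Group Policy on every enabled computer in one OU,
# stagger the refresh, and record which hosts could not be reached.
Import-Module ActiveDirectory   # provides Get-ADComputer (RSAT)
Import-Module GroupPolicy       # provides Invoke-GPUpdate (GPMC / RSAT)

# The OU from the article's example; change it to your own.
$searchBase = 'OU=Sales,DC=comparitech,DC=com'
# Assumption: each client starts its refresh at a random point within 10 minutes.
$delayMinutes = 10

# Skip disabled computer accounts; they will not answer anyway.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase

$results = foreach ($computer in $computers) {
    $status = 'Scheduled'
    $detail = ''
    try {
        # Invoke-GPUpdate creates a scheduled task on the remote computer.
        # -ErrorAction Stop turns a per-host failure into a catchable error.
        Invoke-GPUpdate -Computer $computer.Name -Force `
            -RandomDelayInMinutes $delayMinutes -ErrorAction Stop
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Computer = $computer.Name
        Status   = $status
        Detail   = $detail
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap

# Keep a record of the hosts that did not accept the refresh request.
$results | Where-Object Status -eq 'Failed' |
    Export-Csv -Path .\gpupdate-failures.csv -NoTypeInformation
```

A status of Scheduled means the remote task was created, not that the policy has already been applied. Hosts listed as Failed are usually offline or missing the firewall rules described earlier.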
Using the GPUpdate Command
Client computers support a command called gpupdate to force a group policy update on a single computer. In some ways, this is similar to the Invoke-GPUpdate command without parameters.
The command is:
gpupdate /force
The “force” parameter will update all the policies, not just the new ones. This way, you can be assured that all the edited policies will also be updated in your system.
However, you will have to log in to each computer and type gpupdate /force in the command line. To overcome this limitation, you can use the PsExec command along with it. This is a lightweight tool similar to telnet that allows you to execute programs in other systems remotely. It comes with full interactivity and doesn't require additional installations on different client systems.
You can leverage this tool to run gpupdate on other systems remotely.
Here's an example of how you can do it.
PsExec \\HostName Gpupdate
The HostName is the computer’s name that you want to connect to remotely.
If you have a lot of computers that you want to update, simply replace \\HostName with a reference to a text file containing the names of all the computers you wish to update.
It can be something like this:
Psexec.exe @ComputerNames.txt Gpupdate.exe
This command will force a group policy update on all the computer names present in the list.
Thus, these are the three ways to force a group policy update.
We hope this was a valuable read for you!
Force Group Policy Update Remotely FAQs
Why would I want to force a Group Policy update remotely?
There are several reasons why you might want to force a Group Policy update remotely, including when you have made changes to Group Policy settings and need them to be applied immediately, or when you need to troubleshoot Group Policy issues on remote computers.
How can I force a Group Policy update remotely?
You can force a Group Policy update remotely using the "Invoke-GPUpdate" PowerShell cmdlet. For example: "Invoke-GPUpdate -Computer ComputerName -Force"
What other parameters can be used with the "Invoke-GPUpdate" cmdlet?
Other parameters that can be used with the "Invoke-GPUpdate" cmdlet include "-RandomDelayInMinutes" to add a random delay to the update to prevent network congestion, "-Target" to specify which Group Policy settings to update, and "-Credential" to specify the credentials to use to perform the update.
Can I force a Group Policy update on multiple remote computers at once?
Yes, you can force a Group Policy update on multiple remote computers at once by piping a list of computer names separated by commas to the cmdlet, which takes one name at a time in its "-Computer" parameter. For example: "'Computer1','Computer2','Computer3' | ForEach-Object { Invoke-GPUpdate -Computer $_ -Force }"
Are there any prerequisites for using the "Invoke-GPUpdate" cmdlet?
Yes, the "Invoke-GPUpdate" cmdlet requires that the Remote Registry service is running on the remote computer, and that the current user has administrative privileges on the remote computer.
Is there a graphical user interface (GUI) for forcing a Group Policy update remotely?
Yes, you can use the Group Policy Management Console (GPMC) to force a Group Policy update on remote computers. Simply right-click on the domain or organizational unit (OU) that contains the target computers, and select "Group Policy Update".