Group policy is a complex architecture that lets you utilize policy settings to customize a machine’s and user’s experience inside a domain from afar.
Let’s explore how we can use Group Policy to Windows computers on a domain.
Checking Group Policy
First, check to determine if the device or user has received the most current policy settings if the Resultant Set of Policy Settings does not fit your criteria. In prior versions of Windows, this was accomplished by having the users execute GPUpdate.exe on their computer.
You may remotely renew Group Policy settings for all PCs in an organizational unit (OU) using the Group Policy Management Console in Windows Server 2012 and Windows 8. You may also use the Windows PowerShell cmdlet Invoke-GPUpdate to renew Group Policy for a group of machines, even if they aren’t in the OU structure. For example, if they’re in the default computers container.
By using the functionality that has been added to the context menu for an OU in the Group Policy Management Console, the remote Group Policy refresh updates all Group Policy settings, including security settings that have been set on a group of remote computers. For example, the following processes occur when you pick an OU to refresh Group Policy settings on all computers remotely: A query in Active Directory provides a list of all machines in that OU.
- A WMI call collects the list of signed-in users for each computer in the given OU.
- A small scheduled task is established for each signed-in user and once for the machine Group Policy refresh to launch GPUpdate.exe /force. The job is expected to execute with a random delay of up to 10 minutes to reduce network traffic stress. When using the GPMC, you cannot define the random delay for the scheduled task, but when using the Invoke-GPUpdate cmdlet, you may configure the random delay for the scheduled job or set the scheduled task to start immediately.
What exactly are Group policies and Group policies objects?
Group policy is a system that allows administrators to remotely control user and machine configurations in a domain using a variety of policy settings and preferences. A Group Policy object (GPO) is a set of Group Policy settings linked to a specific AD site, domain, or OU.
Security settings like password policies and account lockout policies, administrative templates, and more are examples of Group Policies coupled with a GPO. These GPOs are where Group Policies are updated, and the modifications are carried forward to all objects to which the GPO is linked.
Group policies are a collection of security and management directives managed and updated to keep a network secure and running smoothly. For various reasons, these Group Policies may need to be revised immediately at times.
As a result, Microsoft has included tools to compel Group Policy upgrades. First, we’ll go over Group Policies in this post, then look at the default Group Policy update schedule, why you might need to force updates, and how to force Group Policy updates on a network.
Group Policy Update Default Process
After the Group Policies have been modified, a Group Policy update takes 90 to 120 minutes by default. However, you will have to force the GPO update process if you cannot wait that long for whatever reason. There are several ways to move a GPO update, but first, consider a few instances in which you need to do so.
How to use your group policies update with GPUpdate/force command
Forcing a Group Policy update can be done for a variety of reasons. Perhaps a vital policy setting was neglected, or an organization’s reorganization process resulted in modified policies that needed to go into force right away.
When users log off and log back on, Group Policies are likewise refreshed, but you can’t expect every user to log out and then log back on. In such cases, forcing Group Policy updates can aid in the effort of quickly renewing Group Policies.
For more information check out our guide on using GP result commands.
Why should you demand a group policy update?
The command GPUpdate /force is used to force your company’s group policies to be updated. Changes to the Group Policy aren’t implemented right away; instead, they take 90 minutes to take effect (with a 30-minute lag to distribute the burden).
Using the GPUpdate command, we may force the policy upgrade. To administrate systems and alter security settings, Group Policies are employed (like deploying printers or mapping network drives). When resolving IT difficulties, it’s occasionally required to change the group policy manually.
Plan a Remote Group Policy Update
The Invoke-GPUpdate cmdlet in the GPMC or the Invoke-GPUpdate cmdlet in a Windows PowerShell session can be used to schedule gpupdate.exe to execute on numerous PCs.
Using the GPMC, schedule a Group Policy update to execute on all machines in an OU.
- Locate the OU for which you want to renew Group Policy for all machines in the GPMC console tree.
- Right-click the selected OU and select Update Group Policy
- In the Force Group Policy Update dialogue box, choose Yes. This is the same as using the command line to execute GPUpdate.exe /force.
- The Remote Group Policy Update Results box only displays the progress of scheduling a Group Policy refresh for each computer in the chosen OU and any OUs inside it. This display does not reveal if the real Group Policy change for each computer succeeded or failed.
- Using the Resultant Set of Policies, assess the effectiveness of the proposed Group Policy modification.
Note:
When you confirm the findings for each computer, you should allow up to 10 minutes before starting a Group Policy update.
There are three ways to compel Group Policy modifications to take effect. The following are the details:
- Using the Group Policy Management Console (GPMC) to force a Group Policy update
- Using PowerShell commands to force a Group Policy update
- Using elevated Command Prompt to force a Group Policy change
Group Management Policy Console
The Group Policy Management Console may be used to perform a group policy update across an entire OU. However, you can’t use the technique on a user OU since it requires just computer objects. Instead, simply right-click on the OU where the policy was amended and select Group Policy Update.
This will update all of the machines in the supplied organizational unit’s user and computer rules. The most admirable feature is asking for permission and telling you how many PCs will be updated.
The policies will be changed when you confirm the update, and you will be able to check the status of each machine. Because five machines were switched off in this case, the update failed.
Use PowerShell To Run GPUpdate On A Remote PC
We can also perform gpupdate on remote PCs using PowerShell. The only prerequisite is that you have Windows 2012 or later installed on your computer. It’s also feasible to run it from Windows 10, but you’ll need to use a domain admin account to launch the PowerShell windows.
Invoke-GPUpdate
One of the benefits of the Invoke-GPUpdate cmdlet is that you may modify the delay using the RandomDelayInMinutes option. Set it to 0 if you want to change Group Policy immediately away.
Invoke-GPUpdate –Computer win7 -RandomDelayInMinutes 0
In this case, I restarted the PC labeled “win7” immediately after initiating a Group Policy update.
If everything goes well, the cmdlet doesn’t create any output. Your users may notice a command window with the title taskeng.exe that displays “Updating Policy…” in some situations. After a second or so, the windows vanish.
Updating Policies
If the computer cannot be contacted, the following error message will appear in red: Invoke-GPUpdate does not work on the PC “win8update.” This is because firewall rules are removed when the target computer is turned off in Remote Scheduled Tasks Management.
Another benefit of using the PowerShell cmdlet is that you have more options for selecting which computers to update. For example, the command below will pick all computers in the Active Directory container “test” that start with “win7.”
Get-ADComputer –Filter 'Name –Like "win7*"' -SearchBase "ou=Test, dc=domr2, dc=com" | ForEach {Invoke-GPUpdate –Computer $_.name –Force –RandomDelayInMinutes 0}
The Force option was also included here to ensure that the Group Policy settings are reinstalled even if the client sees that no new GPO versions are available. As a result, when we say “force a Group Policy refresh,” we mean two different things.
We’re forcing an update without delay if we don’t use the Force argument; if we use the Force parameter, we’re forcing an update even if there’s nothing to update. So if you believe anything went wrong with the last GPO update, you can use the Force parameter.
Use the command prompt to force a Group policy
The first alternative is to issue a simple command that instructs the client to bypass the typical background processing period and immediately update all new or altered GPOs on the server. First, however, you must go out to each user machine and manually run the gpupdate command, which will refresh the Group Policy object and any other new or altered GPOs.
The gpupdate command, when called without any parameters, will update both the User and Computer portions of the Group Policy objects. Use the following syntax to refresh only one half:
Gpupdate/Target:Computer,/Target:User
While a user is signed on to a PC, running gpupdate delivers Windows the new GPO settings right away (assuming, of course, that the domain controller has the replicated GPO information).
Fast Boot, Software Distribution, and Folder Redirection are enabled by default in Windows XP and later, so changes are applied only at the next login time. In addition, gpupdate can figure out if newly updated objects require a logoff or reboot to be active if you use the proper switches:
Using the /Logoff switch with gpupdate will determine if a policy change in Active Directory needs the user to log off. If not, the new settings take effect right away; if they don’t, the user will be logged off, and the Group Policy adjustments will take effect when they log back in.
Similarly, if Fast Boot is enabled, applying GPOs with Software Distribution settings necessitates a restart. Running gpupdate with the /boot switch will detect if a policy requires a reboot and automatically restart the machine. The GPO changes are implemented, and the user stays logged in if the modified GPO does not need a reboot.
Your powershell command has an error:
Get-ADComputer –Filter ‘Name –Like “win7*”’ -Seaechbase “ou=Test, dc=domr2, dc=com” | Force
Each {Invoke-GPUpdate –Computer $_.name –Force –RandomeDelayInMinutes 0}
Shoud be:
Get-ADComputer –Filter ‘Name –Like “win7*”’ -Seaechbase “ou=Test, dc=domr2, dc=com” | ForEach {Invoke-GPUpdate –Computer $_.name –Force –RandomeDelayInMinutes 0}
Thank you.
Now corrected. There were also two typo’s. Thank you
Hi,
When you run a remote gpupdate, you’re updating the gpos for the currently logged on user?
I’ve seen some delays after running a gpupdate.
Thank you.
When you run a remote gpupdate using the Invoke-GPUpdate cmdlet, it does update the Group Policy Objects (GPOs) for both the currently logged-on user and the computer itself.