Group Policy settings are applied when client computers restart or when the Group Policy refresh interval expires. This interval can be modified on the Group Policy Object configured on a domain controller. Microsoft provides the Gpupdate.exe command-line tool to refresh the Group Policy settings immediately on a client computer, but Gpupdate.exe does not support refreshing GPO settings on a remote computer.
If you need to refresh GPO settings on multiple computers immediately, there are four ways to refresh Group Policy settings on remote computers: the Group Policy Management Console (GPMC), a PowerShell cmdlet, the PsExec executable and the Windows Management Instrumentation command line (WMIC). Let's start with the first two.
Using GPMC to refresh GPO settings
Windows Server 2012 introduces a new feature for updating Group Policy Object (GPO) settings on multiple remote computers. The Group Policy Update action, which is available on the right-click context menu of an organizational unit in the GPMC, can be used to refresh GPO settings remotely, as shown in the screenshot to the left (Figure 1).
GPMC allows you to update the GPO settings on multiple computers, but there are a few disadvantages associated with this approach. First, GPMC will process GPO updates on all the computers in the selected organizational unit. So, you cannot select the computers on which you want to update the policy settings.
Second, you cannot specify individual settings to be processed. For example, you cannot specify only user or computer configuration settings to be processed. It processes both user and computer configurations on the target computers.
GPMC creates two scheduled tasks on the remote computers. One task refreshes User Configuration using the "GPUpdate.exe /target:user /force" command line. The second refreshes Computer Configuration using the "GPUpdate.exe /target:computer /force" command line. GPMC will fail to create the scheduled tasks if you have disabled scheduled task creation on the destination computers using a Group Policy setting.
GPMC also doesn't verify the presence of GPUpdate.exe. If this executable is missing, the GPO updates will fail, and this failure will not be reported to the GPMC. This method requires that the following firewall rules are opened on the client computers:
- Remote Scheduled Tasks Management (RPC)
- Remote Scheduled Tasks Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-IN)
If you need to refresh GPO settings on selected remote computers, I recommend creating a text file that contains the names of the computers on which the GPO settings will be updated. This text file lists computer names, as shown in Figure 2.
Using Invoke-GPUpdate for Windows 8 Group Policy
The Invoke-GPUpdate PowerShell cmdlet is very similar to what GPMC does, except that it provides parameters that let you control how GPO settings are refreshed. This cmdlet must be executed from a computer running Windows 8 or Windows Server 2012. Invoke-GPUpdate also creates scheduled tasks on remote computers, as with the GPMC method. You can use the following parameters with the cmdlet:
- AsJob runs the cmdlet as a background job. The cmdlet immediately returns to the command prompt.
- Boot causes a computer restart after the Group Policy settings are applied. This is required if you have configured per-computer software installation policy settings.
- Computer allows you to specify the name of the computer for which to schedule a Group Policy refresh. You can only specify one computer.
- Force causes reapplication of all GPO settings. By default, Group Policy is refreshed only when policy settings have changed.
- LogOff causes a logoff after the policy settings have been updated. This is useful for those Group Policy settings that require users to log off and log on again to apply the policy settings.
- Sync causes the Group Policy update to be done synchronously.
- Target allows you to specify that only user or computer policy settings are refreshed.
Let's take a look at some examples of the Invoke-GPUpdate cmdlet. To process GPO updates on a remote computer, run the following command: Invoke-GPUpdate -Computer Computer1.
To refresh only User or Computer settings, use the Target switch: Invoke-GPUpdate -Computer Computer1 -Target User. Similarly, you can use other parameters, as explained earlier.
Because Invoke-GPUpdate works the same way as GPMC, you must open the same firewall rules on the client computers for the command to succeed.
While the Invoke-GPUpdate cmdlet provides the -Computer switch to refresh policy settings on a remote computer, you can only specify one computer at a time. If you need to refresh GPO settings on multiple computers, use the Get-Content cmdlet with Invoke-GPUpdate: Get-Content C:\Temp\Computers.TXT | ForEach-Object { Invoke-GPUpdate -Computer $_ }.
The above command executes Invoke-GPUpdate on all the computers specified in the Computers.TXT file. Get-Content reads the contents of Computers.TXT, and ForEach-Object passes each computer name, one by one, to the Computer parameter of the Invoke-GPUpdate cmdlet.
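The one-liner above gives no per-computer record of what happened. The following script is an added example, not part of the original article: it reads the same Computers.TXT file, calls Invoke-GPUpdate once per computer, and writes a result row for each. The function name, the output columns and the results file path are assumptions made for illustration.

```powershell
# Added example (not from the original article). The function name, the
# output shape and the CSV path are illustrative assumptions.
Import-Module GroupPolicy -ErrorAction Stop

function Update-GroupPolicyFromList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('User', 'Computer')] [string] $Target,
        [switch] $Force
    )

    # Drop blank lines and stray whitespace, and de-duplicate the names.
    $names = Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($name in $names) {
        $status = 'Scheduled'
        $detail = ''
        # ICMP check only; a host that blocks ping is reported as Unreachable.
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $status = 'Unreachable'
        }
        else {
            # Invoke-GPUpdate takes one computer per call.
            $gpArgs = @{ Computer = $name; RandomDelayInMinutes = 0; ErrorAction = 'Stop' }
            if ($Target) { $gpArgs.Target = $Target }
            if ($Force)  { $gpArgs.Force  = $true }
            try {
                Invoke-GPUpdate @gpArgs
            }
            catch {
                # Typical causes: required firewall rules closed, or
                # scheduled task creation blocked on the target.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{ Computer = $name; Status = $status; Detail = $detail }
    }
}

Update-GroupPolicyFromList -Path 'C:\Temp\Computers.TXT' -Target Computer -Force |
    Export-Csv -Path 'C:\Temp\GPUpdate-Results.csv' -NoTypeInformation
```

A status of Scheduled means only that the scheduled task was created on the remote computer; it does not confirm that GPUpdate.exe ran or that the policy was applied.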
Note: Neither GPMC nor Invoke-GPUpdate supports refreshing GPO settings on a computer running Windows XP. If you need to refresh GPO settings on Windows XP, then you must use PsExec.exe or WMIC, which I'll explain in my next tip.
About the author:
Nirmal Sharma is a MCSEx3, MCITP and was awarded Microsoft MVP award in Directory Services. He specializes in Directory Services, Microsoft Clustering, Hyper-V, SQL and Exchange and has been involved in Microsoft technologies since 1994. Sharma can be reached at firstname.lastname@example.org.
This was first published in January 2014