Windows Group Policy update command

For a Windows computer to apply new local or domain Group Policy (GPO) settings, the Group Policy Client service (gpsvc) must re-read the policy settings and apply the changes. Group Policy settings in Windows are refreshed at computer startup, at user logon, and automatically in the background (every 90 to 120 minutes). Sometimes an administrator needs the new policy settings applied immediately, without waiting for any of these events.

Contents:

  • Automatic application of Group Policy settings in Windows
  • Forcing a Group Policy update on a Windows computer
  • Updating Group Policy on remote computers

Automatic application of Group Policy settings in Windows

As noted above, GPO settings are applied automatically on a client at these points:

  • Group Policy settings defined in the Computer Configuration section are applied at Windows startup.
  • GPO settings from the User Configuration section are applied at user logon.
  • Background Group Policy refresh runs automatically every 90 minutes plus a random offset of 0 to 30 minutes (the random interval reduces the load on the DC from simultaneous client requests). This means new policies are guaranteed to be applied on clients within 90 to 120 minutes after the GPO files are updated on the domain controller.

Domain controllers refresh their GPO settings every 5 minutes by default.

The background refresh behaviour can be changed with the following GPO settings under Computer Configuration -> Administrative Templates -> System -> Group Policy:

  • Set Group Policy refresh interval for computers: changes the GPO refresh frequency from the default 90 minutes and the offset value.
  • Turn off background refresh of Group Policy: disables background policy refresh entirely.

In most cases, however, changing these settings is not recommended.


Forcing a Group Policy update on a Windows computer

To force an immediate update (application) of Group Policy settings on a Windows computer, use the gpupdate utility.

Most administrators refresh policies without a second thought using the command:

gpupdate /force

This command makes the computer re-read all policies from the domain controller and re-apply every setting. In other words, the /force switch tells the client to contact the domain controller and download the files of ALL GPOs targeted at it again. This creates extra load on the network and on the domain controller.

A plain gpupdate command with no parameters applies only new or changed GPO settings:

Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.


You can refresh only the GPO settings from the user section:

gpupdate /target:user

or only the computer policies:

gpupdate /target:computer /force

If some policies cannot be refreshed in the background (usually client-side extensions that are processed at user logon), gpupdate can log off the current user:

gpupdate /target:user /logoff

Or restart the computer (some policies, such as software installation via GPO or logon scripts, are applied only at Windows startup):

gpupdate /Boot

Updating Group Policy on remote computers

There are several ways to force a GPO refresh on remote Windows computers.

In the simplest case, you can just run gpupdate on the remote computer:

  • using the PsExec utility:
    PsExec \\PC1 gpupdate
  • via PowerShell Remoting (WinRM):
    Invoke-Command -ComputerName PC1 -ScriptBlock {gpupdate /force}

If you need to refresh Group Policy on many computers at once, use the Group Policy Management Console (GPMC.msc).

On Windows 10 and 11 you must install the RSAT component before you can use the console:

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

To refresh policies on computers, right-click the required Organizational Unit (OU) in the GPMC console and select Group Policy Update.


The console connects to each computer in the OU in turn, and you get a report with the policy update status for each one (Succeeded/Failed).


The tool creates a scheduled task on each computer that runs GPUpdate.exe /force for every logged-on user. The task starts after a random delay (up to 10 minutes) to reduce network load.

The following rules must be enabled in Windows Defender Firewall on the clients:

  • Remote Scheduled Tasks Management (RPC)
  • Remote Scheduled Tasks Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-In)

If a computer is turned off, or access to it is blocked by a firewall, the error 'The remote procedure call was cancelled' is returned for it.

You can also refresh policy remotely with the Invoke-GPUpdate PowerShell cmdlet, which is part of the Group Policy management module. For example, to refresh the user policies on a remote computer, run:

Invoke-GPUpdate -Computer PC01 -Target "User"

You can set a random GPO refresh delay with the RandomDelayInMinutes parameter. This reduces network load when you refresh policies on many computers at the same time. To apply policies immediately, use -RandomDelayInMinutes 0.

Combined with the Get-ADComputer cmdlet, you can force a Group Policy refresh on all (enabled) computers in a specific OU:

Get-ADComputer -Filter {Enabled -eq "true"} -SearchBase "ou=Computes,OU=SPB,dc=winitpro,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 10 -Force }

When Invoke-GPUpdate is run remotely, or GPO is refreshed through the GPMC console, a black console window with the running gpupdate command may briefly appear on the user's screen.

The command gpupdate /force is used to force the update of group policies that are applied by your company. Changes made in the Group Policy are not applied immediately but after 90 mins by default (with a ~30 min offset to spread the load). By using the GPUpdate command we can force the update.

Group Policies are used to change security settings and for system management (like deploying printers or mapping network drives). For troubleshooting IT problems, it’s sometimes necessary to update the group policy manually.

  1. Press Windows key + X or right-click on the Start menu
  2. Select Windows PowerShell or Command Prompt
  3. Type gpupdate /force and press Enter

     Wait for the Computer and User policy to update

  4. Reboot your computer

     A reboot is necessary to be sure that all settings are applied.

GPUpdate vs GPUpdate Force command

The gpupdate /force command is probably the most used group policy update command. When you use the /force switch, all the policy settings are reapplied. For most use cases this is perfectly fine, but keep in mind, when you have a lot of group policies objects (GPO) or in a large environment, using the /force will put a huge load on the domain controllers.

If you have a large tenant or a lot of GPO’s, then it’s better to only run gpupdate without the /force switch to apply new policy settings. This will get only the changes or new group policies, reducing the load on the client and domain controllers.

# Reapply all policies
gpupdate /force

# Get only the changed / new group policies
gpupdate

Update only user or computer group policies

If you have a large environment or need to update the group policies on a lot of computers at the same time, then it can be useful to only update what is needed. This will reduce the load on the domain controllers and it’s of course faster.

To do this you can use the /target switch. This allows you to update only the user or computer GPO’s.

# Update only the user policies
gpupdate /target:user

# Update only the computer policies
gpupdate /target:computer

Automatically reboot or logoff after GPUpdate

Not all policy changes are applied immediately. Due to Fast Boot, for example, some settings are only applied when the user logs on to the computer. Some settings even require a reboot to be applied.

With the use of the /logoff or /boot switch, we can let gpupdate figure out if a logoff or reboot is necessary. To be clear, if you run gpupdate /boot, then the computer will only reboot if a policy change requires it. Otherwise, the policy will be applied immediately without the reboot.

  • GPUpdate /logoff is needed for example after policy changes in the Active Directory like folder redirections or printers. Changes in the AD are only applied when the user logs in on the computer.
  • GPUpdate /boot is for example needed when you create Software Distribution changes.

Run GPUpdate on a Remote Computer

Sometimes you may need to quickly update the group policies on multiple computers, for example because you changed the internet proxy settings or replaced a printer. There are a couple of ways to run GPUpdate on a remote computer.

Using the Group Policy Management Console

You can initiate a group policy update on a whole OU with the Group Policy Management Console. It has to be an OU with only computer objects in it, so you can’t use this method on a user OU. Simply right-click on the OU where you have changed a policy and click on Group Policy Update.


This will update the user and computer policies on all the computers in the given organizational unit. The nice thing is that it will ask for confirmation and show you how many computers are going to be updated.


After you have confirmed the update, the policies will be updated and you can see the status of each computer. In this example 5 computers were turned off, so the update failed for them.

Use PowerShell to run GPUpdate on a Remote Computer

We can also use PowerShell to run gpupdate on remote computers. The only requirement is that you have Windows Server 2012 or later. Running it from Windows 10 is also possible, but then you need to open the PowerShell window with a domain admin account.

The basis of the command is the Invoke-GPUpdate cmdlet. We also need to specify the computer and the RandomDelayInMinutes.

The RandomDelayInMinutes is used to lower the network load when you update a lot of computers at the same time. You can set it between 0 and 44640 minutes (31 days). Use 0 to run the update immediately.

Invoke-GPUpdate -Computer "labrat01" -RandomDelayInMinutes 0 -Force

If a user is logged on at the computer, then the Invoke-GPUpdate command will ask the user for confirmation. By using the -Force switch we can run the updates without the confirmation.

With this, we can create a small script to target all computers in a specific OU and run GPupdate on them.

# Spread the load by setting the delay to between 1 and 30 minutes
# (-Maximum is exclusive, so 31 is needed to include 30)
$random = Get-Random -Minimum 1 -Maximum 31

# Get the computers in an OU to update and run GPUpdate
Get-ADComputer -SearchBase "OU=Computers,OU=Lab,DC=lazyadmin,DC=com" -Filter * | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes $random -Force}

Or if you want to use a list of computers:

# Based on a list (an array of names, not a single comma-separated string)
$random = Get-Random -Minimum 1 -Maximum 31
$computers = "labpc01","labpc02","labpc03"
$computers | ForEach-Object -Process {Invoke-GPUpdate -Computer $_ -RandomDelayInMinutes $random -Force}

Wrapping Up

I hope this article helped you with the GPUpdate /force command. If you have any questions, then just drop a comment below.

In this guide, you will learn how to use the gpupdate command to immediately apply new group policy settings to users and computers.

I’ll also explain the difference between the gpupdate and gpupdate /force command.

Contents

  • What is gpupdate
  • How to use the gpupdate command
  • GPUpdate vs GPUpdate /force
  • Run gpupdate on remote computer
  • GPUpdate examples

What is the gpupdate command

The gpupdate command is a tool built into the Windows operating system and is used to update or apply new group policy settings. The gpupdate command is often used by Windows technicians to ensure group policy settings are applied to a computer.

What are group policy settings?

Group policy settings are configurations such as password settings, lockout policy, screen lockout, restrict system changes and so on. These settings are configured in Active Directory and can be applied to specific or all users and computers.

In a Windows domain, the group policy settings automatically refresh every 90 minutes or when the computer is rebooted. There are times when you need to immediately update a computer’s policies and waiting 90 minutes is not an option. With the gpupdate command you can immediately refresh the group policy settings without a reboot.

How to use the gpupdate command

The gpupdate command is very easy to use.

There are several command line switches available with the gpupdate command; to view all the options, use this command:

gpupdate /?

Key Parameters

  • /target:user: Specifies that only user policies are updated.
  • /target:computer: Specifies that only computer policies are updated.
  • /force: Reapplies all policy settings. By default, only policy settings that have changed are
    applied.

To update the group policies, follow the steps below.

Step 1. Start Windows PowerShell

Step 2. Type gpupdate and press Enter

Step 3. Wait for the command to complete

When the gpupdate command is complete, it should say completed successfully for both user and computer policies.

To update only the user policy settings run this command.

gpupdate /target:user

To update only the computer policy settings run this command.

gpupdate /target:computer

What is the difference between gpupdate and gpupdate /force command?

  • GPUpdate – This command performs an incremental update. This means it only applies policies that have changed or new settings since the last update. For example, you update the GPO that enables the Windows lock screen; this command will only apply that one changed policy.
  • GPUpdate /force – This command forces all group policies to be reapplied to the computer. If you have 20 group policies, then all 20 will get reapplied.

Here is a table showing the difference between gpupdate and gpupdate /force.

Feature       gpupdate                                                   gpupdate /force
Purpose       Updates only policy settings that have changed.            Reapplies all policy settings.
When to Use   Refresh existing GPO policies or apply new GPOs.           Troubleshooting, or to download and reapply ALL GPOs.
Impact        Low: minimal impact, as only changes are applied.          High: can be high if run on multiple computers at the same time.
Use Case      You need to immediately apply a new GPO setting, such as   The gpupdate command is not applying new GPO changes.
              locking down Control Panel or password settings.

So which command should you use?

It’s best to start with the gpupdate command; this should work most of the time. If the gpupdate command didn’t work, then try gpupdate /force.

I would not run gpupdate /force on several devices at one time. If you have a lot of group policies this can be resource intensive on domain controllers.

With that said, I’ve not seen any issues running gpupdate /force as the first option. I’ve also seen no reason to run it as the first option. Most of the time I’m able to run gpupdate and everything works. As I mentioned above, the main concern with gpupdate /force is running it on multiple computers at once; this could put a major load on your domain controllers.

I often see helpdesk technicians run gpupdate /force as the first option, and again I see no issues with this on a one to one basis.

How to use the gpupdate force command

Only use the gpupdate /force command if you want to reapply all group policy settings.

Step 1. Start Windows PowerShell

Step 2. Type gpupdate /force and press Enter

Step 3. Wait for the command to complete

Run gpupdate on a remote computer

There are multiple ways to run gpupdate on remote computers.

Option 1. PowerShell

If you have PowerShell remoting enabled, you can run gpupdate using the command below.

Invoke-Command -ComputerName RemoteComputerName -ScriptBlock { gpupdate }

In this example, I’m updating the policies on the remote computer pc2.


To update on multiple remote computers using PowerShell use this command. The below command will update all computers in my Accounting OU. Just change the search base path to the distinguishedName of your OU.

PS C:\> $computers = Get-ADComputer -Filter * -SearchBase "OU=Accounting,OU=ADPRO Computers,DC=ad,DC=activedirectorypro,DC=com"
PS C:\> $computers | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}
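The one-line Get-ADComputer | Invoke-GPUpdate pipelines above (here and in the earlier sections) give no feedback per host; the following is an added example, not code from any of the original articles, that wraps the same pipeline with a reachability pre-check and a per-computer result log. It assumes RSAT (the ActiveDirectory and GroupPolicy modules) is installed, and the OU distinguished name and log path are placeholders.

```powershell
# Added example (not from any of the original articles): bulk remote refresh built on the
# Get-ADComputer | Invoke-GPUpdate pipelines shown above, with reachability pre-checks
# and a per-host result log. Assumes RSAT (ActiveDirectory + GroupPolicy modules); the
# OU distinguished name and the log path below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Update-OuGroupPolicy {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,   # e.g. "OU=Workstations,DC=example,DC=com"
        [int]$MaxDelayMinutes = 10,                   # spread the load on the DCs
        [switch]$Force,                               # passed through to Invoke-GPUpdate, as in the articles
        [string]$LogPath = (Join-Path $env:TEMP 'gpupdate-remote.csv')
    )

    # Disabled or stale accounts would only produce RPC errors, so filter them out up front.
    $names = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

    $results = foreach ($name in $names) {
        # Invoke-GPUpdate produces no output and fails with "The remote procedure call
        # was cancelled" for offline hosts, so record unreachable ones explicitly.
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; Detail = 'no ICMP reply' }
            continue
        }
        try {
            $params = @{
                Computer             = $name
                # -Maximum is exclusive, so +1 keeps MaxDelayMinutes reachable
                RandomDelayInMinutes = Get-Random -Minimum 0 -Maximum ($MaxDelayMinutes + 1)
                ErrorAction          = 'Stop'
            }
            if ($Force) { $params['Force'] = $true }
            Invoke-GPUpdate @params
            [pscustomobject]@{ Computer = $name; Status = 'Scheduled'; Detail = '' }
        }
        catch {
            # Typical causes: firewall blocking RPC/WMI on the target, or missing rights.
            [pscustomobject]@{ Computer = $name; Status = 'Failed'; Detail = $_.Exception.Message }
        }
    }

    if ($results) {
        $results | Export-Csv -Path $LogPath -NoTypeInformation
        $results | Group-Object Status | Select-Object Name, Count
    }
}

# Placeholder OU; replace with the distinguished name of your own OU.
Update-OuGroupPolicy -SearchBase 'OU=Workstations,DC=example,DC=com' -MaxDelayMinutes 10
```

Hosts that answer ping but land in the Failed bucket are usually the ones where the firewall rules required for remote Group Policy Update are not enabled.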

Option 2. Group Policy Management Console

You can force a group policy update on all computers using the group policy management console.

Step 1. Open the Group Policy Management Console

Step 2. Right click an OU and select “Group Policy Update”

This will force an update on all the computers in the selected OU.


GPUpdate Examples

Here are some real-world examples of using the gpupdate command.

Example 1: Add shortcut to users desktop

A user puts in a high priority ticket and says I need the timesheet program installed on my computer ASAP. In this example, the user just needs a desktop shortcut added to the desktop. Ok, no problem.

You go into the group policy management console and apply the GPO to the user. You then remote to the user’s computer and run the gpupdate command.

Here is a before picture.


After running gpupdate you can see the desktop shortcut added to the desktop.


The group policy immediately applies, and the shortcut is added to the desktop. A reboot would also refresh the group policies but sometimes that is inconvenient for your users.

The nice thing about the gpupdate command is it can be run as a user with non admin rights. In the example above you can see I ran the command with the user logged in. Depending on the GPO settings this may not always work. In some cases, you may need to reboot a computer for settings to apply.

Example 2: Your Boss requests for software to be installed

In this example, your boss needs Acrobat Pro installed right away. Sure thing boss. Open the group policy management console and add the user to the GPO that installs Acrobat Pro.

Next, issue the gpupdate command. But this time you get the message below.


I wanted to show this example because not all policies can be applied immediately. Deploying software through group policy can only occur during a restart.

Sorry, boss you need to reboot. 🙂


How to Force Update Group Policy (Command) in Windows 11/10

Group Policy is a powerful tool that allows administrators to manage user and computer settings in Windows environments. It enables the enforcement of security settings, desktop environments, software installations, and much more across all devices in an organization. In Windows 10 and Windows 11, it’s essential for both IT professionals and advanced users to know how to force an update of Group Policy. This article will provide a comprehensive guide on how to achieve this using command-line tools.

Understanding Group Policy

Group Policy works through a system of rules and settings applied throughout a Windows domain. These policies help ensure a consistent environment, control user access, and protect organizational security by defining what users can and cannot do on their computers.

Group Policy settings are stored in Group Policy Objects (GPOs), which can be linked to sites, domains, or organizational units (OUs) in Active Directory. Policies can be applied to users (user configuration) or computers (computer configuration).

Importance of Updating Group Policies

Updates to Group Policies can occur automatically at specific intervals or when certain actions are taken. However, there are cases when you might want to force an immediate update, such as:

  • Adding or modifying a Group Policy Object in Active Directory.
  • Making changes to local Group Policy settings.
  • Troubleshooting issues where policies are not being applied correctly.

Forcefully updating Group Policy ensures that the latest settings are applied without waiting for the next automatic update cycle.

Updating Group Policy Automatically

By default, Windows automatically refreshes Group Policy settings every 90 to 120 minutes. This interval is not suitable when immediate changes are required, for instance when you’re troubleshooting a policy-related issue or have just made changes that need to take effect right away.

The Group Policy refresh occurs in the following manner:

  • Computer policies are re-applied every 90 minutes.
  • User policies are re-applied at logon and then every 90 minutes as long as the user is logged on.

The Command-Line Tool: gpupdate

The primary command used to force an immediate update of Group Policy in Windows is gpupdate. This command-line utility allows you to refresh both user and computer policy settings without the need to restart the system or log off.

Syntax of gpupdate

The basic syntax for the gpupdate command is as follows:

gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]

Parameters Explained

  • /target:{computer | user}: This parameter allows you to specify whether you want to update the computer policy, user policy, or both. By default, both are updated if no parameter is provided.

  • /force: This parameter forces a reapplication of all policy settings, even if they haven’t changed. Without this switch, only settings that have changed will be applied.

  • /wait:value: Specifies the number of seconds to wait for the update to finish. The default waits indefinitely.

  • /logoff: If the policy requires a logoff to be applied, this option allows the system to log off the user automatically upon completion.

  • /boot: Similar to /logoff, but it reboots the computer automatically if a restart is required for policies to be applied.

Forcing a Group Policy Update Using Command Line

To force a Group Policy update in Windows 10 or 11, follow the steps outlined below.

Step 1: Open Command Prompt

  1. Right-click on the Start menu or press Win + X.
  2. Select “Windows Terminal (Admin)” or “Command Prompt (Admin)”. If you don’t see these options, search for “cmd” in the Start menu, right-click on it, and select “Run as administrator”.

Step 2: Execute the Group Policy Update Command

In the command prompt window, type the following command and hit Enter:

gpupdate /force

This command will trigger an immediate refresh of all Group Policies.

Step 3: Wait for the Update Process

The command will display progress messages as the policy settings are being updated. Depending on the number of policies applied, this process may take a few seconds to a couple of minutes.

Step 4: Review the Output

Once completed, the command prompt will display messages indicating successful updates or any errors encountered during the update process. If there are policies that require the user to log off or restart the computer, you will get those notifications as part of the output.

Additional Methods to Force Group Policy Update

While gpupdate is the standard way to refresh policies, there are a few additional methods you can use.

Method 1: Using PowerShell

Windows PowerShell, another command-line tool, can also be used to update Group Policy settings. This method is particularly useful for automation scripts or when you are managing multiple machines via remote sessions.

Open PowerShell with administrative privileges and run the following command:

Invoke-GPUpdate -Computer "ComputerName" -Force

Replace "ComputerName" with the name of the computer you wish to update. You can also omit -Computer "ComputerName" if you’re executing the command on the local machine.

Method 2: Using Local Group Policy Editor

While the Group Policy Editor does not provide a direct command for updating policies, you can initiate a manual refresh from the GUI.

  1. Press Win + R to open the Run dialog.
  2. Type gpedit.msc and press Enter.
  3. Navigate through the editor, and as you change or modify settings, Group Policy configurations will take effect immediately—though a full refresh may still require gpupdate.

Troubleshooting Group Policy

If you encounter issues where Group Policy settings are not applying as expected, consider using the following troubleshooting steps.

Step 1: Check for Errors in Event Viewer

  • Open the Event Viewer by typing eventvwr in the Run dialog (Win + R).
  • Navigate to Windows Logs > System and look for events related to Group Policy. The Event ID 1055, 1085, or 1006 can indicate issues.

Step 2: Run gpresult Command

To see the status of Group Policy settings applied to a user or computer, you can use the gpresult command.

Open Command Prompt as an administrator and type:

gpresult /h report.html

This command generates a report in HTML format that you can open in any web browser. It shows all the applied policies and can assist in troubleshooting.
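The two troubleshooting steps above (checking the System log for the Group Policy event IDs and generating a gpresult report) can be scripted together; the following is an added example, not part of the original article. It assumes it runs elevated on the affected machine, and the report path is an assumption you can change.

```powershell
# Added example (not from the original article): collect recent Group Policy processing
# failures from the System log (the event IDs named above) and from the Group Policy
# operational log, then write the gpresult HTML report. Run elevated on the affected
# machine; the default report path is an assumption.
function Get-GroupPolicyFailures {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # IDs from the text: 1055 (could not resolve the computer name), 1085 (a client-side
    # extension failed to apply its settings), 1006 (LDAP bind to the DC failed).
    $systemEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1055, 1085, 1006
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # The operational log records every refresh cycle in detail; keep errors and warnings.
    $opEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3            # 2 = Error, 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Either query may return nothing; drop nulls before sorting.
    @($systemEvents; $opEvents) | Where-Object { $_ } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function New-GpResultReport {
    param([string]$Path = (Join-Path $env:TEMP 'gpresult.html'))
    # /h writes the HTML report; /f overwrites an existing file.
    gpresult.exe /h $Path /f | Out-Null
    return $Path
}

Get-GroupPolicyFailures -Hours 24 | Format-Table -AutoSize
"Report written to $(New-GpResultReport)"
```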

Step 3: Ensuring Permissions

Ensure that the user has the appropriate permissions to read and apply Group Policies. Lack of permissions can prevent policies from being applied effectively.

Resetting Group Policy Settings

If all else fails, you can consider resetting Group Policy settings to their default values. This can be done using the following steps:

Step 1: Open Command Prompt as Administrator

Just as before, open Command Prompt with administrative privileges.

Step 2: Reset Group Policy

Type the following commands one at a time:

rd /s /q "%WinDir%\System32\GroupPolicy"
rd /s /q "%WinDir%\System32\GroupPolicyUsers"
gpupdate /force

These commands will delete the existing Group Policy folder, which will cause Group Policy to reset to default settings. Use this with caution, as it will remove all applied policies.

Conclusion

Group Policy management is a vital skill for both IT administrators and advanced users handling Windows 10 and Windows 11 environments. Knowing how to force an update using the command line is crucial, especially when immediate changes are needed. Through the command gpupdate, you can effectively refresh and apply settings that control a wide range of system and user configurations.

Whether you’re resolving issues on a personal machine or managing policies in a corporate environment, understanding the nuances of Group Policy can significantly enhance productivity and security management. By following the tips and techniques outlined in this article, you’ll be well-equipped to handle Group Policy updates efficiently in Windows 10 and Windows 11.

Imagine that you get a phone call from the security specialist who handles your firewalls and proxy servers. He tells you that he has added an additional proxy server for users going to the internet. You add a new GPO that affects all users so they can use the new proxy server via Internet Explorer. Usually, it takes between 90 and 120 minutes for a new GPO to be applied, but you need the new settings to be applied right now, and you cannot tell your users to log off and log back in to apply them. In cases like these, you might want to bypass the normal wait time before background policy processing kicks in. You can do so using the command prompt, the Group Policy Management Console (GPMC) or PowerShell.

What is GPUpdate

Group Policy is a valuable feature of Active Directory that enables administrators to apply a wide range of settings to users and computers. It is critical for security and productivity that changes to Group Policy objects (GPOs) and new GPOs be applied in a timely manner.

Accordingly, Group Policy is automatically refreshed whenever a domain member computer is restarted or a user logs on to it. It is also automatically updated at a defined background refresh interval (by default, every 90 minutes with a randomized offset of up to 30 minutes).

Sometimes, however, administrators need to apply GPO settings to client systems immediately, such as when they create a new policy or make an important change to an existing policy. Furthermore, sometimes they want to not only apply changes but also reapply GPOs that have not been changed, usually in order to revert unwanted changes made on local machines.

This document walks you through the ways in which you can force a Group Policy refresh.

GPUpdate vs GPUpdate /force command

The gpupdate /force command is one of the most frequently used commands for updating group policy. The /force switch enables administrators to re-apply all policy settings. However, it’s important to consider that using the /force switch would result in a significant load on Domain Controllers (DCs), especially when there is a large number of Group Policy Objects (GPOs) in the environment.

If you have a substantial tenancy or a large number of GPOs, it is preferable to run gpupdate without the /force switch to implement new policy settings. This approach will only receive changes or new group policies, thereby reducing the workload on both the client and domain controllers.

How to force group policy update

To force a Group Policy update, you can use any of the following options:

  • The gpupdate /force command
  • The Group Policy Management Console (GPMC)
  • PowerShell

Prerequisite: Configure Firewalls before Applying GPOs

Before forcing reapplication of GPOs using any of these options, make sure the firewalls permit inbound network traffic on the applicable ports (by default, TCP port 135), as detailed in the Microsoft documentation.
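As an added example (not from the original articles), the script below audits the three inbound Windows Defender Firewall rules that remote Group Policy Update depends on, as listed earlier on this page, and optionally enables only their Domain-profile instances. The function names are hypothetical; run it elevated on the client being checked.

```powershell
# Added example (not from the original articles): audit the inbound Windows Defender
# Firewall rules that remote Group Policy Update (GPMC / Invoke-GPUpdate) relies on,
# as listed earlier on this page, and optionally enable them for the Domain profile only.
# Function names are hypothetical. Run elevated on the client you are checking.
$RequiredRules = @(
    'Remote Scheduled Tasks Management (RPC)',
    'Remote Scheduled Tasks Management (RPC-EPMAP)',   # RPC endpoint mapper, TCP 135
    'Windows Management Instrumentation (WMI-In)'
)

function Get-RemoteGpUpdateFirewallStatus {
    # One row per rule instance; a display name can exist as several profile-specific rules.
    foreach ($display in $RequiredRules) {
        $rules = @(Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Rule = $display; Profile = 'n/a'; Enabled = $false; Note = 'rule not present' }
            continue
        }
        foreach ($r in $rules) {
            $on = ($r.Enabled -eq 'True')
            [pscustomobject]@{
                Rule    = $display
                Profile = [string]$r.Profile
                Enabled = $on
                Note    = if ($on) { '' } else { 'disabled' }
            }
        }
    }
}

function Enable-RemoteGpUpdateFirewallRules {
    # Enable only instances that apply to the Domain profile; leave Private/Public closed.
    foreach ($display in $RequiredRules) {
        Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue |
            Where-Object { [string]$_.Profile -match 'Domain|Any' } |
            Enable-NetFirewallRule
    }
}

Get-RemoteGpUpdateFirewallStatus | Format-Table -AutoSize
# Enable-RemoteGpUpdateFirewallRules   # uncomment to enable the Domain-profile rules
```

In a domain these rules are normally deployed centrally with the GPMC starter GPO "Group Policy Remote Update Firewall Ports" rather than per host; the audit function is still useful to confirm that the GPO actually reached a client.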

Force a Group Policy Update using the Command Prompt

gpupdate is a Microsoft command shell command for Group Policy update on Active Directory computers. It is included in all Windows OS versions.

The /force Parameter

Running the gpupdate command with no parameters applies only changed policy settings and new GPOs. But sometimes you need to also re-apply all GPOs that have not changed – such as to revert unwanted modifications made by local administrators (or adversaries who have compromised their accounts).

In that case, you need to use the /force parameter, as follows:

gpupdate /force

There are two key considerations to keep in mind when using this parameter to update Group Policy settings:

  • You must physically trot out to each user machine and run the gpupdate /force command manually. (To update computers remotely, use PowerShell, as described below.)
  • Using the /force switch can result in significant load on DCs and clients, especially when there is a large number of GPOs in an environment. In those cases, it is preferable to run gpupdate without the /force parameter.

Additional Parameters

Running gpupdate while a user is logged on to a machine immediately gives Windows the new GPO settings (assuming, of course, that the domain controller has the replicated GPO information).

If the user is not logged on, in Windows XP and later, by default, GPO settings are processed only at the next logon time. But if you use the right switches, gpupdate can figure out if newly changed items require a logoff or reboot to be active:

  • /Logoff – Using this switch will figure out if a policy change requires the user to log off. If not, the new settings are applied immediately; if so, the user will automatically be logged off and the Group Policy settings will be applied when they log back in.
  • /boot – Similarly, if Fast Boot is enabled, a restart is required to apply GPOs that have Software Distribution settings. Running gpupdate with the /boot switch will figure out if a policy has something that requires a reboot and automatically reboot the computer. If the updated GPO does not require a reboot, the GPO settings are applied, and the user remains logged on.

Both the /Logoff and /boot switches are optional.

Other useful switches are available in conjunction with /force:

  • /Logoff – Log the user off after the Group Policy settings have been updated.
  • /Sync – Change the foreground (startup/logon) processing to synchronous.
  • /Target – Indicates whether to update only user policy settings or only computer policy settings. Both user and computer policy settings are updated by default.
  • /Boot – Restart the machine after the Group Policy settings are applied.

Force a group policy update using the Group Policy Management Console (GPMC)

The second way to force a Windows Group Policy update is to use the Group Policy Management Console. While the gpupdate command updates all policies for all OUs, GPMC gives you the option to limit the update to a specific OU. Take these steps:

  1. Open the GPMC (Group Policy Management Console)
  2. Link the GPO to an OU.
  3. Right-click the desired OU and choose the “Group Policy Update” option.
  4. Confirm the action in the Force Group Policy Update dialog that appears by clicking Yes.

Force a Group Policy update remotely on computers using PowerShell

To update Group Policy remotely, you need to use PowerShell. Since Windows Server 2012, you can use the Invoke-GPUpdate cmdlet to force a remote Group Policy update on Windows client computers. You will need to have both PowerShell and the Group Policy Management Console installed. The cmdlet produces no output.

Examples of using Invoke-GPUpdate for Remote Group Policy Update

Another advantage of using the Invoke-GPUpdate cmdlet is that the “RandomDelayInMinutes” option allows you to adjust the delay. If you want an immediate Group Policy update, set it to 0, as shown here:

Invoke-GPUpdate -Computer LHE-LT-ADAM -RandomDelayInMinutes 0

In this instance, a Group Policy update was started immediately on the computer identified as “LHE-LT-ADAM”. The only downside to using this parameter is that the users will get a cmd screen pop-up.

If you want to force an update on all computers, run the code below. It will get all computers from the domain, put them into a variable, and run the commands for each object.

$compgpoupd = Get-ADComputer -Filter *
$compgpoupd | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}
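The one-liner above stops at the first unreachable computer and gives no record of what succeeded. The following added PowerShell example (not from the original article) scopes the update to one OU, checks that the RPC endpoint mapper port (TCP 135, the prerequisite noted earlier) is reachable before calling Invoke-GPUpdate, and logs the outcome per computer; the OU distinguished name and log path are placeholders.

```powershell
# Added example, not from the original article. Placeholders: $searchBase, $logPath.
$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU to scope the update
$logPath    = "$env:TEMP\gpupdate-remote.log"       # placeholder log file

# Only enabled computer accounts in the chosen OU (Get-ADComputer needs the AD module).
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    Select-Object -ExpandProperty Name

foreach ($name in $computers) {
    # Invoke-GPUpdate creates a scheduled task on the client over RPC, so the
    # endpoint mapper (TCP 135) must be open; skip hosts where it is not.
    $reach = Test-NetConnection -ComputerName $name -Port 135 -WarningAction SilentlyContinue
    if (-not $reach.TcpTestSucceeded) {
        "$(Get-Date -Format s) $name SKIPPED: TCP 135 unreachable" | Add-Content -Path $logPath
        continue
    }

    try {
        # -Force reapplies unchanged GPOs; -RandomDelayInMinutes 0 runs gpupdate immediately.
        # On large OUs use a non-zero delay (for example 10) to spread the load on the DCs,
        # as the /force considerations above describe.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        "$(Get-Date -Format s) $name OK" | Add-Content -Path $logPath
    }
    catch {
        # Typical causes: RPC server unavailable, access denied, scheduled task creation refused.
        "$(Get-Date -Format s) $name FAILED: $($_.Exception.Message)" | Add-Content -Path $logPath
    }
}

Write-Host "Done. Results written to $logPath"
```

The script must run from a machine with the GroupPolicy and ActiveDirectory modules (RSAT) under an account that is a local administrator on the target computers.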


Configure firewalls before applying GPOs

Make sure the firewalls permit inbound network traffic on the required ports before opening your GPMC. Starting from Windows Server 2012, there is a starter GPO in Group Policy Editor called “Group Policy Remote Update Firewall Ports”, which verifies whether TCP port 135 is set up for remote scheduled task management.

To enable Windows Firewall with Advanced Security with a GPO:

  1. Launch the interface for Group Policy Management.
  2. In the navigation pane, expand the following: Forest (YourForestName) => Domains (YourDomainName) => Group Policy Objects: (YourDomainName) => right-click the GPO you wish to edit, and select Edit.

  3. From the navigation bar of the Group Policy Management Editor, select Computer Configuration => Policies => Windows Settings => Security Settings => Windows Firewall with Advanced Security => Advanced Security for Windows Firewall.

GPO background refresh

All Group Policy clients process GPOs when the background refresh interval comes to pass – but they process only those GPOs that are new or have changed since the last time the client requested them.

However, for security settings, the Group Policy engine works differently. It asks for a special background refresh just for security policy settings. This is called the background security refresh and is valid for every version of Windows Server. Every 16 hours, each Group Policy client asks Active Directory about all the GPOs that contain security settings (not just the ones that have changed) and reapplies those security settings. This ensures that if a security setting has changed on the client (behind the Group Policy engine’s back), it’s automatically reverted to the proper setting within 16 hours.
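To confirm from the admin side that a client actually completed a refresh, and whether that refresh applied anything, the following added PowerShell example (not from the original article) reads the end-of-cycle events from the client's Group Policy operational log and warns when no computer policy refresh has completed within the 16-hour security refresh window described above; the computer name is a placeholder.

```powershell
# Added example, not from the original article. Placeholder: $computer.
$computer = 'LHE-LT-ADAM'   # placeholder; any reachable domain-joined computer

# End-of-cycle events written by the Group Policy engine:
#   1500 / 1501 = computer / user policy processed, no changes detected
#   1502 / 1503 = computer / user policy processed, new settings applied
$filter = @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Id      = 1500, 1501, 1502, 1503
}

# Get-WinEvent returns newest events first; -ErrorAction Stop surfaces RPC/access failures.
$events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -MaxEvents 6 -ErrorAction Stop

foreach ($e in $events) {
    $scope = if ($e.Id -in 1500, 1502) { 'Computer' } else { 'User' }
    $state = if ($e.Id -in 1502, 1503) { 'new settings applied' } else { 'no changes detected' }
    '{0:s}  {1,-8} {2}' -f $e.TimeCreated, $scope, $state
}

# The security CSE reapplies security settings at least every 16 hours, so a client
# whose newest computer-policy event is older than that is not refreshing at all.
$latestComputer = $events | Where-Object { $_.Id -in 1500, 1502 } | Select-Object -First 1
if (-not $latestComputer -or $latestComputer.TimeCreated -lt (Get-Date).AddHours(-16)) {
    Write-Warning "$computer : no computer policy refresh completed in the last 16 hours; check gpsvc, DC reachability and the operational log"
}
```

Reading the log remotely requires the Remote Event Log Management firewall rule on the client and an account with read access to the operational log.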

Background refresh process for local GPOs

As noted earlier, one key reason you might need to force a Group Policy refresh is that local administrators (or adversaries who have compromised their accounts!) can make changes to settings on their machines that nullify a policy you’ve set with a GPO. Those changes can hurt productivity or even security. For example, a local admin might override your GPO setting that prohibits USB drives, enabling both data theft and introduction of malware.

Accordingly, you should grant local administrator rights only when they are truly needed. Regular users should never be given local admin rights.

Mandatory reapplication of non-security group policy settings

As noted above, the regular background update applies only to new and changed GPOs. However, you can modify the regular background refresh to reapply certain settings, even if the GPOs haven’t changed. This is a good way to revert unwanted changes to settings that aren’t covered by the background security refresh.

Specifically, you can choose to mandate the reapplication of the following areas of Group Policy during each initial policy processing and background refresh:

  • Registry (Administrative Templates)
  • Microsoft Edge Maintenance
  • IP Security
  • EFS Recovery Policy
  • Wireless Policy
  • Disk Quota
  • Scripts
  • Security
  • Folder Redirection
  • Software Installation
  • Wired Policy

How Netwrix Can Help

Group Policy is an extremely powerful way to manage settings for your Windows infrastructure. But it is also complex. Indeed, after years of mergers and acquisitions, employee turnover, technology changes, and so on, Group Policy becomes nearly impossible to manage effectively using manual methods and native tools.

Netwrix Endpoint Policy Manager simplifies Group Policy management and enables you to clean up and consolidate your GPOs. As a result, your organization will enjoy faster login, higher security, better uptime, and fewer misconfigurations.

Conclusion

Keeping Group Policy settings up to date across your IT estate is critical for productivity, security, compliance and more. While GPO changes are automatically applied at the next refresh interval, you can also force a refresh to apply them immediately. As an extra safety measure, you can ensure that certain Group Policy settings are always reapplied, even if they have not changed, in order to revert any unwanted changes made by local administrators.

FAQ

How to update group policy?

To update Group Policy manually, administrators can use the gpupdate /force command, the Group Policy Management Console (GPMC) or PowerShell. The /force switch enables administrators to re-apply all policy settings.

What does gpupdate /force do?

Group Policy is updated automatically according to a background refresh schedule. However, sometimes an update or new policy needs to take effect sooner, or the organization needs to revert improper policy changes made by local administrators. In those cases, an administrator can use the gpupdate command with the /force parameter to apply a Group Policy update immediately.

How long does gpupdate /force take to update Group Policy?

The time required to force a Group Policy update depends on the number of policies being applied. Updating a small number of policies can take just a couple of minutes, but typically, the process involves a 90-minute application time plus a 30-minute delay for workload distribution.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
