Introduction
When you run gpupdate /force; When you reboot; All three of these assume you are on a single server domain. If you have multiple servers you need to also add the time it takes to replicate the changes to the DC closest to the PC in question.
There is no GPO enforcement on Macs that can be applied per se. That being said, the AD LDAP integration, if you joined your Macs to the domain using the Directory Utility, should automatically enforce your password policy at next logon, when the Macs are connected on your local network.
Here is an interactive tutorial: http://ior.ad/6YCl.
Someone tell me there is a way to initiate a gpupdate /force on remote machines without the command prompt coming up randomly. I usually just initiate it for the OU in question in the Group Policy Management console. It works, but a command prompt window will pop up on each user's machine, which causes a slew of help desk tickets.
I needed to script a gpupdate /force and target a group of machines in an OU. I wanted to script this because I wanted to run the force in real time and also wanted to be sure that it ran successfully on the target machines. This seemed a better option than waiting for the policy to update, hoping it applied the updated policy registry on all systems and, worse yet, needing to run reports and trawl through the results.
Over the last several years, I have been lucky enough to not rely on Group Policy all that much. With tools like RES ONE and AppSense at my disposal and the fact I have been pretty application focused, Group Policy has been a last resort in most environments.
Imagine my delight when I realized I didn’t need to script this!! I found a helpful article and thought I found the holy grail. An option within the Group Policy Management Console within Server 2012 that not only can force the update but also return the results! Eureka!!
In this post I will go through how to remotely execute gpupdate on all systems in an OU using Group Policy Management but importantly, in my conclusion, I will detail why you should use caution when leveraging this feature!
How to Force GPUpdate on an OU from Group Policy Management Console
On Server 2012 or with newer versions of RSAT on your desktop, open Group Policy Management.
Browse to the OU which you would like to force the gpupdate for, right click and click on Group Policy Update…
If you are deploying to one or two machines, you’ll just receive a confirmation message. When deploying to several machines you will receive a warning about possibly straining network resources. If you are daring enough to proceed, click Yes. (I wouldn’t be worried about running it for a few hundred machines but again, check my conclusion at the bottom of this post before proceeding.)
As the update runs on the machines, the results will populate. If you get any failures, you will want to investigate on that failed machine.
Conclusion
But Yarrrrrr….let this be a cautionary tale…and also a brain dump for myself to serve as a reminder to never ever do this on machines in a production environment! I got pretty lucky, I ran this against some systems in a non-production environment.
On machines that got the update, the gpupdate ran interactively, so the users on the machines at the time saw this prompt, which could look like an issue. It’s not in this instance; my updated policy did successfully take hold, but the fact that this didn’t run silently makes the feature pretty useless for my future use, and I would suggest that you only use it in your own home lab or sandbox environment.
If you would like to ensure that the gpupdate runs silently, you could change the refresh interval or script this using VBScript or PowerShell, or even use PsExec.
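One way to script the silent refresh with PowerShell, shown as an added example rather than the author's own script. It assumes the ActiveDirectory RSAT module on the admin workstation and WinRM enabled on the targets; the OU path is a placeholder, and treating exit code 0 as success is an assumption of this sketch.

```powershell
#Requires -Modules ActiveDirectory
# Added example: refresh computer policy on every enabled machine in an OU
# without opening a console window on the user's desktop, then report results.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # placeholder OU
    [int]$WaitSeconds = 120
)

# Enabled computer accounts in the OU and its child OUs that have a DNS name.
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { $_ })

# Invoke-Command runs gpupdate in a non-interactive WinRM session, so nothing
# appears on the console session. Only computer policy is targeted: user policy
# refreshed here would belong to the remoting account, not the logged-on user.
$results = @(Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $wait = $using:WaitSeconds
    $output = & gpupdate.exe /target:computer /force "/wait:$wait" 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
})

# One row per machine that answered; Invoke-Command adds PSComputerName.
$report = @(foreach ($r in $results) {
    [pscustomobject]@{
        Computer = $r.PSComputerName
        Status   = if ($r.ExitCode -eq 0) { 'Refreshed' } else { "gpupdate exit $($r.ExitCode)" }
        Detail   = $r.Output
    }
})

# Machines that returned nothing were offline or refused the WinRM connection.
$answered = $results.PSComputerName
$report += @($computers | Where-Object { $_ -notin $answered } | ForEach-Object {
    [pscustomobject]@{ Computer = $_; Status = 'Unreachable'; Detail = '' }
})

$report | Sort-Object Status, Computer | Format-Table Computer, Status -AutoSize
```

Machines listed as Unreachable keep their old policy until the next background refresh, so follow up on them separately if the change is security-relevant (a password or lockout policy, for example).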
I think this feature could be pretty useful, if you could be assured the update would run silently on the endpoints. Of course, in most situations you can likely just wait for the refresh interval but sometimes you may want an update to run before you can progress your work. What do you think? If you agree, please upvote this feature request on UserVoice here: User Voice for Group Policy Update Feature in Server 2016.
The gpupdate command refreshes a computer's local Group Policy, and any Active Directory-based group policies.
Availability
Gpupdate is an external command and is available for the following Microsoft operating systems as gpupdate.exe.
Gpupdate syntax
| Parameter | Description |
|---|---|
| /Target:{Computer \| User} | Specifies that only user or only computer policy settings be refreshed. By default, both user and computer policy settings are refreshed. |
| /Force | Reapplies all policy settings. By default, only policy settings that have changed are applied. |
| /Wait:{value} | Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value '0' means not to wait. The value '-1' means to wait indefinitely. When the time limit is exceeded, the command prompt returns, but policy processing continues. |
| /Logoff | Causes a logoff after the Group Policy settings are refreshed, which is required for those client-side extensions that don't process policy on a background refresh cycle but do during log on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff. |
| /Boot | Causes a reboot after the Group Policy settings are refreshed, for those client-side extensions that don't process policy on a background refresh cycle but do at startup. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a reboot. |
| /Sync | Causes the next foreground policy application to be done synchronously. Foreground policy applications occur at computer boot and user login. You can specify this for the user, computer or both using the /Target parameter. The /Force and /Wait parameters are ignored if specified. |
Gpupdate examples
Running the command alone refreshes the computer's policies as shown below in the example output.
Additional information
- See our Active Directory definition for further information and related links on this term.