In this article we will show how to update Group Policy (GPO) settings on Windows computers in an Active Directory domain: how to update (refresh) Group Policies automatically, how to use the GPUpdate command, how to update them remotely using the Group Policy Management Console(GPMC.msc) or the Invoke-GPUpdate PowerShell cmdlet.
Contents:
- How to Change Group Policy Refresh Interval?
- Using GPUpdate.exe Command to Force Refresh GPO Settings
- How to Force a Remote GPO Update from the Group Policy Management Console (GPMC)?
- Invoke-GPUpdate: Force Remote Group Policy Update via PowerShell
How to Change Group Policy Refresh Interval?
Prior to the new settings you have set in a local or domain Group Policy (GPO) are applied to Windows clients, the Group Policy Client service must read the policies and make changes to the Windows settings. The process is called a Group Policy Update. GPO settings are updated when the computer boots, the user logs on, and refreshed automatically in the background every 90 minutes + a random time offset of 0–30 minutes (it means that the policy settings will definitely be applied on the clients in 90–120 minutes after you have updated GPO files on the domain controller).
By default, domain controllers update GPO settings more often: every 5 minutes.
You can change the GPO update interval using the Set Group Policy refresh interval for computers option located in Computer Configuration -> Administrative Templates -> System -> Group Policy section of the GPO.
Enable the policy and set the time (in minutes) for the following options:
- This setting allows you to customize how often Group Policy is applied to computers (0 to 44640 minutes) how often the client should refresh the GPO settings in the background. If you set 0 here, the policies will be updated every 7 seconds (it is not worth to do it);
- This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time (0 to 1440 minutes) is a maximum value of a random time interval added as an offset to the previous parameter (used to reduce the number of simultaneous client calls to the DC to download GPO files).
Note that frequent GPO update results in the growth of traffic to the domain controllers and leads to higher network load.
Using GPUpdate.exe Command to Force Refresh GPO Settings
All administrators know the gpupdate.exe command that allows to update Group Policy settings on a computer. To do it, most use the gpupdate /force command without any hesitation. The command forces your computer to read all GPOs from the domain controller and reapply all settings. This means that when the force key is used, the client connects to the domain controller to retrieve the files for ALL policies targeting it. It may result in higher load on your network and domain controller.
A simple gpudate command without any parameters only applies new and changed GPO settings.
If it has been successful, the following message appears:
Updating policy...Computer Policy update has completed successfully.User Policy update has completed successfully.
If some policies or settings have not been applied, use the gpresult command to diagnose the problem and follow the instructions in the article Common Problems Causing Group Policy To Not Apply
You can update only user’s GPO settings:
gpupdate /target:user
or only the computer’s policy settings:
gpupdate /target:computer/force
If some policies cannot be updated in the background, gpupdate can log off the current user:
gpupdate /target:user /logoff
Or restart a computer (if the GPO changes can only be applied when Windows boots):
gpupdate /Boot
How to Force a Remote GPO Update from the Group Policy Management Console (GPMC)?
In Windows Server 2012 and newer, you can update Group Policy settings on domain computers remotely using the GPMC.msc (Group Policy Management Console).
In Windows 10, you will have to install the RSAT to use the GPMC console:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Then after changing any settings, or creating and linking a new GPO, it is enough to right-click the Organizational Unit (OU) you want in the GPMC and select Group Policy Update in the context menu. In a new window, you will see the number of computers GPO will be updated on. Confirm the force update of the policies by clicking Yes.
Then the GPO will be remotely updated on each computer in the OU one by one, and you will get the result with the group policy update status on the computers (Succeeded/Failed).
This feature creates a task in the Task Scheduler with the GPUpdate.exe /force command for each logged on user on the remote computer. The task runs in a random period of time (up to 10 minutes) to reduce the network load.
In order the GPMC remote GPO update feature to work on a client, the following conditions must be met:
- TCP Port 135 must be open in Windows Defender Firewall rules;
- Windows Management Instrumentationand Task Scheduler services must be enabled.
If a computer is turned off or a firewall blocks access to it, the ‘The remote procedure call was canceled. Error Code 8007071a’ message appears next to the name of the computer.
Actually, the feature works the same as if you have updated GPO settings manually using the GPUpdate /force command on each computer.
Invoke-GPUpdate: Force Remote Group Policy Update via PowerShell
You can also call the remote GPO update on computers using the Invoke-GPUpdate PowerShell cmdlet (being a part of RSAT Group Policy management module). For example, to remotely update user policy settings on a specific computer, you can use the following command:
Invoke-GPUpdate -Computer "frparsrv12" -Target "User"
If you run the Invoke-GPUpdate cmdlet without any parameters, it will update the GPO settings on the current computer (like gpudate.exe).
Together with the Get-ADComputer cmdlet, you can update GPO on all computers in a specific OU:
Get-ADComputer –filter * -Searchbase "OU=Computes,OU=Mun,OU=DE,dc=woshub,dc=com" | foreach{ Invoke-GPUpdate –computer $_.name -force}
or on all computers meeting the specific requirement (for example, on all Windows Server hosts in a domain):
Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' }| foreach{ Invoke-GPUpdate –computer $_.name –RandomDelayInMinutes 10 -force}
You can set a random offset to update GPO using RandomDelayInMinutes. Thus, you can reduce the network load if you update Group Policy setting on multiple computers simultaneously. To apply the Group Policy settings immediately, the RandomDelayInMinutes 0 parameter is used.
The Invoke-GPUpdate command returns the following error for unavailable computers:
Invoke-GPUpdate: Computer "frparsrv12" is not responding. The target computer is either turned off or Remote Scheduled Tasks Management Firewall rules are disabled.
If you run the Invoke-GPUpdate cmdlet remotely or update GPO from the GPMC, a console window with the running gpupdate command may appear on a user desktop for a short time.
