

Updating Group Policy Settings on Windows Domain Computers - How to do it?

Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. Microsoft provides a program snap-in that allows you to use the Group Policy Management Console (GPMC).

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related GPO queries.

In this context, we shall look into how to update Group Policy (GPO) settings on Windows computers in an Active Directory domain.


How to Update Group Policy Settings on Windows Domain Computers?

To Change Group Policy Refresh Interval:

Before new settings from a local or domain Group Policy Object (GPO) take effect on Windows clients, the Group Policy Client service must read the policies and apply the changes to the Windows settings. This process is called a Group Policy update.

GPO settings update when the computer boots and the user logs on. It refreshes automatically in the background every 90 minutes + a random time offset of 0–30 minutes.

We can change the GPO update interval via Computer Configuration -> Administrative Templates -> System -> Group Policy section of the GPO.

Then we enable the policy and set the time (in minutes) for the following options:

  • This setting allows you to customize how often Group Policy is applied to computers (0 to 44640 minutes). If we set 0 here, the policies will update every 7 seconds.
  • This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time (0 to 1440 minutes).


GPUpdate.exe Command to Force Refresh GPO Settings

Almost all administrators use the gpupdate /force command to update Group Policy settings on a computer.

The command forces the computer to read all GPOs from the domain controller and reapply all settings. When we use the /force switch, the client connects to the domain controller to retrieve the files for ALL policies targeting it.

A simple gpupdate command without any parameters only applies new and changed GPO settings.

A successful update will show a message like this:

Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

We can update only the user's GPO settings:

gpupdate /target:user

Or only the computer’s policy settings:

gpupdate /target:computer /force

However, some policies cannot be applied in the background. For those, gpupdate can log off the current user:

gpupdate /target:user /logoff

Or restart a computer:

gpupdate /Boot


A Remote GPO Update from the Group Policy Management Console (GPMC)

  • In Windows Server 2012 and newer, we can update Group Policy settings on domain computers remotely using the GPMC.msc.
  • Then, after any change in settings, or after creating and linking a new GPO, we right-click the Organizational Unit (OU) we want in the GPMC and select Group Policy Update in the context menu.
  • In a new window, we can see the number of computers with GPO. Confirm the force update of the policies by clicking Yes.
  • Then the GPO will remotely update on each computer in the OU one by one, and we will get the result with the Group Policy update status on the computers.
  • This feature creates a task in the Task Scheduler with the GPUpdate.exe /force command for each logged-on user on the remote computer.
  • We see the message, 'The remote procedure call was canceled. Error Code 8007071a' if the computer is turned off or a firewall blocks access to it.


Invoke-GPUpdate: Force Remote Group Policy Update via PowerShell

In addition, we can call the remote GPO update on computers using the Invoke-GPUpdate PowerShell cmdlet.

For example, to remotely update user policy settings on a specific computer, we can run:

Invoke-GPUpdate -Computer "frparsrv12" -Target "User"

If we run this cmdlet without any parameters, it will update the GPO settings on the current computer.

Together with the Get-ADComputer cmdlet, we can update GPO on all computers in a specific OU:

Get-ADComputer -Filter * -SearchBase "OU=Computes,OU=Mun,OU=DE,dc=woshub,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

Or on all computers meeting the specific requirement:

Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' } | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 10 -Force }

If we run the Invoke-GPUpdate cmdlet remotely or update GPO from the GPMC, we may find a console window with the running gpupdate command on a user desktop for a while.
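
An added example, not from the original article: the OU-wide loop above wrapped so that each computer's outcome is recorded, which makes hosts that are switched off or firewalled visible in one table instead of scrolling past as errors. The OU distinguished name and the function name Update-OuGroupPolicy are placeholders chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Update-OuGroupPolicy {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to process (placeholder value used below)
        [Parameter(Mandatory)] [string] $SearchBase,
        # Spread the remote gpupdate runs to avoid hitting the DCs all at once
        [int] $RandomDelayInMinutes = 10
    )

    # Only enabled computer accounts; disabled ones cannot process policy
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase

    foreach ($c in $computers) {
        $status = 'Scheduled'
        $detail = ''
        try {
            # -ErrorAction Stop turns RPC/firewall failures into catchable errors
            Invoke-GPUpdate -Computer $c.Name -Force `
                -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
        }
        catch {
            $status = 'Failed'
            $detail = $_.Exception.Message
        }

        # One result object per computer, success or failure
        [pscustomobject]@{
            Computer = $c.Name
            Status   = $status
            Detail   = $detail
        }
    }
}

# Placeholder OU; replace with a real distinguished name from your domain
$results = Update-OuGroupPolicy -SearchBase 'OU=Workstations,DC=example,DC=com'

# Hosts that need follow-up (powered off, firewall blocking remote task creation)
$results | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```

A 'Scheduled' status only means the remote gpupdate task was created; confirm the applied policies on the target with gpresult /r.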




Conclusion

This article covers how to update Group Policy Settings on Windows Domain Computers. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO).


To force a group policy update on a domain:

1. Right-click the selected OU, and click Group Policy Update.

2. Click Yes in the Force Group Policy update dialog box. This is equivalent to running GPUpdate.exe /force from the command line.