A few days ago we published an article explaining how to disable file copy through RDP using Group Policy for all the Windows clients within the same Active Directory forest. In this post we'll briefly explain how we can force an update of those Group Policies - as well as any other Group Policy which has been globally set up at the Domain Controller level - on any single Windows client machine using either the Group Policy Management Console (GPMC), the GPUpdate command-line tool or a single PowerShell script.
Introduction
In a typical Windows Server environment the Group Policy settings can be refreshed in the following ways:
- Using the GPUpdate command-line tool from any Windows Client Machine: such tool can be effectively used to refresh the Group Policy of a single computer.
- Using the Invoke-GPUpdate Windows PowerShell cmdlet to refresh Group Policy for a given set of computers; such method is great to refresh the Group Policy on multiple clients at the same time, including those that are not within the OU structure (such as the clients located in the default computers container); it's also very versatile, since it can be launched from the client machine (local update) or from the domain controller (remote update).
- Using the Group Policy Management Console (GPMC) to globally refresh all computers in an organizational unit (OU) from one central location. This is the way to go to refresh the Group Policy on all clients using a remote update strategy, thus mimicking the most powerful behaviour of the aforementioned Invoke-GPUpdate cmdlet.
In the next paragraphs we'll see how we can effectively use those three methods to achieve our desired result.
GPUpdate.exe (CMD)
The GPUpdate command-line tool is what we should use whenever we need to refresh the Group Policy on a single Windows client machine.
To use it, perform the following steps:
- Open a command-line prompt (with administrative rights)
- Type the following command: GPUpdate /force
That's it.
For additional info about such method, take a look at the Force a Remote Group Policy Refresh (GPUpdate) post from Microsoft docs.
Invoke-GPUpdate (PowerShell)
The Invoke-GPUpdate PowerShell cmdlet is the way to go when we need to issue or schedule a remote Group Policy refresh on one or multiple computers from the Domain Controller (instead of doing that from the client machine, as with the previous method).
Here's how the cmdlet can be used to refresh the Group Policy on a single remote computer (the -Target "User" parameter limits the refresh to the User policy settings):
Invoke-GPUpdate -Computer "CONTOSO\COMPUTER-02" -Target "User"
The Invoke-GPUpdate PowerShell cmdlet can also be used to refresh the Group Policy for all the computers in a container. However, in order to do that, we'll also need to use the Get-ADComputer cmdlet to obtain the list of computers in the Computers container: once we do that, we can supply the name of each computer that is returned to the Invoke-GPUpdate cmdlet.
Here's a working example that will force a refresh of all Group Policy settings for all computers in the Computers container for the Contoso.com domain:
Get-ADComputer -Filter * -SearchBase "cn=Computers,dc=Contoso,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }
Needless to say, the Invoke-GPUpdate cmdlet can also be used to refresh the Group Policy from the Windows client, thus mimicking the same behaviour of the previously mentioned GPUpdate.exe command-line tool. To use it in such way, just execute the cmdlet without parameters in the following way:
Invoke-GPUpdate
For additional info about the Invoke-GPUpdate cmdlet, refer to the Invoke-GPUpdate guide from Microsoft docs.
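The container-wide one-liner above stops being practical once some clients are offline or block the remote call, because errors scroll past and nothing records which machines were missed. The following script is an added example, not part of the original article: it reports a per-computer outcome and spreads the refresh over a few minutes. The OU path, the 5-minute delay and the CSV file name are assumptions to adapt.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not from the original article.
# Assumption: constructed OU path; replace it with your own OU or container DN.
$searchBase = 'OU=Workstations,DC=Contoso,DC=com'

# Query enabled computer accounts only, including those in child OUs.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase -SearchScope Subtree

$results = foreach ($computer in $computers) {
    $name   = $computer.DNSHostName
    $status = 'Scheduled'
    $detail = ''

    if (-not $name) {
        # Stale or pre-staged objects may have no DNS host name registered.
        $name   = $computer.Name
        $status = 'Skipped'
        $detail = 'No DNSHostName on the computer object'
    }
    elseif (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # ICMP may be filtered; treat this as "needs a manual check", not as proof.
        $status = 'Offline'
        $detail = 'No ping reply'
    }
    else {
        try {
            # -Force reapplies all settings; the random delay spreads the load
            # on the domain controllers instead of refreshing every client at once.
            Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 5 -ErrorAction Stop
        }
        catch {
            # Typical causes: firewall rules or insufficient rights on the client.
            $status = 'Failed'
            $detail = $_.Exception.Message
        }
    }

    [pscustomobject]@{ Computer = $name; Status = $status; Detail = $detail }
}

# Full overview on screen, and a file listing the machines that still need attention.
$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results | Where-Object Status -ne 'Scheduled' |
    Export-Csv -Path .\gpupdate-missed.csv -NoTypeInformation
```

A status of Scheduled only means the refresh task was created on the client, not that the policy has been applied; running gpresult /r on a sample client confirms which GPOs are actually in effect.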
Group Policy Management Console (GPMC)
Last but not least, let's see how we can take advantage of the Windows Server Group Policy Management Console (GPMC) to issue a Group Policy refresh for all the clients registered within the Organizational Unit.
- Launch the Group Policy Management Console (GPMC).
- In the GPMC console tree, locate the OU for which you want to refresh Group Policy for all computers. It's worth noting that Group Policy will also be refreshed for all computers that are located in the OUs contained in the selected OU.
- Right-click the selected OU, and click Group Policy Update.
- Click Yes in the Force Group Policy update dialog box.
Performing the above tasks will have the same effect as running GPUpdate.exe /force from the command line on all the Windows clients individually.
Conclusions
We hope that this tutorial will be useful enough for those System Administrators who are looking for a way to locally or remotely force the update of the Group Policy of their Windows clients.