Force a Remote Group Policy Refresh (GPUpdate)

You can only schedule to force a remote Group Policy update using the GPMC from domain-joined computers running:

• Windows Server 2012
  
  
• Windows 8 with Remote Server Administration Tools for Windows 8
  
  

You schedule a remote Group Policy refresh for any computer running:

• Windows Server 2012
  
  
• Windows Server 2008 R2
  
  
• Windows Server 2008
  
  
• Windows 8
  
  
• Windows 7
  
  
• Windows Vista
  
  

In order to successfully schedule a Group Policy refresh for domain-joined computers using either the GPMC or the Invoke-GPUpdate cmdlet, you must set firewall rules to support the inbound network traffic on ports to support the remote Group Policy refresh.

To schedule a Group Policy refresh for domain-joined computers using either the GPMC or the Invoke-GPUpdate cmdlet through the firewall, you must have firewall rules that enable inbound network traffic on the ports listed in the following table.

In Windows Server 2012, Group Policy adds a new Starter GPO called, Group Policy Remote Update Firewall Ports. This Starter GPO includes policy settings to configure the firewall rules, specified in the previous table that enables inbound network traffic on the ports necessary to allow the remote Group Policy refresh to be run. It is a best practice to create a new GPO from this Starter GPO and link the GPO to your domain, at a higher precedence than the Default Domain GPO, in order to configure all computers in the domain to enable a remote Group Policy refresh.

Do this step using Windows PowerShell

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

You can use the New-GPO cmdlet with the –StarterGpoName parameter to create a GPO a new GPO. You can then pipe the output from the New-GPO cmdlet to the New-GPLink cmdlet.

For example, to create a new GPO, called Configure firewall rules for remote gpupdate, using the Group Policy Remote Update Firewall Ports Starter GPO and link the Configure firewall rules for remote gpupdate GPO to the Contoso.com domain, type the following:

New-GPO –Name "Configure firewall rules for remote gpupdate" –StarterGpoName "Group Policy Remote Update Firewall Ports" | New-GPLink –target "dc=Contoso,dc=com" –LinkEnabled yes

For more information about the New-GPO cmdlet and the New-GPLink cmdlet, see:

• New-GPO
  
  
• New-GPLink
  
  

You can schedule gpupdate.exe to run on multiple computers from either the GPMC or from a Windows PowerShell session using the new Invoke-GPUpdate cmdlet. This procedure demonstrates both methods of forcing a remote Group Policy refresh.

Do this step using Windows PowerShell

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

The Invoke-GPUpdate cmdlet allows you to schedule a remote Group Policy update for a specified computer with all the options that the gpupdate.exe command-line utility provides. This allows for more freedom to determine which the set of computers to be refreshed than scheduling the refresh through GPMC. Additionally, you have the freedom to configure the interval of time to wait before a Group Policy refresh is performed using the –RandomDelayInMinutes parameter. If set to a zero (0) value, the scheduled task for the Group Policy refresh will be configured to start immediately. For more information about the Invoke-GPUpdate cmdlet, see Invoke-GPUpdate.

You can refresh the changed Group Policy settings for the computer you are logged on by running the Invoke-GPUpdate cmdlet without including any parameters. For example:

Invoke-GPUpdate

You cannot schedule a Group Policy refresh for the Computers container using the GPMC Group Policy Update… functionality. The Computers container is a default location for computer accounts. It is not implemented as an OU that can be managed by the GPMC. By combining the use of the Active Directory cmdlet, Get-ADComputer with the Invoke-GPUpdate cmdlet, you can schedule a remote refresh for all computers in the Computers container. For more information about available Active Directory cmdlets for Windows Server 2012 see AD DS Administration Cmdlets in Windows PowerShell.

First obtain the list of computers in the Computers container using the Get-ADComputer cmdlet. Then supply the name of each computer that is returned to the Invoke-GPUpdate cmdlet.

For example, to force a refresh of all Group Policy settings for all computers in the Computers container for the Contoso.com domain, type the following:

Get-ADComputer –filter * -Searchbase "cn=computers, dc=Contoso,dc=com" | foreach{ Invoke-GPUpdate –computer $_.name -force}

You can force a Group Policy refresh for all Group Policy settings for all computers in a single OU when you combine the Get-ADComputer with the Invoke-GPUpdate cmdlet. For example, to force a refresh of all Group Policy settings for all computers in the Accounting OU of the Contoso.com domain, type the following:

Get-ADComputer –filter * -Searchbase "ou=Accounting, dc=Contoso,dc=com" | foreach{ Invoke-GPUpdate –computer $_.name -force}

You can force an immediate Group Policy refresh for all Group Policy settings for all computers in a single OU when you combine the Get-ADComputer with the Invoke-GPUpdate cmdlet and set the –-RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Accounting OU of the Contoso.com domain, type the following:

Get-ADComputer –filter * -Searchbase "ou=Accounting, dc=Contoso,dc=com" | foreach{ Invoke-GPUpdate –computer $_.name –force –-RandomDelayInMinutes 0}

• Group Policy Overview
  
  
• Group Policy Analysis and Troubleshooting Overview