Windows - Force a Remote Group Policy Refresh with GPUpdate, Invoke-GPUpdate or GPMC

How to force the update / refresh of the local Group Policy settings of an Active Directory Windows Client using either the GPMC, the GPUpdate command-line tool or PowerShell

A few days ago we published an article explaining how to disable file copy through RDP using Group Policy for all the Windows clients within the same Active Directory forest. In this post we'll briefly explain how to force an update of those Group Policies - as well as any other Group Policy which has been globally set up at the Domain Controller level - on any single Windows client machine using either the Group Policy Management Console (GPMC), the GPUpdate command-line tool or a single PowerShell script.

Introduction

In a typical Windows Server environment the Group Policy settings can be refreshed in the following ways:

  • Using the GPUpdate command-line tool from any Windows Client Machine: this tool can be effectively used to refresh the Group Policy of a single computer.
  • Using the Invoke-GPUpdate Windows PowerShell cmdlet to refresh Group Policy for a given set of computers; this method is great for refreshing the Group Policy on multiple clients at the same time, including those that are not within the OU structure (such as the clients located in the default Computers container); it's also very versatile, since it can be launched from the client machine (local update) or from the domain controller (remote update).
  • Using the Group Policy Management Console (GPMC) to globally refresh all computers in an organizational unit (OU) from one central location. This is the way to go to refresh the Group Policy on all clients using a remote update strategy, thus mimicking the most powerful behaviour of the aforementioned Invoke-GPUpdate cmdlet.

In the next paragraphs we'll see how we can effectively use those three methods to achieve our desired result.

GPUpdate.exe (CMD)

The GPUpdate command-line tool is what we should use whenever we need to refresh the Group Policy on a single Windows client machine.

To use it, perform the following steps:

  • Open a command-line prompt (with administrative rights)
  • Type the following command: GPUpdate /force

That's it.

For additional info about this method, take a look at the Force a Remote Group Policy Refresh (GPUpdate) post from Microsoft docs.

Invoke-GPUpdate (PowerShell)

The Invoke-GPUpdate PowerShell cmdlet is the way to go when we need to issue or schedule a remote Group Policy refresh on one or multiple computers from the Domain Controller (instead of doing that from the client machine, as the previous method required).

Here's how the cmdlet can be used to refresh the Group Policy on a single remote computer:

The Invoke-GPUpdate PowerShell cmdlet can also be used to refresh the Group Policy for all the computers in the Computers container. However, in order to do that, we'll also need to use the Get-ADComputer cmdlet to obtain the list of computers in the Computers container: once we do that, we can supply the name of each computer that is returned to the Invoke-GPUpdate cmdlet.

Here's a working example that will force a refresh of all Group Policy settings for all computers in the Computers container for the Contoso.com domain:

Needless to say, the Invoke-GPUpdate cmdlet can also be used to refresh the Group Policy from the Windows client, thus mimicking the behaviour of the previously mentioned GPUpdate.exe command-line tool. To use it in this way, just execute the cmdlet without parameters in the following way:
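
The three Invoke-GPUpdate uses described in this section (a single remote computer, every computer in the Computers container, and a local refresh) are shown here as an added PowerShell example; it is not the code from the original post. The host name CLIENT-01 and the helper name Invoke-ContainerGPUpdate are constructed for illustration, and the ActiveDirectory and GroupPolicy modules (RSAT) are assumed to be installed.

```powershell
# Added example. 'CLIENT-01' and Invoke-ContainerGPUpdate are constructed names.
Import-Module ActiveDirectory   # provides Get-ADComputer
Import-Module GroupPolicy       # provides Invoke-GPUpdate

# 1) Refresh Group Policy on a single remote computer.
#    -RandomDelayInMinutes 0 runs the refresh as soon as the task is scheduled.
Invoke-GPUpdate -Computer 'CLIENT-01' -Force -RandomDelayInMinutes 0

# 2) Refresh every computer in the default Computers container of Contoso.com,
#    recording per-host whether the refresh could be scheduled.
function Invoke-ContainerGPUpdate {
    param(
        [string]$SearchBase = 'CN=Computers,DC=contoso,DC=com'
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $name = $_.Name
        try {
            # -ErrorAction Stop turns an unreachable or blocked host into a
            # catchable error instead of a warning that scrolls past.
            Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            [pscustomobject]@{ Computer = $name; Scheduled = $true;  Error = $null }
        }
        catch {
            [pscustomobject]@{ Computer = $name; Scheduled = $false; Error = $_.Exception.Message }
        }
    }
}

$results = Invoke-ContainerGPUpdate

# Scheduled = $true only means the remote refresh task was created;
# it does not prove the policy was applied on that client.
$results | Where-Object { -not $_.Scheduled } | Format-Table -AutoSize

# 3) Local refresh from the client itself (no parameters).
Invoke-GPUpdate
```

Hosts listed with Scheduled = False are the ones still running the old policy and worth following up on individually.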

For additional info about the Invoke-GPUpdate cmdlet, refer to the Invoke-GPUpdate guide from Microsoft docs.

Group Policy Management Console (GPMC)

Last but not least, let's see how we can take advantage of the Windows Server Group Policy Management Console (GPMC) to issue a Group Policy refresh for all the clients registered within the Organizational Unit.

  • Launch the Group Policy Management Console (GPMC).
  • In the GPMC console tree, locate the OU for which you want to refresh Group Policy for all computers. It's worth noting that Group Policy will also be refreshed for all computers that are located in the OUs contained in the selected OU.
  • Right-click the selected OU, and click Group Policy Update.
  • Click Yes in the Force Group Policy update dialog box.

Performing the above tasks will have the same effect as running GPUpdate.exe /force from the command line on all the Windows clients individually.

The Remote Group Policy update results window displays only the status of scheduling a Group Policy refresh for each computer located in the selected OU and any OUs contained within the selected OU: the success or failure of the actual Group Policy refresh for each computer won't be shown.

Conclusions

We hope that this tutorial will be useful enough for those System Administrators who are looking for a way to locally or remotely force the update of the Group Policy of their Windows clients.

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010, also a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
