GPUpdate - How to Update Group Policy on Remote Computers

Group Policy is a feature in Microsoft Windows. It is responsible for the management and configuration of operating systems and applications. Normally, Group Policy is updated periodically every 90 minutes. In addition, the Group Policy is automatically refreshed when the computer is restarted.

If you are a system administrator, you may have noticed that not all users are technologically proficient. So, you may need to GPUpdate force remote compute. There are instances when you need to make modifications or create new GPOs (Group Policy Objects) and have them take effect instantly.

Now, let's take a look at 6 methods that can be used to remotely update Group Policy:

How to Update Group Policy on Remote Computers

Administrators typically leverage Group Policy to enforce security settings and apply settings across many computers within a domain.

It is done for all systems within a domain. The purpose is to make all computers adhere to the latest security protocols and functionality.

Next, let's explore in detail the method of manually updating the Group Policy on the computer:

Method 1: Using GPMC

The Group Policy Management Console (GPMC) is an essential tool for managing Group Policy settings across a domain. It provides a centralized platform for the administration of operating systems, user settings, and applications within an Active Directory environment.

GPUpdate may be launched on distant systems using the Group Policy Management interface. This approach is compatible with Windows 2012 or later. You can apply a group policy change to a single OU or many OUs.

First, you need to configure firewall rules on each client that will be managed using remote Group Policy refresh.

Configure Firewall Rules

Step 1: Locate the domain in the GPMC console for which you want to enable remote Group Policy refresh. Right-click the selected domain and click "Create a GPO in this domain, and link it here..."

Step 2: In the "New GPO" window that opens, fill in the name of the new Group Policy object under "Name". In the "Source Starter GPO" list, select the "Group Policy Remote Update Firewall Ports" Starter GPO that you want to use to create a new Group Policy object and click "OK."

Step 3: Click on the domain you selected and go to the "Linked Group Policy Objects" tab in the right pane. Select the GPO you just created and click the up arrow until the GPO is listed above the "Default Domain Policy."

Force Group Policy Update

After remotely creating a GPO from GPMC and updating the firewall port, you can easily use GPMC to update the Group Policy on the remote computer. Follow the steps below:

Step 1: Launch GPMC and locate the OU of the computer you want to update. Right-click on it and select the "Group Policy Update" option.

Step 2: Then a "Force Group Policy Update" window will pop up, where you can see the number of computers to which the action will be applied. Please click "Yes."

Step 3: After running a forced update, it will generate a report to show which devices were updated successfully and which failed.

Method 2: Using Command Prompt

The Command Prompt provides a direct and simple way to execute the "GPUpdate" command, which forces Group Policy updates on local or remote machines.

Basic Command: The "GPUpdate" command without any parameters will refresh Group Policy settings without clearing the cache. This applies changes made to policies since the last update cycle.

Force Update Command: gpupdate /force

This command forcibly re-applies all Group Policy settings. It does not consider any previously downloaded settings. This is useful when policy settings have been changed and need to be immediately applied without waiting for the next refresh cycle.

Target Specific Configuration Command: gpupdate /target:computer /force

This variant of the "gpupdate" command targets computer configuration policies. It forces computers to update immediately. This is particularly useful when changes are made to computer-level settings such as security settings or software installation policies.

Method 3: Using PowerShell

PowerShell provides advanced capabilities for managing Group Policy through the "Invoke-GPUpdate" cmdlet. It can be used to initiate remote Group Policy updates. It means it will provide more control than the Command Prompt.

The following is the basic Group Policy Update command:

Invoke-GPUpdate -Computer "ComputerName" -RandomDelayInMinutes 0 -Target "User"

If you want to target a specific computer, this method is for you. This command remotely triggers a Group Policy update for user settings on the specified computer.

Note : If the Target parameter is not specified, the user and computer policy settings are refreshed.

The "RandomDelayInMinutes 0" parameter ensures that the update occurs immediately without any delay. It is used when it’s important to update policy immediately.

You can use PowerShell to execute the Invoke-GPUpdate command on multiple computers as well.

The commands below will reach out to every computer in the AD domain, store them in a variable, and then apply the command to each object in that variable:

$computers = Get-ADComputer -Filter *

$computers | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}

Method 4: Using PsExec

PsExec is a part of the Sysinternals Suite developed by Microsoft. It is a versatile tool that allows administrators to run processes on remote systems. It is particularly useful for interacting with older clients that may not support newer remote management technologies.

Tips : You can download PsTools from the Microsoft website.

The method utilizes a built-in command on computers called "gpupdate." To force an immediate update of group policies on the local computer, use the command:

gpupdate /force

The /force parameter ensures that all policies (not just new ones) are updated.

However, if you need to update multiple computers, it can be cumbersome to manually update each computer individually. You can use the following command:

PsExec \\ComputerName gpupdate

This command uses PsExec to execute the "gpupdate" command on a remote computer identified by "ComputerName." Simply replace "Computername" with the actual hostname of the computer you wish to update. It triggers a refresh of the Group Policy settings and the latest policies will be applied.

Method 5: Using SCCM

System Center Configuration Manager (SCCM) is also known as ConfigMgr. It is a Microsoft software management suite that allows administrators to manage the provisioning and updating of software across a wide range of Microsoft platforms.

SCCM has integrated capabilities for running PowerShell scripts, not only for software distribution, but also for enforcing Group Policy updates across numerous systems.

How to Update Group Policy Using SCCM

Step 1: Navigate to "Software Library" > "Overview" > "Scripts" and create a new script.

Step 2: In "Script Details", fill in the name, description, and language of the script, and then enter the script in the form "gpupdate /force." Click "Next."

Step 3: Select the new GPUpdate script you just created and approve it.

Step 4: Right-click on the computer or collection of computers you want to perform the action, and click "Run Script."

Step 5: In "Run Script", select the new "Group Policy Update" script you just created. Click "Next."

Step 6: The script now runs the Group Policy Refresh script on the computer of your choice and displays the results in the Script Status Monitoring window.

Method 6: Using Third-Party Software

To execute GPUpdate remotely on multiple computers, you can also choose a third-party application such as Specops Gpupdate.

Specops Gpupdate is a tool that allows you to remotely manage any number of computers, extending the functionality of Active Directory users and computers with features such as refreshing Group Policy settings and booting remote systems.

How to Use

When you select the desired computer or object and open the application, you can execute five built-in commands, including GPUpdate.

After executing the GPUpdate command, the application will pop up a results window to show the number of successful or failed computers.

Tried to Solve: Unable to Force Group Policy Update

When you encounter difficulties while attempting to force a Group Policy update on remote computers, several troubleshooting steps can help identify and resolve the issues. Understanding these potential obstacles can streamline the process of ensuring that policies are applied correctly across your network.

Check DNS Resolution

Proper DNS resolution is crucial for networked devices to communicate effectively with domain controllers where Group Policy objects are managed.

Ensure that the DNS settings on remote computers correctly point to the domain controller as the primary DNS resolver.

Use "nslookup" or "ping" to test the ability of remote computers to resolve the domain controller’s address. If there are resolution issues, it could prevent GPUpdate commands from executing successfully.

Check Event Logs

Event logs provide insights into the operations of Windows systems, including successes and failures of Group Policy updates. On the affected remote computer, open the Event Viewer and navigate to the Windows Logs > System logs.

Look for Event IDs like 1058 and 1030 that specifically pertain to Group Policy issues. These logs can provide clues as to why a Group Policy update did not apply successfully.

Check Administrative Rights

Administrative privileges are required to run many system-level commands, including those that force Group Policy updates.

Ensure that the account used for initiating the GPUpdate has administrative rights on the target computer. When using command line tools, ensure they are executed with administrative privileges by right-clicking and selecting "Run as administrator".

Check Network Connections

A stable network connection is essential for managing and applying Group Policy updates, especially when dealing with remote computers.

Check that the remote computer has an active and stable connection to the network. Use tools like "ping" or "tracert" to verify network paths and connectivity to the domain controller.

Check Firewall Rules

Firewalls can block the ports and protocols used by Group Policy management tools, preventing updates from being received and applied.

Ensure that any firewall between the remote computers and the domain controller allows traffic on the necessary ports for Group Policy (typically TCP ports 135, 389, and potentially others depending on configuration).

Make sure that services like Remote Procedure Call (RPC) and Windows Management Instrumentation (WMI) are allowed through the firewall.

Wrapping Up!

GPUpdate remote computer is a necessity for organizations. Troubleshooting Group Policy update issues effectively requires a methodical approach to identifying and resolving problems.

You can run GPUpdate on a remote computer by following the different steps given above. It will help you to maintain operational efficiency and security.