Last Update: Apr 28, 2023 | Published: Jun 13, 2022
With GPUpdate, administrators can update Group Policy settings from a central location and set configuration settings for computers in an Active Directory domain. In this guide, I’ll show you how to use GPUpdate to refresh local and Active Directory–based Group Policy settings.
I can’t tell you (accurately) how many times I have typed ‘gpupdate /force’ at an administrative Command Prompt. It must be between 750 and 1000 times. No, really!
But, why is this command so popular, you may be wondering? And why is it absolutely essential for IT pros to understand what it is and how it can save you a LOT of time, not waiting around for regular group policy update intervals?
Read on to get all your questions answered.
To force Windows to reapply all user and computer Group Policy settings, regardless of whether they have changed, use GPUpdate as shown here:
gpupdate /force
For more details on how to use GPUpdate, keep reading!
‘GPUpdate’ is short for Group Policy update. It is a command-line tool used to update the group policy on a local or remote computer in an Active Directory domain environment.
After you make changes in the Group Policy Management Console, GPUpdate is a nice and quick tool to run on a client or server machine to verify whether the settings are being applied correctly in the domain and on the computer itself.
It’s important to remember that Group Policy Objects (GPOs), which are a virtual collection of policy settings, almost exclusively just update the registry on a computer.
So, after you’ve added a new GPO or modified one or two, even updated the Windows Management Instrumentation (WMI) filter on a GPO to target specific Windows 10 versions, you’re ready to see if your client machines received the updated configuration. That’s where using GPUpdate can be your silver bullet.
The prerequisites for using GPUpdate are rather straightforward, but let’s go through them for completeness:
So, like me and I’m sure many other IT Pros, you’ve probably been using ‘gpupdate /force’ more often than just ‘gpupdate’. What’s the difference? Well, let me explain.
Running ‘gpupdate’ will update only GPOs that are new or have changed since Group Policy was last checked on the computer or server.
When you add the /force switch, it forces the Group Policy client to contact the closest domain controller, read ALL applicable GPOs for the user/computer, and process them all, regardless of whether the machine ‘needs to’ or not. This is why this switch is so useful in troubleshooting, especially on more tricky or finicky GPO settings.
In larger environments, processing Group Policy can take a long time. There are many variables that are taken into account when running GPUpdate.
If your environment is small, it could take only seconds to process all GPOs on a computer. However, in larger organizations, I’m sure there are hundreds (if not thousands) of GPOs that could potentially apply to a user or computer.
Granted, there would probably be a single configuration item in each GPO, but still. Running through a thousand GPOs, you may want to save some time.
So, if you are working on a user-specific setting or a computer-specific setting, you can use the /target switch to tell GPUpdate to process only the respective section of the GPO: user or computer.
To target only the ‘user’ settings with GPUpdate, use the following command:
gpupdate /target:user
To target only the ‘computer’ settings and use the /force switch to make sure all settings are checked, use the following command:
gpupdate /target:computer /force
When working with certain GPO settings, especially client-side settings that can’t be run while a user is logged in, you can use the /logoff switch to automatically have GPUpdate process the GPOs and then log off the user after processing is complete.
Here’s the command you need to use:
gpupdate /target:user /logoff
In a similar fashion, some computer settings need a reboot to take effect; use the /boot switch like so:
gpupdate /target:computer /boot
If you want to force the policy processing to run synchronously, use the /sync switch. Here are the details from Microsoft documentation.
The /sync flag causes the next foreground policy application to be done synchronously. Foreground policy is applied at computer boot and user logon. You can specify this for the user, computer, or both, by using the /target parameter. The /force and /wait parameters are ignored if you specify them.
Checking updates to Group Policy on a local computer or server is one thing, but what if you have a few hundred computers you want to quickly update Group Policy on in an efficient manner?
Well, that’s where PowerShell and the Invoke-GPUpdate cmdlet come in. This allows you to run a remote group policy update, en masse.
To update a single computer remotely and check only the ‘User’ settings, run the following command:
Invoke-GPUpdate -Computer "TestComputer01" -Target "User"
If you have a new GPO targeting a single OU, you probably want to blanket all the computers/servers in that OU. In that case, use the following command:
Get-ADComputer -filter * -Searchbase "OU=TestOfficeUsers,DC=reinders,DC=local" | foreach{ Invoke-GPUpdate -computer $_.name -force}
Pretty slick, huh? There are quite a few moving pieces here, so let me go through what’s happening:
Well, now we get to another pretty cool command, a boon for when you need to carefully test or roll out changes to your servers. Here it is:
Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' } | foreach{ Invoke-GPUpdate -computer $_.name -RandomDelayInMinutes 10 -force}
Awesome!
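The one-liners above print any errors to the console and move on, so on a large run it is easy to miss the machines that never got the refresh. The following is an added example, not code from the original article, that records a per-host result; the OU is the article's sample value and the output file name is an assumption.

```powershell
# Added example: remote Group Policy refresh with per-host result tracking.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

# Sample OU from the article; replace with your own.
$searchBase = 'OU=TestOfficeUsers,DC=reinders,DC=local'

# Skip disabled computer accounts so they do not show up as failures.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase

$results = foreach ($c in $computers) {
    $status = 'Scheduled'
    $detail = ''
    $params = @{
        Computer             = $c.Name
        Target               = 'Computer'
        Force                = $true
        RandomDelayInMinutes = 10        # spread the load on the DCs
        ErrorAction          = 'Stop'    # turn errors into catchable exceptions
    }
    try {
        # Invoke-GPUpdate schedules gpupdate on the remote machine and returns;
        # success here means "task scheduled", not "policy applied".
        Invoke-GPUpdate @params
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Computer = $c.Name
        Status   = $status
        Detail   = $detail
    }
}

# Summary on screen, and the failures saved for follow-up (file name is an assumption).
$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results | Where-Object Status -eq 'Failed' |
    Export-Csv -Path .\gpupdate-failed.csv -NoTypeInformation
```

Hosts listed as Failed are usually offline or blocking the remote scheduled-task call; for a security-relevant GPO, confirm the setting on a sample of the Scheduled hosts with gpresult rather than assuming it landed.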
To finish off this guide, let me give you a refresher on how often Group Policy is applied and how you can change the various intervals throughout your domain.
First, a Group Policy update occurs when a computer boots and after a user logs in; it is then refreshed in the background every 90 minutes plus a random offset of 0 to 30 minutes. So, as long as a client machine is on the network and has access to your DCs, it will never be more than two hours ‘out of date’ (domain controllers update Group Policy changes every 5 minutes).
If you want to change the refresh interval for computers, go ahead and open the local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration -> Administrative Templates -> System -> Group Policy. Access the following setting: Set Group Policy refresh interval for computers
This setting establishes the update rate for computer Group Policy. Enable the policy and set the time for the following options.
To set an update rate for user policies, navigate to User Configuration -> Administrative Templates -> System -> Group Policy. Access this setting:
Set Group Policy refresh interval for users
You can then change the range between refresh intervals from 0 minutes to 44640 minutes (Yep…31 days…).
Next, you can alter the random interval, too, from between 0 minutes and 1440 minutes (24 hours). I recommend staying away from the extremes.
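To see which refresh window a machine is actually using, you can read the values these two policies write to the registry. This is an added example, not part of the original article; the function name is hypothetical, and the registry value names are the ones the refresh-interval policies set, not something shown on this page.

```powershell
# Added example: report the Group Policy refresh window in effect.
# If the policy is not configured, the registry values are absent and the
# defaults described above apply (90 minutes plus a 0-30 minute offset).
function Get-GpRefreshWindow {          # hypothetical helper name
    param(
        [ValidateSet('Computer', 'User')]
        [string]$Scope = 'Computer'
    )

    # Computer policy lands in HKLM, user policy in HKCU.
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Policies\Microsoft\Windows\System"
    $p    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $hasInterval = ($null -ne $p) -and ($null -ne $p.GroupPolicyRefreshTime)
    $hasOffset   = ($null -ne $p) -and ($null -ne $p.GroupPolicyRefreshTimeOffset)

    $interval = if ($hasInterval) { [int]$p.GroupPolicyRefreshTime } else { 90 }
    $offset   = if ($hasOffset)   { [int]$p.GroupPolicyRefreshTimeOffset } else { 30 }

    [pscustomobject]@{
        Scope            = $Scope
        SetByPolicy      = $hasInterval -or $hasOffset
        IntervalMinutes  = $interval
        MaxOffsetMinutes = $offset
        # Longest gap between two background refreshes on this machine.
        WorstCaseMinutes = $interval + $offset
    }
}

'Computer', 'User' |
    ForEach-Object { Get-GpRefreshWindow -Scope $_ } |
    Format-Table -AutoSize
```

WorstCaseMinutes is the longest a changed setting can wait for the next background refresh on that machine, which is the number to keep in mind when you roll out a security-related GPO without forcing an update.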
It’s fascinating to me when I dig into the documentation for some of these everyday commands to discover all the new switches, flags, etc. that I never knew existed. Honestly, I wasn’t aware that you could issue the GPUpdate command to a thousand servers from a single command/script using PowerShell. That would have helped me in my prior IT pro lives, let me tell you.
Please feel free to leave a comment or question below. Thank you!