How to speed up the group policy update process. GPUPDATE: performing a Group Policy update for a user and computer. Configuring an update using the Local Group Policy Editor


Summary: Microsoft Scripting Guy Ed Wilson shows you how to force a Group Policy refresh using PowerShell.

Updating group policy in a domain

Sometimes I make changes to group policy on the network and I need to apply the changes to all computers. And sometimes I need to update the local group policy on my computer.

To update group policy settings, I use the GPUpdate utility. By default, it updates both the computer policy and the user policy, but this can be controlled with the /target parameter. For example, if I only need to update the computer policy, I would specify /target:computer. To update only user policy, I would specify /target:user.

PS C:\> gpupdate /target:computer

Updating policy…

By default, GPUpdate applies only changed Group Policy settings. To apply all settings, use the /force parameter. The following command reapplies all Group Policy settings (regardless of whether they have been changed) for the computer and user.

PS C:\> gpupdate /force

Updating policy…

Computer Policy update has completed successfully.

User Policy update has completed successfully.

First, we get a list of computers in the domain

The first thing I need to do is get a list of all computers in the domain. For this I use the Get-ADComputer cmdlet, which is included in the Active Directory module.

Note: The Active Directory module is part of RSAT.

I store the resulting computer objects in the $cn variable.

$cn = Get-ADComputer -Filter *

Secondly, we create remote sessions

The next thing I need to do is create remote sessions with all the computers. To do this, I need to provide credentials for connecting to the computers, and then create the sessions themselves using the New-PSSession cmdlet.

First, I'll use the Get-Credential cmdlet and store the object it returns in the $cred variable.

$cred = Get-Credential iammred\administrator

$session = New-PSSession -cn $cn.name -cred $cred

Keep in mind that there may be computers in the domain that are powered off, so errors may be returned when you run the command. Despite the errors, Windows PowerShell still creates sessions with the computers that are running.

The presence of a large number of errors may inspire some concern. Since the session objects are stored in the $session variable, I can easily verify that they have been created.

Now run the command on all remote machines

To run the GPUpdate command on all remote machines, I use the Invoke-Command cmdlet. It uses the sessions we saved in the $session variable. The alias for the Invoke-Command cmdlet is icm.

icm -Session $session -ScriptBlock {gpupdate /force}

After running the command, the results are displayed in the Windows PowerShell console.

Group Policy Update Check

When Group Policy settings are successfully updated on a workstation, event ID 1502 is written to the System log. I can use the Invoke-Command cmdlet to get this information.

icm -Session $session -ScriptBlock {Get-EventLog -LogName system -InstanceId 1502 -Newest 1}

The command and its results are shown in the figure below.
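
The whole procedure above (list computers, open sessions, refresh, verify) as one script. This is an added example, not code from the original post; it assumes RSAT is installed and PowerShell remoting is enabled on the targets. It differs from the commands above in two ways: unreachable computers are collected in a list instead of flooding the console with errors, and a 1502 event only counts if it was written after the refresh started, so a stale event from an earlier refresh is not mistaken for success.

```powershell
# Added example: refresh computer policy over PSSessions and confirm it with event 1502.
Import-Module ActiveDirectory

$cred  = Get-Credential                      # prompt rather than hard-coding an account
$names = (Get-ADComputer -Filter *).Name

# Collect connection failures in $sessErr instead of printing one error per machine.
$session = New-PSSession -ComputerName $names -Credential $cred `
    -ErrorAction SilentlyContinue -ErrorVariable sessErr
if (-not $session) { throw 'No remote sessions could be created.' }

$connected   = $session.ComputerName
$unreachable = $names | Where-Object { $_ -notin $connected }

$results = Invoke-Command -Session $session -ScriptBlock {
    $start = Get-Date
    $null  = gpupdate /target:computer /force
    $exit  = $LASTEXITCODE
    # Only accept a 1502 event written after this refresh started.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 1502; StartTime = $start
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExitCode  = $exit
        Refreshed = [bool]$evt
        EventTime = $evt.TimeCreated
    }
}

$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, ExitCode, Refreshed, EventTime
"Unreachable: $($unreachable -join ', ')"

Remove-PSSession $session                    # do not leave authenticated sessions open
```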

Another interesting thing about group policy

Sometimes I have to call tech support and they ask me to update the group policy on my local computer. It's not a problem since I can run GPUpdate straight from PowerShell. The difficulty arises when they ask me to update the group policy 5 times with an interval of 5 minutes. But this is also solved with a single line of code.

1..5 | % {"refreshing GP $(Get-Date)"; gpupdate /force; sleep 300}

Ed Wilson, Microsoft Scripting Guy


The GPUPDATE command is used to update group policies for the user and/or computer.

Format command line:

GPUpdate

Command line options:

/Target:{Computer | User} - Update policy settings for User only or Computer only. If not specified, both policy settings are updated.

/Force - Apply all policy settings. If not specified, only the changed policy settings are applied.

/Wait:value - Timeout (in seconds) for policy processing to complete. The default is to wait 600 seconds. The value "0" means no waiting. The value "-1" means waiting is not limited. If the timeout occurs, the command prompt returns, but policy processing continues.

/Logoff - Log off after updating group policy settings. Required for those Group Policy client-side extensions that do not process policy in the background, but process it only when the user logs on, such as installing programs for the user or redirecting folders. This setting has no effect unless extensions are invoked that require the user to log off.

/Boot - Reboot after applying Group Policy settings. Required for Group Policy client-side extensions that do not process policy in the background, but only process it at startup, such as computer software installations. This setting has no effect unless extensions are called that require a system restart.

/Sync - The next foreground application of the policy must be performed synchronously. Foreground policy application occurs when the computer is restarted or when the user logs on. You can use this option for the user, computer, or both by specifying the /Target option. The /Force and /Wait options, if specified, are ignored.

Examples of using:

gpupdate /? - display help for using the command.

gpupdate - computer policies and user policies are updated. Only the changed policies are applied.

gpupdate /Target:computer - policies are updated only for the computer.

gpupdate /Force - all policies are updated.

gpupdate /boot - group policies are updated and the computer is restarted.

The Windows 10 update policy setting controls how Windows 10 receives updates. In Windows 10, the Windows Update settings have been moved from Control Panel to Settings. Windows 10 doesn't have the settings that were in the Control Panel, and so there's no way there to turn off updates or choose how you get them. However, using the Registry Editor and the Local Group Policy Editor, you can disable updates and set how you receive them.

Configuring updates using the Local Group Policy Editor

Launch the Local Group Policy Editor: press WIN+R, enter gpedit.msc in the Run window, and click OK.

Windows 10 Update Group Policy

Go to Computer Configuration - Administrative Templates - Windows Components - Windows Update. Click the last item, Windows Update, then on the right side find the Configure Automatic Updates item and change its settings.


Configuring Windows 10 Updates Group Policy

To do this, in the window that opens, select the Enabled option at the top, and then set the update settings below. Click OK. Then, for the settings you made to take effect, open Settings - Update & Security - Windows Update and press the Check for updates button.


After you've finished configuring Windows 10 policies, run the update

After that, the settings you made in the Local Group Policy Editor will take effect.

Configuring updates using the Registry Editor

Launch the Registry Editor: press WIN+R, enter the command regedit in the Run window that opens, and click OK.


Open the Registry Editor and create four settings there to manage Windows 10 updates

In the left part of the editor window that opens, expand HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows. Right-click the last item, Windows. In the context menu that opens, choose New - Key. Name the new key WindowsUpdate.
Then right-click the newly created WindowsUpdate key and create another key inside it, named AU.
Then right-click the newly created AU key and select New - DWORD (32-bit) Value in the menu that opens. The newly created parameter will appear on the right side of the window; name it AUOptions. In the same way, right-clicking the AU key, create three more parameters and name the first one NoAutoUpdate, the second ScheduledInstallDay, and the third ScheduledInstallTime (optionally also NoAutoRebootWithLoggedOnUsers). Now you need to change the value of these four new parameters.

For the AUOptions parameter

  • 2 - Receive a notification before installing and downloading any updates.
  • 3 - Automatically receive updates and notifications about their preparation for installation.
  • 4 - Automatically receive and install updates according to a specified schedule.
  • 5 - Allow local administrators to choose the update mode and notifications themselves.

For the NoAutoUpdate parameter

  • 0 - Automatic installation of updates is enabled; updates will be downloaded and installed depending on the settings made in the AUOptions parameter.
  • 1 - Automatic installation of updates is disabled.

For the ScheduledInstallDay parameter

  • 0 - updates will be installed daily if the AUOptions parameter is set to 4.
  • 1 - updates will be installed every Monday if the AUOptions parameter is set to 4.
  • 2 - updates will be installed every Tuesday if the AUOptions parameter is set to 4.
  • 3 - updates will be installed every Wednesday if the AUOptions parameter is set to 4.
  • 4 - updates will be installed every Thursday if the AUOptions parameter is set to 4.
  • 5 - updates will be installed every Friday if the AUOptions parameter is set to 4.
  • 6 - updates will be installed every Saturday if the AUOptions parameter is set to 4.
  • 7 - updates will be installed every Sunday if the AUOptions parameter is set to 4.

For the ScheduledInstallTime parameter

A value from 0 to 23 sets the hour at which updates will be installed. It applies when the AUOptions parameter is set to 4.

For the NoAutoRebootWithLoggedOnUsers setting

  • 0 - When the updates are installed, the computer will automatically restart. It applies when the AUOptions parameter is set to 4.
  • 1 - After the installation of updates is completed, the computer will not automatically restart. It applies when the AUOptions parameter is set to 4.
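
The registry steps above can also be scripted. The following is an added example, not part of the original article: Set-AUPolicy is a hypothetical helper name, the value ranges are the ones listed above, and it must be run from an elevated PowerShell prompt. Out-of-range values are rejected before anything is written, and the key is read back at the end so the result can be checked.

```powershell
# Added example: write the Windows Update policy values described above and read them back.
function Set-AUPolicy {
    param(
        [ValidateSet(2, 3, 4, 5)] [int] $AUOptions = 4,
        [ValidateSet(0, 1)]       [int] $NoAutoUpdate = 0,
        [ValidateRange(0, 7)]     [int] $ScheduledInstallDay = 0,
        [ValidateRange(0, 23)]    [int] $ScheduledInstallTime = 3,
        [ValidateSet(0, 1)]       [int] $NoAutoRebootWithLoggedOnUsers = 1
    )
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Create the WindowsUpdate and AU keys only if they are missing,
    # so values already present under an existing key are not wiped.
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

    $values = [ordered]@{
        AUOptions                     = $AUOptions
        NoAutoUpdate                  = $NoAutoUpdate
        ScheduledInstallDay           = $ScheduledInstallDay
        ScheduledInstallTime          = $ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $NoAutoRebootWithLoggedOnUsers
    }
    foreach ($v in $values.GetEnumerator()) {
        # Each parameter is stored as a 32-bit DWORD, as in the manual steps.
        New-ItemProperty -Path $au -Name $v.Key -Value $v.Value `
            -PropertyType DWord -Force | Out-Null
    }

    # Read back what is actually stored in the registry.
    Get-ItemProperty -Path $au | Select-Object @($values.Keys)
}

# Scheduled install (AUOptions 4), daily (0), at hour 3, no automatic restart.
Set-AUPolicy -AUOptions 4 -ScheduledInstallDay 0 -ScheduledInstallTime 3
```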

In this article, we will show you a simple way to remotely update group policies on clients (computers and servers) in an Active Directory domain without needing to access the remote machine's console and without using the gpupdate command.

One of the hardest problems in AD group policy management is testing policies on the fly, without rebooting the computer or accessing the local computer and running the .

The Remote Group Policy Update feature provides the ability to use a single GPO management console (GPMC.msc) to create, modify, apply, and test group policies.

Group Policy remote update functionality first appeared in Microsoft Windows Server 2012; in all subsequent versions (Windows Server 2016, Microsoft Windows 10), this functionality and its stability have been gradually improved.

Requirements for Remote Group Policy Update to work:

Server environment requirements:

  • Windows Server 2012 and above
  • Or Windows 10 with RSAT (management tools) installed

Requirements for clients:

  • Windows 7 and above

Requirements for network interaction (firewalls) between server and clients

  • TCP Port 135 must be open
  • The Windows Management Instrumentation (WMI) service must be enabled
  • The Task Scheduler service

If your environment meets these requirements, open the Group Policy Management Console (GPMC.msc) and select the OU (container) that holds the target computers on which you want to force a GPO update.

Right-click the desired container and select the Group Policy Update item.

The window that opens will display information about the number of objects in this OU on which the GPO will be updated. Click the "Yes" button to confirm the action.

In the Remote Group Policy update results window, you will see the status of the policy update, as well as the status of this operation (success / error, error code). Naturally, if a computer is turned off, or access to it is restricted by a firewall, a corresponding error will appear.

After GPO changes, it takes some time (90 minutes +/- 30) for them to spread to other systems. If they needed to be applied urgently, the admin logged on to the remote system and executed the "gpupdate" command. With a large number of PCs this took some time, and the process itself was inconvenient. Now you can forget about it. In the Group Policy Management Console (GPMC), the context menu of the domain and of an OU has a new item, "Group Policy Update", which allows you to update policies on systems starting with Windows Vista / 2008 with two mouse clicks. After the task is activated, a list of computers and logged-on users is obtained, after which the task "Gpupdate.exe /force" is scheduled. To avoid network congestion, it will run with a random delay of 0-10 minutes. The result of the task execution is displayed in a separate window; the success of the update can be determined using the Resultant Policy Wizard.
The new function also received its own cmdlet, Invoke-GPUpdate, which allows you to update the GP remotely and provides even more features than GPMC. By the way, 27 cmdlets are now responsible for group policies, one more than before (to get the full list, enter "Get-Command -Module GroupPolicy").
To immediately update policies on a specific system, just run:

PS> Invoke-GPUpdate -Computer <computer name>

The additional parameter -RandomDelayInMinutes lets you set a delay interval, which is useful if the command will be executed on multiple systems.
Most importantly, in the GPMC console you can only select an OU; a separate container for computers cannot be selected there. This is where Invoke-GPUpdate comes to the rescue: together with the Get-ADComputer cmdlet, it allows you to select systems by any criterion:

PS> Get-ADComputer -Filter * -SearchBase "cn=computers,dc=example,dc=org" | foreach { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 5 }

Another important point: on client systems, you need to open several firewall ports. To make life easier for the admin, Microsoft added 2 new Starter GPOs (to the 8 available) that let you quickly create and distribute the desired settings:

- Firewall ports for remote group policy updates;
- Firewall ports for Group Policy reporting.

Their purpose is clear from the name. We are interested in the first. It is recommended that you create a new GPO and move it to the top of the link order, thus giving it a higher priority than the default domain GPO.
The process is simple. Select the domain and select "Create a GPO in this domain" from the menu. In the window that appears, enter a name and select "Firewall ports for remote group policy update" from the list. Alternatively, you can use PowerShell.
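
One way to do the same with PowerShell, as an added example that is not part of the original article. It assumes the English display name of the Starter GPO ("Group Policy Remote Update Firewall Ports"), the example.org domain used in the commands above, and a constructed GPO name; it checks that the Starter GPO exists before creating anything and then lists the link order so the priority can be confirmed.

```powershell
# Added example: create the firewall GPO from its Starter GPO and link it with top priority.
Import-Module GroupPolicy

$domainDn = 'dc=example,dc=org'                          # domain from the page's examples
$starter  = 'Group Policy Remote Update Firewall Ports'  # assumed English display name
$gpoName  = 'Remote GPUpdate firewall ports'             # constructed name for the new GPO

# Fail early if the Starter GPO is not available in this domain.
$null = Get-GPStarterGPO -Name $starter -ErrorAction Stop

# Create the GPO from the Starter GPO and link it at the domain with link order 1,
# which gives it precedence over the Default Domain Policy.
New-GPO -Name $gpoName -StarterGpoName $starter |
    New-GPLink -Target $domainDn -LinkEnabled Yes -Order 1

# Confirm the resulting link order and state.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled
```

Linking the GPO to the OU that holds the managed computers, instead of the domain root, limits the inbound firewall rules to the machines that actually need remote refresh.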


