Imagine that the security expert who manages your firewalls and proxy servers contacts you by phone with an urgent matter. They inform you that they have created a supplementary proxy server for people who are going to be accessing the internet. You create a new GPO that applies to all users so that they can access the newly installed proxy server using Internet Explorer.
It takes anything from 90 to 120 minutes for a new GPO to be implemented. However, you need the new settings to be applied immediately, and you cannot advise your users to log off and log back in for the adjustments to take effect. In circumstances such as these, you might want to skip the typical waiting period that occurs before background policy processing begins. You can accomplish this with the command prompt, the Group Policy Management Console (GPMC), or PowerShell.
Forcing a Group Policy Update using the Command Prompt
Your first choice is to execute a straightforward command that tells the client to bypass the typical background processing interval and immediately update any GPOs that have been added, modified, or deleted on the server. However, you need to physically go to each user machine and run the gpupdate command to refresh the Group Policy object, and you must repeat this manually whenever another GPO is added or modified.
It is important to keep in mind that to refresh both the User and the Computer half of the Group Policy objects, you must use the gpupdate command without any arguments. Use this syntax to update only one half or the other:
gpupdate /Target:Computer
gpupdate /Target:User
When gpupdate is run on a computer while a user is signed in to that system, Windows receives the updated GPO settings immediately (assuming, of course, that the domain controller has the replicated GPO information).
Because Fast Boot is enabled by default in Windows XP and subsequent versions, the processing of Software Distribution and Folder Redirection settings is delayed until the next time the user logs on. If you apply the appropriate options, gpupdate will be able to determine if newly modified items need a logoff or a reboot to become active:
- If the user executes gpupdate with the /Logoff switch, the command will determine whether or not a policy change in Active Directory needs the user to log off. If not, the new settings will be implemented immediately; if so, the user will be automatically logged off, and the Group Policy settings will be applied when they log back in.
- In a similar vein, if Fast Boot is enabled, a restart is necessary to apply GPOs that include Software Distribution settings. If you run gpupdate with the /boot switch, it will determine whether or not a policy contains something that requires a restart of the machine, and it will then do the restart for you. The GPO settings are implemented, but the user is allowed to stay signed in if the revised GPO does not necessitate a restart of the computer.
The /Logoff and /boot switches are both optional.
The discussion up to this point is solely applicable to newly created GPOs and changes to previously existing ones. On the other hand, there are situations when you might wish to apply all GPOs to a machine, not only the GPOs that have been updated or newly created, but also the older ones. If this is the case, you will need to run gpupdate with the /force switch applied, as seen below:
gpupdate /force
The /force switch can also be combined with the following switches:
- /Logoff: logs the user off after the Group Policy settings have been updated.
- /Sync: makes the next foreground policy application (computer startup and user logon) synchronous.
- /Boot: restarts the computer after the Group Policy settings have been applied.
Forcing a Group Policy Update using the Group Policy Management Console
As an alternative to the command-line tools, you can use the Group Policy Management Console (GPMC) to force an update of the Group Policy. Since Microsoft Windows Server 2008, GPMC has been included in all editions of Windows Server; it is also available through the installation of Remote Server Administration Tools (RSAT).
Follow these easy procedures to compel the application of a GPO:
- Open.
- Connect the GPO to an existing OU.
- Select “Group Policy Update” from the context menu that appears after right-clicking the OU.
- In the dialogue box titled “Force Group Policy Update,” confirm the operation by clicking the “Yes” button.
Forcing a Group Policy Update using PowerShell
On Windows Server 2012 and later, the PowerShell cmdlet Invoke-GPUpdate can trigger a refresh of the Group Policy. This cmdlet can be used to perform a remote update of Group Policy on Windows client PCs. Both PowerShell and the Group Policy Management Console need to be installed on your system before you can proceed.
The following example uses this cmdlet to prompt an instant update of Group Policy on a specific machine:
Invoke-GPUpdate -Computer WKS0456 -RandomDelayInMinutes 0
The -RandomDelayInMinutes 0 option guarantees that the policy is updated immediately. The only drawback to using this argument is that it causes a pop-up command prompt to appear for the users.
Run the following commands to force a Group Policy update on all machines:
# Retrieve every computer account in the domain
$compgpoupd = Get-ADComputer -Filter *
# Trigger an immediate Group Policy refresh on each computer
$compgpoupd | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}
This piece of code will retrieve all of the computers in the domain, save them in a variable, and then execute the commands for each object individually.
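The following is an added example, not part of the original article: a scoped variant of the loop above that limits the refresh to the enabled computers in one OU, skips machines that do not answer a ping, and returns a per-machine result so failures are visible. The OU distinguished name and the function name Update-OuGroupPolicy are hypothetical, and the ActiveDirectory and GroupPolicy modules (RSAT) are assumed to be installed.

```powershell
# Added example (not from the original article): scoped, reported Group Policy refresh.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical OU; replace with the OU the new GPO is linked to.
$SearchBase = 'OU=Workstations,DC=example,DC=com'

function Update-OuGroupPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [ValidateSet('User', 'Computer')] [string] $Target,
        [int] $RandomDelayInMinutes = 0
    )

    # Only enabled computer accounts under the chosen OU, not the whole domain.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase

    foreach ($c in $computers) {
        $result = [pscustomobject]@{ Computer = $c.Name; Status = 'NotRun'; Detail = '' }

        if (-not (Test-Connection -ComputerName $c.Name -Count 1 -Quiet)) {
            $result.Status = 'Skipped'
            $result.Detail = 'No ping reply'
        }
        elseif ($PSCmdlet.ShouldProcess($c.Name, 'Invoke-GPUpdate')) {
            # Same switches as the article's one-liner, plus an optional -Target.
            $params = @{
                Computer             = $c.Name
                RandomDelayInMinutes = $RandomDelayInMinutes
                Force                = $true
                ErrorAction          = 'Stop'
            }
            if ($Target) { $params.Target = $Target }
            try {
                Invoke-GPUpdate @params
                $result.Status = 'Scheduled'
            }
            catch {
                $result.Status = 'Failed'
                $result.Detail = $_.Exception.Message
            }
        }
        $result   # one object per computer, suitable for Export-Csv or filtering
    }
}

# Dry run first: -WhatIf lists the machines that would be refreshed without touching them.
Update-OuGroupPolicy -SearchBase $SearchBase -Target User -WhatIf | Format-Table -AutoSize
```

Remove -WhatIf to perform the refresh; filtering the output on Status -eq 'Failed' shows the machines that still need attention.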
Conclusion
To review, every time you modify a GPO in Active Directory, that change will take effect at the next scheduled refresh period. You have the option, however, to force a refresh, which will cause the change to take effect on all of your client systems instantly.
As an additional layer of protection, you can enable required reapplication, which makes particular Group Policy settings subject to perpetual reapplication regardless of whether or not they have been modified. This lets you undo any undesirable modifications made by local administrators.