Force GPO update on client PC from DC

Posted on 2007-07-29
Medium Priority
Last Modified: 2012-05-05
I am trying to disable the windows firewall on client PCs on a remote site. I have set the GPO to disable windows firewall. How do I now push that policy out to the client without having access to the client machine. I cant ask someone to reboot the PC as its sunday night.

I thought the policies updated the clients after a set period of time. Is this correct and can I force it to update right now.
Question by:roy_batty
  • 2
  • 2
LVL 40

Accepted Solution

Philip Elder earned 1500 total points
ID: 19589070
You can setup a batch file:
shutdown -r -t 05 -f -m \\mymachinename

This will reboot the machines on the domain that are currently on, and they should be default pick up the new policy settings.

Default GP update is 90 minutes iirc.

You could remote into each, logon, and GPUpdate /force at the command line as well.

LVL 48

Expert Comment

ID: 19589122
computer policies do not auto update. they cache the settings in a normal update sequence but do not apply until you reboot the machine. This is the way its always been. You do not have a choice except to reboot the machine.....you can use the shutdown /i switch for a gui interface or download psshutdown from Micrsoft and have a play with it in a batch file.....
LVL 26

Expert Comment

by:Farhan Kazi
ID: 19589123
Use PsExec:
Download it from:

PsExec is Heaven when talking remote execution, first of all because it does not require any agents installed on the remote computers. You need to specify a computer name and the command that should be executed as switches in a command prompt  thats basically it! Behind the scenes a service is being installed ad hoc remotely and removed again when the command has been executed.

A small tip is to place the PsExec.exe file in the %windir% directory, because then we dont have to specify the complete path to this file when executing it from a command line etc.

To update group policies on the remote computer Computername all we have to write is the following command: PsExec \\Computername Gpupdate. The user logged on to the remote computer will not see anything happening, but in the background Gpupdate will refresh both user and computer policies and apply any missing settings. You would think that PsExec should run with the -i" switch (interactive) to update the remote users specific user policies, but testing shows that this is not the case.

Have a look at following:

You can use PSExec with FOR loop like (Write down all computer names inside Computers.txt file):
FOR /F %c IN ('Type C:\Computers.txt') Do PsExec \\%c C:\Windows\System32\GPUpdate.exe
LVL 48

Expert Comment

ID: 19589141
this will not work. It makes no difference using psexec Vs a local update. Computer policies simply dont apply until the registry is unloaded and reloaded (reboot)
LVL 40

Expert Comment

by:Philip Elder
ID: 19589187
Jay has a good point. Since logging onto the workstation and running the GPUpdate /force locally will bring up a, "This computer needs to be rebooted" or "The user needs to logoff" for "policies to take" message.


Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question