Force GPO update on client PC from DC

Posted on 2007-07-29
Last Modified: 2012-05-05
I am trying to disable the windows firewall on client PCs on a remote site. I have set the GPO to disable windows firewall. How do I now push that policy out to the client without having access to the client machine. I cant ask someone to reboot the PC as its sunday night.

I thought the policies updated the clients after a set period of time. Is this correct and can I force it to update right now.
Question by:roy_batty
    LVL 38

    Accepted Solution

    You can setup a batch file:
    shutdown -r -t 05 -f -m \\mymachinename

    This will reboot the machines on the domain that are currently on, and they should be default pick up the new policy settings.

    Default GP update is 90 minutes iirc.

    You could remote into each, logon, and GPUpdate /force at the command line as well.

    LVL 48

    Expert Comment

    computer policies do not auto update. they cache the settings in a normal update sequence but do not apply until you reboot the machine. This is the way its always been. You do not have a choice except to reboot the can use the shutdown /i switch for a gui interface or download psshutdown from Micrsoft and have a play with it in a batch file.....
    LVL 26

    Expert Comment

    Use PsExec:
    Download it from:

    PsExec is Heaven when talking remote execution, first of all because it does not require any agents installed on the remote computers. You need to specify a computer name and the command that should be executed as switches in a command prompt  thats basically it! Behind the scenes a service is being installed ad hoc remotely and removed again when the command has been executed.

    A small tip is to place the PsExec.exe file in the %windir% directory, because then we dont have to specify the complete path to this file when executing it from a command line etc.

    To update group policies on the remote computer Computername all we have to write is the following command: PsExec \\Computername Gpupdate. The user logged on to the remote computer will not see anything happening, but in the background Gpupdate will refresh both user and computer policies and apply any missing settings. You would think that PsExec should run with the -i" switch (interactive) to update the remote users specific user policies, but testing shows that this is not the case.

    Have a look at following:

    You can use PSExec with FOR loop like (Write down all computer names inside Computers.txt file):
    FOR /F %c IN ('Type C:\Computers.txt') Do PsExec \\%c C:\Windows\System32\GPUpdate.exe
    LVL 48

    Expert Comment

    this will not work. It makes no difference using psexec Vs a local update. Computer policies simply dont apply until the registry is unloaded and reloaded (reboot)
    LVL 38

    Expert Comment

    by:Philip Elder
    Jay has a good point. Since logging onto the workstation and running the GPUpdate /force locally will bring up a, "This computer needs to be rebooted" or "The user needs to logoff" for "policies to take" message.


    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
    Learn about cloud computing and its benefits for small business owners.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now