• Status: Solved

GPUpdate /force

I have about 50 machines so far (actually over 1200 in total) in an OU.  I need a way to run gpupdate /force remotely so I can refresh the policy.  I tried Psexec and although it looks like it works, when I run Group Policy Results the new policy isn't showing up.
Asked by: WellingtonIS

ComputerTechie Commented:
0
 
cantoris Commented:
Bear in mind that Gpupdate only reapplies any group policy objects and ensures they're up to date.  It does not check to see if the computer account or user account have recently moved and therefore now come under the influence of a different set of group policies.  Don't let this catch you out!
I'm not sure which OS process governs the workstation discovering the GPO list.  I imagine it's the initial Logon process itself.

PSExec ought to work if you're expecting existing GPOs to have their newest settings deployed to PCs.  What syntax did you use?  The assumption of course is that your AD replication infrastructure is healthy and therefore all the DCs have copies of the updated GPOs.  MS have an excellent new AD Replication Status Tool you can download.

There's also the issue of parts of policy not applying over slow links to think about and whether you've taken into account your security and WMI filtering config, blocked inheritance, loopback processing etc etc!
0
 
Tony Barkdull Commented:
There should be 2 logins until a new Group Policy is applied: after the first, the policy is downloaded (after login), and it is applied after the second login. Both can be just a logoff and login again, or reboots.
0
 
TechOps07 Commented:
You can use PowerShell to invoke the Gpupdate command.

Invoke-Command -ComputerName "ComputerName" {gpupdate /force}

You obviously want to create it as a script for the numerous machines.
0
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) Commented:
In a way, if all machines are restarted, Group Policy will automatically be updated at the next user login.

- Rancy
0
 
WellingtonIS (Author) Commented:
1st:
Bear in mind that Gpupdate only reapplies any group policy objects and ensures they're up to date.  It does not check to see if the computer account or user account have recently moved and therefore now come under the influence of a different set of group policies.  Don't let this catch you out!
I'm not sure which OS process governs the workstation discovering the GPO list.  I imagine it's the initial Logon process itself.

Usually when I do a GPupdate /force via the machine it does fill in the new GPOs; I've seen this myself.
I tried the PowerShell but that doesn't seem to be working.
Here's the error
PS C:\> Invoke-Command-wrmdegy01 "wrmdegy01" {gpupdate /force}
The term 'Invoke-Command-wrmdegy01' is not recognized as the name of a cmdlet, function, script file, or operable progr
am. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:25
+ Invoke-Command-computername <<<<  "comutername" {gpupdate /force}
    + CategoryInfo          : ObjectNotFound: (Invoke-Command-wrmdegy01:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
0
 
ComputerTechie Commented:
I update our machines as needed by using psexec and the following command: Psexec -i -s \\* gpupdate.exe /force

 This works well and when I need one machine I just change the * as needed.

You can get psexec from the Microsoft download site.

CT
0
 
WellingtonIS (Author) Commented:
Psexec -i -s \\*?  Does the star represent everyone on the domain? I can't do that since I'm part of an OU in a bigger domain.  Unless there's some way of designating the OU only.
0
 
Tony Barkdull Commented:
Check in the Event log for any WMI errors. If you do find them, you will need to run a repair on the WMI subsystem. I'd use option 3 on this page. You will need a CD or an accessible network location with the Install files.
0
 
cantoris Commented:
Filling in some gaps from above:

Your PowerShell didn't work as you missed a space.  I'll add extras here for clarity:
Invoke-Command   -ComputerName   wrmdegy01   -ScriptBlock   {gpupdate}

BUT, the above will only work if all your PCs have PowerShell 2 or above and are enabled for PSremoting.  If you do have this sort of infrastructure, then there is more PowerShell stuff you can use to get the computers in an OU and pass them all to Invoke-Command.

Server 2012 lets you force a policy refresh against an entire OU natively within GUI tools.

With PSExec, "*" does indeed mean all computers in the domain!
0
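
The "get the computers in an OU and pass them all to Invoke-Command" approach mentioned in the comment above, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) on the admin machine and PSRemoting enabled on the targets; the function name `Update-OUGroupPolicy` and the OU path are placeholders. Scoping by `-SearchBase` keeps the run inside one OU instead of the whole domain.

```powershell
# Added example (not from the thread): run gpupdate on every enabled computer in one OU.
# Assumes the ActiveDirectory module (RSAT) on the admin machine and PSRemoting on targets.
Import-Module ActiveDirectory

function Update-OUGroupPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,  # OU distinguished name
        [int]$ThrottleLimit = 32                             # concurrent remote sessions
    )

    # Scope the target list to the OU and its sub-OUs, not the whole domain.
    $names = @(Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true' |
        Select-Object -ExpandProperty Name)
    if ($names.Count -eq 0) { Write-Warning "No enabled computers under $SearchBase"; return }

    $remote = @{
        ComputerName  = $names
        ThrottleLimit = $ThrottleLimit
        ErrorAction   = 'SilentlyContinue'   # unreachable hosts are reported below instead
        ScriptBlock   = {
            # Answer "N" if gpupdate asks to log off or restart, so the session does not block.
            'N' | gpupdate /force | Out-Null
            New-Object PSObject -Property @{ Result = "exit code $LASTEXITCODE" }
        }
    }
    $results = @(Invoke-Command @remote)

    # Anything that returned no object was offline, had WinRM disabled, or denied access.
    $answered = @($results | ForEach-Object { $_.PSComputerName })
    $results | Select-Object PSComputerName, Result
    $names | Where-Object { $answered -notcontains $_ } | ForEach-Object {
        New-Object PSObject -Property @{ PSComputerName = $_; Result = 'unreachable' }
    }
}

# Placeholder OU path (constructed for illustration); replace with your own.
Update-OUGroupPolicy -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Sort-Object PSComputerName | Format-Table PSComputerName, Result -AutoSize
```

Hosts listed as unreachable still need follow-up, since they keep the old policy until their next background refresh or logon.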
 
WellingtonIS (Author) Commented:
This worked, thanks.
0
Question has a verified solution.
