Kenneth Platt
asked on
Command needed to Force Group Policy to Process on all domain computers
I need a command that will force Group Policy to process on all computers in a domain
ASKER
I need a command that will update all computers in a domain not just one computer
Using GPO will update all computers
That's the reason why you do it as a login or logoff script
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/invoke-gpupdate?view=win10-ps
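# Run from a domain controller
Import-Module ActiveDirectory
Import-Module GroupPolicy
# Enumerate enabled computer accounts and refresh policy on each one that answers a ping
Get-ADComputer -Filter {Enabled -eq $true} | Select-Object DNSHostName, Enabled | ForEach-Object {
    # -Quiet makes Test-Connection return $true/$false instead of raising an error for offline hosts
    if (Test-Connection -Count 1 -Quiet -ComputerName $_.DNSHostName) {
        Invoke-GPUpdate -Computer $_.DNSHostName
    }
    else {
        Write-Host -ForegroundColor Red "Computer $($_.DNSHostName) is offline"
    }
}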
ASKER
If I run this as a login script in a GPO, doesn't the user need local administrator credentials, whereas a computer startup script does NOT require any credentials for it to run?
It depends upon the GPO setting configured.
Not all computer settings get updated with gpupdate /force, because some settings only update during computer reboot / startup.
Either run the above script from a domain controller manually or wait for a computer reboot; upon reboot the computer must refresh all computer-based GPOs.
You COULD construct a GPO to edit the GPO refresh interval. Of course, it needs to fire in the usual time before the new refresh rate applies.
The default is 90 mins, with a random 30 min offset. The offset stops all machines from trying to process GPOs at the exact same time in the event of returning from a power failure.
Although Windows will let you drop the refresh period to as low as 7 seconds, this tends to annoy users, and can generate a lot of traffic if you have many machines and a slow network link. The user desktop redraws where GPOs are applied, users usually don't notice. When trying out new GPOs, I have set this to 5 mins in the past. That is a reasonable compromise. Change a setting, wait 5 mins, all machines will have applied it. Of course, you can change this back once you finish playing.
More here: https://social.technet.microsoft.com/wiki/contents/articles/31623.modify-group-policy-refresh-interval-for-computers.aspx
You can do it with the Group Policy Management Console or PowerShell.
PowerShell command:
Get-ADComputer -Filter * -SearchBase "ou=LAB, dc=lab,dc=local" | foreach { Invoke-GPUpdate -Computer $_.name -Force }
gpo.docx
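An added example, not code from any poster in this thread: the same Invoke-GPUpdate sweep over an OU, but with the refreshes spread over a delay window to limit the traffic burst, offline machines skipped, and a per-machine result recorded. The OU path is the lab value from the post above; the 30-minute window and the CSV file name are assumptions to adjust.

```powershell
# Added example. Run from a management host or DC that has the ActiveDirectory and
# GroupPolicy modules, under an account with administrative rights on the targets.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SearchBase  = 'ou=LAB,dc=lab,dc=local'   # assumption: lab OU quoted in the thread
$DelayWindow = 30                          # assumption: minutes over which refreshes are spread
$ReportPath  = '.\gpupdate-exceptions.csv' # assumption: hypothetical output file

$results = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    ForEach-Object {
        $name   = $_.DNSHostName
        $status = 'Scheduled'
        $detail = ''

        if (-not $name) {
            # Stale or pre-staged accounts may have no DNS name registered
            $name   = $_.Name
            $status = 'Skipped'
            $detail = 'No DNSHostName attribute'
        }
        elseif (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $status = 'Offline'
        }
        else {
            try {
                # Each target picks a random start time inside the window,
                # so the domain controllers are not hit by every client at once.
                Invoke-GPUpdate -Computer $name -RandomDelayInMinutes $DelayWindow -Force -ErrorAction Stop
            }
            catch {
                # Typical causes: remote scheduled-task or WMI firewall rules closed, access denied
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }

        [pscustomobject]@{ Computer = $name; Status = $status; Detail = $detail }
    }

# Summary by outcome, plus a file listing every machine that still needs attention
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -ne 'Scheduled' | Export-Csv -Path $ReportPath -NoTypeInformation
```

A status of Scheduled means the remote refresh task was created on the target, not that policy has finished applying; confirm on a sample of machines with gpresult or the GroupPolicy operational event log.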
@Lee:
Thanks for reminding me of the option
ASKER
Thank you all for your efforts. I agree it's a solution. I have to test it in terms of network usage.
Copy the line and save it into a "name.bat" file,
and you can save the file into a new GPO and add it as the login script or logoff script.
https://www.websense.com/content/support/library/web/v78/logon_agent/la_configure_scripts.aspx