How to Apply Group Policy Again

Originally published February, 2017 and updated May, 2019

Forcing a Group Policy Update

Imagine that you get a phone call from the security specialist who handles your firewalls and proxy servers. He tells you that he has added an additional proxy server for users going to the internet. You add a new GPO that affects all users so they can use the new proxy server via Internet Explorer. Usually, it takes between 90 and 120 minutes for a new GPO to be applied, but you need the new settings to be applied right now, and you cannot tell your users to log off and log back in to apply them. In cases like these, you might want to bypass the normal wait time before background policy processing kicks in. You can do so using the command prompt, the Group Policy Management Console (GPMC) or PowerShell.

Forcing a Group Policy Update using the Command Prompt

Your first option is to run a simple command that tells the client to skip the normal background processing interval and update all new or changed GPOs from the server right now. However, you must physically trot out to each user machine and enter the gpupdate command, thereby refreshing the Group Policy object, along with any other new or changed GPOs, manually.

Note that running the gpupdate command with no parameters will refresh both the User and the Computer halves of the Group Policy objects. To refresh just one half or the other, use this syntax:

gpupdate /Target:Computer
gpupdate /Target:User

Running gpupdate while a user is logged on to a machine immediately gives Windows the new GPO settings (assuming, of course, that the domain controller has the replicated GPO data).

In Windows XP and later, Fast Boot, Software Distribution and Folder Redirection are enabled by default, so settings are processed only at the next logon time. If you use the correct switches, gpupdate can figure out if newly changed items require a logoff or reboot to be active:

  • Running gpupdate with the /Logoff switch will figure out if a policy change in Active Directory requires the user to log off. If not, the new settings are applied immediately; if so, the user will automatically be logged off and the Group Policy settings will be applied when they log back in.
  • Similarly, if Fast Boot is enabled, a restart is required to apply GPOs that have Software Distribution settings. Running gpupdate with the /boot switch will figure out if a policy has something that requires a reboot and automatically reboot the computer. If the updated GPO does not require a reboot, the GPO settings are applied and the user remains logged on.

Both the /Logoff and /boot switches are optional.

The discussion so far applies only to new GPOs and changes to existing ones. However, sometimes you might want to apply all GPOs to a computer — not just new or changed GPOs but old ones as well. In that case, you need to use the /force switch with gpupdate, as follows:

gpupdate /force

Other options are available in conjunction with /force, including:

  • /Logoff — Log the user off after the Group Policy settings have been updated.
  • /Sync — Change the foreground (startup/logon) processing to synchronous.
  • /Boot — Restart the computer after the Group Policy settings are applied.

Forcing a Group Policy Update using the Group Policy Management Console

As an alternative to the command-line tools, you can force a Group Policy update using the Group Policy Management Console (GPMC). GPMC is included with every Microsoft Windows Server since Windows Server 2008; you can also get it by installing Remote Server Administration Tools (RSAT).

To force a GPO to be applied, take these simple steps:

  1. Open
  2. Link the GPO to an OU.
  3. Right-click the OU and choose the "Group Policy Update" option.
  4. Confirm the action in the Force Group Policy Update dialog by clicking "Yes".

Forcing a Group Policy Update using PowerShell

Since Windows Server 2012, you can force a Group Policy refresh using the PowerShell cmdlet Invoke-GPUpdate. This command can be used for Group Policy remote update of Windows client computers. You will need to have both PowerShell and the Group Policy Management Console installed.

Here is an example of using this cmdlet to force an immediate Group Policy update on a particular computer:

          Invoke-GPUpdate -Computer WKS0456 -RandomDelayInMinutes 0

The -RandomDelayInMinutes 0 parameter ensures that the policy is updated instantly. The only downside to using this parameter is that the users will get a cmd screen pop-up.

If you want to force an update on all computers, run these commands:

          # Collect every computer account in the domain
          $compgpoupd = Get-ADComputer -Filter *
          # Schedule an immediate, full policy refresh on each one
          $compgpoupd | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}

This code will get all computers from the domain, put them into a variable and run the commands for each object.
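
A more controlled variant of the loop above, added here as an example and not part of the original article: it limits the refresh to one OU, skips disabled computer accounts and records which machines could not be reached. The function name Invoke-OuGPUpdate and the OU path are hypothetical; the ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory and GroupPolicy (RSAT) modules are available.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical helper: refresh policy on the enabled computers of one OU
# and report per-machine success or failure.
function Invoke-OuGPUpdate {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU distinguished name
        [int] $RandomDelayInMinutes = 0                # 0 = refresh right away
    )

    # Only enabled computer accounts under the chosen OU, not the whole domain.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase

    foreach ($c in $computers) {
        $status = 'Scheduled'
        $detail = ''
        try {
            # -ErrorAction Stop makes an unreachable host a catchable error
            # instead of a message lost in the console output.
            Invoke-GPUpdate -Computer $c.Name `
                            -RandomDelayInMinutes $RandomDelayInMinutes `
                            -Force -ErrorAction Stop
        }
        catch {
            $status = 'Failed'
            $detail = $_.Exception.Message
        }

        # One result object per computer, so failures can be filtered later.
        [pscustomobject]@{
            Computer = $c.Name
            Status   = $status
            Detail   = $detail
        }
    }
}

# Constructed sample OU path; replace it with a real distinguished name.
$results = Invoke-OuGPUpdate -SearchBase 'OU=Workstations,DC=example,DC=com'

# Machines listed here did not receive the refresh request and still run
# the old settings until their next background refresh.
$results | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```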

GPO Background Refresh

All Group Policy clients process GPOs when the background refresh interval comes to pass — but they process only those GPOs that are new or have changed since the last time the client requested them.

However, for security settings, the Group Policy engine works differently. It asks for a special background refresh just for security policy settings. This is called the background security refresh and is valid for every version of Windows Server. Every 16 hours, each Group Policy client asks Active Directory about all the GPOs that contain security settings (not just the ones that have changed) and reapplies those security settings. This ensures that if a security setting has changed on the client (behind the Group Policy engine's back), it's automatically reverted to the proper setting within 16 hours.

Background Refresh Process for Local GPOs

If users are local administrators of their Windows machines, they have total control to get around the Group Policy engine processes and can make changes to local policies — changes that could nullify a policy you've set with a GPO, including things on the system that shouldn't be changed. To avoid this issue, you should give local administrator accounts only to some privileged users that cannot work without local administrator rights or give local admin rights only to those applications that privileged users need to run. You should never give regular users administrative rights.

Mandatory Reapplication of Non-security Group Policy Settings

As described above, the background security refresh updates all security-related policy settings every 16 hours. But sometimes you also need to force non-security settings to be applied, even if the GPOs on the servers haven't changed, in order to fix exploits that aren't specifically security related.

You can choose to mandate the reapplication of the following areas of Group Policy during each initial policy processing and background refresh:

  • Registry (Administrative Templates)
  • Internet Explorer Maintenance
  • IP Security
  • EFS Recovery Policy
  • Wireless Policy
  • Disk Quota
  • Scripts
  • Security
  • Folder Redirection
  • Software Installation
  • Wired Policy

Conclusion

To summarize, when you change a GPO in Active Directory, it will be automatically applied at the next refresh interval; you can also force a refresh to apply it immediately to your client systems. As an extra safety measure, you can set up mandatory reapplication to ensure that certain Group Policy settings are always reapplied, even if they have not changed. This enables you to revert any unwanted changes made by local administrators.

Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.


Source: https://blog.netwrix.com/2017/02/17/group-policy-update/
