Windows group policy refresh

Force a Remote Group Policy Refresh (GPUpdate)

Applies To: Windows Server 2012 R2, Windows Server 2012

Group Policy is a complicated infrastructure that enables you to apply policy settings to remotely configure a computer and user experience within a domain. When the Resultant Set of Policy settings does not conform to your expectations, a best practice is to first verify that the computer or user has received the latest policy settings. In previous versions of Windows, this was accomplished by having the user run GPUpdate.exe on their computer.

With Windows Server 2012 and Windows 8, you can remotely refresh Group Policy settings for all computers in an organizational unit (OU) from one central location by using the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate Windows PowerShell cmdlet to refresh Group Policy for a set of computers, including computers that are not within the OU structure—for example, if the computers are located in the default computers container.

The remote Group Policy refresh updates all Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an OU in the Group Policy Management Console (GPMC). When you select an OU to remotely refresh the Group Policy settings on all the computers in that OU, the following operations happen:

An Active Directory query returns a list of all computers that belong to that OU.

For each computer that belongs to the selected OU, a WMI call retrieves the list of signed in users.

A remote scheduled task is created to run GPUpdate.exe /force for each signed in user and once for the computer Group Policy refresh. The task is scheduled to run with a random delay of up to 10 minutes to decrease the load on the network traffic. This random delay cannot be configured when you use the GPMC, but you can configure the random delay for the scheduled task or set the scheduled task to run immediately when you use the Invoke-GPUpdate cmdlet.

This document describes a method to force a remote Group Policy refresh to all computers in an OU and all OUs that are contained within the selected OU by using the GPMC. An equivalent Windows PowerShell method is also presented for each procedure.

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Prerequisites

You can schedule a forced remote Group Policy update by using the GPMC only from domain-joined computers that are running:

Windows Server 2012 or Windows Server 2012 R2

Windows 8 or Windows 8.1 with Remote Server Administration Tools for Windows 8

You can schedule a remote Group Policy refresh for any computer running:

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008

Step 1: Configure firewall rules on each client that will be managed with remote Group Policy refresh

To schedule a Group Policy refresh for domain-joined computers by using the GPMC or the Invoke-GPUpdate cmdlet, you must have firewall rules that enable inbound network traffic on the ports listed in the following table.

Port and service | Type of network traffic
TCP RPC dynamic ports, Schedule (Task Scheduler service) | Remote Scheduled Tasks Management (RPC)
TCP port 135, RPCSS (Remote Procedure Call service) | Remote Scheduled Tasks Management (RPC-EPMAP)
TCP all ports, Winmgmt (Windows Management Instrumentation service) | Windows Management Instrumentation (WMI-in)

In Windows Server 2012, Group Policy added a Starter GPO called Group Policy Remote Update Firewall Ports. This Starter GPO includes policy settings to configure the firewall rules that are specified in the previous table. It is a best practice to create a new GPO from this Starter GPO. Link the GPO to your domain at a higher precedence than the Default Domain GPO, and then use it to configure all the computers in the domain to enable a remote Group Policy refresh.

To create a GPO from the Group Policy Remote Update Firewall Ports Starter GPO and link to the domain

In the GPMC console tree, locate the domain for which you want to configure all the computers to enable a remote Group Policy refresh.

Right-click the selected domain, and click Create a GPO in this domain, and link it here…

In the New GPO dialog box, type the name of the new Group Policy object in the Name box.

In the Source Starter GPO list, select the Group Policy Remote Update Firewall Ports Starter GPO that you want to use to create a new Group Policy object, and click OK.

In the results pane, click the Linked Group Policy Objects tab.

Select the GPO that you just created, and click the Up arrow until the GPO is listed above the Default Domain Policy. The new GPO will have a smaller link order value than the Default Domain Policy.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Use the New-GPO cmdlet with the -StarterGpoName parameter, and then pipe the output to the New-GPLink cmdlet.

For example, to create a new GPO called Configure firewall rules for remote gpupdate by using the Group Policy Remote Update Firewall Ports Starter GPO, then link the new GPO to the Contoso.com domain, use the following script:
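An added PowerShell example (not the original page's script) that carries out the procedure above: it creates the GPO from the Starter GPO, links it to the domain at link order 1 so that it sits above the Default Domain Policy, and reads the link order back. The GPO name, Starter GPO name and Contoso.com domain come from the text; the -Order 1 choice, the Get-GPInheritance check and the report file name are assumptions made for this example.

```powershell
# Added example. Requires the GroupPolicy module (GPMC or RSAT) and rights to
# create and link GPOs in the domain. Names are taken from the text above.
Import-Module GroupPolicy

$gpoName     = 'Configure firewall rules for remote gpupdate'
$starterName = 'Group Policy Remote Update Firewall Ports'
$domainDn    = 'dc=Contoso,dc=com'

# Fail early if the Starter GPO is not available in this domain.
Get-GPStarterGPO -Name $starterName -ErrorAction Stop | Out-Null

# Create the GPO from the Starter GPO and link it to the domain root.
# -Order 1 puts the link first, which places it above the Default Domain Policy.
New-GPO -Name $gpoName -StarterGpoName $starterName -ErrorAction Stop |
    New-GPLink -Target $domainDn -LinkEnabled Yes -Order 1 -ErrorAction Stop |
    Out-Null

# Read the domain's links back to confirm the resulting link order.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced

# Save a report of the new GPO so the inbound firewall rules it enables
# (RPC, RPC-EPMAP, WMI-in) can be reviewed. The file name is an assumption.
$report = Join-Path $env:TEMP 'remote-gpupdate-firewall.html'
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
```

Because the GPO is linked at the domain root, the inbound rules apply to every computer that processes it; the saved report shows exactly which rules those are.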

For more information about the New-GPO cmdlet and the New-GPLink cmdlet, see:

Step 2: Schedule a remote Group Policy refresh

You can schedule gpupdate.exe to run on multiple computers from the GPMC or from a Windows PowerShell session using the Invoke-GPUpdate cmdlet.

To schedule a Group Policy refresh to run on all computers in an OU by using the GPMC

In the GPMC console tree, locate the OU for which you want to refresh Group Policy for all computers.

Group Policy will also be refreshed for all computers that are located in the OUs contained in the selected OU.

Right-click the selected OU, and click Group Policy Update…

Click Yes in the Force Group Policy update dialog box. This is the equivalent to running GPUpdate.exe /force from the command line.

The Remote Group Policy update results window displays only the status of scheduling a Group Policy refresh for each computer located in the selected OU and any OUs contained within the selected OU. This display does not show the success or failure of the actual Group Policy refresh for each computer.

Use Resultant Set of Policy to determine the success of the scheduled Group Policy refresh; see Determine Resultant Set of Policy.

You should plan a delay of up to 10 minutes to start a Group Policy refresh when you are verifying the results for each computer.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

The Invoke-GPUpdate cmdlet allows you to schedule a remote Group Policy update for a specified computer with all the options that the GPUpdate.exe command-line utility provides. This allows more freedom to determine which set of computers is to be refreshed than if you schedule the refresh through the GPMC. Additionally, you have the freedom to configure the interval of time to wait before a Group Policy refresh is performed by using the -RandomDelayInMinutes parameter. If set to a zero (0) value, the scheduled task for the Group Policy refresh is configured to start immediately. For more information, see Invoke-GPUpdate.

You can refresh the changed Group Policy settings for the computer that you are signed in to by running the Invoke-GPUpdate cmdlet without including any parameters, for example:

You cannot schedule a Group Policy refresh for the Computers container by using the GPMC Group Policy Update… functionality. The Computers container is a default location for computer accounts. It is not implemented as an OU that can be managed by the GPMC. However, by combining the use of the Windows PowerShell cmdlet, Get-ADComputer, with the Invoke-GPUpdate cmdlet, you can schedule a remote refresh for all computers in the Computers container. For more information about available Windows PowerShell cmdlets for Active Directory, see AD DS Administration Cmdlets in Windows PowerShell.
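An added PowerShell example (not the original page's code) of the Get-ADComputer and Invoke-GPUpdate combination described above, extended to record which computers could not be scheduled. The distinguished name of the Computers container in the Contoso.com domain and the zero-minute delay are assumptions made for this example.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy modules (RSAT)
# and the firewall rules from Step 1 on every target computer.
Import-Module ActiveDirectory, GroupPolicy

# Assumed DN of the default Computers container in the Contoso.com domain.
$searchBase = 'cn=Computers,dc=Contoso,dc=com'
# 0 = start the scheduled task immediately instead of after a random delay.
$delayMinutes = 0

$results = foreach ($computer in Get-ADComputer -Filter * -SearchBase $searchBase) {
    try {
        # -Force is the equivalent of GPUpdate.exe /force.
        Invoke-GPUpdate -Computer $computer.Name -Force `
            -RandomDelayInMinutes $delayMinutes -ErrorAction Stop
        [pscustomobject]@{
            Computer  = $computer.Name
            Scheduled = $true
            Error     = $null
        }
    }
    catch {
        # Typical causes: the computer is offline, or the inbound RPC/WMI
        # firewall rules from Step 1 have not reached it yet.
        [pscustomobject]@{
            Computer  = $computer.Name
            Scheduled = $false
            Error     = $_.Exception.Message
        }
    }
}

# Failures first, so unreachable computers stand out.
$results | Sort-Object Scheduled, Computer | Format-Table -AutoSize
```

As with the GPMC results window, Scheduled only reports that the task was created on the remote computer; use Resultant Set of Policy to confirm that the refresh itself succeeded.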

Refresh Group Policy

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to manually refresh Group Policy on the local computer. When Group Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local computer is automatically enrolled for a certificate by the certification authority (CA).

Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To refresh Group Policy on the local computer

On the computer where NPS is installed, open Windows PowerShell® by using the icon on the taskbar.

At the Windows PowerShell prompt, type gpupdate, and then press ENTER.

How to change Group Policy Refresh Interval for Windows 10 computers

Group Policy in Windows allows administrators to set and enforce settings on their computer systems. By default, Group Policy is updated in the background every 90 minutes, after a change is recorded in the active object. If you wish, you can change (reduce or increase) the Group Policy Refresh Interval by using the Group Policy Editor on Windows 10/8/7.

Change Group Policy Refresh Interval

To do so, run gpedit.msc and hit Enter to open the Local Group Policy Editor. Navigate to the following setting:

Computer Configuration > Administrative Templates > System > Group Policy

Now in the right pane, double-click on Set Group Policy Refresh Interval for computers to open its Properties box. This policy setting specifies how often Group Policy for computers is updated while the computer is in use, in the background. In addition to background updates, Group Policy for the computer is always updated when the system starts or a user logs in.

As we mentioned earlier, by default, Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. But if you Enable this setting, you can specify an update rate from 0 to 64,800 minutes or 45 days. If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. To avoid performance degradation, you should not set it to a low figure.

If you do not want Group Policy to be updated while the computer is in use, you will have to configure the Turn off background refresh policy. If the Disable background refresh of Group Policy policy is enabled, the Set Group Policy Refresh Interval for computers policy is ignored.

The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies – the offset interval for computers. The number you type in the random time box sets the upper limit for the range of variance.

Configure the setting using the Registry Editor

To change the Group Policy Refresh Interval for computers, navigate to the following Registry key:

Create a DWORD named GroupPolicyRefreshTime and give it a value between 0 and 64800.

To change the offset interval for computers, navigate to the following Registry key:

Create a DWORD named GroupPolicyRefreshTimeOffset and give it a value between 0 and 1440.

How to Disable or Turn off Group Policy Refresh while Computer is in use

Group Policy, an administrative tool introduced in Windows 2000, determines how programs, network resources, and operating systems behave for users and computers in an organization. Group Policy helps users to add policies for active objects by making modifications in the Windows Registry. Generally, by default, Group Policy gets updated in the background every 90 minutes, after a change is recorded in the active object. Even when you change the Group Policy Refresh Interval and set it to 0 minutes, the computer tries to update Group Policy every 7 seconds.

However, the updating of Group Policy depends upon the resources that have been modified and may vary according to the priority. So eventually there exists the possibility of a decrease in the speed of the computer since a Group Policy refresh in the background will affect system speed. Unfortunately, you won’t be able to determine how much consumption of memory is being carried out by Group Policy refresh since it is not listed in Task Manager. If we let Group Policy be updated after the user has been logged out, then the system will save on some resources. This is an option given in Windows, and should you wish to change this setting, for some reason, this is how to go about it.

Turn Off Group Policy Refresh

In this article, I’ll tell you the way to disable or turn off Group Policy from being updated automatically while the system is in use.

Disable background refresh of Group Policy using Local Group Policy Editor

1. Press the Windows Key + R combination, type gpedit.msc in the Run dialog box, and hit Enter to open the Local Group Policy Editor.

2. Navigate here:

Computer Configuration > Administrative Templates > System > Group Policy

3. In the right pane, look for the setting Turn off background refresh of Group Policy. It should have Not Configured status by default. Double-clicking on it will yield you the following window:

4. In the above window, selecting Enabled lets the computer refresh Group Policy objects after the user has logged out rather than while the computer is in use. Click OK. Reboot to make the changes effective. That’s it!

The policy Turn off background refresh of Group Policy overrides the policies Set Group Policy refresh interval for computers and Set Group Policy refresh interval for users, which control how often Group Policy is refreshed in the background while we’re working on the computer.

Disable background refresh of Group Policy using Registry Editor

1. Press the Windows Key + R combination, type Regedt32.exe in the Run dialog box, and hit Enter to open the Registry Editor.

2. Navigate to this registry key:

3. In the right pane of this location, create a DWORD named DisableBkGndGroupPolicy using Right-click -> New -> DWORD. Double-click it to modify it, and you’ll get this:

4. In the above-shown box, set the Value data to 1. Click OK. That’s it! Reboot to get results.

Date: April 25, 2018 Tags: Group Policy, Tips
