Group Policy in Windows Server 2012: Using Remote GPUpdate

If someone calls to say their computer doesn’t work quite right, the first thing you might have them do is run gpupdate /force to ensure they have the latest policy applied to their system. Now, you have the power to reach out and force a gpupdate without needing to be at the computer, remote in, or ask the user to do it themselves.

The way remote gpupdate works is this: it creates a task through Task Scheduler on the target machine. The task executes within the next 10 minutes and runs GPUpdate locally on that machine. This will work on Vista and beyond.

Because this feature uses a remote connection, in order to use it you will need the following firewall rules enabled on clients.

· Remote Scheduled Tasks Management (RPC)

· Remote Scheduled Tasks Management (RPC-EPMAP)

· Windows Management Instrumentation (WMI-In)

Once you have these firewall rules applied to your clients, there are two ways you can invoke a remote Group Policy update.

Remote GP Update Wizard

From the GPMC, right-click on an OU that contains computer objects.

Click the “Group Policy Update” option.

This will run a gpupdate /force on all computers in the OU and any sub-OUs. Computer policy will be refreshed for each computer, and user policy will be refreshed for any and all users currently logged into those computers.

The “success” and “failure” headers indicate how many computers were contacted and had the task planted on them. They do not indicate that those computers have already run gpupdate – just that they have successfully scheduled the update for some time in the next 10 minutes. In this case, I intentionally sabotaged one of my clients to demonstrate what failure looks like – you see an error code and a description, and you can “Save” your results to a .csv file to review which computers succeeded and which did not succeed in receiving the task.

PowerShell

The other option is to use Group Policy’s new PowerShell cmdlets. The Invoke-GPUpdate cmdlet is part of the Group Policy PowerShell module that is installed when you install the Group Policy Management feature on a machine.

This cmdlet gives you more flexibility with how Group Policy is updated. You can use all of the gpupdate parameters you may be familiar with, plus you can use the new remote GP update functionality to target one computer – or write a script that targets many computers.

An example of the most basic use of Invoke-GPUpdate:

Import-Module GroupPolicy

Invoke-GPUpdate computername

The completion of this cmdlet will put a task on the computer that will execute a gpupdate /force.
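The "script that targets many computers" case, as an added example that is not part of the original article: it walks an OU the way the wizard does and records per-computer whether the task was scheduled. The OU path and report file name are constructed placeholders, and it assumes the ActiveDirectory module (RSAT) is available on the admin host alongside the GroupPolicy module.

```powershell
# Added example. $SearchBase and $ReportPath are placeholders, not values from the article.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed on the admin host

$SearchBase = 'OU=Workstations,DC=example,DC=com'            # constructed placeholder OU
$ReportPath = Join-Path $env:TEMP 'gpupdate-results.csv'     # placeholder report location

# Enumerate enabled computer objects in the OU and its sub-OUs, as the GPMC wizard does.
$computers = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
                            -Filter 'Enabled -eq $true'

# @() keeps $results an array even when the OU is empty or holds one computer.
$results = @(foreach ($c in $computers) {
    # Prefer the DNS name; fall back to the object name if the attribute is not set.
    $name = $c.DNSHostName
    if (-not $name) { $name = $c.Name }

    try {
        # -Force matches the gpupdate /force behaviour described above.
        # -RandomDelayInMinutes spreads the refresh so clients do not all hit
        # the domain controllers at once.
        # -ErrorAction Stop turns a failed remote task creation (for example,
        # the firewall rules listed earlier are missing) into a catchable error.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 10 -ErrorAction Stop
        [pscustomobject]@{ Computer = $name; Scheduled = $true;  Error = '' }
    }
    catch {
        [pscustomobject]@{ Computer = $name; Scheduled = $false; Error = $_.Exception.Message }
    }
})

# Same idea as the wizard's "Save" button: keep a record of who received the task.
$results | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary counts. "Scheduled" means the task was created on the client,
# not that policy has already been applied.
$results | Group-Object Scheduled | Select-Object Name, Count
```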