Remote Group Policy Update - 'Under the Bonnet'

Windows Server 2012 introduced the ability to perform remote Group Policy updates, kicked off from the Group Policy Management Console or via the Invoke-GPUpdate PowerShell cmdlet.

So... what happens when you schedule a remote Group Policy update?

Before I start, the first thing to mention is that these updates can only be performed against Windows Vista / Windows Server 2008, or later, operating systems. The next thing of note is that RPC / WMI connectivity is required... sadly, there's no PowerShell Remoting to be found here.

Ok. Imagine we run this command to schedule an immediate Group Policy update on the local host:

Invoke-GPUpdate -RandomDelayInMinutes 0 -Force

 

What this actually does is connect to the target host, using RPC, and create two scheduled tasks under the following path: '\Microsoft\Windows\GroupPolicy'. Let's use PowerShell to take a look:

Get-ScheduledTask -TaskPath "\Microsoft\Windows\GroupPolicy\"

 

Some sample output:

 

One of the tasks has a user UPN as part of its name. The WMI connectivity is used to establish which users are currently logged on and to create corresponding tasks.

So... what do these scheduled tasks actually execute? Over to PowerShell:

(Get-ScheduledTask -TaskPath "\Microsoft\Windows\GroupPolicy\").Actions

 

Here, we use the automatic array member enumeration introduced in v3 of PowerShell to look at the 'Actions' property of each scheduled task. Here are the results:

  

Each scheduled task executes gpupdate.exe! One of the scheduled tasks uses the /target switch for an update of 'computer' settings; the other targets 'user' settings. Both use /force.

Who said legacy executables were dead? Well, I know I've said it on at least two occasions...
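
An added example, not part of the original post: a PowerShell check that lists every action of the tasks in the Group Policy task folder and marks whether it matches what is described above (gpupdate.exe with /target and /force). The function name Test-GPUpdateTask, the allow-list of switches, the System32 location check and the sample objects are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. The allow-list holds only the
# switches the post reports; extend it if you use other Invoke-GPUpdate options.
$AllowedSwitches = '/force', '/target:computer', '/target:user'
$System32 = Join-Path $env:windir 'System32'

function Test-GPUpdateTask {
    param([Parameter(Mandatory, ValueFromPipeline)] $Task)
    process {
        foreach ($action in $Task.Actions) {
            # Exec actions carry Execute/Arguments; other action types leave them empty.
            $exe  = [Environment]::ExpandEnvironmentVariables(([string]$action.Execute).Trim('"'))
            $leaf = if ($exe) { Split-Path -Path $exe -Leaf } else { '' }
            $dir  = if ($exe) { Split-Path -Path $exe -Parent } else { '' }
            $switches = @(([string]$action.Arguments) -split '\s+' | Where-Object { $_ })
            $unknown  = @($switches | Where-Object { $_ -notin $AllowedSwitches })
            [pscustomobject]@{
                TaskName  = $Task.TaskName
                RunAs     = $Task.Principal.UserId
                Execute   = $exe
                Arguments = $switches -join ' '
                # True only for gpupdate.exe (bare name or in System32) with known switches.
                Expected  = ($leaf -ieq 'gpupdate.exe') -and
                            (-not $dir -or $dir -ieq $System32) -and
                            ($unknown.Count -eq 0)
            }
        }
    }
}

# Constructed sample objects shaped like Get-ScheduledTask output (all values made up).
$sample = @(
    [pscustomobject]@{ TaskName = 'Sample-Computer'; Principal = @{ UserId = 'SYSTEM' }
        Actions = @(@{ Execute = 'gpupdate.exe'; Arguments = '/target:computer /force' }) }
    [pscustomobject]@{ TaskName = 'Sample-user@example.test'; Principal = @{ UserId = 'user@example.test' }
        Actions = @(@{ Execute = '%windir%\System32\gpupdate.exe'; Arguments = '/force /target:user' }) }
    [pscustomobject]@{ TaskName = 'Sample-Odd'; Principal = @{ UserId = 'SYSTEM' }
        Actions = @(@{ Execute = 'C:\Temp\gpupdate.exe'; Arguments = '/force' }) }
)
$sample | Test-GPUpdateTask | Format-Table -AutoSize

# Against the live folder on a Windows host:
# Get-ScheduledTask -TaskPath '\Microsoft\Windows\GroupPolicy\' | Test-GPUpdateTask
```

Rows with Expected set to False are worth a closer look, since anything in this folder that is not a plain gpupdate.exe call falls outside the behaviour described in this post.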