
Forcing a remote GPUpdate on a Client

Many times I have had to talk a remote user through a manual refresh of Group Policy.  Depending on the comfort level of the user, this is either a comfortable process or a highly stressful event…for both of us.  You can use PowerShell V3 to invoke a GPUpdate on a remote client.  You need to get a few items in order first.


1 – Access to the GroupPolicy module. 

Your domain controllers have access to the GroupPolicy module. It is installed by default when they become domain controllers. For Windows 8 clients, download RSAT from here.

Once you have access to the module, you need to turn it on. Click Start and type Programs and Features.

If you are using Windows 8, you will also need to click Settings.


Click Programs and Features

Click Turn Windows Features on or off. This will take a few minutes.

Expand Remote Server Administration Tools / Feature Administration Tools.

Check Group Policy Management Tools.


Click OK.

2 – Configure the Firewall to allow Group Policy Remote Updates.

For Server 2008 R2, you need to manually open the following ports for inbound traffic on your clients.

  • TCP RPC dynamic ports, Schedule (Task Scheduler service)
  • TCP port 135, RPCSS (Remote Procedure Call service)
  • TCP all ports, Winmgmt (Windows Management Instrumentation service)
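The following is an added example, not code from the original post, showing one way to open the three inbound rules listed above on a Windows 7 / Server 2008 R2 client from an elevated PowerShell prompt using netsh advfirewall. The rule names, the $ManagementHosts subnet, and the restriction of the rules to the addresses you run Invoke-GPUpdate from are assumptions of this example; the post itself only lists the ports and services.

```powershell
# Added example (not from the original post): create the three inbound
# firewall rules for Group Policy remote update on a 2008 R2 / Windows 7 client.
# Assumptions: run locally on the client in an elevated PowerShell session.
# $ManagementHosts is a placeholder for the hosts you run Invoke-GPUpdate from;
# scoping remoteip to them is an addition the post does not require, but it
# keeps RPC and WMI from being reachable from every machine on the network.
param(
    [string]$ManagementHosts = '10.0.0.0/24'   # placeholder subnet, replace with your admin hosts
)

$svchost = "$env:SystemRoot\system32\svchost.exe"

# One entry per bullet in the post: Task Scheduler on the RPC dynamic range,
# the RPC endpoint mapper on 135, and WMI on all TCP ports.
$rules = @(
    @{ Name = 'GP Remote Update - Task Scheduler (RPC)';      Service = 'Schedule'; Port = 'RPC' },
    @{ Name = 'GP Remote Update - RPC Endpoint Mapper (135)'; Service = 'RpcSs';    Port = '135' },
    @{ Name = 'GP Remote Update - WMI (all TCP ports)';       Service = 'Winmgmt';  Port = 'any' }
)

foreach ($r in $rules) {
    # 'localport=RPC' lets the firewall allow the dynamic RPC port the service
    # is actually listening on instead of a fixed port number.
    & netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
        protocol=TCP localport=$($r.Port) program="$svchost" `
        service=$($r.Service) remoteip=$ManagementHosts profile=domain
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add rule '$($r.Name)'" }
}

# Show what was created so the result can be checked before testing Invoke-GPUpdate.
& netsh advfirewall firewall show rule name=all | Select-String 'GP Remote Update'
```

On Windows 8 / Server 2012 clients the same rules already exist as the predefined groups "Remote Scheduled Tasks Management" and "Windows Management Instrumentation (WMI)", which is what the Starter GPO described next enables; this script is only for clients that do not have those groups.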

Windows Server 2012 has a Starter GPO to help you out with this.

Open Server Manager.

Click Tools and select Group Policy Management.

Expand the Group Policy Management tree to expose your domain.

Click Starter GPOs.  If this is the first time you have used Starter GPOs, you will see this:

[image: the Starter GPOs node before the Starter GPOs folder has been created]

Click Create Starter GPOs Folder.

You will now see a list of the Starter GPOs.


Right-click the container you want to scope this GPO to, then click Create a GPO in this…..


In the New GPO name, type the name that you want.

In the Source Starter GPO drop down box, select Group Policy Remote Update Firewall Ports.

Click OK.

You need to let this GPO replicate to your clients before you can invoke a remote GPUpdate.

To test your remote update, log onto a client on which you will force the remote update.

Open PowerShell

Type GPResult /r and press Enter.

Take note of the last time the GPO was refreshed in either the Computer or User section.


Before proceeding, make sure that you are not attempting to do a remote update on clients in the default Computers container in Active Directory.  Move them to an Organizational Unit first.

Now, go to the server/client that you are going to invoke the remote GPUpdate from.

Open PowerShell. 

Type Invoke-GPUpdate -Computer <ComputerName> -Force -RandomDelay 0 and press Enter.  Replace <ComputerName> with the name of the remote client.

This will create a scheduled task on the remote client.  It will execute immediately with the -RandomDelay parameter set to 0.  The user will see a command window pop up as shown below. It will close automatically.

[image: the command window that briefly appears on the remote client]

The remote update is now completed.

If you run GPResult /r on the client again, you will see that it has been updated.

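As an added example that is not part of the original post, the script below wraps the steps just described for several clients at once: it records the last refresh time with GPResult, runs Invoke-GPUpdate, waits for the scheduled task, and reads the refresh time again so you can see which clients actually refreshed. It assumes the GroupPolicy module is installed where it runs, the firewall rules from step 2 have reached the clients, and PowerShell remoting is enabled on them for the GPResult check; the function names and the computer names in the usage line are made up for this example.

```powershell
# Added example (not from the original post): refresh Group Policy on a list of
# clients and confirm the refresh happened by comparing GPResult before/after.
# Assumptions: GroupPolicy module (RSAT) present locally; firewall rules for
# remote update already applied to the clients; PowerShell remoting enabled on
# the clients so gpresult can be run there.
Import-Module GroupPolicy

function Get-LastPolicyRefresh {
    param([Parameter(Mandatory)][string]$ComputerName)
    # gpresult prints "Last time Group Policy was applied:" for each scope;
    # /scope:computer keeps the output to the computer section.
    $lines = Invoke-Command -ComputerName $ComputerName -ScriptBlock { gpresult /r /scope:computer }
    $line  = $lines | Select-String 'Last time Group Policy was applied:' | Select-Object -First 1
    if ($line) { return ($line.Line -replace '^.*applied:\s*', '').Trim() }
    return $null
}

function Invoke-RemoteGPRefresh {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$RandomDelayInMinutes = 0,   # 0 = run the scheduled task immediately, as in the post
        [int]$WaitSeconds = 30            # time to give the task before re-checking
    )
    foreach ($c in $ComputerName) {
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
            Write-Warning "${c}: not reachable, skipping."
            continue
        }
        try {
            $before = Get-LastPolicyRefresh -ComputerName $c

            # Same call as the post (it abbreviates the parameter to -RandomDelay).
            # -Force reapplies all settings, not only changed ones. The client gets
            # a scheduled task and the user briefly sees a console window.
            Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop

            Start-Sleep -Seconds $WaitSeconds
            $after = Get-LastPolicyRefresh -ComputerName $c

            [pscustomobject]@{
                Computer  = $c
                Before    = $before
                After     = $after
                Refreshed = ($null -ne $after) -and ($after -ne $before)
            }
        }
        catch {
            # Typical causes: RPC/WMI blocked by the client firewall, or the
            # client is still in the default Computers container.
            Write-Warning "${c}: $($_.Exception.Message)"
        }
    }
}

# Usage (constructed computer names):
Invoke-RemoteGPRefresh -ComputerName 'CLIENT01', 'CLIENT02' | Format-Table -AutoSize
```

The refresh timestamps are compared as strings because gpresult formats them according to the client's locale; a changed string is enough to show the policy was reapplied. If a client reports Refreshed = False, check that the firewall GPO has reached it and that it is in an OU rather than the Computers container, which are the two conditions the post calls out.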

Comments

Anonymous said…
Do the Win2k8R2 firewall rules get installed on all the computers one would manage with this particular PS 3.0 command?? Plus upon any computers one might run it FROM??

Thank you, Tom

Tom,

For Windows 2K R2, you will need to test it. I have taken down all my 2008 R2 servers. Of course any client that a GPO applies to with settings that client has a client side extension for will be applied.

Jason
