
Forcing a remote GPUpdate on a Client

Many times I have had to talk a remote user through a manual refresh of Group Policy.  Depending on the comfort level of the user, this is either a comfortable process or a highly stressful event…for both of us.  You can use PowerShell V3 to invoke a GPUpdate on a remote client.  You need to get a few items in order first.

 

1 – Access to the GroupPolicy module. 

Your domain controllers have access to the GroupPolicy module. It is installed by default when they become domain controllers.  For Windows 8 clients, download RSAT from here.

Once you have access to the module, you need to turn it on. Click Start and Type Programs and Features.

If you are using Windows 8, you will also need to click Settings.


Click Programs and Features

Click Turn Windows Features on or off. This will take a few minutes.

Expand Remote Server Administration Tools / Feature Administration Tools.

Check Group Policy Management Tools.


Click OK.

2 – Configure the Firewall to allow Group Policy Remote Updates.

For Server 2008 R2, you need to manually open the following ports for inbound traffic on your clients.

  • TCP RPC dynamic ports, Schedule (Task Scheduler service)
  • TCP port 135, RPCSS (Remote Procedure Call service)
  • TCP all ports, Winmgmt (Windows Management Instrumentation service)

Windows Server 2012 has a Starter GPO to help you out with this.

Open Server Manager.

Click Tools and select Group Policy Management.

Expand the Group Policy Management tree to expose your domain.

Click Starter GPOs.  If this is the first time you have used Starter GPOs, you will be prompted to create the Starter GPOs folder.

Click Create Starter GPOs Folder.

You will now see a list of the Starter GPOs.


Right click where you want to scope this GPO to and then click Create a GPO in this…..


In the New GPO name, type the name that you want.

In the Source Starter GPO drop down box, select Group Policy Remote Update Firewall Ports.

Click OK.

You need to let this GPO replicate to your clients before you can invoke a remote GPUpdate.
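The same GPO can be created and linked from PowerShell with the GroupPolicy module instead of the GPMC clicks above. This is an added example, not part of the original post; the GPO name and the OU distinguished name are placeholders you must replace.

```powershell
# Added example: scripted equivalent of the GPMC steps above.
Import-Module GroupPolicy

$starterName = 'Group Policy Remote Update Firewall Ports'  # Starter GPO named on this page
$gpoName     = 'Remote GPUpdate Firewall Ports'             # hypothetical GPO name
$targetOU    = 'OU=Workstations,DC=example,DC=com'          # hypothetical OU

# Fail early if the Starter GPOs folder has not been created yet.
try {
    Get-GPStarterGPO -Name $starterName -ErrorAction Stop | Out-Null
}
catch {
    throw "Starter GPO '$starterName' not found. Create the Starter GPOs folder first."
}

# Create the GPO from the Starter GPO.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starterName `
               -Comment 'Inbound firewall ports for remote GPUpdate' -ErrorAction Stop

# Link it only to the OU that holds the clients you intend to refresh remotely,
# so the inbound rules are not opened on machines that do not need them.
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -ErrorAction Stop

# Write an HTML report so the firewall rules in the new GPO can be reviewed.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$gpoName.html"
```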

To test your remote update, log onto a client that you will force the remote update on.

Open PowerShell

Type GPResult /r and press Enter

Take note of the last time the GPO was refreshed on either the Computer or User section.

Before proceeding, make sure that you are not attempting to do a remote update on clients in the default Computers container in Active Directory.  Move them to an Organizational Unit first.

Now, go to the server/client that you are going to invoke the remote GPUpdate from.

Open PowerShell. 

Type Invoke-GPUpdate -Computer <ComputerName> -Force -RandomDelay 0 and press Enter.  Replace <ComputerName> with the name of the remote client.

This will create a scheduled task on the remote client.  It will execute immediately with the -RandomDelay parameter set to 0.  The user will see a command window pop up. It will close automatically.

The remote update is now completed.

If you run a GPResult /r on the client, you will see that it has been updated.
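To refresh every client in an OU rather than one computer at a time, the command above can be wrapped as follows. This is an added example, not part of the original post: the function names and the OU path are hypothetical, and it assumes the ActiveDirectory module from RSAT is installed alongside GroupPolicy. It generalizes the single-computer case and checks TCP port 135 first, so clients that have not yet received the firewall GPO are reported instead of timing out.

```powershell
# Added example: force a Group Policy refresh on every computer in one OU.
Import-Module GroupPolicy, ActiveDirectory

function Test-RpcPort {
    # Returns $true if TCP 135 (RPCSS) accepts a connection within the timeout.
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 135, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Invoke-OUGPUpdate {
    param([Parameter(Mandatory = $true)][string]$SearchBase)

    # The post warns against targeting the default Computers container.
    if ($SearchBase -match '^CN=Computers,') {
        throw 'Move the clients out of the default Computers container into an OU first.'
    }

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $status = 'Requested'; $detail = ''
        if (-not (Test-RpcPort -ComputerName $computer.Name)) {
            $status = 'Skipped'; $detail = 'TCP 135 unreachable (firewall GPO not applied yet?)'
        }
        else {
            try {
                # Same command as in the post; -ErrorAction Stop surfaces failures.
                Invoke-GPUpdate -Computer $computer.Name -Force -RandomDelay 0 -ErrorAction Stop
            }
            catch {
                $status = 'Failed'; $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{ Computer = $computer.Name; Status = $status; Detail = $detail }
    }
}

# Hypothetical OU; replace with the OU that holds your clients.
Invoke-OUGPUpdate -SearchBase 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

A status of Requested only means the scheduled task was created on the client; confirm the refresh itself with GPResult /r as described above.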


Comments

Anonymous said…
Do the Win2k8R2 firewall rules get installed on all the computers one would manage with this particular PS 3.0 command?? Plus upon any computers one might run it FROM??

Thank you, Tom
Tom,

For Windows 2K R2, you will need to test it. I have taken down all my 2008 R2 servers. Of course any client that a GPO applies to with settings that client has a client side extension for will be applied.

Jason
