Skip to main content

Forcing a remote GPUpdate on a Client

Many times I have had to talk a remote user through a manual refresh of Group Policy.  Depending on the comfort level of the user, this is either a comfortable processes or a highly stressful event…for both of us.  You can use PowerShell V3 to invoke a GPUpdate on a remote client.  You need to get a few items in order first.

 

1 – Access to the GroupPolicy module. 

Your domain controllers have access to the GroupPolicy module. This is installed by default when they became domain controllers  For Windows 8 clients, download RSAT from here.

Once you have access to the module, you need to turn it on. Click Start and Type Programs and Features.

If you are using Windows 8, you will also need to click Settings.

image

Click Programs and Features

Click Turn Windows Features on or off. This will take a few minutes.

Expand Remote Server Administration Tools / Feature Administration Tools.

Check Group Policy Management Tools.

image

Click OK.

2 – Configure the Firewall to allow Group Policy Remote Updates.

For Server 2008 R2, you need to manually open the following ports for inbound traffic on your clients.

  • TCP RPC dynamic ports, Schedule (Task Scheduler service)
  • TCP port 135, RPCSS (Remote Procedure Call service)
  • TCP all ports, Winmgmt (Windows Management Instrumentation service)

Windows Server 2012 has a Starter GPO to help you out with this.

Open Server Manager.

Click Tools and select Group Policy Management

Expand the Group Policy Management tree to expose your domain.

Click Starter GPOs.  If this is the first time you have used Starter GPOs, you will see this:

image

Click Create Starter GPOs Folder.

You will now see a list of the Starter GPOs.

image

Right click where you want to scope this GPO to and then click Create a GPO in this…..

image

In the New GPO name, type the name that you want.

In the Source Starter GPO drop down box, select Group Policy Remote Update Firewall Ports

Click OK.

You need to let this GPO replicate to your clients before you can invoke a remote GPUpdate.

To test you remote update, log onto a client that you will force the remote update on.

Open PowerShell

Type GPResult /r and press Enter

Take note of the last time the the GPO was refreshed on either the Computer or User section.

image

Before proceeding, make sure that you are not attempting to do a remote update on clients in the default Computers container in active directory.  Move them to an Organizational Unit first.

Now, go to the server/client that you are going to invoke the remote GPUpdate from.

Open PowerShell. 

Type Invoke-GPUpdate –Computer <ComputerName> –Force –RandomDelay 0 and press Enter.  Replace <ComputerName> with the name of the remote client.

This will create a scheduled task on the remote client.  It will execute immediately with the –RandomDelay parameter set to 0.  The user will see a command window pop up as shown below. It will close automatically.

image

The remote update is now completed.

If you run a GPResult /r on the client, you will see that it has been updated.

image

Comments

Anonymous said…
Do the Win2k8R2 firewall rules get installed on all the computers one would manage with this particular PS 3.0 command?? Plus upon any computers one might run it FROM??

Thank you, Tom
Tom,

For Windows 2K R2, you will need to test it. I have taken down all my 2008 R2 servers. of course any client that a GPO applies to with settings that client has a client side extension for will be applied.

Jason

Popular posts from this blog

How to list all the AD LDS instances on a server

AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.

How to run GPResult on a remote client with PowerShell

In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.

Error icon when creating a GPO Preference drive map

You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the ma...