Ebrahim Albasri

Group Policy – GPUpdate an OU of Computers

There are times when you need to remotely refresh Group Policy on a group of computers, bypassing the default 90-minute (+30-minute offset) interval. Let’s look at three ways to achieve that. Two of the methods require Server 2012 or Windows 8 with the remote administration tools to initiate the refresh; the third can be initiated from Windows 7 or Server 2008 R2.


Method 1.

Server 2012 introduced the ability to remotely refresh Group Policy settings for all computers in an OU from the Group Policy Management Console (GPMC). When you use this method, there is a random delay of up to 10 minutes, intended to reduce the load on the network. This random delay cannot be configured when using the GUI. This method supports a Group Policy refresh for Windows Server 2012 R2 Preview, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8.1 Preview, Windows 8, Windows 7 and Windows Vista clients.

Open the GPMC, right click the OU of Computers you’d like to refresh and select Group Policy Update.


This will return the number of computer objects in the OU, and ask if you’re sure.


This will run a GPUpdate /force on all computer objects in the OU selected and any child OUs and will refresh both the computer and user policies.



Method 2.

This method requires Server 2012, or Windows 8 with the remote server administration tools. The following command retrieves the computer objects from the Servers OU and runs Invoke-GPUpdate against each of them.

get-adcomputer -SearchBase "OU=Servers,DC=thesysadmins,DC=local" -Filter * | %{invoke-gpupdate -Computer $_.Name -RandomDelayInMinute 0; "Refreshing host $_."}

Be aware that this method displays a command prompt window with “Updating Policy” on each computer you run it against, so bear this in mind if you’re running it against desktops or laptops with users logged in.
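The one-liner above gives no indication of which hosts were unreachable or rejected the request. The following is an added example, not code from the original post: it wraps the same Get-ADComputer / Invoke-GPUpdate calls in a function that returns a per-host result. The function name Update-OUGroupPolicy and the CSV file name are hypothetical; the OU is the one used in the post.

```powershell
# Added example: Update-OUGroupPolicy is an illustrative name, not from the post.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) on the admin host.
Import-Module ActiveDirectory, GroupPolicy

function Update-OUGroupPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # 0 = no random delay, as in the one-liner above
        [int] $RandomDelayInMinutes = 0
    )

    # Only enabled computer accounts under the OU (child OUs included by default)
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true'

    foreach ($c in $computers) {
        $result = [pscustomobject]@{ Computer = $c.Name; Status = 'Scheduled'; Detail = '' }

        # One ICMP probe; hosts that block ping are reported as Unreachable
        if (-not (Test-Connection -ComputerName $c.Name -Count 1 -Quiet)) {
            $result.Status = 'Unreachable'
        }
        else {
            try {
                # -ErrorAction Stop turns a failed request into a catchable error
                Invoke-GPUpdate -Computer $c.Name `
                    -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            }
            catch {
                $result.Status = 'Failed'
                $result.Detail = $_.Exception.Message
            }
        }
        $result   # emit one record per host
    }
}

# OU distinguished name taken from the post
$report = Update-OUGroupPolicy -SearchBase 'OU=Servers,DC=thesysadmins,DC=local'
$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Keep a record of hosts that did not accept the refresh (file name is an assumption)
$report | Where-Object Status -ne 'Scheduled' |
    Export-Csv -Path .\gpupdate-failures.csv -NoTypeInformation
```

A status of Scheduled means the refresh request was accepted by the remote host, not that policy processing has finished.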



Method 3.

Fear not! If you’re not using Server 2012, you can still achieve the above with fairly little effort, using PowerShell to generate a list of computers and PsExec to run the GPUpdate command. The following PowerShell gets a list of computers from the Servers OU and exports them to a text file on the C drive. You can replace this with a UNC path if desired. I’ve added a dummy first entry to the text file; for some reason PsExec fails the first entry, so this gets around that.

Add-Content -path C:\Servers.txt -Value Dummy ; Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=thesysadmins,DC=local" | Select -expand Name | Out-File -Encoding utf8 "C:\Servers.txt" -append

PsExec will connect to each of the machines listed in Servers.txt and run gpupdate /force. This method isn’t particularly quick, but it gets the job done.

psexec @"C:\Servers.txt" gpupdate /force




