Active Directory Policies

How to force Group Policy update?

What you will learn from this article:

Group Policies are a set of security and management instructions that are administered and updated to ensure secure and smooth operations of an Active Directory (AD) network. Sometimes, these Group Policies would need to be updated instantly for various reasons. Hence, Microsoft has provided functionalities to force Group Policy updates. In this article, we will touch upon what Group Policies are, and then we will take a look at the default Group Policy update schedule, why you would need to force update, and methods for forcing Group Policy updates in an AD network.

What are Group Policies and Group Policy objects?

Group Policy is an infrastructure that lets admins remotely manage configurations for users and computers in a domain through various policy settings and preferences. A Group Policy object (GPO) is a collection of Group Policy settings linked to a selected AD site, domain or OU. A few examples of settings that a GPO can carry are security settings such as password policies and account lockout policies, administrative templates, and more. Group Policy updates are made in these GPOs, and the changes are then carried forward to all objects the GPO is linked to.

Default process of Group Policy update

By default, clients refresh Group Policy in the background every 90 minutes with a random offset of up to 30 minutes, so a change can take between 90 and 120 minutes to reach every computer and user. If you cannot wait that long for some specific reason, you have to force the GPO update. There are several ways to force a GPO update, but before that, let’s take a look at a few situations where you might have to force update Group Policies.

Why perform a Group Policy force update

There can be various reasons to force update a Group Policy. Perhaps a critical policy setting has been overlooked, or there was a restructuring process in an organization resulting in the policies being updated that need to come into effect immediately.

Group Policies are also refreshed when users log off and log back on, but you cannot ask every user to log off and then log on again. In such scenarios, forcing Group Policy updates can help achieve the task of refreshing Group Policies immediately.

How to force Group Policy update

In an AD environment, there are 3 options by which Group Policy updates can be forced into effect. They are as follows:

  • Forcing Group Policy update using the Group Policy Management Console (GPMC)
  • Forcing Group Policy update using PowerShell commands
  • Forcing Group Policy update using elevated Command Prompt

How to force Group Policy update using Group Policy Management Console

If you want to avoid the command line, you can force a Group Policy update from the GPMC. Before updating, ensure that the GPO is linked to the container object it should apply to. Here’s how to force update Group Policies from the GPMC:

Go to Start -> Administrative Tools and select Group Policy Management.

Check if the GPO is linked to the container object.

Once the GPO is linked, right-click on the container, and select Group Policy Update.

A dialog box will pop up asking whether you want to force a Group Policy update. Click Yes.

This will prompt the operating system to force update the Group Policies for the selected container and all the objects within it.

[Figure: Forcing a GPO update from the Group Policy Management Console]

How to force Group Policy update using PowerShell commands

PowerShell is a powerful command-line and scripting tool that allows administrators to perform administrative and monitoring tasks. One of these tasks is forcing Group Policy updates. This functionality has been available in PowerShell since Windows Server 2012. You can either force a GPO update on a specific object such as a computer, or force a GPO update on all computers. The cmdlet used for forcing a Group Policy update is Invoke-GPUpdate, and the parameter that ensures the update happens instantly is -RandomDelayMinutes 0.

For example, if you want to force a GPO update on a single remote computer, the syntax is as follows (ADGM8516 is the target computer name):

Invoke-GPUpdate -Computer ADGM8516 -RandomDelayMinutes 0

Do note that the computer being updated will show a pop-up dialog box telling the logged-on user that its Group Policy is being updated.
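The single-computer command above scales poorly when a whole OU needs an immediate refresh. The following script is an added example (it is not from the original article) that forces an update on every computer in an OU and reports which hosts were offline or failed. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the running account has administrative rights on the targets, and that the OU path is a placeholder you replace with your own.

```powershell
# Added example: force an immediate Group Policy refresh on every computer in an OU.
# Assumptions: GroupPolicy and ActiveDirectory modules available; the OU below is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace with yours
$computers  = Get-ADComputer -Filter * -SearchBase $searchBase |
              Select-Object -ExpandProperty Name

$results = foreach ($name in $computers) {
    # Skip hosts that are offline; Invoke-GPUpdate would otherwise block until the RPC call times out.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Status = 'Offline' }
        continue
    }
    try {
        # -Force re-applies all settings, not only changed ones; -RandomDelayMinutes 0 removes the
        # random start delay so the refresh is scheduled immediately on the target.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $name; Status = 'Scheduled' }
    }
    catch {
        [pscustomobject]@{ Computer = $name; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

Invoke-GPUpdate works by creating a scheduled task on the remote computer that runs gpupdate, so "Scheduled" means the task was created, not that policy has finished applying; confirm the result on the client from its Group Policy operational event log. The remote task creation also needs the inbound firewall rules for remote scheduled task management and WMI on the targets, which is why a "Failed" entry with an RPC error usually points at the firewall rather than at Group Policy itself.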

How to force Group Policy update using elevated Command Prompt

Finally, forcing Group Policy updates can also be done from the Command Prompt. However, it must be done from a Command Prompt that has administrative permissions. To run an elevated Command Prompt:

Go to Start and search for Command Prompt.

Right-click on it and click Run as Administrator.

This will ensure that the command prompt runs with elevated permissions. To force a Group Policy update using this elevated Command Prompt, the command line utility gpupdate is used. The syntax used is as follows:

gpupdate [/Target:{Computer | User}] [/Force] [/Wait:value] [/Logoff] [/Boot]

The parameters mentioned in the syntax are as follows:

  • [/Target:{Computer | User}] – Specifies whether only the user or only the computer policies should be force updated. If the target is not specified, the operating system updates both computer and user policies.
  • [/Force] – Tells the computer to re-apply all Group Policy settings. If this parameter is not specified, only the policies that have changed are refreshed.
  • [/Wait:value] – Specifies the number of seconds gpupdate waits for policy processing to finish before returning control to the command prompt. The default value is 600 seconds. If the value is set to 0, the command returns immediately without waiting. If the value is set to -1, the system waits indefinitely.
  • [/Logoff] – Logs the user off the computer once its Group Policy has been updated, which is needed for settings that only apply at logon. This parameter is optional.
  • [/Boot] – Reboots the computer once the GPO update process is finished, which is needed for settings that only apply at startup. This parameter, like /Logoff, is optional.
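The parameters above say how to start a refresh, but not how to confirm it worked. The following is an added example (not from the original article) that runs gpupdate from an elevated PowerShell session and then checks the local Group Policy operational event log for the success events written by policy processing. It assumes the session is elevated, since refreshing computer policy needs administrative rights, and uses a 120-second wait instead of the 600-second default.

```powershell
# Added example: run gpupdate and verify the outcome from the local Group Policy operational log.
# Assumption: this runs in an elevated PowerShell session.
$start = Get-Date

# /Target:Computer refreshes only the computer side; /Force re-applies unchanged settings too;
# /Wait:120 returns after at most 120 seconds instead of the 600-second default.
& gpupdate.exe /Target:Computer /Force /Wait:120
$exitCode = $LASTEXITCODE
Write-Host "gpupdate exit code: $exitCode"

# Event IDs 1500-1503 in this log mean policy was processed successfully
# (1500/1501: no changes detected for computer/user, 1502/1503: changes were applied).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $start
} -ErrorAction SilentlyContinue

$success = $events | Where-Object { $_.Id -in 1500..1503 }
if ($success) {
    $success | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Warning 'No success event recorded since the refresh started; inspect the log for errors.'
    $events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}

# List the GPOs that are actually applied to this computer after the refresh.
& gpresult.exe /Scope:Computer /R
```

A non-zero exit code or a missing 1500-1503 event after the wait elapses is the signal to look at the warning and error events in the same log, which name the GPO or client-side extension that failed, rather than to simply run gpupdate again.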