How to deploy and force updates with gpupdate

How do Group Policy settings work?

Group Policy stores related settings in configuration files called Group Policy Objects (GPOs). Administrators apply GPOs to Active Directory (AD) sites, the entire Domain, or organizational units (OUs) -- which are essentially user groups with shared management needs.

For example, IT may want to deploy a new piece of sales software. Administrators could create a GPO instructing the system to install the software, then apply the GPO to the sales department OU. Only computer accounts stored in the sales department OU will receive the application. As another example, admins could configure security settings, such as a login banner warning message, and link it to the AD Domain object. The settings would apply to all systems in the entire domain.

Domain controllers (DCs) store GPOs in the sysvol folder. Client systems download and apply the GPOs when they authenticate to the DC. They also check in with the DC periodically to discover whether there are new versions of the GPOs to apply.

This process is typically transparent and reliable. However, things can go wrong, and admins may find themselves troubleshooting Group Policy on desktop systems. The interaction of multiple GPOs applied at the Site, Domain and OU layers makes troubleshooting difficult.

While the gpresult command displays the current GPO settings, the gpupdate command checks for new GPO settings.

Group Policy settings refresh in various ways, including the following:

• Computer startup. The system applies Computer GPO settings at boot time during system authentication.
• User login. The system applies User GPO settings during the user authentication process.
• Group Policy refresh interval. The system checks in with DC for Group Policy changes every 90 minutes with a randomized offset between zero and 30 minutes.
• Group Policy Management Console. Right-click an OU and select Group Policy Update from the context menu to update policies for all OU members (Figure 1).
• gpresult command. The system checks in with the DC for Group Policy changes when you manually enter this command. Use the /force switch to reapply policies.
• Invoke-GPUpdate command. The local system checks in with the DC for Group Policy changes. Use the -Computer <computername> parameter to update a remote system.

What is the gpupdate command?

The gpupdate command causes any selected endpoints to check in with the DC that authenticated it to determine whether there have been any changes to the already applied GPO configurations. This is almost always done as part of testing or troubleshooting. Here are two sample use cases:

• Testing. The administrator made a GPO change and wants to view it on a workstation immediately.
• Troubleshooting. The admin is troubleshooting why the system doesn't have a specific Group Policy setting or is investigating performance issues with the system.

One way to check for updated GPOs is to reboot the system. That's not a very time-efficient method, especially when IT may need to repeat the process before a configuration appears. The gpupdate command allows admins to check Group Policy updates more quickly and easily. It gives troubleshooters direct control over the reapplication of Group Policy settings as well.

How to use gpupdate with the command prompt

Administrators input the gpupdate command via the command prompt. To access the command prompt, open the Windows cmd.exe interface. There are several ways to do this, including right-clicking the Start menu and selecting Terminal (Admin), typing "cmd" in the search bar, or browsing to the cmd.exe icon.

Once the prompt appears, simply type gpupdate to initiate the policy refresh. The output returns two messages:

"Computer Policy update has completed successfully."

"User Policy update has completed successfully."

As with other programs, admins can type gpupdate /? to see the additional options and features available with the command (Figure 2).

The following switches exist for gpupdate:

The Group Policy Client automatically caches GPOs during the periodic refresh actions. The gpresult command uses this cache to apply settings.

What is the /force switch for GPOs?

The built-in Group Policy Client service and the basic gpupdate command only check version information with the DC to determine whether any GPOs have changed. This is usually sufficient, but sometimes the troubleshooting process justifies the actual reapplication of the settings rather than just a version comparison.

In that case, use The Force.

This of course refers to the /force switch. The /force switch causes gpupdate to reapply the GPOs, regardless of whether they changed (Figure 3). The benefit of performing this action is that IT can be confident that Group Policy has applied the settings -- not just assuming they were configured based on a quick version check.

The output at the command prompt is the same as the usual gpupdate command. This command takes longer to run since it processes the GPOs. The only real drawback or downside to gpupdate /force is the time it takes to apply the settings and any required reboot associated with the configurations. Some settings require a reboot -- though most do not -- and some policy settings only apply at login.

Use the /force option when troubleshooting any GPO application issue, whether it be major feature updates or minor settings modifications. Perhaps Group Policy is set to restrict access to the display Control Panel interface. In this troubleshooting example, the interface is still available to the user, even though it shouldn't be. The admin should open a command prompt and run gpupdate /force. Reboot the system if prompted, log in as the user, and check Control Panel for the display interface.

Remember to combine gpupdate with gpresult to determine what GPOs the system uses.

Update Group Policy with PowerShell

PowerShell offers command-line administration and scripting to automate and simplify common tasks. It uses a noun-verb syntax with parameters to specify additional details and arguments.

Admins more comfortable with the PowerShell syntax should use the Invoke-GPUpdate -Force cmdlet to achieve the same goal as the traditional gpupdate /force command.

To run the cmdlet, open the PowerShell console. Do so by typing "powershell" in the Search menu, right-clicking the Start button and selecting Terminal (Admin), or browsing to the executable. Note that the Remote Server Administration Tools must be installed on the system for this to work.

Most administrators use Invoke-GPUpdate to refresh policies on remote computers using the -Computer <computername> parameter.

PS C:\Users\Administrator> invoke-gpupdate -Computer Win11-client

Using this cmdlet to target a remote system is easier than walking to it, especially for remote offices or work-from-home employees.

The Invoke-GPUpdate cmdlet includes many other useful options, including the ability to automatically reboot after applying the GPOs, force a user logoff after applying the GPOs and set a delay for the cmdlet.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.