What Does Gpupdate Do

The gpupdate command is used to update Group Policy settings on computers in a Windows domain. gpupdate accepts several options, but one of the most used is /force, which reapplies all policy settings.

In this guide, you will learn how to use the GPResult command line tool to verify what group policy objects are applied to a user or computer. If you're using group policy in your environment, then you definitely should know how to use this tool.

I want to perform a gpupdate as an -Action of a System.IO.FileSystemWatcher instance, but gpupdate occasionally hangs completely when being called from PowerShell. I have tried the following way to handle an unresponsive gpupdate, but it does not work as expected: the whole script still hangs when gpupdate goes wrong.

Get Help

Even though the “gpupdate” command provides only basic features, we may need some help with its options. We can list the help information with the /? option. This lists the options of the “gpupdate” command with an explanation of each.

Force Only

We can force all Group Policy settings to be reapplied with the /force option. Without /force, the default behavior is to update only changed policies.

As we can see from the screenshot, the User and Computer policies are updated successfully.

Update Only User Policies

Gupdate.exe file information: the gupdate.exe process in Windows Task Manager. The process known as gupdate.exe belongs to software gupdate by unknown. Description: gupdate.exe is not essential for Windows and will often cause problems. The file gupdate.exe is located in a subfolder of 'C:\Program Files (x86)' (usually C:\Program Files (x86)\Company\gupdate). Because the gpupdate.exe file is a Windows operating system file, it is not recommended that you download this file from any website. If this file is missing, it is likely that other Windows-related files are also missing; we suggest reinstalling Windows to make sure your issue is correctly resolved.

By default, all policies are updated by the “gpupdate” command. If we want to update only the policies related to user objects, we need to pass the /Target:User option to the “gpupdate” command.

Update Only Computer Policies

Alternatively, we can update only the policies related to computer objects with the /Target:Computer option.

Force and Reboot

If we want to force the update and then restart the system, we should provide the /boot option next to the /force option.

Force and Logoff Account

We can also log off from the current session or account after forcibly updating the group policy. To do this, we provide the /logoff option after the /force option.

Set Timeout To Force gpupdate

Updating group policy may take some time or run forever if there is a problem. The problem can be network-related or domain-related. Network problems are especially common in remote branches. We can set a time that will stop the update if it is not completed. We call this a timeout, and we set it with the /w option followed by a time.

In this example, we will wait up to 120 seconds for the group policy update to complete.
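The following PowerShell sketch is an added example, not code from the original page: it runs gpupdate with its documented /wait:<seconds> option and adds a hard process timeout, which covers the case of gpupdate hanging when called from a script. According to the gpupdate help text, when the /wait limit is exceeded the command prompt returns but policy processing continues. The function name and the `KillAfterSeconds` parameter are hypothetical.

```powershell
# Added example: Invoke-GpupdateWithTimeout and its parameters are hypothetical names.
function Invoke-GpupdateWithTimeout {
    param(
        [ValidateSet('User', 'Computer', 'Both')]
        [string]$Target = 'Both',
        [switch]$Force,
        [int]$WaitSeconds = 120,       # passed to gpupdate as /wait:<seconds>
        [int]$KillAfterSeconds = 180   # hard limit enforced by this script
    )

    # Call the binary by its full System32 path so a look-alike executable
    # elsewhere on PATH is never picked up.
    $gpupdate = Join-Path $env:SystemRoot 'System32\gpupdate.exe'

    $argList = @("/wait:$WaitSeconds")
    if ($Force)             { $argList += '/force' }
    if ($Target -ne 'Both') { $argList += "/target:$Target" }

    $proc = Start-Process -FilePath $gpupdate -ArgumentList $argList `
                          -PassThru -WindowStyle Hidden
    $null = $proc.Handle   # cache the handle so ExitCode is readable after exit

    # gpupdate can stop at a "log off / restart? (Y/N)" prompt when a policy
    # needs it; in a hidden window that looks like a hang, so bound the wait.
    if (-not $proc.WaitForExit($KillAfterSeconds * 1000)) {
        $proc.Kill()
        return [pscustomobject]@{ Completed = $false; ExitCode = $null }
    }
    [pscustomobject]@{ Completed = $true; ExitCode = $proc.ExitCode }
}

# Force a refresh of computer policy, waiting at most 120 seconds for
# processing and killing the process if it has not returned after 180.
Invoke-GpupdateWithTimeout -Target Computer -Force -WaitSeconds 120 -KillAfterSeconds 180
```

Killing the gpupdate process only ends the command-line client; it does not roll back or cancel policy processing that the Group Policy service has already started.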

Force gpupdate with PowerShell

A group policy update can be triggered from PowerShell too. We can use the -Force option with the Invoke-GPUpdate command.

I teach several classes that cover Windows deployment, operations, and troubleshooting. Most of the content I teach is focused on enterprise environments – that is, generally, more than 5,000 systems. At that scale centralized IT management is a requirement, not an option. And the cornerstone of centralized computer configuration management in Windows are Active Directory and Group Policy.

Many of my students relate stories of making changes to Group Policy settings. Usually the story goes something like, “We needed to change the screensaver timeout period to kick in after 5 minutes for the HR department. So I edited the Group Policy and under User Configuration, Administrative Templates, Control Panel, Personalization, I set the ‘Screen saver timeout’ to 600 seconds. Then I ran GPUpdate /force on the HR computers to get the setting.” A common alternate ending to that story is replacing the GPUpdate /force command with rebooting the computer.

Neither rebooting the computer nor running GPUpdate /force are necessary. Group Policy updates happen all by themselves.

Group Policy Updates Itself

Yup, the Group Policy service on all domain-joined client computers regularly checks with Active Directory to see if anything has changed. If new or changed policies exist, they are applied to the computer. By default, Group Policy updates every 60 to 120 minutes, as well as during system startup.

The most efficient way to ensure faster application of Group Policy changes is to change how frequently the client checks with a domain controller. This uses the existing timing and infrastructure already built in to Group Policy. Running GPUpdate or rebooting the computers is not efficient in a large environment so these options simply don’t scale.

Changing the Group Policy Refresh Interval

An interesting coincidence is that the policy that configures this setting is itself built into Group Policy! You just need to know where it is and what the valid settings are.

The setting is in Group Policy under Computer Configuration\Administrative Templates\System\Group Policy. There are two separate settings:

  • Group Policy refresh interval for computers configures all non-domain controller systems within the scope of the policy. By default this is set to every 90 minutes with a random time offset of 0 to 30 minutes, resulting in a refresh interval of 60 to 120 minutes per computer.
  • Group Policy refresh interval for domain controllers targets only domain controller systems within the scope of the policy. By default this is set to every 5 minutes with no random time offset.

Change those settings and each computer will use the new settings beginning with the next Group Policy refresh.

Don’t Set the Refresh Very Low

Some administrators might want to crank this setting down as low as it will go to have computers update policy as fast as possible. That’s a really bad idea.

The policy refresh consumes resources on the client, the network, and the domain controller. The more frequently it runs, the more resources it consumes. The documentation defines the fastest possible refresh interval at 7 seconds. That setting will most likely result in unusable computers and CPU-bound domain controllers in very short order. In my experience, setting the computer interval to 60 minutes and reducing the offset to 10 minutes is sufficient to meet any regulatory or IT policy requirement while avoiding resource starvation on the systems.
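A quick way to audit what a machine is actually configured with, as an added PowerShell example that is not part of the original article. It assumes the two settings above are stored as the registry values `GroupPolicyRefreshTime`, `GroupPolicyRefreshTimeOffset` and their `...DC` variants under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`; the function names and the `-MinimumMinutes` threshold are hypothetical.

```powershell
# Added example. Function names and the -MinimumMinutes threshold are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Read-GpRefreshPolicy {
    # Returns only the refresh values that a GPO has actually written.
    $found = @{}
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset',
                      'GroupPolicyRefreshTimeDC', 'GroupPolicyRefreshTimeOffsetDC') {
        if ($props -and $null -ne $props.$name) { $found[$name] = [int]$props.$name }
    }
    $found
}

function Test-GpRefreshSetting {
    param(
        [hashtable]$PolicyValues,
        [switch]$DomainController,
        [int]$MinimumMinutes = 60   # assumption: the 60-minute figure suggested in the text
    )
    $suffix = if ($DomainController) { 'DC' } else { '' }
    # Defaults as stated in the text: 90/30 for computers, 5/0 for domain controllers.
    $interval = if ($DomainController) { 5 } else { 90 }
    $offset   = if ($DomainController) { 0 } else { 30 }

    $configured = $PolicyValues.ContainsKey("GroupPolicyRefreshTime$suffix")
    if ($configured) { $interval = $PolicyValues["GroupPolicyRefreshTime$suffix"] }
    if ($PolicyValues.ContainsKey("GroupPolicyRefreshTimeOffset$suffix")) {
        $offset = $PolicyValues["GroupPolicyRefreshTimeOffset$suffix"]
    }

    [pscustomobject]@{
        Role            = if ($DomainController) { 'DomainController' } else { 'Computer' }
        Configured      = $configured
        IntervalMinutes = $interval
        OffsetMinutes   = $offset
        TooFrequent     = $configured -and ($interval -lt $MinimumMinutes)
    }
}

# Constructed sample: a GPO that sets the computer interval to 0 minutes.
Test-GpRefreshSetting -PolicyValues @{ GroupPolicyRefreshTime = 0; GroupPolicyRefreshTimeOffset = 0 }

# Live check on the local machine (Windows only).
Test-GpRefreshSetting -PolicyValues (Read-GpRefreshPolicy)
```

When checking a domain controller, pass `-DomainController` together with a `-MinimumMinutes` value that suits the much shorter domain controller default.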

Good luck and be careful with this one!

Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor
