Introduction
I needed to script a gpupdate /force and target a group of machines in an OU. The reason I wanted to script this is that I wanted to run the force in real time and also wanted to be sure that it ran successfully on the target machines. This seemed like the best idea, and a better option than waiting for the policy to update and hoping it applied the updated policy registry settings on all systems, or worse yet, needing to run reports and trawl through the results.
Over the last several years, I have been lucky enough to not rely on Group Policy all that much. With tools like RES ONE and AppSense at my disposal, and the fact that I have been pretty application focused, Group Policy has been a last resort in most environments.
Imagine my delight when I realized I didn’t need to script this!! I found a helpful article and thought I had found the holy grail: an option within the Group Policy Management Console in Server 2012 that can not only force the update but also return the results! Eureka!!
In this post I will go through how to remotely execute gpupdate on all systems in an OU using Group Policy Management but importantly, in my conclusion, I will detail why you should use caution when leveraging this feature!
How to Force GPUpdate on an OU from Group Policy Management Console
On Server 2012, or with newer versions of RSAT on your desktop, open Group Policy Management.
Browse to the OU for which you would like to force the gpupdate, right-click it and click Group Policy Update…
If you are deploying to one or two machines, you’ll just receive a confirmation message. When deploying to several machines you will receive a warning about possibly straining network resources. If you are daring enough to proceed, click Yes. (I wouldn’t be worried about running it for a few hundred machines, but again, check my conclusion at the bottom of this post before proceeding.)
As the update runs on the machines, the results will populate. If you get any failures, you will want to investigate on that failed machine.
Conclusion
But Yarrrrrr….let this be a cautionary tale…and also a brain dump for myself to serve as a reminder to never ever do this on machines in a production environment! I got pretty lucky; I ran this against some systems in a non-production environment.
On machines that got the update, gpupdate ran interactively, so the users on the machines at the time saw this prompt, which could look like an issue. It’s not in this instance; my updated policy did successfully take hold, but the fact that this didn’t run silently makes the feature pretty useless for my future use, and I would suggest that you only use it in your own home lab or sandbox environment.
If you would like to ensure that gpupdate runs silently, you could change the refresh interval, or script it using VBScript, PowerShell or even PsExec.
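As an added example (not from the original post), here is one way to do the PowerShell route: enumerate the computers in the OU, refresh policy over PowerShell Remoting so nothing pops up on the user's desktop, and collect a per-machine result. It assumes the RSAT ActiveDirectory module is installed, WinRM is enabled on the targets, and you run it as an account allowed to remote into them; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post: silent gpupdate /force across an OU.
# Assumes RSAT ActiveDirectory module + WinRM enabled on targets. OU DN is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU distinguished name

# Enabled computer accounts in the OU (and child OUs by default).
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $TargetOU |
    Select-Object -ExpandProperty Name

# Skip offline machines so Invoke-Command does not stall waiting on them.
$online = @($computers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
if ($online.Count -eq 0) { Write-Warning 'No reachable computers in the OU.'; return }

# gpupdate runs inside a non-interactive remoting session, so unlike the GPMC
# "Group Policy Update" scheduled task, no console window appears for logged-on users.
# /wait:120 caps how long we wait for policy processing before giving up.
$results = Invoke-Command -ComputerName $online -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $output = & gpupdate.exe /force /wait:120 2>&1
    $text   = ($output -join ' ')
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        # gpupdate can exit 0 even when a policy failed to apply, so check the text too.
        Success  = ($LASTEXITCODE -eq 0 -and $text -notmatch 'fail')
        Output   = $text
    }
}

# Report: one line per machine, plus anything that could not be reached.
$results | Sort-Object Computer | Format-Table Computer, Success, ExitCode -AutoSize
foreach ($e in $remoteErrors) {
    Write-Warning "Could not run gpupdate on $($e.TargetObject): $($e.Exception.Message)"
}
$offline = $computers | Where-Object { $_ -notin $online }
if ($offline) { Write-Warning "Offline, skipped: $($offline -join ', ')" }
```

Anything with Success = False is the machine you would go and investigate, same as a red row in the GPMC results dialog.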
I think this feature could be pretty useful if you could be assured the update would run silently on the endpoints. Of course, in most situations you can likely just wait for the refresh interval, but sometimes you may want an update to run before you can progress your work. What do you think? If you agree, please upvote this feature request on UserVoice here: User Voice for Group Policy Update Feature in Server 2016.