Remote Group Policy update in Windows Server 2012
Yep, you read it right. With Windows Server 2012 you can trigger a Group Policy update on many remote computers at once, so you no longer have to sit out the background refresh interval (by default 90 minutes plus a random offset of up to 30 minutes). This can be done from the Group Policy Management Console or from PowerShell. The console has some limitations: the update is scheduled to run within a random delay of up to 10 minutes, and you can only target a whole OU, not a specific computer. With PowerShell you can target individual computers and trigger the update immediately. The target computers must be running Windows Vista / Windows Server 2008 or later, so if you still have Windows XP or Windows Server 2003 you either upgrade or use third-party tools.
Remember, this feature targets computer objects: you pick an OU that contains computers, not users. The refresh that runs on each computer does apply both computer settings and the user settings of anyone currently logged on to it.
Let’s say, for the sake of this example that you have a policy named Disable Firewall, that you want to apply to all the computers in a specific OU, but don’t want to wait between 90 and 120 min for the policy to apply. In my AD infrastructure I created a separate OU where I put two of my Windows 7 clients, and linked the Disable Firewall policy to the Windows7 OU.
To force the policy to apply, open the Group Policy Management Console, right-click the OU where the policy is linked and choose Group Policy Update. Click Yes in the message box.
At the end you get a result per computer showing whether the update was scheduled successfully or not (a failure here usually means the computer was unreachable, not that the policy itself failed). If you want, you can save these results as a .csv file by clicking the Save button.
If you open the Task Scheduler on one of those clients and browse to Microsoft > Windows > GroupPolicy, you can see a task created and waiting to be executed. This task was created remotely by the Group Policy Update wizard and all it does is run the good old gpupdate.exe /force command.
What if you don't want to force the update on all the computers in that OU, only on a few of them? There is a PowerShell cmdlet for that. With its default parameters it still schedules the update with a random delay of up to 10 minutes:
Invoke-GpUpdate -Computer Client1
For an instant policy update set the -RandomDelayInMinutes parameter to 0 (its default is 10). The following example causes all Group Policy settings to be updated immediately on my client computer:
Invoke-GPUpdate -Computer client1 -RandomDelayInMinutes 0 -Force
Of course, you can extend this functionality with PowerShell and filter computer objects, or force all computers in the organization to update their GPOs. The following command gets all the computers in the Windows7 OU and schedules GPUpdate.exe to run within 10 minutes on each of them:
Get-ADComputer -Filter * -SearchBase "OU=Windows7,OU=Workstations,DC=vkernel,DC=local" | foreach {Invoke-GPUpdate -Computer $_.name}
The following command schedules Gpupdate.exe to run immediately on every computer in the domain whose operatingSystem attribute contains the string "Windows 7" (note the space: the attribute holds values such as "Windows 7 Professional", so "*Windows7*" would match nothing):
Get-ADComputer -Filter 'OperatingSystem -like "*Windows 7*"' | foreach {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0}
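The one-liners above give you no per-computer feedback, while the console does. As an added example that is not code from the original post, here is the OU-wide PowerShell version with the same kind of result list, written for the GroupPolicy and ActiveDirectory modules shipped with Windows Server 2012 / RSAT. It reuses the post's OU distinguished name as a placeholder you must adjust, assumes the account running it is a local administrator on the targets (the cmdlet creates a scheduled task on each of them), and the output file path is an arbitrary choice.

```powershell
# Added example (not from the original post): force an immediate Group Policy
# refresh on every enabled computer in one OU and report per-computer results.
# Assumptions: GroupPolicy + ActiveDirectory modules available, run as an account
# that is a local administrator on the targets, OU path adjusted to your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$searchBase = "OU=Windows7,OU=Workstations,DC=vkernel,DC=local"   # placeholder from the post; adjust

# Skip disabled computer objects: they are usually stale and would only produce failures.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    Select-Object -ExpandProperty Name

$results = foreach ($computer in $targets) {
    try {
        # -RandomDelayInMinutes 0 schedules the task to run now instead of within 10 minutes;
        # -Force reapplies all settings even if the GPO versions have not changed.
        # -ErrorAction Stop turns a scheduling failure into an exception we can catch.
        Invoke-GPUpdate -Computer $computer -RandomDelayInMinutes 0 -Force -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer; Status = 'Scheduled'; Error = '' }
    } catch {
        # Typical causes: host offline, or the inbound firewall rules for remote
        # scheduled-task management / WMI not enabled on the target.
        [pscustomobject]@{ Computer = $computer; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Same kind of record the console's Save button gives you (path is an arbitrary choice).
$results | Export-Csv -Path "$env:TEMP\gpupdate-results.csv" -NoTypeInformation
```

"Scheduled" only means the task was created on the remote computer; as with the console, whether gpupdate.exe then applied the policy is something you verify on the client itself (gpresult, or the Group Policy operational event log).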
Remote Group Policy update relies on remote management: under the hood it creates a scheduled task on each target over RPC/WMI, so the account you use must be an administrator on those computers and the targets must accept that inbound traffic. Remote management is enabled by default on Windows Server 2012 in a domain environment, so it works out of the box on domain-joined computers running Windows Server 2012, but on older operating systems the required inbound firewall rules (Remote Scheduled Tasks Management (RPC), Remote Scheduled Tasks Management (RPC-EPMAP) and Windows Management Instrumentation (WMI-In)) are typically not enabled, and the update fails until you open them. Fortunately, there is a new starter Group Policy object (GPO) for remote Group Policy updates that makes enabling the required firewall rules easy. If you open the Group Policy Management Console and click the Starter GPOs node you can see a GPO named Group Policy Remote Update Firewall Ports. All you have to do here is right-click it, choose New GPO from Starter GPO, and link the new GPO to an OU. Keep in mind that these rules expose RPC and WMI on every computer in that OU, so it is worth scoping them to the hosts you actually administer from.
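For a target that cannot receive the starter GPO yet (it has to be reachable for the remote update, but the firewall rules themselves also arrive via Group Policy, so chicken and egg), or when you want the rules restricted to one management host, the same rule groups can be enabled locally. This is an added example, not from the original post: the group and rule names are the built-in Windows Firewall ones, the netsh syntax works on Windows 7 / Server 2008 R2 and later, and the management-host address 192.0.2.10 is a placeholder you must replace.

```powershell
# Added example (not part of the original post). Run elevated on a target computer.
# Enables the two inbound rule groups the "Group Policy Remote Update Firewall Ports"
# starter GPO enables, but limits them to one management host so the RPC/WMI
# surface is not open to the whole network.
$mgmtHost = "192.0.2.10"   # assumption: replace with the host you run GPMC / Invoke-GPUpdate from

netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes remoteip=$mgmtHost
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes remoteip=$mgmtHost

# Check: show the state of the three rules the remote update actually needs.
$needed = @(
    "Remote Scheduled Tasks Management (RPC)",
    "Remote Scheduled Tasks Management (RPC-EPMAP)",
    "Windows Management Instrumentation (WMI-In)"
)
foreach ($rule in $needed) {
    netsh advfirewall firewall show rule name="$rule"
}
```

The remoteip restriction is the part the starter GPO does not do for you; if you deploy the rules through the GPO instead, set the same remote address scope on the rules in that GPO.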