Active Directory – Remote GPO Refresh

Remote GPO RefreshRemote GPO Refresh is a new feature introduced with Windows 2012, in the post how to take advantage of remote GPO refresh will be explained together with hints for a quick and painless configuration of necessary prerequisites.

Remote GPO Refresh – Prerequisites

Computer GPO settings are, by default, automatically refreshed in the background every 90 minutes with a random offset of 0 to 30 minutes but there are situations where forcing an immediate refresh is necessary.

To use remote GPO refresh there are some prerequisites that need to be satisfied, the process is supported on all clients running Windows Vista or later operating system, to schedule or run a remote GPO refresh from Group Policy Management Console you either need a Windows 2012 Domain Controller or a workstation running Windows 8/8.1 running RSAT tools.

In addition to OS requirements to successfully run a remote GPO refresh you need to configure Windows firewall with the necessary ports, Windows automatically creates a starter GPO which can be used for the purpose but I personally find it faster to use PowerShell, the following command will create a GPO from the starter GPO named Group Policy Remote Update Firewall Ports and will link it to the an OU named Test

New-GPO –Name "Remote GPO Refresh" –StarterGpoName "Group Policy Remote Update Firewall Ports" | New-GPLink –target "ou=Test,dc=helocheck,dc=com" –LinkEnabled yes

 Remote GPO Refresh – The PowerShell way

As I previously mentioned I prefer to use PowerShell whenever possible and remote GPO refresh is no exception to this especially when it is faster/easier than performing the same via GPMC, the cmdlet you’re after is called

Invoke-GPUpdate

If it is launched without any parameter it will refresh GPO on the computer where it is being ran, not much of a use, if you want to run it on a remote computer named HeloCheck01 you would use the following:

Invoke-GPUpdate -Computer HeloCheck01

The above command will work well for a single computer, if you need to run a remote GPO refresh on all computers under the Test OU you would use the following command:

#Import ActiveDirectory Module if not already loaded
Import-Module ActiveDirectory

Get-ADComputer –filter * -Searchbase "ou=Test, dc=HeloCheck,dc=com" | foreach {Invoke-GPUpdate –computer $_.name -force}

What we are doing in the above example is getting all computers in the Test OU in the HeloCheck.com domain and then piping the result to a foreach loop which will run the Invoke-GPUpdate on each single computer with the -force switch to force the application of the settings.

If you want to perform a remote GPO refresh on all computers in the domain with name starting with WKS you would run the following command:

Get-ADComputer –filter wks* -Searchbase "ou=Test, dc=HeloCheck,dc=com" | foreach {Invoke-GPUpdate –computer $_.name -force}

I hope you found the article useful and will take a few seconds to leave a comment and don’t forget to subscribe to RSS or connect with me via Social Networks so to be notified of each update!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s