The Group Policy Update Conundrum

When testing new Group Policy Objects (GPOs) to see if they are being applied correctly, I would always run the same command without really knowing what exactly the command is doing.

I first started learning about Active Directory and Group Policy many years ago. I am sad to say it, and even a little embarrassed, but until roughly a year before writing this post I had always used the following command.

GPUpdate /Force

Is this a bad command to run?
No, not necessarily. Let's say you have a newly deployed server that has yet to receive its Organizational Unit's policies. Running the above command on that one machine would be more than acceptable.

Is it OK to run the above command against a group of systems simultaneously?

Running GPUpdate /force on a large number of systems will cause every one of them to query a domain controller and re-evaluate every GPO that applies to it, all at the same time, placing a large load on your domain controller(s).

Let's take a step back and look at the GPUpdate command.

GPUpdate: By itself, applies only the policies that are new or have been modified since the last refresh.

99% of the time you should only run GPUpdate. If you simply created or modified a GPO and need to verify the results immediately, running GPUpdate will do the trick.

GPUpdate /force: Re-applies every policy, new and old, whether or not it has changed.

So, can you now imagine how detrimental running GPUpdate /force could be to your network and domain controllers if it were run from a script targeted at multiple systems?

What else can the GPUpdate command do? 

/LogOff: Some GPOs, such as Folder Redirection, cannot be applied in the background and need a fresh logon. If a logoff is required to apply the policy, this switch will initiate it.

/Boot: If a policy, such as software installation, can only be applied at startup, this switch will reboot the machine.

/Sync: Forces the next foreground (startup/logon) policy processing to run synchronously, so the policy finishes applying before the desktop or logon completes.

Remote GPUpdate

You may have noticed an unfortunate lack of remote support with the GPUpdate command. To address this, Microsoft introduced the Invoke-GPUpdate cmdlet. Here is an example:

Invoke-GPUpdate -Computer COMPUTERNAME -Force

or

$Computers = Get-ADComputer -SearchBase "OU=Brunswick,DC=Test,DC=local" -Filter *

# Use $Computer (the current item), not $Computers (the whole collection), inside the loop.
Foreach ($Computer in $Computers) { Invoke-GPUpdate -Computer $Computer.Name }
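The loop above fires a refresh at every computer in the OU at the same instant, which is the same load problem the post warns about. The following is an added example (not code from the original post) that refreshes a whole OU while staggering the work with Invoke-GPUpdate's -RandomDelayInMinutes parameter and only adds -Force when explicitly asked for. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the targets allow the remote scheduled-task traffic Invoke-GPUpdate relies on, and the OU path is a placeholder.

```powershell
# Added example: staggered, non-forced Group Policy refresh across an OU.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and that the targets
# accept the remote scheduled-task (RPC/WMI) traffic Invoke-GPUpdate uses.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Invoke-ThrottledGPUpdate {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # placeholder OU DN, e.g. "OU=Servers,DC=example,DC=local"
        [int]    $RandomDelayInMinutes = 30,          # spread each machine's refresh over this window
        [switch] $Force                               # re-apply unchanged GPOs only when explicitly requested
    )

    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * |
        Where-Object { $_.Enabled }

    foreach ($computer in $computers) {
        $name = $computer.DNSHostName
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            Write-Warning "$name is unreachable, skipping"
            continue
        }

        # Build the argument set once; -Force is included only when the caller asked for it,
        # so the default behaviour is the cheap "new or modified policies only" refresh.
        $params = @{
            Computer             = $name
            RandomDelayInMinutes = $RandomDelayInMinutes
            ErrorAction          = 'Stop'
        }
        if ($Force) { $params['Force'] = $true }

        try {
            Invoke-GPUpdate @params
            Write-Verbose "Scheduled refresh on $name (random delay up to $RandomDelayInMinutes min)"
        } catch {
            Write-Warning "Failed to schedule refresh on $name : $($_.Exception.Message)"
        }
    }
}

# Plain refresh (new or changed GPOs only), staggered over half an hour:
Invoke-ThrottledGPUpdate -SearchBase "OU=Brunswick,DC=Test,DC=local" -Verbose
```

Each target runs its refresh at a random point within the delay window instead of all at once, so the domain controllers see a trickle of queries rather than a spike.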


Conclusion

GPUpdate is a very powerful tool and can be customized to fit your situation and environment. The next time you see an administrator run an unwarranted GPUpdate /Force, explain the differences and let your domain controllers relax. 

Remember, knowing is half the battle.
