{"id":4687,"date":"2012-11-12T00:01:00","date_gmt":"2012-11-12T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2012\/11\/12\/force-a-domain-wide-update-of-group-policy-with-powershell\/"},"modified":"2012-11-12T00:01:00","modified_gmt":"2012-11-12T00:01:00","slug":"force-a-domain-wide-update-of-group-policy-with-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/force-a-domain-wide-update-of-group-policy-with-powershell\/","title":{"rendered":"Force a Domain-Wide Update of Group Policy with PowerShell"},"content":{"rendered":"

Summary:<\/strong> Microsoft Scripting Guy, Ed Wilson, shows how to force a domain-wide update of Group Policy by using Windows PowerShell.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Well, tomorrow, the Scripting Wife and I leave for a three-week European Windows PowerShell tour. We will be doing five Windows PowerShell user groups and meeting with over a dozen Windows PowerShell MVPs, and other people from the Windows PowerShell community. I will be making extra blog postings about the trip, so stay tuned for details. If you are anywhere near where we will be, I encourage you to catch up with us. The Scripting Guys community page<\/a> has all the details. We will also be making postings on Facebook<\/a> and Twitter<\/a>.<\/p>\n

Updating Group Policy—domain-wide<\/h2>\n

Occasionally, I make a change to Group Policy on the network, and I want to force the policy to update on all the computers. Occasionally, they make changes at work, and I need to update my local Group Policy settings.<\/p>\n

To update Group Policy settings, I use the GPUpdate <\/em>utility. The GPUpdate utility has a number of switches. By default, GPUpdate updates both computer and user portions of Group Policy. But, I can control that by using the \/target<\/strong> parameter. For example, if I only want to update the computer portion of the policy, I use the \/target:computer. To update the user portion, it is \/target:user. The following command shows this technique.<\/p>\n

PS C:\\> gpupdate \/target:computer<\/p>\n

Updating policy…<\/p>\n

Computer Policy update has completed successfully.<\/p>\n

By default, GPUpdate will update only modified Group Policy settings. If I want to update all settings, use the \/force<\/strong> parameter. The command shown here updates all settings (regardless if they are modified) for both the computer and the user portions of Group Policy.<\/p>\n

PS C:\\> gpupdate \/force<\/p>\n

Updating policy…<\/p>\n

Computer Policy update has completed successfully.<\/p>\n

User Policy update has completed successfully.<\/p>\n

First, collect the computers in the domain<\/h2>\n

The first thing I need to do is to obtain a collection of all the computers on the domain. To do this, I use the Get-ADComputer<\/strong> cmdlet from the Active Directory module.<\/p>\n

Note<\/strong>   The Active Directory module is available from the RSAT tools.<\/p>\n

I store the returned computer objects in a variable named $cn. This is shown here.<\/p>\n

$cn = Get-ADComputer -filt *<\/p>\n

Second, create remote sessions<\/h2>\n

The second thing I need to do is to create a remote session with all the remote computers. To do this, I need to supply credentials to use for the remote session as well as use the New-PSSession<\/strong> cmdlet to create the connection. The first part is easy, I use the Get-Credential<\/strong> cmdlet and store the returned credential object. This is shown here.<\/p>\n

$cred = Get-Credential iammred\\administrator<\/p>\n

Now, I use the New-PSSession<\/strong> cmdlet. I provide the names of the computers and the credentials. This is shown here.<\/p>\n

$session = New-PSSession -cn $cn.name -cred $cred<\/p>\n

One thing to keep in mind is that at any given time in my domain, there are computers that are offline. These return as errors. Windows PowerShell keeps on creating new sessions in spite of the errors appearing in the console. The command and associated errors are shown in the image that follows.<\/p>\n

\"Image<\/a><\/p>\n

The presence of lots of errors may be disturbing. Because the returned session objects reside in the $session<\/strong> variable, I can easily check to ensure the sessions are open. This is shown here.<\/p>\n

\"Image<\/a><\/p>\n

Now, run the command on all the remote machines<\/h2>\n

To run the GPUpdate command on all my remote machines, I use the Invoke-Command<\/strong> cmdlet. The cool thing is that it uses the session objects stored in the $session<\/strong> variable. ICM<\/strong> is an alias for the Invoke-Command<\/strong> cmdlet. The command is shown here.<\/p>\n

icm -Session $session -ScriptBlock {gpupdate \/force}<\/p>\n

When I run the command, the results are shown in the Windows PowerShell console.<\/p>\n

\"Image<\/a><\/p>\n

Check to see if the update worked properly<\/h2>\n

When Group Policy settings successfully apply to a workstation, an event 1502 is displayed in the System event log on the computer. I can easily use Invoke-Command<\/strong> to retrieve this information. The command is shown here.<\/p>\n

icm -Session $session -ScriptBlock {Get-EventLog -LogName system -InstanceId1502 -Newest 1}<\/p>\n

The command and associated output are shown in the following image.<\/p>\n

\"Image<\/a><\/p>\n

A final fun Group Policy thing …<\/h2>\n

At times, I have to call the Help desk at work, and the answer is to refresh Group Policy on my local computer. This is not a problem because I can run GPUpdate from within Windows PowerShell. The thing is that they often want me to update Group Policy five times, and then wait five minutes between refreshes. No problem—I can do that in a single Windows PowerShell command line. This is shown here.<\/p>\n

1..5 | % {“refreshing GP $(Get-Date)”; gpupdate \/force ; sleep 300}<\/p>\n

The output and command are shown here.<\/p>\n

\"Image<\/a><\/p>\n

Join me tomorrow when I will talk about more cool Windows PowerShell stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to force a domain-wide update of Group Policy by using Windows PowerShell. Microsoft Scripting Guy, Ed Wilson, is here. Well, tomorrow, the Scripting Wife and I leave for a three-week European Windows PowerShell tour. We will be doing five Windows PowerShell user groups and meeting with over […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,305,152,3,20,45],"class_list":["post-4687","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-computers","tag-group-policy","tag-scripting-guy","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, shows how to force a domain-wide update of Group Policy by using Windows PowerShell. Microsoft Scripting Guy, Ed Wilson, is here. Well, tomorrow, the Scripting Wife and I leave for a three-week European Windows PowerShell tour. We will be doing five Windows PowerShell user groups and meeting with over […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4687"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4687\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}