When I first started learning about Active Directory, Group Policy always seemed very fickle. Sometimes I could run GPUpdate, other times I had to run /force.
As it turned out, Group Policy was always working – I just didn’t understand it. So what’s the difference between GPUpdate and GPUpdate /force? Well –
GPUpdate: Applies any policies that are new or modified.
GPUpdate /force: Reapplies every policy, new and old.
So which one should I use? 99% of the time, you should only run gpupdate. If you just edited a GPO and want to see results immediately, running gpupdate will do the trick. In fact, running GPUpdate /force on a large number of computers can be damaging to your career. This is because these machines will hit a domain controller and reevaluate every GPO applicable to them.
Note: If you are looking for the remote version of GPUpdate in Active Directory Users and Computers, see this guide.
Anything else?
Since you asked, why yes there is! GPUpdate has a few other options for you to use.
/LogOff: Certain GPOs, such as Folder Redirection, can’t apply in the background. If a logoff is required, this switch will initiate it.
/Boot: If a policy, such as software installation, needs to be applied – the boot command will reboot the machine.
/Sync: Useful for changing the foreground (startup/logon) processing to synchronous.
…Enlightening…
Sarcasm aside, yes it is! You probably noticed a lack of remote support with GPUpdate. To address this, Microsoft introduced the Invoke-GPUpdate cmdlet. Here is an example:
Invoke-GPUpdate -Computer COMPUTERNAME -Force
or
# Refresh each computer in the OU, one at a time
$Computers = Get-ADComputer -SearchBase "OU=Brunswick,DC=Test,DC=local" -Filter *
Foreach ($Computer in $Computers) {Invoke-GPUpdate -Computer $Computer.Name}
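An added example, not from the original article, that extends the loop above: it spreads the refresh over a random delay so the machines in the OU do not all hit a domain controller at once, leaves -Force off unless asked for, and reports machines that could not be scheduled. The function name Invoke-OuGPUpdate and its parameters are hypothetical; the OU is the one used above.

```powershell
# Added example; Invoke-OuGPUpdate is a hypothetical helper, not a built-in cmdlet.
Import-Module ActiveDirectory   # provides Get-ADComputer
Import-Module GroupPolicy       # provides Invoke-GPUpdate

function Invoke-OuGPUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # Upper bound, in minutes, for the random delay on each machine
        [ValidateRange(0, 44640)] [int] $MaxDelayMinutes = 10,
        # Reapply every setting, changed or not; leave off unless it is needed
        [switch] $Force
    )

    # Skip disabled computer accounts; they will not answer anyway
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true'
    foreach ($computer in $computers) {
        $params = @{
            Computer             = $computer.Name
            RandomDelayInMinutes = $MaxDelayMinutes
            ErrorAction          = 'Stop'
        }
        if ($Force) { $params.Force = $true }

        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($computer.Name, 'Schedule gpupdate')) {
            try {
                Invoke-GPUpdate @params
                $status = 'Scheduled'
            } catch {
                # Offline or firewalled machines end up here instead of stopping the run
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Computer = $computer.Name; Status = $status }
    }
}

# Preview the targets first, then run and list only the machines that failed.
Invoke-OuGPUpdate -SearchBase 'OU=Brunswick,DC=Test,DC=local' -WhatIf
Invoke-OuGPUpdate -SearchBase 'OU=Brunswick,DC=Test,DC=local' |
    Where-Object Status -ne 'Scheduled'
```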
Got an easier way to GPUpdate?
The example above might not be the most practical way of initiating a GPUpdate. Knowing this, Microsoft included the ability to start a GPUpdate remotely in the Server 2012/Windows 8 version of Group Policy Management Console.
As you can see in the picture above, right-clicking on any OU will allow you to trigger a remote GPUpdate. Microsoft provided a little security with this tool by not allowing a GPUpdate at the domain level. However, this only works within Group Policy Management. Because a good bit of my work is done within Active Directory Users and Computers, I prefer this method of running a remote GPUpdate.
GPUpdate seemed like such a simple tool. As you now know, it is very powerful and completely customizable to your situation and environment. So the next time you see an administrator running an unwarranted gpupdate /force, explain the differences and let your domain controllers take a breather! And now that GPUpdate has been straightened out, have you been running GPResult remotely?
Awesome!
Hello, I study Windows Server 2008 R2.
How do I do a remote gpupdate for a machine OU?
For example, there are 100 PCs in the sales department. Do I need to open all the PCs and CMD and type /gpupdate /force on each PC? Is there any way to make it easier, or do I really need to do it manually?
See this link: https://deployhappiness.com/remote-gpupdate-how-and-when-to-use-it/
If, instead of modifying a GPO, I add a user to the group the GPO is filtered to, will a simple gpupdate suffice, or is that a candidate for /force?
You will need to log off and log back on. The user will not see it is a member of the group until this is done.
If, instead of modifying a GPO, I link a new GPO to the OU where a computer is in, will a simple gpupdate suffice, or is that a candidate for /force?
A simple gpupdate would work.
“gpupdate” checks whether the versions of the GPOs in the cache are the same as the versions of the physical GPOs and then updates them if they are different.
gpupdate /force will update even if the versions are the same.
Basically, anytime a GPO is changed in the usual way, the version is changed automatically as well.
However, if you go to \\YourDomain\SYSVOL\YourDomain\Policies\ and change a GPO manually, the version of the GPO will remain the same. If you run gpupdate, it won’t update the GPO on the client. However, if you run gpupdate /force – then it will. That is the only example I can think of where the “/force” key is useful…
That is a good use for the /force parameter.
The other common use that I’ve seen is when someone edits the policy settings in the registry on the local machine. The /force will reset the settings to the correct domain values.
Hi,
Thanks for writing about this.
I’m about to move a file share this weekend and need the drive mapping applied by Group Policy to be changed on all computers at startup Monday morning. Do you have any suggestions or experience with that?
Will the mapping be updated on startup, as the computers have been turned off for more than 90 mins? (Turned off the entire weekend.)
Best,
Jon
No problem Jon.
Drive mappings are always processed on logon. I would recommend changing the existing preferences to a delete action (with apply once and do not reapply checked). Then create a new GPP drive mapping preference pointing to the new share.
In the future, use DFS namespaces for the drive mapping share.
But what happens with the policies when removing the network cable from a PC, or even when removing it from the domain? I guess the first option will not remove the applied policies but the 2nd one removes them?
If the computer is offline (but still on the domain), the policy will still apply. If the machine is removed from the domain, policies won’t apply but preferences might still apply. Here is a link explaining that:
https://deployhappiness.com/policy-or-preference/
My problem with gpupdate (with or without the /force) is that it always takes multiple reboots to kick in. I’m talking about software installation GPOs mostly. I do it once, reboot, no change, do it again (which is when I know it has worked b/c now it prompts to reboot), and then it works.
It sounds like you need to enable “Always Wait on the Network for Startup and Logon”. This will allow you to reboot just once for software installation.
Wow, fast response
I just read about that with this caveat:
“This way, Group Policy will be processed synchronously. Note that this will increase the time needed to boot-up and logon.”
I’m removing an old version of Office from all my user machines in order to go to Office 365 Pro Plus (which is a major pain cuz you can’t GPO new office).
Not sure if I want to universally increase boot up and logon times plus what happens when a laptop leaves the building, does it wait for the network? (which will never appear until they VPN)
On my lunch break. 🙂
It won’t add much time to your logons/startup. At the most, 30 seconds or so. Less if your network is fast.
If a domain controller is not available (such as for an off-line machine), the Group Policy service will immediately stop processing. This means no delay for off-line/off-site clients.
I like your first image. gpupdate /pleasework.
lol, missed it 🙂
I have to put a little humor into this site! Tech stuff can be so boring sometimes…