This post is brought to you by Specops Software. What’s this? To enter the GPUpdate Pro Giveaway, continue reading.
You have your new GPO perfectly configured and you’ve linked it to your OUs. Heck, you’ve even made sure that your GPO didn’t have any common configuration issues! But now, you have to wait… 90 minutes… plus up to 30 extra minutes (due to the GPUpdate random interval). While you could run around and manually start the Group Policy refresh, let’s be lazy today and start a remote GPUpdate instead!
Note: Technically, the lazy option is to just wait. The lazy but intelligent option is to do it remotely. So, be smart about being lazy and use these three methods.
There are three main ways to perform a GPUpdate: the PowerShell way, the Active Directory way, and the Group Policy way. In an earlier post, we took a quick look at the first two methods. If you haven’t read it (or need a refresher on the difference between GPUpdate and GPUpdate /force), take a few minutes and read it now.
Today, we are going to detail the advantages of each method and when to use it. Believe me, using the wrong method at the wrong time can completely wreck your network!
Method 1: The PowerShell Way
When to Use it:
- In your tricked out custom Active Directory MMC
- In scripts or scheduled tasks
- When impressing the ladies with your mad coding skills.
How to Use it:
In PowerShell, simply run the command Invoke-GPUpdate RemoteComputerName. To run a remote GPUpdate against a computer named “HAL9000”, I would run Invoke-GPUpdate HAL9000 .
When attempting to GPUpdate HAL9000, I did get a very odd error message!
Pros and Cons:
On the positive side, PowerShell is a very efficient way of running a remote GPUpdate. When you combine it with a GPResults script, you can accomplish two related actions with one single button.
Invoke-GPUpdate also has an automatic delay built in that offsets the GPUpdate by up to 10 minutes. You can change this random delay if desired. This will help keep stress off of your domain controllers. On the negative side, it is visible when being ran and is not immediate. This brings us to our second way.
Method 2: The Group Policy Way
When to Use it:
- When you are already in the GPMC (and running the latest version)
- When you want to update an OU and don’t mind waiting 10 minutes but can’t stand waiting for 90 minutes
How to Use it:
In the GPMC, you can right click on any OU and select Group Policy Update. In the picture below, I right clicked on my Domain Computers OU to access this command. You will need to be running the latest version of the GPMC to see this command.
Pros and Cons
Normally, you will have the GPMC opened when want to run a remote GPUpdate. This is a big positive! On the downside, this feature is only available if your GPMC is the Windows 8 version or above.
Another potential downside: this method is the GUI version of the Invoke-GPUpdate command. Unlike the PowerShell method, you can’t change the 10 minute random delay.
Method 3: The Active Directory Method
This final method is the one I use 95% of the time. Because of this, we are going to cover it a little more extensively.
When to Use It:
- When you want an immediate GPUpdate or GPUpdate /force
- When you want to combine it with another command, such as a Windows Update or a restart
How to Use it:
To use this method, you will first need to download the free GPUpdate add-on from Specops Software. After installing, you can now right click on any OU within Active Directory Users and Computers for the GPUpdate options. Along with the Group Policy update command, the GPUpdate add-on will also give you a few more right-click commands that I have found to be very useful. These include:
- Wake On LAN: You will need to enable this setting in the BIOS first. This guide shows you how to deploy that setting.
- Remote Restart/Shutdown
- Windows Update trigger
As a cool mix between the command line and GUI worlds, you can also select the Specops GPUpdate button (in the right click menu) and customize the built in commands. For example, you can make the GPUpdate button always use a /Force switch or make the Wake On LAN command ping a machine before attempting to start it.
Pros and Cons
The biggest benefit is probably the immediate GPUpdate button with a graphical view. When you issue a command, you’ll immediately see the results as either a success or a failure.
As you can see in the picture below, I have just started a remote GPUpdate on 7,200 computers. As the command runs, the Succeeded and Failed bars will tally up as the Remaining bar falls. This makes it very easy to spot a problem or any offline machines.
There is one drawback to this method. You have to be a domain admin to install it the very first time. It requires some ADUC extensions. Though completely safe, I’ve seen some IT shops baulk at the idea of it. Oddly enough, these same shops normally make all of their users administrators…
Do you want to learn more about Group Policy and how it will make your life easier? then subscribe to DeployHappiness and get great weekly tips (plus your free guide to the Windows 8 Administrative Start Menu)!
Specops GPUpdate Pro Giveaway: Read on to Find Out How to Win!
The Prize: Specops GPUpdate Pro, Single License ($99 value)
Why Should I Care: With Specops GPUpdate Pro, you get 10 more right click commands such as RDP, Event Viewer, and Remote Execute This is on top of the commands mentioned above! Here is the full list of commands.
How to Enter: You have two ways. Either subscribe to DeployHappiness by email or leave a (constructive) comment on any post on DeployHappiness. The contest will run through Sunday, July 7th 2013. Your email address can be entered twice. So if you want to subscribe and leave a comment, you’ll be entered twice. If you leave two comments, you’ll be entered twice. On July 8th, an email address will be randomly selected and the winner will be notified by email.
Who Won: “>Congratulations to Ken Hyndman for winning the Specops GPUpdate Pro contest. But you can win future prizes (plus learn a ton of cool tricks)! Simply subscribe by email to get weekly tips (plus your free guide to the Windows 8 Administrative Start Menu)! You will also receive an email for future contests.
Great arcitcle many thanks.
Anyone using zScaler PA(like a VPN), but not always-on as there is a 40 sec delay at user logon before it’s enabled ( it’s not Machine certificate based).
We are WiFi only and Windows 10 Laptops are using cached user mode only. (Just a Guest WiFi – no Corp LAN)
The Laptops cannot register their IP address via DNS, as DNS is managed by zScaler.
So why does a local GPUpdate / force work?
Testing your Push options mentioned above tomorrow. Gut feel is they will not work.
I don’t think it would work either. Have you looked into enabling the Always Wait for Network at Startup and Logon setting? See slide 25: https://deployhappiness.com/wp-content/uploads/2013/03/Group-Policy1.pptx
Another tool for doing bulk update without changing the ADUC extensions is SCCM client action tools (https://sccmcat.codeplex.com/). This has worked very nicely for me doing gpupdates (under the other tab) on smaller batches of computers (20 – 50) when building machines for 1,200 machine refresh project.
I’ve been using Specops Gpupdate (free) for a few months and love it.
Without it and Concurrent RDP, work wouldn’t nearly be as fun! It is so easy to remotely turn on a machine and remote in without worrying about a teacher logging me off.
I love the gpupdate tool. Here is just one tip if you go in and add a command for gpudate /force make sure you don’t accidently click that for an OU that has 3000 computers in the middle of the day.
You are absolutely right! That is an easy way to max out your domain controllers and slow down logons!