Using GPUpdate to Update Group Policy Settings

After changing any Group Policy setting using the local GPO editor (gpedit.msc) or domain policy editor (gpmc.msc), the new policy setting is not immediately applied to the user/computer. You can wait for automatic updating of GPO (up to 90 minutes), or you can update and apply policies manually using the GPUpdate command. The GPUpdate command is used to force the update of the computer and/or user group policy settings.

Note. The secedit/refreshpolicy command was used in Windows 2000 to manually refresh group policies. In the following versions of Windows, it was replaced by the GPUpdate utility.

The full syntax of the gpupdate tools looks like this:

Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]



When you run the gpupdate command without parameters, only new and changed user and computer policy settings are applied.

gpupdate command

Updating policy…

Computer Policy update has completed successfully.

User Policy update has completed successfully.

You can only update user or computer policies using the /target option. For example,

  • gpudate /target:user
  • gpupdate /target:computer

To enforce the update of group policy settings you can use the GPUpdate /force command.

What is the Difference Between GPUpdate and GPUpdate /force?

The gpupdate command applies only changed policies, and the GPUpdate /force command reapplies all client policies—both new and old (regardless of whether they have been changed).

In most cases, you need to use gpupdate to update the policies on the computer. In large Active Directory domains, frequent use of the /force switch when updating GPOs places a heavy load on domain controllers (because computers re-request all policies targeted at them or users).

As we said earlier, group policies are updated automatically every 90 minutes or during computer startup. Therefore, in most cases you shouldn‘t use the gpupdate /force command (especially in various scenarios) due to the high load on client computers and domain controllers.

You can add a delay (up to 600 seconds) before updating policies using the /wait parameter:

Gpupdate /wait:30

Because some user policies cannot be updated in the background, but only at a user logon (installation of programs, folder redirection, etc.), you can log off for the current user with the command:

gpupdate /logoff

Some computer policy settings can only be applied at startup, so you can initiate a computer reboot using the /Boot parameter:

gpupdate /Boot

The /Sync parameter specifies that the next policy application should be performed synchronously. Active policy enforcement occurs when a computer is restarted or when a user logs on.

Invoke-GPUpdate cmdlet has been added to PowerShell 3.0, which can be used to update policies on remote computers. For example, the following command will launch a remote group policy update of on the computer PC1:

Invoke-GPUpdate -Computer PC1 -Force

You can force policy updates on all computers in the specified Active Directory OU using the commands:

$Comps = Get-AdComputer -SearchBase "OU=Computers,OU=Mun,OU=DE,DC=theitbros,DC=com" -Filter *

Foreach ($Comp in $Comps) {invoke-gpupdate -Computer $Comp.Name}
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

One comment

  1. Hi Cyril:

    On a domain Windows 10 computer operating outside the office network, and thus unable to access the domain, GPUpdate will not work, presenting the error message:

    “Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.”

    Is there a workaround for this?

    I was trying to have the computer show all local accounts on the logon screen. Perhaps I can get it to do that by trying the same procedure from your post “” from the local Administrator account?

    Thank you,

    — Ron

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.