After changing any Group Policy setting using the local GPO editor (gpedit.msc) or domain policy editor (gpmc.msc), the new policy setting is not immediately applied to the user/computer. You can wait for automatic updating of GPO (up to 90 minutes), or you can update and apply policies manually using the GPUpdate command. The GPUpdate command is used to force the update of the computer and/or user group policy settings.
Note. The secedit/refreshpolicy command was used in Windows 2000 to manually refresh group policies. In the following versions of Windows, it was replaced by the GPUpdate utility.
The full syntax of the gpupdate tools looks like this:
Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]
When you run the gpupdate command without parameters, only new and changed user and computer policy settings are applied.
Updating policy…
Computer Policy update has completed successfully.
User Policy update has completed successfully.
You can only update user or computer policies using the /target option. For example,
- gpudate /target:user
- gpupdate /target:computer
To enforce the update of group policy settings you can use the GPUpdate /force command.
What is the Difference Between GPUpdate and GPUpdate /force?
The gpupdate command applies only changed policies, and the GPUpdate /force command reapplies all client policies—both new and old (regardless of whether they have been changed).
In most cases, you need to use gpupdate to update the policies on the computer. In large Active Directory domains, frequent use of the /force switch when updating GPOs places a heavy load on domain controllers (because computers re-request all policies targeted at them or users).
As we said earlier, group policies are updated automatically every 90 minutes or during computer startup. Therefore, in most cases you shouldn‘t use the gpupdate /force command (especially in various scenarios) due to the high load on client computers and domain controllers.
You can add a delay (up to 600 seconds) before updating policies using the /wait parameter:
Gpupdate /wait:30
Because some user policies cannot be updated in the background, but only at a user logon (installation of programs, folder redirection, etc.), you can log off for the current user with the command:
gpupdate /logoff
Some computer policy settings can only be applied at startup, so you can initiate a computer reboot using the /Boot parameter:
gpupdate /Boot
The /Sync parameter specifies that the next policy application should be performed synchronously. Active policy enforcement occurs when a computer is restarted or when a user logs on.
Invoke-GPUpdate cmdlet has been added to PowerShell 3.0, which can be used to update policies on remote computers. For example, the following command will launch a remote group policy update of on the computer PC1:
Invoke-GPUpdate -Computer PC1 -Force
You can force policy updates on all computers in the specified Active Directory OU using the commands:
$Comps = Get-AdComputer -SearchBase "OU=Computers,OU=Mun,OU=DE,DC=theitbros,DC=com" -Filter *
Foreach ($Comp in $Comps) {invoke-gpupdate -Computer $Comp.Name}