After changing any Group Policy setting using the local GPO editor (gpedit.msc) or domain policy editor (gpmc.msc), the new policy setting is not immediately applied to the user/computer. You can wait for automatic updating of GPO (up to 90 minutes), or you can update and apply policies manually using the GPUpdate command. The GPUpdate command is used to force the update of the computer and/or user group policy settings.
Note. The secedit/refreshpolicy command was used in Windows 2000 to manually refresh group policies. In the following versions of Windows, it was replaced by the GPUpdate utility.
The full syntax of the gpupdate tools looks like this:
Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]
When you run the gpupdate command without parameters, only new and changed user and computer policy settings are applied.
Updating policy…
Computer Policy update has completed successfully.
User Policy update has completed successfully.
You can only update user or computer policies using the /target option. For example,
- gpudate /target:user
- gpupdate /target:computer
To enforce the update of group policy settings you can use the GPUpdate /force command.
What is the Difference Between GPUpdate and GPUpdate /force?
The gpupdate command applies only changed policies, and the GPUpdate /force command reapplies all client policies—both new and old (regardless of whether they have been changed).
In most cases, you need to use gpupdate to update the policies on the computer. In large Active Directory domains, frequent use of the /force switch when updating GPOs places a heavy load on domain controllers (because computers re-request all policies targeted at them or users).
As we said earlier, group policies are updated automatically every 90 minutes or during computer startup. Therefore, in most cases you shouldn‘t use the gpupdate /force command (especially in various scenarios) due to the high load on client computers and domain controllers.
You can add a delay (up to 600 seconds) before updating policies using the /wait parameter:
Gpupdate /wait:30
Because some user policies cannot be updated in the background, but only at a user logon (installation of programs, folder redirection, etc.), you can log off for the current user with the command:
gpupdate /logoff
Some computer policy settings can only be applied at startup, so you can initiate a computer reboot using the /Boot parameter:
gpupdate /Boot
The /Sync parameter specifies that the next policy application should be performed synchronously. Active policy enforcement occurs when a computer is restarted or when a user logs on.
Invoke-GPUpdate cmdlet has been added to PowerShell 3.0, which can be used to update policies on remote computers. For example, the following command will launch a remote group policy update of on the computer PC1:
Invoke-GPUpdate -Computer PC1 -Force
You can force policy updates on all computers in the specified Active Directory OU using the commands:
$Comps = Get-AdComputer -SearchBase "OU=Computers,OU=Mun,OU=DE,DC=theitbros,DC=com" -Filter * Foreach ($Comp in $Comps) {invoke-gpupdate -Computer $Comp.Name}
- How to Search and Delete Malicious Emails in Office 365? - January 29, 2023
- How to Install Google Chrome for Fedora? - January 29, 2023
- Lens Kubernetes IDE — Opensource Lens Desktop - January 27, 2023
Hi Cyril:
On a domain Windows 10 computer operating outside the office network, and thus unable to access the domain, GPUpdate will not work, presenting the error message:
“Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.”
Is there a workaround for this?
I was trying to have the computer show all local accounts on the logon screen. Perhaps I can get it to do that by trying the same procedure from your post “https://theitbros.com/how-to-login-with-a-local-account-instead-of-domain-account/” from the local Administrator account?
Thank you,
— Ron