what changes can a machine make to a force
Originally published February, 2017 and updated May, 2019
Forcing a Group Policy Update
Imagine that you get a phone call from the security specialist who handles your firewalls and proxy servers. He tells you that he has added an additional proxy server for users going to the internet. You add a new GPO that affects all users so they can use the new proxy server via Internet Explorer. Normally, it takes between 90 and 120 minutes for a new GPO to be applied, but you need the new settings to be applied right now, and you cannot tell your users to log off and log back in to apply them. In cases like these, you might want to bypass the normal wait time before background policy processing kicks in. You can do so using the command prompt, the Group Policy Management Console (GPMC) or PowerShell.
Forcing a Group Policy Update using the Command Prompt
Your first option is to run a simple command that tells the client to skip the normal background processing interval and update all new or changed GPOs from the server right now. However, you must physically trot out to each user machine and enter the gpupdate command, thereby refreshing the Group Policy object, along with any other new or changed GPOs, manually.
Note that running the gpupdate command with no parameters will refresh both the User and the Computer halves of the Group Policy objects. To refresh only one half or the other, use this syntax:
gpupdate /Target:Computer
gpupdate /Target:User
Running gpupdate while a user is logged on to a machine immediately gives Windows the new GPO settings (assuming, of course, that the domain controller has the replicated GPO information).
In Windows XP and later, Fast Boot, Software Distribution and Folder Redirection are enabled by default, so settings are processed only at the next logon time. If you use the right switches, gpupdate can figure out if newly changed items require a logoff or reboot to be active:
- Running gpupdate with the /Logoff switch will figure out if a policy change in Active Directory requires the user to log off. If not, the new settings are applied immediately; if so, the user will automatically be logged off and the Group Policy settings will be applied when they log back in.
- Similarly, if Fast Boot is enabled, a restart is required to apply GPOs that have Software Distribution settings. Running gpupdate with the /Boot switch will figure out if a policy has something that requires a reboot and automatically reboot the computer. If the updated GPO does not require a reboot, the GPO settings are applied and the user remains logged on.
Both the /Logoff and /Boot switches are optional.
The discussion so far applies only to new GPOs and changes to existing ones. However, sometimes you might want to apply all GPOs to a computer — not just new or changed GPOs but old ones as well. In that case, you need to use the /force switch with gpupdate, as follows:
gpupdate /force
Other options are available in conjunction with /force, including:
- /Logoff — Log the user off after the Group Policy settings have been updated.
- /Sync — Change the foreground (startup/logon) processing to synchronous.
- /Boot — Restart the machine after the Group Policy settings are applied.
Forcing a Group Policy Update using the Group Policy Management Console
As an alternative to the command-line tools, you can force a Group Policy update using the Group Policy Management Console (GPMC). GPMC is included with every Microsoft Windows Server since Windows Server 2008; you can also get it by installing Remote Server Administration Tools (RSAT).
To force a GPO to be applied, take these simple steps:
- Open
- Link the GPO to an OU.
- Right-click the OU and choose the "Group Policy Update" option.
- Confirm the action in the Force Group Policy Update dialog by clicking "Yes".
Forcing a Group Policy Update using PowerShell
Since Windows Server 2012, you can force a Group Policy refresh using the PowerShell cmdlet Invoke-GPUpdate. This command can be used for Group Policy remote update of Windows client computers. You will need to have both PowerShell and the Group Policy Management Console installed.
Here is an example of using this cmdlet to force an immediate Group Policy update on a particular computer:
Invoke-GPUpdate -Computer WKS0456 -RandomDelayInMinutes 0
The -RandomDelayInMinutes 0 parameter ensures that the policy is updated instantly. The only downside to using this parameter is that the users will get a cmd screen pop-up.
If you want to force an update on all computers, run these commands:
$compgpoupd = Get-ADComputer -Filter *
$compgpoupd | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0 -Force}
This code will get all computers from the domain, put them into a variable and run the commands for each object.
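A more controlled variant of the domain-wide refresh above, as an added example that is not part of the original article: it limits the refresh to enabled computers in one OU, spreads the refresh with a random delay, and returns a per-host result. The function name and the OU distinguished name are assumptions for illustration.

```powershell
# Added example (not from the original article). The OU distinguished name
# in the usage lines at the bottom is a placeholder.
Import-Module ActiveDirectory, GroupPolicy

function Invoke-ScopedGPUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $RandomDelayInMinutes = 10,
        [switch] $Force
    )

    # Enabled computer accounts under one OU only, not the whole domain.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase

    foreach ($computer in $computers) {
        $status = 'Skipped'
        $detail = $null
        if ($PSCmdlet.ShouldProcess($computer.Name, 'Invoke-GPUpdate')) {
            try {
                # A non-zero delay keeps clients from contacting the domain
                # controllers all at the same moment.
                Invoke-GPUpdate -Computer $computer.Name `
                    -RandomDelayInMinutes $RandomDelayInMinutes `
                    -Force:$Force -ErrorAction Stop
                $status = 'Scheduled'
            }
            catch {
                # Common causes: host offline, or inbound remote
                # scheduled-task / WMI firewall rules closed on the client.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{ Computer = $computer.Name; Status = $status; Detail = $detail }
    }
}

# Usage: preview first, then run and keep the failures for follow-up.
# Invoke-ScopedGPUpdate -SearchBase 'OU=Workstations,DC=example,DC=com' -WhatIf
# $results = Invoke-ScopedGPUpdate -SearchBase 'OU=Workstations,DC=example,DC=com' -Force
# $results | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```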
GPO Background Refresh
All Group Policy clients process GPOs when the background refresh interval comes to pass — but they process only those GPOs that are new or have changed since the last time the client requested them.
However, for security settings, the Group Policy engine works differently. It asks for a special background refresh just for security policy settings. This is called the background security refresh and is valid for every version of Windows Server. Every 16 hours, each Group Policy client asks Active Directory about all the GPOs that contain security settings (not just the ones that have changed) and reapplies those security settings. This ensures that if a security setting has changed on the client (behind the Group Policy engine's back), it's automatically reverted to the proper setting within 16 hours.
Background Refresh Process for Local GPOs
If users are local administrators of their Windows machines, they have full control to go around the Group Policy engine processes and can make changes to local policies — changes that could nullify a policy you've set with a GPO, including things on the system that shouldn't be changed. To avoid this issue, you should give local administrator accounts only to some privileged users that cannot work without local administrator rights or give local admin rights only to those applications that privileged users need to run. You should never give regular users administrative rights.
Mandatory Reapplication of Non-security Group Policy Settings
As described above, the background security refresh updates all security-related policy settings every 16 hours. But sometimes you also need to force non-security settings to be applied, even if the GPOs on the servers haven't changed, in order to fix exploits that aren't specifically security related.
You can choose to mandate the reapplication of the following areas of Group Policy during each initial policy processing and background refresh:
- Registry (Administrative Templates)
- Internet Explorer Maintenance
- IP Security
- EFS Recovery Policy
- Wireless Policy
- Disk Quota
- Scripts
- Security
- Folder Redirection
- Software Installation
- Wired Policy
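To verify on a client that mandatory reapplication is actually in effect, the following added example (not part of the original article) reads the per-extension policy value that Windows stores in the registry for two of the areas listed above. The registry path, the NoGPOListChanges value name and the two client-side extension GUIDs come from Windows itself rather than from this page; the function name is an assumption.

```powershell
# Added example (not from the original article): report whether "process even
# if the Group Policy objects have not changed" is set for two client-side
# extensions on the local machine. Run in an elevated or standard session;
# it only reads the registry.
function Get-GpReapplySetting {
    param(
        [string] $PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
    )

    # Client-side extension GUIDs for two of the areas in the list above.
    $extensions = [ordered]@{
        'Registry (Administrative Templates)' = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
        'Security'                            = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    }

    foreach ($name in $extensions.Keys) {
        $key   = Join-Path $PolicyRoot $extensions[$name]
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name NoGPOListChanges `
                        -ErrorAction SilentlyContinue).NoGPOListChanges
        }

        # 0 = reapply even when the GPO is unchanged; 1 = only when it changes;
        # no value = the processing policy for this extension is not configured.
        $state = if ($null -eq $value) { 'Not configured (extension default)' }
                 elseif ($value -eq 0) { 'Reapplied on every refresh' }
                 else                  { 'Only when the GPO changes' }

        [pscustomobject]@{
            Area             = $name
            NoGPOListChanges = $value
            State            = $state
        }
    }
}

Get-GpReapplySetting | Format-Table -AutoSize
```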
Conclusion
To recap, when you change a GPO in Active Directory, it will be automatically applied at the next refresh interval; you can also force a refresh to apply it immediately to your client systems. As an extra safety measure, you can set mandatory reapplication to ensure that certain Group Policy settings are always reapplied, even if they have not changed. This enables you to revert any unwanted changes made by local administrators.
Source: https://blog.netwrix.com/2017/02/17/group-policy-update/