Powershell – Force gpupdate on all Domain Computers

To totally unlock this section you need to Log-in

Client computers update Group Policies every 90 minutes by default, in a functional and working domain. In this brief article we will see how to force gpupdate command on all client computer of an organizational unit by running a PowerShell command from a remote computer.

What we are going to use is the powerful Invoke-GPUpdate cmdlet, already available on Windows Server 2012, 2012 R2 and Windows Server 2016 systems.

The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings that are set on remote computers by scheduling the running of the Gpupdate command on a remote computer. You can combine this cmdlet in a scripted fashion to schedule the Gpupdate command on a group of computers.

The refresh can be scheduled to immediately start a refresh of policy settings or wait for a specified period of time, up to a maximum of 31 days.

Powershell - Force gpupdate on all Domain Computers

To avoid putting a load on the network, the refresh times will be offset by a random delay.

In the following examples we are going to use the options below:

  • -Force: this forces the command to run without asking for user confirmation.
  • -RandomDelayInMinutes: this option pecifies the delay, in minutes, that Task Scheduler waits, with a random factor added to lower the network load, before running a scheduled Group Policy refresh. You can specify a delay in from 0 minutes to a maximum of 44640 minutes (31 days). A value of 0 causes the Group Policy refresh to run as soon as the gpupdate task has been scheduled.

This command can be used to update Windows 10, Windows 8.1, Windows 8 and Windows 7 clients.

As a requirement, this cmdlet, to work properly, will need Powershell installed as well as the Group Policy Management Console (GPMC), so usually this will be triggered directly on/from Domain Controllers.

Run the following command on a Domain Controller of the domain to force gpupdate on all client computer of the OU workstations:

Get-ADComputer -Filter * -SearchBase “OU=Workstations,DC=example,DC=com” | Foreach-Object {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}

A quick glance at the client computer shows what happens: command prompt pops up and gpupdate is running. That’s cool.

To force gpupdate on all domain computers just run

Get-ADComputer -Filter * | Foreach-Object {Invoke-GPUpdate -Computer $_.name -Force -RandomDelayInMinutes 0}

Important: This command will force gpupdate on client computers and server systems.