How do I force a remote Group Policy update in Windows Server 2012?
Group Policy settings refresh automatically every 90 minutes, with a random offset of 0 to 30 minutes so that not all computers in the domain refresh their Group Policy settings at the same time. If you want to apply new Group Policy settings without waiting for the next scheduled refresh, you can force an update by running the gpupdate command line tool locally.
Windows Server 2012 Group Policy Management Console (GPMC) has a new feature that allows administrators to remotely force a Group Policy refresh on all computers in an Active Directory (AD) Organizational Unit (OU). Additionally, there’s also a new PowerShell cmdlet (Invoke-GPUpdate) that allows you to do the same thing programmatically, with the advantage of being able to target the default Computers container.
Configure Windows Firewall to allow a remote Group Policy update
First we need to configure Windows Firewall across our network to support the ability to remotely refresh Group Policy.
- Logon to Windows Server 2012, or Windows 8 if you have the Windows Server 2012 Remote Server Administration Tools (RSAT) installed.
- Open Server Manager from the desktop Task Bar or Start screen.
- Open Group Policy Management from the Tools menu in Server Manager.
- In the left pane of GPMC, expand your AD forest, domain, and select Starter GPOs.
- In the right pane of GPMC, if you don’t see a list of Starter GPOs for your domain, click Create Starter GPOs Folder.
- Now in the left pane of GPMC, right click your AD domain and select Create a GPO in this domain, and Link it here… from the menu.
- In the New GPO dialog, name the GPO GPO remote update Windows Firewall settings, select Group Policy Remote Update Firewall Ports under Source Starter GPO and click OK.
- In the left pane of GPMC, click on your AD domain. In the right pane, switch to the Linked Group Policy Objects tab. Click the new firewall settings GPO in the list and using the arrows on the left, move it up in the link order above the Default Domain Policy.
Force a remote Group Policy update
Once the new GPO is linked to your domain, you’ll need to wait for Group Policy to refresh on all devices to which it applies before you can reliably force a remote update using GPMC.
To force a Group Policy update on all computers in an Organizational Unit (OU) using GPMC:
- Right-click the desired OU in GPMC and select Group Policy Update from the menu.
- Confirm the action in the Force Group Policy Update dialog by clicking Yes.
Check the results in the Remote Group Policy update results window.