Remote Group Policy Update

With the release of Windows Server 2012, Microsoft added several new features to the server edition. We've already discussed some of these enhancements, and today we'll continue with another one: the remote group policy update feature. If you've worked with previous Windows Server editions, you know that the only way to force a group policy update on a machine was to execute the gpupdate command. This could be done either by using Remote Desktop Connection and running the command locally in PowerShell, or by creating a script and using the Invoke-Command cmdlet with gpupdate in its script block. Although the second method was efficient, it required some extra PowerShell scripting knowledge, which added complexity to the overall operation. In large enterprises this was the only way to force a group policy update on multiple servers.

Windows Server 2012 added the so-called remote group policy update feature, which allows administrators to perform a group policy update on multiple hosts using either the Group Policy Management Console or PowerShell. I've personally used this technique and I can assure you that it makes your life much easier as a sysadmin. It's easy to use, and I've tested it successfully while deploying and testing many group policy objects within my Active Directory environment.

You can execute a remote group policy update from the Group Policy Management Console by right-clicking an organizational unit:

[Screenshot: group-policy-management]

You will be prompted that the group policy update will be executed on all objects and subcontainers within the selected organizational unit. Although this mechanism is easy to use, it does not allow you to exclude or filter the machines on which the group policy update will run:

[Screenshot: Force-Group-Policy-Update]

Note that you can use this method only on machines running Windows Server 2008, Windows Vista or newer editions. Once you click the Yes button, gpupdate will be scheduled within a 10-minute interval on all computers within the selected OU. You will then see the list of all computers on which the group policy update has run, and the wizard will report any errors that occur along with an error description:

[Screenshot: Remote-Group-Policy-Updates-Results]

You can perform the same operation from PowerShell with the new Invoke-GPUpdate cmdlet. If the command is executed on a machine without parameters, it will schedule a group policy update within a 10-minute interval on that particular host only. Type Get-Help Invoke-GPUpdate to view the parameters that can be used with this cmdlet:

[Screenshot: invoke-gpupdate]

You can use the Invoke-GPUpdate -Computer computer_name command to specify a remote machine on which the group policy update will be executed. To extend the range of machines on which it will run, use the Get-ADComputer command with the following parameters:

Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,DC=ppscu,DC=com"

The -SearchBase parameter is where you specify the OU in which the operation will run. I'm using a testing environment for this demonstration, so I only have one DC in this OU:

[Screenshot: get-adcomputer]

We can pipe the results of the command to execute Invoke-GPUpdate on all machines returned by Get-ADComputer:

Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,DC=ppscu,DC=com" | foreach { Invoke-GPUpdate -Computer $_.name }

[Screenshot: invoke-gpupdate]

If we omit the -SearchBase parameter, gpupdate will run on all computers that are part of the domain:

Get-ADComputer -Filter * | foreach {Invoke-GPUpdate -Computer $_.name}

Using the Get-ADComputer filtering options we can modify the scope of the remote group policy update. If you've used this command before, you already know that you can filter on any attribute a computer object can have, such as its operating system, IPv4 address, etc. You can view all the attributes of a computer object by typing the following command:

Get-ADComputer computer_name -Properties *

[Screenshot: get-adcomputer-2]
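Putting the scoping idea above into a single script (an added example, not code from the original article): the computers of one OU are filtered server-side on the OperatingSystem attribute, the update is scheduled on each with a random delay so the hosts don't all hit the domain controllers at once, and every host where scheduling failed is recorded so you can follow up. The OU path is a placeholder; the GroupPolicy and ActiveDirectory modules (RSAT or Windows Server 2012+) are assumed.

```powershell
# Added example: scoped remote group policy update with failure tracking.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$searchBase = 'OU=Member Servers,DC=example,DC=com'   # placeholder OU

# Filter on the directory side instead of pulling every computer object first.
$filter  = "OperatingSystem -like 'Windows Server*' -and Enabled -eq 'True'"
$targets = Get-ADComputer -Filter $filter -SearchBase $searchBase -Properties OperatingSystem

$results = foreach ($computer in $targets) {
    try {
        # -RandomDelayInMinutes spreads the start of the scheduled task over
        # up to 10 minutes; -Force re-applies GPOs even if they have not changed.
        Invoke-GPUpdate -Computer $computer.DNSHostName -RandomDelayInMinutes 10 -Force -ErrorAction Stop
        [pscustomobject]@{
            Computer  = $computer.Name
            OS        = $computer.OperatingSystem
            Scheduled = $true
            Error     = $null
        }
    }
    catch {
        # Typical causes: host offline, Task Scheduler service stopped,
        # or the firewall rules for remote task management missing.
        [pscustomobject]@{
            Computer  = $computer.Name
            OS        = $computer.OperatingSystem
            Scheduled = $false
            Error     = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
# Keep a list of the hosts that still need attention.
$results | Where-Object { -not $_.Scheduled } |
    Export-Csv -Path .\gpupdate-failures.csv -NoTypeInformation
```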


The remote group policy update creates a task in Task Scheduler, so this service must be up and running for gpupdate to run successfully. Note that the task is created under Task Scheduler Library\Microsoft\Windows\GroupPolicy:

[Screenshot: task-scheduler]

Make sure to check this section if you encounter issues when using the remote group policy update procedure. The tasks have an expiration date, so they will be automatically deleted after a period of time.
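To check the same thing from PowerShell instead of opening Task Scheduler on each host (an added example, not part of the original article): the script below confirms that the Task Scheduler service is running on every target and lists the tasks under \Microsoft\Windows\GroupPolicy with their last result and next run time, so a host where the remote update never arrived shows up as having no task. It assumes WinRM is enabled on the targets and the ScheduledTasks module is present (Windows 8 / Server 2012 or newer); the computer names are placeholders.

```powershell
# Added example: verify the Task Scheduler service and the GroupPolicy tasks
# that Invoke-GPUpdate creates on each target host.
$targets = 'srv01', 'srv02'   # placeholder computer names

Invoke-Command -ComputerName $targets -ScriptBlock {
    # "Schedule" is the service name of Task Scheduler.
    $schedulerRunning = (Get-Service -Name Schedule).Status -eq 'Running'

    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\GroupPolicy\' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                SchedulerRunning = $schedulerRunning
                Task             = $_.TaskName
                State            = $_.State
                NextRun          = $info.NextRunTime
                LastRun          = $info.LastRunTime
                LastResult       = $info.LastTaskResult   # 0 means the last run succeeded
            }
        }

    if (-not $tasks) {
        # No task in this folder: the remote update was never scheduled here
        # (or the task already expired and was removed).
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            SchedulerRunning = $schedulerRunning
            Task             = '<none>'
            State            = $null
            NextRun          = $null
            LastRun          = $null
            LastResult       = $null
        }
    }
    else { $tasks }
} | Sort-Object Computer, Task | Format-Table -AutoSize
```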

I've never worked in an enterprise that was using the local Windows Server firewall, because it's still not good enough when it comes to firewall rule propagation and scalability, so in most cases you'll find it disabled. Large enterprises use dedicated firewall devices or servers to create the security policies they need, so the Windows Firewall is often disabled through group policy. If you do use Windows Firewall within your domain, you'll need to make sure that the firewall rules required for remote group policy update are created. Microsoft created a starter group policy object for this feature, so you can simply link it to the domain:

[Screenshot: group-policy-remote-update-firewall-ports]

Multiple group policy cmdlets were introduced by Microsoft with the release of Windows Server 2012; you can explore them by listing the GroupPolicy module in Windows PowerShell using Get-Command -Module GroupPolicy:

[Screenshot: get-command]

That's about it for this article, folks. I hope you've understood this simple yet useful feature that was introduced with the latest Windows Server edition. Wish you all the best and stay tuned for the following articles from our blog.

You can learn more about Dan Popescu by visiting him on Google+
