{"id":4091,"date":"2015-09-14T08:23:19","date_gmt":"2015-09-14T13:23:19","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=4091"},"modified":"2015-08-31T08:36:41","modified_gmt":"2015-08-31T13:36:41","slug":"remote-group-policy-update","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/remote-group-policy-update\/","title":{"rendered":"Remote Group Policy Update"},"content":{"rendered":"

With the release of Windows Server 2012 Microsoft added several new features to the server Edition. We\u2019ve already discussed about some of these enhancements and today we\u2019ll continue discovering another one, the remote group policy<\/a> update feature. If you\u2019ve worked on previous Windows Server<\/a> Editions you know that the only way in which you could force a group policy update on a machine was by executing gpupdate command. This procedure could be achieved either by using Remote Desktop Connection and executing the command locally in Powershell or by creating a script then using the Invoke-Command<\/i> cmdlet with the gpupdate<\/i> in its script block. Although the second method was efficient it required some extra Powershell scripting knowledge so added extra complexity to the over wall operation. In large enterprises this was the only way in which you\u2019d be able to force a group policy update on multiple servers.<\/span><\/p>\n

Windows Server 2012 added the so called remote group policy update feature which allows Administrators to perform a group policy update procedure on multiple hosts using either the Group Policy Management Console or PowerShell. I\u2019ve personally used this technique and I can assure you that makes your life much better as a Sysadmin<\/a>. It\u2019s easy to use and I\u2019ve tested it successfully when deploying and testing a lot of group policy objects within my Active Directory<\/a> environment.<\/span><\/p>\n

You can execute remote group policy update using the group policy management console by right clicking on an organizational unit:<\/span><\/p>\n

\"group-policy-management\"<\/a><\/p>\n

You will be prompted that that group policy update will be executed on all objects and subcontainers within the selected organizational unit. Although this mechanism is easy to use, does not allow you to exclude or filter the machines on which the group policy update will run:<\/span><\/p>\n

\"Force-Group-Policy-Update\"<\/a><\/p>\n

Note that you can use this method only on machines running Windows Server 2008, Windows Vista or newer Editions. Once you click the yes button, gpupdate will be scheduled within a 10 minutes interval on all computers within the selected OU. You will be able to view the list of all computers on which the group policy update has run. The wizard will prompt you if any errors occur along with an error description:<\/span><\/p>\n

\"Remote-Group-Policy-Updates-Results\"<\/a><\/p>\n

You can perform the same operation using Powershell with the new Invoke-GPUpdate<\/i> cmdlet. If the command is executed on a machine without parameters it will schedule a group policy update within a 10 minutes interval only on that particular host. Type get-help Invoke-GPUpdate<\/i> to view the parameters that can be used with this cmdlet:<\/span><\/p>\n

\"invoke-gpupdate\"<\/a><\/p>\n

You can use the Invoke-GPUpdate \u2013Computer computer_name<\/i> command to specify a remote machine on which group policy will be executed. To extend the range on which group policy will run, use the Get-ADComputer<\/i> command with the following parameters:<\/span><\/p>\n

Get-ADComputer -Filter * -SearchBase \u201cOU=Domain Controllers,DC=ppscu,DC=com\u201d<\/i><\/span><\/p>\n

In the searchable section is where you specify in which OU the operation will run. I\u2019m using a testing environment for this demonstration so I only have one DC in this OU:<\/span><\/p>\n

\"get-adcomputer\"<\/a><\/p>\n

We can pipe the results of the command and execute Invoke-GPUpdate<\/i> on all machines that were displayed by Get-ADComputer<\/i>:<\/span><\/p>\n

Get-ADComputer -Filter * -SearchBase \u201cOU=Domain Controllers,DC=ppscu,DC=com\u201d | foreach { Invoke-GPUpdate -Computer $_.name }<\/i><\/span><\/p>\n

\"invoke-gpudate\"<\/a><\/p>\n

If we eliminate the \u2013 SearchBase<\/i> parameter, gupdate will run on all computers part of the domain:<\/span><\/p>\n

Get-ADComputer -Filter * | foreach {Invoke-GPUpdate -Computer $_.name}<\/i><\/span><\/p>\n

Using the Get-ADComputer<\/i> filtering option we can modify the scope of the remote group policy update procedure. If you\u2019ve used this command before you already know that you can filter based on all the attributes that a computer object can have such as its Operating System, IPV4 address, etc. You can view all the attributes of a computer object by typing the following command:<\/span><\/p>\n

Get-ADComputer computer_name -Properties *<\/i><\/span><\/p>\n

\"get-adcomputer-2\"<\/a><\/p>\n

\u00a0<\/p>\n

The remote group policy update will create a task in task scheduler, this service must be up and running to successfully run gpupdate. Note that the task will be created under Task Scheduler Library\\Microsoft\\Windows\\GroupPolicy<\/i>:<\/span><\/p>\n

\"task-scheduler\"<\/a><\/p>\n

Make sure to check out this section if you encounter issues when using the group policy remote update procedure. Tasks have an expiration date so they will be automatically deleted after a period of time.<\/span><\/p>\n

I\u2019ve never worked in an enterprise that was using local Windows Server Firewall<\/a> because it\u2019s still not good enough when talking about firewall rules propagation and scalability so in most cases you\u2019ll find it disabled. Large enterprises use dedicated firewall devices or servers to create the security policies they need so often the Windows Firewall is disabled through group policy. If you use Windows Firewall within your domain you\u2019ll need to make sure that the firewall rules are created for remote group policy update to work. Microsoft created a starter group policy object for this feature so you can simply link it to the domain:<\/span><\/p>\n

\"group-policy-remote-update-firewall-ports\"<\/a><\/p>\n

Multiple group policy cmdlets were introduced by Microsoft with the release of Windows Server 2012, you can explore them by checking the GroupPolicy module in Windows Powershell using Get-Command -Module GroupPolicy<\/i>:<\/span><\/p>\n

\"get-command\"<\/a><\/p>\n

That\u2019s about it for this article folks, hope you\u2019ve understood this simple but yet usefully feature that was introduced with the latest Windows Server Edition. Wish you all the best and stay tuned for the following articles from our blog.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

With the release of Windows Server 2012 Microsoft added several new features to the server Edition. We\u2019ve already discussed about some of these enhancements and today we\u2019ll continue discovering another one, the remote group policy update feature. If you\u2019ve worked on previous Windows Server Editions you know that the only way in which you could […]<\/p>\n","protected":false},"author":4,"featured_media":4100,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,9,8],"tags":[],"class_list":["post-4091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=4091"}],"version-history":[{"count":3,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4091\/revisions"}],"predecessor-version":[{"id":4104,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4091\/revisions\/4104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/4100"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=4091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=4091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=4091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}