So you’ve found yourself in a dilemma: you’ve just made a bunch of new GPOs (Group Policy Objects) and you’ve got your manager breathing down your neck. You need these changes to apply NOW, not on the Active Directory timeline. Not to fear, PDQ’s got your back. In this post we'll talk about how to use GPUpdate remotely.
How to use GPUpdate remotely
Windows has a utility baked in that we can leverage as either a tool in PDQ Inventory or as a command step in PDQ Deploy. Whichever method you choose, we need to dig into the available options of the utility GPUpdate. Below is the usage statement Windows returns for the utility:
Description: Updates multiple Group Policy settings.
Syntax:
Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]
Parameters:
/Target:{Computer | User}:
Specifies that only User or only Computer policy settings are updated. By default, both User and Computer policy settings are updated.
/Force:
Reapplies all policy settings. By default, only policy settings that have changed are applied.
/Wait:{value}
Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value '0' means not to wait. The value '-1' means to wait indefinitely. When the time limit is exceeded, the command prompt returns, but policy processing continues.
/Logoff:
Causes a logoff after the Group Policy settings have been updated. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff.
/Boot
Causes a computer restart after the Group Policy settings are applied. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy at computer startup. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a restart.
/Sync
Causes the next foreground policy application to be done synchronously. Foreground policy applications occur at computer startup and user logon. You can specify this for the user, computer or both using the /Target parameter. The /Force and /Wait parameters will be ignored if specified.
Now armed with all the info we need, we can start to create our command. Most of the time you don't want to interrupt your end users by forcing a logoff or unexpectedly rebooting their computer. Unless you like the phone calls and tickets that get created because of it.
We can ignore the first parameter, /Target: we’ll let PDQ handle the targeting for us, since we’ll be running the commands directly on the target. The remaining options are up to you. The most gentle example would be:
Gpupdate /force
That would re-apply all policies to the target machine. Keep in mind that if the policies you are applying require reboots or logoffs, they will not apply.
Let's say we wanted to go all out and make sure everything applies, reboots and logoffs be damned. The command below would handle that.
Gpupdate /Force /Logoff /Boot
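An added example (not from the original post or from PDQ): a PowerShell wrapper around the gentle command above that keeps a non-interactive run from stalling on the logoff/restart prompt and then checks the Group Policy operational log for problems. The 300-second wait and the rule for what counts as a failure are assumptions.

```powershell
# Added example, not PDQ's code: run on the target in place of a bare "gpupdate /force".
$started     = Get-Date
$waitSeconds = 300          # assumed limit; gpupdate's own default is 600

# /Force reapplies all settings. /Logoff and /Boot are left out on purpose, so
# gpupdate may ask whether to log off or restart; piping "N" answers that
# prompt, which keeps a non-interactive run from hanging and leaves users alone.
$output   = 'N' | & gpupdate.exe /Force "/Wait:$waitSeconds"
$exitCode = $LASTEXITCODE

# Warnings and errors logged by the Group Policy client since the run began.
$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $started
    Level     = 1, 2, 3     # Critical, Error, Warning
}
$problems = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# One summary per machine, then the detail needed to troubleshoot.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    ExitCode      = $exitCode
    ProblemEvents = $problems.Count
} | Format-List
$output
$problems | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# Assumption: a non-zero exit code or any logged problem counts as a failed refresh.
if ($exitCode -ne 0 -or $problems.Count -gt 0) { exit 1 }
exit 0
```

Policies that need a logoff or restart still wait for one; the script only declines the prompt and reports what the Group Policy client logged.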
How PDQ Inventory Tools can help
Now that we’ve got our commands structured, it's off to PDQ. We’ll focus on PDQ Inventory tools, but you can do the exact same thing with a Command Step in PDQ Deploy. I’ve found that Inventory tools are the more effective tool for the job (see what I did there… *insert laugh track*).
To create your tool, navigate to “Tools > Customize”. In the window that appears, select “New > Tool”.
The next screen is where all the magic happens. We need to give our tool a name, specify the run type, decide if we want any output, as well as configure any display/shortcut options.
Our tool will be a “remote” tool. We’ll also need to include the command we want to run: “gpupdate /force”. I’ll also give my tool a unique icon so it's easier to find.
Now, if you are like me and hate clicking around with your mouse and dread right-click context menus, you can assign this tool a keyboard shortcut. To do that, put your cursor in the shortcut field, then enter your key-combo. In my case, I chose Ctrl+Alt+F because I can hit that with just my left hand, and I’m forcing a Group Policy update.
At this point, we’re now off to the races. You can hop back over to any of your collections, select some computers and enter your key-combo (or if you are attached to your mouse, select some computers > right-click > tools > select your tool).
Wrapping up
This same methodology could be applied to any repetitive task you find yourself doing. Windows has quite a few built-in command line utilities that by default do not allow for remote targeting. With PDQ Inventory tools, the commands execute on the remote target, bypassing the need to target a specific computer.