The command gpupdate /force is used to force the update of group policies that are applied by your company. Changes made in the Group Policy are not applied immediately but after 90 minutes by default (with a ~30 minute offset to spread the load). By using the GPUpdate command we can force the update.
Group Policies are used to change security settings and for system management (like deploying printers or mapping network drives). For troubleshooting IT problems, it’s sometimes necessary to update the group policy manually.
How to force a group policy update
- Press Windows key + X or right-click on the start menu
- Select Windows PowerShell or Command Prompt
- Type gpupdate /force and press enter
Wait for the Computer and User policy to update
- Reboot your computer
A reboot is necessary to be sure that all settings are applied.
GPUpdate vs GPUpdate Force command
The gpupdate /force command is probably the most used group policy update command. When you use the /force switch, all the policy settings are reapplied. For most use cases this is perfectly fine, but keep in mind that when you have a lot of group policy objects (GPOs) or a large environment, using /force will put a huge load on the domain controllers.
If you have a large tenant or a lot of GPOs, then it’s better to only run gpupdate without the /force switch to apply new policy settings. This will get only the changes or new group policies, reducing the load on the client and domain controllers.
# Reapply all policies
gpupdate /force

# Get only the changed / new group policies
gpupdate
Update only user or computer group policies
If you have a large environment or need to update the group policies on a lot of computers at the same time, then it can be useful to only update what is needed. This will reduce the load on the domain controllers and it’s of course faster.
To do this you can use the /target switch. This allows you to update only the user or computer GPOs.
# Update only the user policies
gpupdate /target:user

# Update only the computer policies
gpupdate /target:computer
Automatically reboot or logoff after GPUpdate
Not all policy changes are applied immediately. Due to Fast Boot, for example, some settings are only applied when the user logs in on the computer. Some settings even require a reboot to be applied.
With the use of the /logoff or /boot switch, we can let gpupdate figure out if a logoff or reboot is necessary. To be clear, if you run gpupdate /boot, then the computer will only reboot if a policy change requires it. Otherwise, the policy will be applied immediately without the reboot.
- GPUpdate /logoff is needed for example after policy changes in the Active Directory like folder redirections or printers. Changes in the AD are only applied when the user logs in on the computer.
- GPUpdate /boot is needed, for example, when you make Software Distribution changes.
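Since Group Policy carries security settings, it is worth confirming that a forced refresh really completed instead of assuming it did. The following PowerShell is an added example, not code from the original article: it runs gpupdate /force and then reads the Group Policy operational event log for the manual-processing completion events and for any warnings or errors logged since the refresh started. The function name Get-GPRefreshEvidence is hypothetical.

```powershell
# Added example (not from the original article). Get-GPRefreshEvidence is a
# hypothetical helper name; the log name and event IDs are Windows built-ins.
function Get-GPRefreshEvidence {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string]$LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    )

    # 8004 = manual computer policy processing completed
    # 8005 = manual user policy processing completed
    $completed = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; StartTime = $Since; Id = 8004, 8005
    } -ErrorAction SilentlyContinue

    # Level 2 = Error, Level 3 = Warning (for example a failed extension)
    $problems = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; StartTime = $Since; Level = 2, 3
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerCompleted = [bool]($completed | Where-Object Id -eq 8004)
        UserCompleted     = [bool]($completed | Where-Object Id -eq 8005)
        Problems          = @($problems | Select-Object TimeCreated, Id, Message)
    }
}

$start = Get-Date

# gpupdate waits for processing to finish before it returns (default /wait:600).
# Piping 'n' answers any logoff/reboot prompt so the script does not block.
'n' | gpupdate /force | Out-Null

$evidence = Get-GPRefreshEvidence -Since $start
$ok = $evidence.ComputerCompleted -and $evidence.UserCompleted -and
      ($evidence.Problems.Count -eq 0)

if ($ok) {
    Write-Output 'Computer and user policy processing completed without warnings.'
} else {
    Write-Warning 'Refresh not confirmed; review the events below.'
    $evidence.Problems | Format-List
}
```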
Run GPUpdate on a Remote Computer
Sometimes you may need to quickly update the group policies on multiple computers, for example because you changed the internet proxy settings or replaced a printer. There are a couple of ways to run GPUpdate on a remote computer.
Using the Group Policy Management Console
You can initiate a group policy update on a whole OU with the Group Policy Management Console. It has to be an OU with only computer objects in it, so you can’t use the method on a user OU. Simply right-click on the OU where you have changed a policy and click on Group Policy Update.
This will update the user and computer policies on all the computers in the given organizational unit. The nice thing is that it will ask for confirmation and show you how many computers are going to be updated.
After you have confirmed the update, the policies will be updated and you can see the status of each computer. In this example 5 computers were turned off, so the update failed.
Use PowerShell to run GPUpdate on a Remote Computer
We can also use PowerShell to run gpupdate on remote computers. The only requirement is that you have Windows 2012 or later. Running it from Windows 10 is also possible, but then you need to open the PowerShell window with a domain admin account.
The basis of the command is the Invoke-GPUpdate cmdlet. We also need to specify the computer and the RandomDelayInMinutes.
The RandomDelayInMinutes is used to lower the network load when you update a lot of computers at the same time. You can set it between 0 and 44640 minutes (31 days). Use 0 to run the update immediately.
Invoke-GPUpdate -Computer "labrat01" -RandomDelayInMinutes 0 -Force
If a user is logged on at the computer, then the Invoke-GPUpdate command will ask the user for confirmation. By using the -Force switch we can run the updates without the confirmation.
With this, we can create a small script to target all computers in a specific OU and run GPupdate on them.
# Spread the load by setting the delay to between 1 and 30 minutes
$random = Get-Random -Minimum 1 -Maximum 30

# Get the computers in an OU to update and run GPUpdate
Get-AdComputer -SearchBase "OU=Computers,OU=Lab,DC=lazyadmin,DC=com" -Filter * | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes $random -Force}
Or if you want to use a list of computers:
# Based on a list (each name is its own array element)
$random = Get-Random -Minimum 1 -Maximum 30
$computers = "labpc01", "labpc02", "labpc03"
$computers | ForEach-Object -Process {Invoke-GPUpdate -Computer $_ -RandomDelayInMinutes $random -Force}
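The one-liners above stop reporting anything useful once a computer is turned off or refuses the request, which is the failure the console example showed. The following is an added example, not code from the original article, that records a per-computer outcome so the misses can be followed up. The function name Invoke-OUGPUpdate and the CSV file name are hypothetical, and it assumes the ActiveDirectory and GroupPolicy modules are installed and that ICMP echo is allowed to the targets.

```powershell
# Added example (not from the original article). Invoke-OUGPUpdate is a
# hypothetical helper; Get-ADComputer, Test-Connection and Invoke-GPUpdate
# are the real cmdlets it wraps.
Import-Module ActiveDirectory, GroupPolicy

function Invoke-OUGPUpdate {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # Same bounds the cmdlet accepts: 0 to 44640 minutes
        [ValidateRange(0, 44640)][int]$RandomDelayInMinutes = 30
    )

    # Skip disabled computer accounts; they should not be receiving policy
    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' | ForEach-Object {
        $name   = $_.Name
        $status = 'Scheduled'
        $detail = ''

        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $status = 'Offline'
        } else {
            try {
                # -ErrorAction Stop turns a refused request into a catchable error
                Invoke-GPUpdate -Computer $name -RandomDelayInMinutes $RandomDelayInMinutes -Force -ErrorAction Stop
            } catch {
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }

        # 'Scheduled' means the refresh was queued on the target, not that
        # the policy has already been applied there
        [pscustomobject]@{ Computer = $name; Status = $status; Detail = $detail }
    }
}

$results = Invoke-OUGPUpdate -SearchBase 'OU=Computers,OU=Lab,DC=lazyadmin,DC=com' -RandomDelayInMinutes 30

# Summary per outcome, plus a follow-up list of machines that still run old policy
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object Status -ne 'Scheduled' |
    Export-Csv -Path .\gpupdate-followup.csv -NoTypeInformation
```

Computers listed as Offline or Failed keep their previous settings until their next background refresh, so treat the follow-up list as machines where a changed security setting is not yet in force.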
Wrapping Up
I hope this article helped you with the GPUpdate /force command. If you have any questions, then just drop a comment below.
Nice, clean, easy to follow and to the point article. Thanks so much!
Thanks, good and precise content.
Can’t really do that without computer account for user? User cannot have only user account to do gpupdate for them?
There is no way to target a user if you don’t know which computer he is using. A tool like PDQ Deploy and/or Inventory can really help with this.
How can I do gpupdate for a group in my domain, however for a group that contains users, not computers?
You will need to know which computer the user is using. That is not listed in the active directory, so you will need to have another source for that.
Thank you so much. For your help but most for your humbleness. I know I am quite silly about this but you helped me anyway. Thank you!!
Andrea
Hi, it’s Andrea. And what about if I no longer want it on my laptop.
Let’s say I mistakenly typed the gpupdate on my PC. (I was trying to uninstall a malware)
What can we do to get rid of the update. And am I exposed to danger after that I have typed this command:
:\WINDOWS\system32>rd /S /Q “%WinDir%\System32\GroupPolicyUsers”
The system cannot find the file specified.
C:\WINDOWS\system32>rd /S /Q “%WinDir%\System32\GroupPolicy”
The system cannot find the file specified.
C:\WINDOWS\system32>gpupdate /force
Updating policy…
Computer Policy update has completed successfully.
User Policy update has completed successfully.
The RD command (remove directory) didn’t do anything, because the path was invalid.
If you haven’t changed any group policy setting (and you probably haven’t done that), then nothing is changed on your computer with the gpupdate /force command.