How to push down group policy from domain controller to a client after changes were made to the GPO.

    Question

  • Hi,

    I've a domain created and have created various test GPO policies. Can I ask how to push down a GPO from a domain controller to a client straight away after a policy was modified or created?

    Let's say for a certain OU or computer DN.
    Monday, March 30, 2009 8:29 AM

Answers

  • There's no built-in mechanism, sorry.

    If it's only a test system, you can go with Salvador's suggestion and tweak the Group Policy "pull" interval time -- but please, only do that in a test environment. Having that set to a low value might lead you into trouble in a production environment due to increased load on the DCs as well as increased bandwidth usage.

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, March 31, 2009 7:31 AM
  • Hi Kim Seng,

    Not possible, as far as I know. You may have to make do with a very short Group Policy Interval for Computers setting.

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz
    Tuesday, March 31, 2009 8:21 AM

All replies

  • I think you can do that in Windows Server 2008.  Not sure though.  From the client you can run "gpupdate" from the command line or have them log off then log back in.
    CCNA, A+, N+
    Monday, March 30, 2009 9:33 PM
  • Hi,

    Thanks for the reply. I know that gpupdate can help to pull down the latest GPO policy. But I'm more interested in knowing how to push down from the domain controller to clients such as Windows Vista, etc.
    Tuesday, March 31, 2009 12:50 AM
  • Hi Kim Seng,

    Your query depends on how fast your domain controllers push changes done to group policies. Normally, for DCs belonging to the same site, replication for GPO changes takes less than a minute whereas inter-site replication of the changes may depend on your replication topology.

    Assuming you are working in a single-site domain (e.g., GPO changes are replicated in less than a minute), you can configure your computers' GPO background refresh (Group Policy Refresh Interval for Computers) to something like 1 minute so that they will receive the updated policies when this threshold is reached. Take note of the potential bandwidth implications and DC loading, however. You can configure this under Computer Configuration\Administrative Templates\System\Group Policy.

    You can trigger a background refresh of Group Policy on demand from the client using gpupdate /force. However, the application of Group Policy cannot be pushed to clients on demand from the server.

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz

    Tuesday, March 31, 2009 2:38 AM
  • Hi Salvador,

    Thanks for the reply.

    This is what I have researched as well. :p

    So can I say that it is not possible to push down group policy on demand from server to clients? :(

    Tuesday, March 31, 2009 3:07 AM
  • Howdie!

    I would like to note that GP application isn't a "push" mechanism - you don't push policies, you actually create them on the DCs - the DCs replicate them and clients check for updates on a regular basis (every 90 minutes + random offset of max. 30 minutes, so every max. 120 minutes they get checked). If changes have occurred, clients automatically apply them.

    You can force the "pull" mechanism with the command line utility "gpupdate".

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, March 31, 2009 6:40 AM
  • Hi Florian,

    Thanks for the reply.

    I guess I could not do a push from the DC to the clients on demand.
    Tuesday, March 31, 2009 6:45 AM
  • Hi Florian and Salvador,

    Thanks for your replies.

    I have actually tried the Group Policy Interval for Computers setting, such as changing the value to 0. What it did was do a policy update every 7 seconds. It causes lots of bandwidth wastage. :(

    But this is not what I want. :(
    Tuesday, March 31, 2009 10:18 AM
  • Wednesday, May 27, 2009 7:04 AM
  • Or you could try this:

    http://www.specopssoft.com/products/specopsgpupdate/

    Ray
    Ray Hayes

    Hi Ray,

    Thanks for the link, will try it out.
    Wednesday, May 27, 2009 1:54 PM
  • Florian;
    Can I go off on a little tangent here?
    I make a change to a GPO on the DC. Assuming the default 90 minute refresh interval, an XP workstation picks up the GPO within the next 120 minutes. It doesn't apply the computer scope of the GPO until reboot, even if I were to do a gpupdate /force shortly after I made the change to the GPO. Do I have that right?
    Likewise, if I changed the user scope and did a gpupdate /force, it isn't applied until the user logs on?
    tia and TGIF
    Friday, August 14, 2009 1:20 PM
  • I use PsExec by Mark Russinovich. The downside is that it will only do one computer at a time. Useful to a certain point. http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx Cheers, Ozz.
    Thursday, July 19, 2012 12:56 AM
  • While it is technically true you cannot "PUSH" out a GPUPDATE to your computers, Windows 8/2012 does have a Group Policy update feature that also works on Windows 7/2008 R2... You just need to have GPMC installed on a Windows 8 computer somewhere in your organisation. See http://www.grouppolicy.biz/2012/04/how-to-configure-and-use-group-policy-update-in-windows-8/

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Thursday, July 19, 2012 3:21 AM
  • I run dsquery of the OU and send a cleaned up version of the results to a txt file and then run a psexec to call the txt file and run gpupdate /force:

    For /f %u in (Y:\serverlist.txt) do psexec \\%u gpupdate /force

    I know it is messy but it gets the task done. :)

    Here is an actual test: 

    C:\SH>For /f %u in (serverlist.txt) do psexec \\%u gpupdate /force

    C:\SH>psexec \\TESTSYSTEM01 gpupdate /force

    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Updating Policy...

    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

    gpupdate exited on TESTSYSTEM01 with error code 0.

    C:\SH>psexec \\TESTSYSTEM02 gpupdate /force

    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Updating Policy...

    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

    gpupdate exited on TESTSYSTEM02 with error code 0.

    C:\SH>psexec \\TESTSYSTEM03 gpupdate /force

    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Updating Policy...

    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

    gpupdate exited on TESTSYSTEM03 with error code 0.


    Wednesday, July 25, 2012 1:47 AM
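
An added example, not written by any participant in this thread: the same "enumerate an OU, then refresh each computer" procedure done with the Invoke-GPUpdate cmdlet that ships with the Windows 8 / Server 2012 Group Policy tools mentioned above, instead of dsquery and PsExec. The OU distinguished name is a placeholder, and the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed on the admin workstation.

```powershell
# Added example: schedule an immediate Group Policy refresh on every
# enabled computer in one OU and report which hosts could not be reached.
Import-Module ActiveDirectory, GroupPolicy

# Placeholder DN (assumption): replace with the OU you actually target.
$ou = 'OU=TestComputers,DC=example,DC=test'

$results = foreach ($c in Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true') {
    try {
        # -RandomDelayInMinutes 0 runs the refresh right away instead of
        # after the default random delay; -Force reapplies all settings,
        # like "gpupdate /force".
        Invoke-GPUpdate -Computer $c.DNSHostName -RandomDelayInMinutes 0 `
                        -Force -ErrorAction Stop
        [pscustomobject]@{ Computer = $c.Name; Scheduled = $true;  Error = $null }
    }
    catch {
        # Typical causes: host offline, or RPC/WMI blocked by its firewall.
        [pscustomobject]@{ Computer = $c.Name; Scheduled = $false; Error = $_.Exception.Message }
    }
}

# Failures first, so unreachable machines are easy to spot.
$results | Sort-Object Scheduled, Computer | Format-Table -AutoSize
```

Invoke-GPUpdate only creates a scheduled task on the remote computer, so "Scheduled = True" means the refresh was queued, not that policy has finished applying. The clients must allow the inbound Remote Scheduled Tasks Management and WMI firewall rules for the call to succeed.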
  • Thanks Ozz. I used PsExec as you mentioned, but used \\* as computer name and it will run on all computers in the domain.

    i.e.: psexec \\* gpupdate /force.

    Download PsTools from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    Wednesday, December 26, 2012 5:02 AM